VPN Traffic Issue

mikewillis
Level 1

Okay, this happens to be the weirdest thing I've seen. Here is the setup. I have a PIX 515E firewall. I have VPN set up on it so my users can connect remotely from across the country.

I have one set of users who can't connect. Let me clarify. The VPN client connects, they are given an IP by the firewall, but they can't send traffic over the tunnel. I've tried pinging everything from the inside interface of the firewall to servers behind it and nothing. Now the set of users that aren't working all exist in the same location, running on the same network, and behind their own firewall. And they were working up until a week ago. Their provider says he hasn't changed anything on his firewall and I know I haven't changed anything on mine. So any help would be greatly appreciated.


3 Replies

Marcin Latosiewicz
Cisco Employee

Mike,

Check if the client is encapsulating traffic. If it is and you're not seeing decaps on the PIX...

Do a sniffer trace on the PIX and the client.

If you see ESP or UDP/4500 packets leaving towards the PIX but not arriving on the PIX, voila. Something is dropping them on the way.

Marcin

Without even doing any sniffing I see that packets are being bypassed for some reason. Everything appears right. I've reinstalled the VPN client software, redid the connection entry, and still nothing.

Again, what's weird is that other VPN clients are working. Just not any from this particular location. Is there anything in particular I should be looking for when I ask the IT department that controls the firewall at this location? (And it was working a few weeks ago.)

Accepted Solution

Please turn on NAT traversal on your PIX firewall:

crypto isakmp nat-traversal

That would encapsulate the ESP in UDP/4500. It looks like it fails because of the NAT device at that particular location.

Hope that helps.
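Marcin's sniffer test and the NAT-T answer come down to one comparison: which IPsec traffic left the client towards the PIX versus what the PIX actually saw, and whether the source address changed on the way (a NAT in the path). As an added example, not code from the thread or from Cisco, here is that comparison in Python over constructed packet summaries; the addresses, the capture tuples and the classify/diagnose functions are assumptions made for the illustration.

```python
from collections import Counter

ISAKMP_PORT, NAT_T_PORT, ESP_PROTO, UDP_PROTO = 500, 4500, 50, 17
PIX_IP = "198.51.100.1"

# Constructed packet summaries (src, dst, ip_proto, udp_dport); not a real trace.
# The client sits behind a NAT that rewrites 192.168.10.20 -> 203.0.113.7.
CLIENT_CAPTURE = [
    ("192.168.10.20", PIX_IP, UDP_PROTO, ISAKMP_PORT),  # IKE on UDP/500 to the PIX
    ("192.168.10.20", PIX_IP, ESP_PROTO, None),         # bare ESP (IP protocol 50)
    ("192.168.10.20", PIX_IP, ESP_PROTO, None),
]
PIX_CAPTURE = [
    ("203.0.113.7", PIX_IP, UDP_PROTO, ISAKMP_PORT),    # IKE arrives, source NATted
    # no ESP arrives: the NAT device in the path could not pass protocol 50
]

def classify(pkt):
    """Map a packet summary to the IPsec traffic class it belongs to."""
    _, _, proto, dport = pkt
    if proto == ESP_PROTO:
        return "esp"
    if proto == UDP_PROTO and dport == ISAKMP_PORT:
        return "isakmp"
    if proto == UDP_PROTO and dport == NAT_T_PORT:
        return "udp4500"  # ESP encapsulated in UDP, what nat-traversal produces
    return None

def diagnose(client_capture, pix_capture, pix_ip):
    """Marcin's test: what left the client towards the PIX versus what the PIX saw."""
    sent = Counter(c for c in (classify(p) for p in client_capture if p[1] == pix_ip) if c)
    seen = Counter(c for c in (classify(p) for p in pix_capture if p[1] == pix_ip) if c)
    # Different IKE source addresses at the two ends means a NAT sits in between.
    src_client = {p[0] for p in client_capture if classify(p) == "isakmp"}
    src_pix = {p[0] for p in pix_capture if classify(p) == "isakmp"}
    natted = bool(src_client and src_pix) and src_client.isdisjoint(src_pix)
    if sent["esp"] and not (seen["esp"] or seen["udp4500"]):
        verdict = "esp_dropped_in_path"       # the case in this thread
    elif sent["udp4500"] and not seen["udp4500"]:
        verdict = "udp4500_dropped_in_path"   # NAT-T on, but UDP/4500 filtered
    elif sent["esp"] or sent["udp4500"]:
        verdict = "data_arrives"
    else:
        verdict = "client_not_encapsulating"
    return {"sent": dict(sent), "seen": dict(seen), "natted": natted, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(CLIENT_CAPTURE, PIX_CAPTURE, PIX_IP))
```

With the constructed captures the verdict is esp_dropped_in_path with natted set, which is exactly the situation where enabling nat-traversal (ESP in UDP/4500) is the fix.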