VPN VPN Client tunnel established but no decrypted packets on client

danhosking · ‎12-01-2006

I have one VPN client who is unable to pass any traffic. All other users are fine.

- The VPN is established.

-On the ASA I can see packets being encrypted and decrypted.

- On the client I see packets being encrypted but zero packets being decrypted.

- I have checked the 2 dhcp addresses being assigned to the client, 1 is a 10.0.0.0 address from his bradband router and the other is a 192.168. address from the ASA VPN IP pool of addresses.

Any ideas as I am completely stumped!

ajagadee · ‎12-04-2006

Daniel,

First and foremost, have this specific VPN User connect to your VPN Server using a dial up. If the user is able to access your LAN through the VPN Tunnel, then we know for sure that there is nothing wrong with the VPN Client, PC and the VPN Server Configuration.

Then, have the same user connect through the broadband router. If your see encrypts on the client side and encrypts/decrypts on the VPN Server, then most likely there is a firewall that is blocking traffic.

Is the user using IPSEC, IPSEC Over UDP or IPSEC Over TCP. If IPSEC, then Protocol 50 is most likely blocked by a firewall. If IPSEC Over TCP or IPSEC Over UDP, then check with the user's ISP to make sure that UDP Port 10000 or TCP Port 4500 is not blocked.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

danhosking · ‎12-05-2006

The issue was the ASA did not have IPSEC over Nat enabled. All working now. Thanks for the help.

ajagadee · ‎12-06-2006

Daniel,

Thanks for the update! Glad its working.

Regards,

Arul

kelvingarrahan · ‎12-07-2006

One thing to check is that NAT-T is enabled, a symptom we have seen is that the tunnel can be established but the client cannot decrypt traffic. Sometimes this problem resolves itself after 180seconds and packets start to get decrypted at the client. If we enable NAT-T this problem gets resolved immediately.