(CISCO gurus) Weird CISCO VPN client problem

I’m having a rather strange CISCO client VPN problem here and thought I’d see if any 'dopers know the answer. I’ve got a tech support email into the TAC, but seeing as I’m just sitting here I thought I’d ask.

Basically, this is a new VPN implementation here. They are using standard IPSec…nothing fancy. What’s happening is that with some clients (so far they seem to all be VISTA boxes, but that might or might not be the case with all of them) they attach to the VPN, they get their DHCP provisioning from the firewall, and everything looks good (with two exceptions I’ll list below)…but they can only ping themselves, the firewall’s interior NIC and other VPN boxes in the same VLAN. However, my machines (as well as several others, all XP so far) are having no issues. We get in and can ping the entire network (i.e. all of the VLANs that aren’t part of the VPN VLAN).

The exceptions I mentioned above are this: On my (working VPN) adapter, I have the gateway as being my actual machine, while on the non-working systems they are getting the actual gateway address. In addition, the non-working systems have the word “preferred” in parentheses after their IP address, while on the working systems it just lists the IP address as usual (this is probably an artifact of Vista vs XP however, and may or may not be meaningful).

The machines that work seem to work pretty much from the get go, either configured manually or using the .PCF file from the client profile. The ones that don’t work are the same…regardless of whether they are configured from scratch or using an imported .PCF file they simply don’t work correctly. They attach fine and can ping anything on the VPN VLAN, but can’t seem to get out of that VLAN to the full network.

Any thoughts?

-XT

I’m not a network or Cisco guy, but I did stay in a Holiday Inn Express last night.

Actually, no, but I work in an IT department as a database administrator. This is a complete stab in the dark, but I recall until very recently, Cisco’s VPN client was not functional on 64 bit Operating Systems. If you have the latest version of the client, it should no longer be a problem, but I thought I’d offer that up, in case your folks were running 64 Bit Vista.

I’m not a Cisco guy either, but I’ve worked with Cisco VPNs. Are the clients all in the same DHCP scope? Have you verified that the default router IP address supplied by DHCP is actually routing for those IP addresses?

Thanks for the replies…sorry it took so long to get back to you guys. I’ve been flying this weekend so have been mostly out of touch.

Yes, you are right…CISCO doesn’t have a 64-bit version for the Vista/Windows 7 (or XP 64-bit either for that matter) OS. Both machines are 32-bit OSes though…ironically, one of the working machines is a 64-bit Windows 7 machine, but it’s using a 3rd party VPN client.

Yes, all in the same DHCP scope…and on the same VLAN for that matter.

Well, the default gateway thing is kind of strange actually. On the working machines, the DGW seems to be set to the workstation’s DHCP address for some reason. On the non-working machines the DGW is actually correctly set to the gateway. I was told by a friend of mine that in VPN the gateway isn’t all that important for the client, since supposedly it knows how to get back to the firewall, and that’s all it really needs. She mentioned that she’s seen gateways set to 0.0.0.0 0.0.0.0 and still function perfectly well.

It is one of the weird things happening though. I’m going to be going out to the site tomorrow and will look at it directly (though I was VPNed into their system myself over the weekend and part of last week), so if anyone has any suggestions of things to try I’m all ears.

-XT

And all of them fail. This bears further investigation.

So the traffic is going via your normal gateway, which has not been set to block traffic outside its normal area.

Umm…

It seems like your VPN gateway is set not to route. This is Not Good. And I think the wider network might bear some inspection. But I’m not a networking specialist.

Either I’m explaining this poorly or you aren’t following me here. Not all of them fail…in fact, nearly all of them work. So far, of the 30 machines tried, 3 have failed. All the machines, whether they work or not, are on the same VLAN with the same addressing. The machines that work can see their own VLAN plus all the rest of the network. The ones that are failing see only their own VLAN…nothing else.

Is that clearer?

The entire VLAN (and thus all the VPN users) is using the same access-lists. To answer your question, no…they aren’t being blocked from accessing the network in any way. This particular customer uses authentication through a RADIUS server (plus encryption certificates of course) to provide security for their VPN users…it’s felt that VPN users are already trusted users of the network, since only employees are allowed VPN accounts.

The VPN gateway is the core switch (layer 3), and the VPN VLAN is in the AS for their EIGRP routing. Besides…it’s working for all but 3 machines, so I’m pretty sure it’s not a routing issue. If it was working for none of them, that would be different.

Heck, if it was easy, I’d have solved it Friday. :wink:

-XT

Probably the latter. I’m not a networking guy.