  Leathal Premium join:2002-02-09 Toronto, ON
| [Config] VPN issues
We have PIX 515e's UR/FO
We use "vpnclient-win-msi-5.0.02.0090-k9.exe" on the clients.
When we log in from different internet providers, the ones at the office or ones at people's homes, 50% of the time the PIX connects to the LAN and 50% of the time it doesn't. So in the statistics info you see everything normally except the Packets Decrypted is 0, and the bytes received is also 0, but sent bytes are counting up, and the rest of the packets are moving up as well.
Here is a copy of the config. We have not been able to figure out how to make the VPN stable and have thought about putting something like Checkpoint or ISA server to replace the VPN. If you see anything wrong with the config that would affect the VPN please let me know... Thanks.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map OUTSIDE_DYN_MAP 20 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 30 match address S2SVPN
crypto map OUTSIDE_MAP 30 set peer
crypto map OUTSIDE_MAP 30 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.75.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.75.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 192.168.75.2 192.168.75.15
 vpn-idle-timeout 20
 password-storage enable
 default-domain value fcproduction.local
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted privilege 15
username password encrypted
username password encrypted
username password encrypted
tunnel-group Users2VPN type remote-access
tunnel-group Users2VPN general-attributes
 address-pool ippool1
 default-group-policy clientgroup
tunnel-group Users2VPN ipsec-attributes
 pre-shared-key *
tunnel-group 208.124.189.155 type ipsec-l2l
tunnel-group 208.124.189.155 ipsec-attributes
 pre-shared-key *
!
class-map class_ftp
 match port tcp eq ftp-data
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: |
|
 aryoba Premium,MVM join:2002-08-22
| said by Leathal :We have not been able to figure out how to make the VPN stable and have thought about putting something like Checkpoint or ISA server to replace the VPN. Replacing the PIX with another product like Checkpoint or ISA may not solve the problem without thoroughly understanding the problem's cause. |
|
 elnino
join:2006-08-27 Akron, OH
| reply to Leathal Generally speaking, the problem is either with their home router or ISP. The home router isn't IPSEC passthru compatible or isn't passing NAT-T. I get a call like this every couple months. I go back and check the logs and on our VPN Concentrator there is no traffic received but there is traffic sent. Normally when I have them plug directly into their cable modem, it works. Once behind their router, it stops working. |
|
  Leathal Premium join:2002-02-09 Toronto, ON
| said by elnino :Generally speaking, the problem is either with their home router or ISP. The home router isn't IPSEC passthru compatible or isn't passing NAT-T. I get a call like this every couple months. I go back and check the logs and on our VPN Concentrator there is no traffic received but there is traffic sent. Normally when I have them plug directly into their cable modem, it works. Once behind their router, it stops working. I guess we'll have to phone Cisco and speak to someone with some intelligence as it's obvious I came to the wrong place again... (sigh)
Leathal |
|
  tubbynet Just a green in a sea of blue and red Premium join:2008-01-16 Mesa, AZ
| Just a friendly reminder:
These forums are NOT tech support. It is a support community where volunteers come together to peruse and solve problems. It is NOT assistance whenever you need it. If someone can help you, they will try their best. elnino gave you an answer that solved his problem based on his experience. There is no reason to insult him.
If you needed it immediately, you could have called TAC as soon as the problem manifested itself. There is a lot of "intelligence" here, we just aren't paid to provide support to end users. |
|
 elnino
join:2006-08-27 Akron, OH
| reply to Leathal Like I said before, in my experience, it has never been a problem with our Cisco PIX or VPN Concentrator, it was always a problem with the connection at the client's home. In some cases, the cable modems themselves had firewalls built in that were also blocking ports.
Let's try some troubleshooting questions... Is it always the same people that have problems with VPN? Have you tried the "problem" laptops from a known "good" internet connection? Are they plugging into home routers or directly into the cable modem? Do they have firewalls active and if so, what ports are open? Are IPSec (protocol 50), UDP 500, UDP 4500 and UDP 10000 open on your users' home routers/firewalls?
-Brandon |
|
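The checks Brandon lists, applied to the config Leathal posted at the top of the thread: this is an added example from the editor, not code posted by anyone in the thread. It assumes the usual PIX/ASA convention of indenting sub-commands with a leading space; the Finding class, parse_blocks(), audit() and client_path_requirements() are the example's own names, and SAMPLE_CONFIG is a constructed excerpt that reproduces only the relevant lines of the posted config.

```python
"""Audit a PIX/ASA-style running config for the settings that bear on a
remote-access IPsec VPN that negotiates but never decrypts anything.

Added example for this thread, not code from any poster. SAMPLE_CONFIG is a
constructed excerpt of the config posted above; the rest is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: the lines of the posted config that matter here.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.75.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.75.0 255.255.255.0 inside
ssh version 1
group-policy clientgroup attributes
 password-storage enable
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # top-level config line that triggered the finding
    reason: str


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (top-level command, [sub-commands]) pairs.
    Sub-commands are the lines indented with a leading space; '!' separators
    and blank lines are skipped."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list[Finding]:
    """Return the findings a reviewer would raise against this config."""
    findings: list[Finding] = []
    for cmd, subs in parse_blocks(config):
        # NAT-T off: a client behind a NAT router cannot switch to UDP/4500,
        # so raw ESP (IP protocol 50) has to survive the home router. IKE still
        # completes, which is why the sent counters move and decrypted stays 0.
        if cmd == "no crypto isakmp nat-traversal":
            findings.append(Finding("high", cmd,
                "NAT-T disabled: clients behind NAT depend on ESP passthrough"))
        # IKE policies offering DES, MD5 or DH group 1.
        m = re.match(r"crypto isakmp policy (\d+)$", cmd)
        if m:
            weak = [s for s in subs if s in ("encryption des", "hash md5", "group 1")]
            if weak:
                findings.append(Finding("medium", cmd,
                    f"policy {m.group(1)} offers weak IKE parameters: {', '.join(weak)}"))
        # Management plane reachable from the whole Internet, and SSHv1.
        if re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", cmd):
            findings.append(Finding("high", cmd,
                "SSH management open to any outside address"))
        if cmd == "ssh version 1":
            findings.append(Finding("medium", cmd,
                "SSH protocol version 1 in use; version 2 is the safe choice"))
        if cmd.startswith("telnet ") and cmd.endswith(" inside"):
            findings.append(Finding("info", cmd,
                "cleartext telnet management enabled on the inside interface"))
        # Client is allowed to cache the user's password on disk.
        if cmd.startswith("group-policy ") and "password-storage enable" in subs:
            findings.append(Finding("info", cmd,
                "VPN client permitted to store the user password locally"))
    return findings


def client_path_requirements(config: str) -> dict[str, bool]:
    """What a user's home router must let through, given this config.
    UDP/500 is always needed for IKE; without NAT-T the data path is raw ESP,
    with NAT-T a client behind NAT moves to UDP/4500 instead."""
    natt_enabled = not any(cmd == "no crypto isakmp nat-traversal"
                           for cmd, _ in parse_blocks(config))
    return {
        "udp_500_ike": True,
        "esp_protocol_50_passthrough": not natt_enabled,
        "udp_4500_nat_t": natt_enabled,
    }


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}: {f.reason}")
    print(client_path_requirements(SAMPLE_CONFIG))
```

Run against the excerpt, the audit flags `no crypto isakmp nat-traversal`, which is the one setting that decides whether a client behind a home NAT router can finish the tunnel, next to the management-plane items (SSH open to the whole outside, SSH version 1) and the DES/MD5/group 1 IKE policy. Removing the `no crypto isakmp nat-traversal` line flips the path requirements from "ESP must pass the home router" to "UDP/4500 must pass", which is the difference Brandon's port list is probing for.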
 DocLarge Premium join:2004-09-08 England
| reply to Leathal Leathal,
every forum you go to, it's the same s**t, dude. You have a problem you can't figure out, then you criticize the folks who can't fix the problem you came looking for help with. The lack of intelligence isn't within this forum; moreso, it's the person asking for help...
A majority of us in this forum are Cisco certified, and I can think of a few people who "could" help you but most likely won't bother now because they are "intelligent" enough (by reading your commentary) not to deal with your attitude.
Oh, as TomS would say, "looks like you've got homework!" 
Jay |
|