[Config] VPN issues in Cisco

[Config] VPN issues in Cisco http://www.dslreports.com/forum/r20421061 en Thu, 04 Dec 2008 16:05:56 EDT Thu, 04 Dec 2008 16:05:56 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20424220 DocLarge : Leathal,

every forum you go to, it's the same s**t, dude. You have a problem you can't figure out, then you criticize the folks who can't fix the problem you came looking for help with. The lacking of intelligence isn't within this forum, moreso, the person asking for help...

A majority of us in this forum are Cisco certified, and I can think of a few people who "could" help you but most likely won't bother now because they are "intelligent" enough (by reading your commentary) not deal with your attitude.

Oh, as TomS would say, "looks like you've got homework!" :)

Jay]]> http://www.dslreports.com/forum/remark,20424220 Fri, 02 May 2008 23:54:25 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20423839 elnino : Like I said before, in my experience, it has never been a problem with our Cisco PIX or VPN Concentrator, it was always a problem with the connection at the client's home. In some cases, the cable modems themselves had firewalls built in that were also blocking ports.

Let's try some troubleshooting questions.... Is it always the same people that have problems with VPN? Have you "problem" laptops from a known "good" internet connection? Are they plugging into home routers or directly into the cable modem? Do they have firewalls active and if so, what ports are open? Are IPSec (protocol 50), UDP 500, UDP 4500 and UDP 10000 open on your users' home routers/firewalls?

-Brandon]]> http://www.dslreports.com/forum/remark,20423839 Fri, 02 May 2008 22:19:37 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20422981 tubbynet : Just a friendly reminder:

These forums are NOT tech support. It is a support community where volunteers come together to paruse and solve problems. It is NOT assistance whenever you need it. If someone can help you, they will try their best. elnino

gave you an answer that solved his problem based on his experience. There is no reason to insult him.

If you needed it immediately, you could have called TAC as soon as the problem manifested itself. There is a lot of "intelligence" here, we just aren't paid to provide support to end users.]]> http://www.dslreports.com/forum/remark,20422981 Fri, 02 May 2008 19:06:26 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20422907 Leathal :

said by elnino

:

Generally speaking, the problem is either with their home router or ISP. The home router isn't IPSEC passthru compatible or isn't passing NAT-T. I get a call like this every couple months. I go back and check the logs and on our VPN Concentrator there is no traffic received but there is traffic sent. Normally when I have them plug directly into their cable modem, it works. Once behind their router, it stops working.

I guess we'll have to phone Cisco and speak to someone with some intelligence as it's obvious I came to the wrong place again... (sigh)

Leathal]]> http://www.dslreports.com/forum/remark,20422907 Fri, 02 May 2008 18:50:31 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20422367 elnino : Generally speaking, the problem is either with their home router or ISP. The home router isn't IPSEC passthru compatible or isn't passing NAT-T. I get a call like this every couple months. I go back and check the logs and on our VPN Concentrator there is no traffic received but there is traffic sent. Normally when I have them plug directly into their cable modem, it works. Once behind their router, it stops working.]]> http://www.dslreports.com/forum/remark,20422367 Fri, 02 May 2008 16:51:06 EDT Re: [Config] VPN issues http://www.dslreports.com/forum/remark,20421834 aryoba :

said by Leathal

:

We have not been able to figure out how to make the VPN stable and have thought about putting something like Checkpoint or ISA server to replace the VPN.

Replace PIX with other product like Checkpoint or ISA may not solve the problem, without understanding thoroughly the problem cause.]]> http://www.dslreports.com/forum/remark,20421834 Fri, 02 May 2008 15:01:38 EDT [Config] VPN issues http://www.dslreports.com/forum/remark,20421061 Leathal : We have PIX 515e's UR/FO

We use "vpnclient-win-msi-5.0.02.0090-k9.exe" on the clients.

When we login from different internet providers, the ones at the office or ones at peoples homes 50% of them the PIX conneds to the LAN and the 50% of the time it doesn't. So in the statistics info you see everything normally except the Packets Decrypted is 0, and the bytes recieved is also 0, but sent byes are counting up, and ther rest of the packets are moving up as well.

Here is a copy of the config. We have not been able to figure out how to make the VPN stable and have thought about putting something like Checkpoint or ISA server to replace the VPN. If you see anything wrong with the config that would effect the VPN please let me know... Thanks.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map OUTSIDE_DYN_MAP 20 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 30 match address S2SVPN
crypto map OUTSIDE_MAP 30 set peer
crypto map OUTSIDE_MAP 30 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.75.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.75.0 255.255.255.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 192.168.75.2 192.168.75.15
vpn-idle-timeout 20
password-storage enable
default-domain value fcproduction.local
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted
username password encrypted privilege 15
username password encrypted
username password encrypted
username password encrypted
tunnel-group Users2VPN type remote-access
tunnel-group Users2VPN general-attributes
address-pool ippool1
default-group-policy clientgroup
tunnel-group Users2VPN ipsec-attributes
pre-shared-key *
tunnel-group 208.124.189.155 type ipsec-l2l
tunnel-group 208.124.189.155 ipsec-attributes
pre-shared-key *
!
class-map class_ftp
match port tcp eq ftp-data
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ftp
inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:]]> http://www.dslreports.com/forum/remark,20421061 Fri, 02 May 2008 12:18:42 EDT