Cisco VPN problems

I've got a Cisco VPN client on a user's PC (ver 3.6)

There are 2 Profiles (one for the UK and one for the head office in Japan)

The profile to Japan tunnels over TCP
Using a 3G data card it connects and traffic flows without issue

The profile to the UK office tunnels over UDP
Using a 3G data card it connects, but no traffic will flow
Using a wireless LAN connection it connects and traffic flows


What happens when connected using a 3G data card using the UK profile is that the packets returning all seem to get bypassed.

Any suggestions?

Thanks in advance

Wyv
 
Could be something to do with UDP over the 3G card; off the top of my head it doesn't sound like a specific issue with the client. Can you tunnel to the UK office over TCP as well? Other than that, who's responsible for the endpoints (I assume a PIX)? They should be able to debug it, which will help a lot.
 
When you right-click the padlock and hit statistics, what do you see? Are packets being encapsulated and decapsulated? What is listed in route details? Does this match your UK networks?
 
What is the logging on the client showing you? You will probably have to turn up the logging levels to debug to get any useful information. Look at the IPsec and authentication levels in particular. The head office network guys will probably ask for a copy of the logs anyway to help them debug the problem.

The UDP transport option is normally used to allow VPN access from behind a NAT device. It could be that your mobile provider is blocking UDP port 500 to stop people using the data card for VPN connections. Sounds a bit odd to me, but it is a possibility.

As others have suggested, create a version of the UK profile using TCP and see if that works.
 
Thanks for the replies so far,

I'll set logging on the PIX (506e) and force it over TCP at some point tomorrow (I don't have access to the machine as the user in question uses it most of the time, even though he is in the office)

Packets sent are encrypted; packets returning are bypassed or discarded.

It was working a couple of days ago, so I doubt Vodafone have put restrictions on UDP 500 for no reason over the last few days, but I'll check.

It does acquire the correct IP/DNS settings for the VPN tunnel, and I've reduced the MTU to 576 for dial-up connections.
 