Posted on 01/16/2009 6:30:08 PM PST by KoRn
Hello all. I recently purchased a Cisco ASA 5510 (Adaptive Security Appliance) to handle all of our Site To Site and Remote Access VPN connections at work. The unit is licensed for 250 concurrent IPsec tunnels, so I know licensing isn't a limitation. I have the unit up and running, but we have encountered an issue with our remote access clients...
Our remote access users are running the Cisco VPN Client v5.0.022. When multiple users connect from a REMOTE site, from behind a single public internet address, only one of them can successfully pass traffic into our internal network through the VPN tunnel.
All of the users can connect to the VPN, so this means that Phase 1 and Phase 2 of the IPsec session are working. But only one can send and receive packets. We tried this from multiple sites, using different Tunnel Groups and users. At one site we even connected using two different Tunnel Groups. One of the clients could connect and access the network without issue, while the other could connect, but couldn't access anything.
I believe there is some issue with how our ASA is seeing a single peer address and handling the multiple IPSEC sessions from that address. During our troubleshooting, we connected from two different public IPs using the same Tunnel Group, and both connections passed traffic perfectly. We have isolated this down to some kind of problem with multiple VPN clients behind a single public address.
I just wanted to post it here to see if anyone else might have encountered a similar situation.
PS: We have had multiple clients from many different sites connecting to our Cisco VPN Concentrator for years, so we know for certain the problem isn't at all likely to be on the remote side of the connection.
Thanks for your time if you have any advice.
Cisco help ping!!
Are the remote users behind a linksys firewall?
"CSCdv62613
When you have multiple VPN Client connections behind a Linksys Cable/DSL router, the following problem can occur. Due to a Linksys problem with firmware versions 1.39 and 1.40.1, making multiple VPN Client connections with the feature "Allow IPSec over UDP" (transparent tunneling) enabled may cause data transfer problems.
Allow IPSec over UDP is a VPN Client feature that allows ESP packets to be encapsulated in UDP packets so they traverse firewall and NAT/PAT devices. Some or all of the clients may not be able to send data. This is due to a Linksys port mapping problem, that Linksys has been notified of."
I haven't yet, but I have an aging PIX 515E at work that I plan to replace with an ASA 5510 soon, and I suspect I'll encounter a number of similar situations...
Thanks for posting this question. Even though I can't help you on this one from past experience, you've already helped me by making me think about this.
I'll look around and see if I can find anything helpful.
Also thanks to ShadowAce for pinging the tech list...
We are in a similar situation, except we used a Cisco Concentrator for our VPN connections. We also have a PIX 515 for our internet usage. We have two different internet pipes, one for internet use and the other for remote access. We had a new 20MB fiber line installed, and decided to use it for our remote access users (and internet for the IT department... hehe). I HIGHLY recommend the ASA. Even though we ran into this issue, it is a SUPER perimeter security device. We just ran into this snag, but I'm SURE we will overcome it. If I don't get it resolved by Monday morning, I'm going to call Cisco and have one of their CCIE 'Jedi' network guys get involved. I could have called them today because we have an agreement with them, but like all men, I'll sustain great stress, pain, and suffering before calling for help or asking for directions. lol
For some reason, Cisco products have always kind of reminded me of Unix.
A huge pain to get configured at times, but, once configured, you tend to forget about them, because they just work.
Anyway, good luck with this, sounds like an interesting if somewhat frustrating problem.
In my own tech world, I just got done fighting with Backup Exec, because it decided to go from 122 MB/min throughput to 1 MB/min throughput when backing up.
There was no apparent reason for the problem to occur, and what seems to have resolved the issue was upping the sync rate on the SCSI controller. I upped it to the maximum, versus what the tape drive manufacturer said it should be. Uggh.
I may be wrong, but you can't NAT VPN traffic. It's possible, but it's a very, very problematic setup. Better not to do it at the client level.
We do Lan2Lan (Site To Site) VPN tunnels with all of the sites that are directly affiliated with us (under our ownership). Yet those are a minority. We have so many other remote offices that are not managed by us that use the VPN client to access our network. We HAVE to have the ability for those users to be able to access our network using multiple clients. Nearly all of them don't have a perimeter device capable of handling a site to site tunnel. If all else fails, we can always take the Cisco VPN Concentrator from our old WAN connection all of them currently use, and throw it on our new one. Just configure it, and change the peer addresses on all of the tunnels and we are good to go (this was my initial suggestion, but my director enjoys stressing me). That would be too easy though... and we bought the new ASA for our new WAN connection, so we hope to use it for our remotes.
I was able to get it working! I had to enable IPsec over NAT-T, open inbound UDP 4500, and enable and set an IPsec Prefragmentation Policy.
Thanks to you all for chiming in.
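As an added illustration (not part of the original thread, and not Cisco's code), the toy model below shows the mechanism behind the symptom described in the opening post and the fix reported above: several clients behind one PAT address all complete IKE, but raw ESP (IP protocol 50) carries no port numbers, so a plain PAT device can only map it back to one inside host; wrapping ESP in UDP/4500 (NAT-T, the "IPsec over UDP" encapsulation quoted in the CSCdv62613 note) gives each client its own translated port. The UDP/4500 payload layout (four-zero-byte non-ESP marker before IKE, single 0xFF byte for keepalives, bare ESP header otherwise) follows RFC 3948; the PatRouter class, the client and appliance addresses and the packet contents are constructed for the demo, and the model deliberately assumes a PAT device with no vendor "IPsec passthrough" heuristics.

```python
"""
Toy model: why several VPN clients behind one PAT address can all finish
IKE yet only one of them passes ESP, and why UDP encapsulation (NAT-T on
UDP/4500) fixes it. Added example, not code from the original thread.
Packet layout per RFC 3948; all addresses and packets are constructed.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive


def classify_udp4500_payload(payload: bytes) -> str:
    """Classify a UDP/4500 payload as 'keepalive', 'ike', 'esp' or 'invalid'."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 8:  # ESP needs at least SPI (4) + sequence number (4)
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"  # anything else starts with a non-zero SPI


def udp_encap_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Build the ESP header (SPI, sequence) followed by an already-encrypted body."""
    return struct.pack("!II", spi, seq) + body


class PatRouter:
    """Constructed PAT device with one public address. Raw ESP has no ports,
    so only one inside host can own the protocol-50 mapping (assumption:
    no vendor 'IPsec passthrough' SPI-tracking heuristics)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.port_map = {}   # public port -> (inside ip, inside port)
        self.port_rev = {}   # (inside ip, inside port) -> public port
        self.esp_owner = None
        self.next_port = 40000

    def outbound(self, inside_ip: str, pkt: dict) -> dict:
        """Translate inside->outside; returns the packet as the appliance sees it."""
        out = dict(pkt, src=self.public_ip)
        if pkt["proto"] == "esp":
            if self.esp_owner is None:  # first ESP sender wins the only mapping
                self.esp_owner = inside_ip
            return out
        key = (inside_ip, pkt["sport"])
        if key not in self.port_rev:     # allocate a distinct public port per client
            self.port_rev[key] = self.next_port
            self.port_map[self.next_port] = key
            self.next_port += 1
        out["sport"] = self.port_rev[key]
        return out

    def inbound(self, pkt: dict):
        """Map outside->inside; returns the inside host or None."""
        if pkt["proto"] == "esp":
            return self.esp_owner
        entry = self.port_map.get(pkt["dport"])
        return entry[0] if entry else None


def simulate(clients, nat_traversal: bool) -> dict:
    """Each client sends one ESP packet; the appliance replies to whatever
    source it saw. Returns {client: True if the reply reached that client}."""
    nat = PatRouter("203.0.113.10")   # RFC 5737 documentation addresses
    asa_ip = "198.51.100.1"
    got_reply = {}
    for i, client in enumerate(clients):
        payload = udp_encap_esp(0x1000 + i, 1, b"\x00" * 16)
        if nat_traversal:
            pkt = {"proto": "udp", "sport": NAT_T_PORT, "dport": NAT_T_PORT,
                   "dst": asa_ip, "payload": payload}
        else:
            pkt = {"proto": "esp", "dst": asa_ip, "payload": payload}
        seen = nat.outbound(client, pkt)
        if seen["proto"] == "udp":   # appliance demultiplexes on (address, port)
            assert classify_udp4500_payload(seen["payload"]) == "esp"
            reply = {"proto": "udp", "dst": seen["src"], "dport": seen["sport"],
                     "sport": NAT_T_PORT}
        else:                        # raw ESP: only the address is available
            reply = {"proto": "esp", "dst": seen["src"]}
        got_reply[client] = nat.inbound(reply) == client
    return got_reply


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    print("raw ESP:", simulate(hosts, nat_traversal=False))
    print("NAT-T  :", simulate(hosts, nat_traversal=True))
```

Running it shows the thread's symptom in miniature: with raw ESP only the first client's replies come back through the PAT device, while with UDP/4500 every client gets its own translated port and all of them pass traffic. On the appliance side this is also why inbound UDP 4500 has to be reachable, and why the classifier has to tolerate the one-byte keepalive and the non-ESP marker rather than treating every UDP/4500 datagram as ESP.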
For some reason, Cisco products have always kind of reminded me of Unix.
Probably not by accident either - there is a strong unix culture within Cisco.
Congrats and thanks for the information.
So, how much time did you spend banging away at the problem?
I ask, because I know I’ve lost track of time when dealing with these kinds of issues.
The problem first became apparent mid-day yesterday. I went a few rounds with it for a couple of hours, then involved a colleague. He pretty much checked everything that I had already, but sometimes something easy can get overlooked. Both of us were perplexed for the rest of the afternoon. It was one of those problems that 'went home with me', I couldn't get it out of my mind, which is why I posted about it here.
This morning I woke up, and got to thinking about NAT and tunnels. I remoted in to the appliance from home and found what I was looking for in the 'help'(?) for the IPsec and NAT contexts of the IOS. 10 minutes later, I had it working, and tested it from home using 3 computers all logged in and passing traffic.
After it was all said and done, I'd say I was beating my head against the wall for around a half day (5 hours). In a way, I'm glad I ran into the issue and solved it. It was a good learning experience.
Good job, I’m impressed. (Hopefully, you’ll hear the same from someone who counts, like your boss)
Also, thanks for the “file under future reference” information.
This is one of the things the 9 to 5 people don’t appreciate about our job; the willingness, on our part, to work from home, after hours, solving this kind of issue.