Our remote access users are running the Cisco VPN Client v5.0.022. When multiple users connect from a REMOTE site, from behind a single public internet address, only one of them can successfully pass traffic into our internal network through the VPN tunnel.
All of the users can connect to the VPN, so this means that PHASE1 and PHASE2 of the IPSEC session are working. But only one can send and receive packets. We tried this from multiple sites, using different Tunnel Groups and users. At one site we even connected using two different Tunnel Groups. One of the clients could connect and access the network without issue, while the other could connect, but couldn't access anything.
I believe there is some issue with how our ASA is seeing a single peer address and handling the multiple IPSEC sessions from that address. During our troubleshooting, we connected from two different public IPs using the same Tunnel Group, and both connections passed traffic perfectly. We have isolated this down to some kind of problem with multiple VPN clients behind a single public address.
I just wanted to post it here to see if anyone else might have encountered a similar situation.
PS: We have had multiple clients from many different sites connecting to our Cisco VPN Concentrator for years, so we know for certain the problem isn't at all likely to be on the remote side of the connection.
Thanks for your time if you have any advice.
Cisco help ping!!
I haven't yet, but I have an aging PIX 515E at work that I plan to replace with an ASA 5510 soon, and I suspect I'll encounter a number of similar situations...
Thanks for posting this question. Even though I can't help you on this one from past experience, you've already helped me by making me think about this.
I'll look around and see if I can find anything helpful.
Also thanks to ShadowAce for pinging the tech list...
I may be wrong but you can't NAT VPN traffic. It's possible but it's a very, very problematic setup. Better not to do it at the client level.