VPN internet issue.

Hello Experts.
I want to connect an RA VPN from a different location (not site to site) and need to share files by putting everything under one network.
I have installed the VPN in a remote location, and when I try to connect using the Cisco VPN client, my internet automatically disconnects. I was trying to fix it with split tunneling, and I installed a RADIUS server. Actually, I messed up everything. My configuration is pasted below. Please go through the configuration and check what stupid things I have done in it. I want to get the internet from the remote location, not from local. I have given demo IPs for the location.
This is the diagram. 
My Configuration
Building configuration...
Current configuration : 3147 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Test-VPN
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 $1$F1NSDS@#M$lK5HoK1ekziowNPFLjhKV1
enable password 7 1533180F0234321243F212B3B647040
aaa new-model
aaa authentication login AUTHEN group radius local
aaa authentication login RAS-Users group radius local
aaa authorization network AUTHOR local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name www.domain.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
username administrator password 7 12346568845678767545
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group GROUP
key Cisco123
dns 6.6.6.6
wins 7.7.7.7
domain www.domain.net
pool POOL
acl SPLIT-TUNNEL
include-local-lan
netmask 255.255.255.0
crypto isakmp profile ISAPRO
   match identity group GROUP
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto ipsec profile IPSECPRO
set security-association idle-time 120
set transform-set SET
crypto dynamic-map DYNAMICMAP 10
set transform-set SET
reverse-route
crypto map MAP client authentication list NOCAUTHEN
crypto map MAP isakmp authorization list NOCAUTHOR
crypto map MAP client configuration address respond
crypto map MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
archive
log config
  hidekeys
interface Loopback0
no ip address
interface FastEthernet0/0
ip address 88.88.88.88 255.255.0.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map MAP
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Virtual-Template1 type tunnel
description Remote access tunnel interface
ip unnumbered FastEthernet0/0
no ip redirects
no ip unreachables
ip flow ingress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
ip local pool POOL 192.168.1.1 192.168.1.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <gateway ip>
ip route 192.168.1.0 255.255.255.0 <gateway ip>
no ip http server
no ip http secure-server
ip access-list extended SPLIT-TUNNEL
remark RA Split Tunnel VPN ACL
permit ip any 88.88.88.0 0.0.0.255
ip radius source-interface FastEthernet0/0
route-map VPN-Client permit 10
match ip address 144
set ip next-hop <gateway ip>
radius-server host 5.5.5.5 auth-port 1645 acct-port 1646 key 7 096D5D0A1C0B03170804557878
control-plane
line con 0
password 7 083B454342D400339544541
line aux 0
line vty 0 4
password 7 1113100B1DJHJ5568325A5E57
scheduler allocate 20000 1000
end
Sorry for changing the real IPs; hope you can understand the security issue.
What routing and ACLs should I do with these IPs to access the internet through my VPN client?
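Before touching routing, it is worth doing a mechanical pass over a config like this for names that are referenced in one place but never declared in another (and declarations nothing points at). The script below is an added example, not part of the post; it runs over a constructed excerpt of the config above (declaration and reference lines only, secrets removed) and reports both kinds of mismatch. The name `default` is the implicit method list, so it is not flagged. The script only shows where the config disagrees with itself; whether a given finding is what breaks the tunnel is an IOS question it does not answer.

```python
import re
from collections import defaultdict

# Constructed excerpt of the IOS config from the post above: only lines that
# declare or reference a named object are kept, and secrets are omitted.
SAMPLE_CONFIG = """\
aaa authentication login AUTHEN group radius local
aaa authentication login RAS-Users group radius local
aaa authorization network AUTHOR local
crypto isakmp client configuration group GROUP
 pool POOL
 acl SPLIT-TUNNEL
crypto isakmp profile ISAPRO
   match identity group GROUP
   client authentication list default
   isakmp authorization list default
   virtual-template 1
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto ipsec profile IPSECPRO
 set transform-set SET
crypto dynamic-map DYNAMICMAP 10
 set transform-set SET
crypto map MAP client authentication list NOCAUTHEN
crypto map MAP isakmp authorization list NOCAUTHOR
crypto map MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
interface FastEthernet0/0
 ip policy route-map VPN-Client
 crypto map MAP
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
ip local pool POOL 192.168.1.1 192.168.1.15
ip access-list extended SPLIT-TUNNEL
route-map VPN-Client permit 10
 match ip address 144
"""

# Lines that declare a named object, keyed by kind (anchored at column 0).
DEFINITIONS = [
    ("authn_list", re.compile(r"^aaa authentication login (\S+)")),
    ("authz_list", re.compile(r"^aaa authorization network (\S+)")),
    ("isakmp_group", re.compile(r"^crypto isakmp client configuration group (\S+)")),
    ("transform_set", re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("ipsec_profile", re.compile(r"^crypto ipsec profile (\S+)")),
    ("dynamic_map", re.compile(r"^crypto dynamic-map (\S+) \d+")),
    ("crypto_map", re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")),
    ("virtual_template", re.compile(r"^interface Virtual-Template(\d+)")),
    ("pool", re.compile(r"^ip local pool (\S+)")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("route_map", re.compile(r"^route-map (\S+)")),
]

# Lines that point at a named object. Sub-mode lines are indented, so leading
# whitespace is allowed; a few patterns are searched anywhere in the line.
REFERENCES = [
    ("authn_list", re.compile(r"client authentication list (\S+)\s*$")),
    ("authz_list", re.compile(r"isakmp authorization list (\S+)\s*$")),
    ("isakmp_group", re.compile(r"^\s*match identity group (\S+)")),
    ("pool", re.compile(r"^\s*pool (\S+)")),
    ("acl", re.compile(r"^\s*acl (\S+)")),
    ("acl", re.compile(r"^\s*match ip address (\S+)")),
    ("transform_set", re.compile(r"set transform-set (\S+)")),
    ("ipsec_profile", re.compile(r"tunnel protection ipsec profile (\S+)")),
    ("dynamic_map", re.compile(r"ipsec-isakmp dynamic (\S+)")),
    ("crypto_map", re.compile(r"^\s*crypto map (\S+)\s*$")),
    ("virtual_template", re.compile(r"^\s*virtual-template (\d+)")),
    ("route_map", re.compile(r"^\s*ip policy route-map (\S+)")),
]


def check_config(text):
    """Return names referenced but never defined, and defined but never referenced."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        for kind, rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, rx in REFERENCES:
            m = rx.search(line)
            # "default" is the implicit method list, not a declared name.
            if m and m.group(1) != "default":
                referenced[kind].add(m.group(1))
    unresolved = sorted((k, n) for k, names in referenced.items()
                        for n in names if n not in defined[k])
    unused = sorted((k, n) for k, names in defined.items()
                    for n in names if n not in referenced[k])
    return {"unresolved": unresolved, "unused": unused}


if __name__ == "__main__":
    report = check_config(SAMPLE_CONFIG)
    for kind, name in report["unresolved"]:
        print(f"referenced but never defined: {kind} {name}")
    for kind, name in report["unused"]:
        print(f"defined but never referenced: {kind} {name}")
```

On the excerpt this reports four dangling references (the crypto map's `NOCAUTHEN`, `NOCAUTHOR` and `NOC-DYNAMICMAP`, and ACL `144` used by the route-map) and five unused declarations, including `DYNAMICMAP` and `IPSECPRO`. Adding a pattern to either table is all it takes to cover another object type.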

Hi Folks,
We have an internet link with a site to site VPN connection. We are facing performance issues on this link for the past few days. We analyzed that the internet interface of our router was negotiating with the service provider modem at 10Mbps/half duplex and there were some collisions on the circuit. We asked the provider to hard code the settings to 100Mbps/Full on their modem so that our router will negotiate 100Mbps/full settings. Will it make the performance better now? We have an internet link speed of 768K upload & download.
Please let me know, if more information required.
Mahi
Hi Mahi,
It will give you better performance compared to the 10 Mbps configuration setup, because 10 Mbps/half duplex on one end and 100Mbps/full duplex on the peer end will always end in poor performance and lots of port errors and frame errors in the network. The better recommendation for good performance is that the port, router and modem ports need to be full duplex at 100 Mbps.
And the minimum requirement for a site to site VPN connection is 512Kbits/sec of internet bandwidth at each site.
Hope to help
If helpful do rate the post
Ganesh.H

Similar Messages

  • VPN Speed Issue

    Hi all,
    I am having a VPN speed issue. When I am using the internet and not connected to the VPN, I experience speeds of 25mbps/25, which is what my contract with Verizon calls for. When I connect to the VPN with my laptop, speeds drop to about 3/2 mbps. (I am connected via Ethernet hardwire not wireless)
    I ran Ethernet wire to the Verizon box and then had Verizon activate. Unfortunately this did not solve my problem. Internet is fine until I connect to the VPN.
    I also was able to conduct a test: I connected wireless to an open local network while in the office and then to my work server via the VPN with no noticeable speed issues. This leads me to believe the issue lies with the Actiontec router issued from Verizon?
    I only work remotely 1x per week so have been hobbling along with this problem for the past 3 months since our switch from Comcast. (Speed was fine with Comcast.) It is painful as it causes a 5-10 second lag for each click when navigating folders on the remote server. This means it can take me 5 minutes to pull down one PDF file.
    Is there a suggested solution for this - should I buy another router?
    thanks,
    Steve

    No, usually, you don't have to wait. You do have to log into the router and go in and release the IP, but most of the time this is all you have to do.
    Once in a while it won't release properly, in which case you do have to wait a couple of hours. But most of the time it will release just fine.
    ====================================================================================
    Error exists between keyboard and chair.

  • 10.3.9 Internet issues

    Hi All
    I have been trawling through the forums and still cannot find a solution to my iMac internet issues. I have done a complete format and reinstall of Mac OS X 10.3.9 (to be fair I downloaded the update on another computer and installed via USB stick). Everything works great; I can import into FireWire from a camcorder etc. The AirPort card can see the wireless connection, but when I enter the password it states there is a problem and cannot connect. I have tried everything (to what I can understand anyway), and the main reason for a clean install was to get rid of any possible conflicts that may have been there.
    Everything else can use the internet, including my MacBook (Intel), fine. Someone did suggest once that the DNS settings were not correct, which to be honest I did not understand how to alter; plus, if everything else was OK, why is just this iMac playing up?
    Please can you assist; I just want this to connect so my son can upload his filming to people for his school assignments.
    thank you in advance
    Peter

    Oops!
    Could you specify what iMac you have, the specs of the system & computer, as that may help research or find workable ideas for you to try. This would help in troubleshooting, or in discovering Support articles to link you to in the course of a discussion.
    I just re-read your post and had thought it was for a later Mac + OS X that would not run in PowerPC vintage! (The mention of MacBook threw me off, as did a recent newer OS X upgrade that may run -- in that newer hardware 10.9.3.)
    So you've upgraded a PowerPC iMac G4 to Leopard 10.3.9 and the internet doesn't work? The wireless router may be using a different security protocol than the old AirPort card can support; you may have to test the unit via Ethernet to be sure the computer itself is fully updated. It may go to Apple servers to look for Software Updates.
    The settings for the wireless security may be incorrect, since later WPA2 won't apply to a vintage AirPort card. With a later OS X such as Tiger 10.4(.11) the odds do improve for connectivity to the internet.
    The DNS settings should not be an issue if you can use the internet with a recent version computer and later OS X.
    Not sure how to help, except to try as a test to run without the security you'd really want with the Wi-Fi (WPA2, etc.) turned on, to see if the old iMac can then use it.
    Another issue would be the lack of the correct frequency; a newer Wi-Fi system may not be set to be backward compatible to 802.11a/b, newer ones use 802.11/b/g/n/+. You may check to see if the router has a setting to allow use of a lower or older spec connection.
    •Solutions for connecting to Internet, set up sm Network & troubleshooting:
    http://support.apple.com/kb/HT1714
    •Creating a small ethernet network:
    http://support.apple.com/kb/HT1433
    Panther is a very old OS X and hardly finds any support. There is an area in ASC discussions for 10.3.x & earlier:
    https://discussions.apple.com/community/mac_os/mac_os_x_v10.3_and_earlier
    You may be able to get a download .PDF manual for Panther:
    http://manuals.info.apple.com/en_US/MacOSX10.3_Welcome.pdf
    Or later Tiger, in .PDF from this Manuals support site:
    http://support.apple.com/manuals#macos
    Sorry to not have more info...

  • Macbook pro internet issues

    My computer has been taken in three times for internet issues. Each time they say it is fixed. I have reset my Safari several times, all the internal parts have been checked and are said to be in perfect working order, and I have had the entire profile of my computer wiped clean, having to reinstall everything. Now it is doing this and will stay on this gray screen for up to a half hour, until the box that says Safari has quit working, or the Flash Player plug-in has quit working. Has anyone else had this problem? If so, any help would be great, because I really do not want to take the computer in again only for them to tell me it's fine.

  • Incessant Internet Issues

    Hi there
    It's been a while since I last posted on these forums with an internet issue, but my connection is really messed up. I'll see if I can do the speedtester stuff in between the constant disconnections that I am getting.
    My router stats are at the end of this message. Despite the fact my Downstream speed keeps switching between 6Mbps - 7.9Mbps, I am getting around 1.6Mbps, which I expect. The very high number of errors is telling me that my line is really noisy: my parents have told me that the line, when using the phone, was very noisy when calling other people, which would confirm that theory. 
    I do know that there are some works being done in a plot of land right next to the telephone exchange, and I suspect it's BT adding the fibre broadband exchange in preparation for activating fibre in my area by the end of the year. Is it possible this is causing line issues? I know we've also had really bad weather and I'm suspecting this to be a factor in my connection issues.
    Many thanks for any help I can get.
    Connection Information
    Line state:
    Connected
    Connection time:
    0 days, 00:05:55
    Downstream:
    6.375 Mbps
    Upstream:
    448 Kbps
    ADSL Settings
    VPI/VCI:
    0/38
    Type:
    PPPoA
    Modulation:
    G.992.1 Annex A
    Latency type:
    Interleaved
    Noise margin (Down/Up):
    9.2 dB / 22.0 dB
    Line attenuation (Down/Up):
    7.5 dB / 4.0 dB
    Output power (Down/Up):
    12.0 dBm / 12.3 dBm
    FEC Events (Down/Up):
    9986496 / 638
    CRC Events (Down/Up):
    12054 / 615
    Loss of Framing (Local/Remote):
    0 / 0
    Loss of Signal (Local/Remote):
    0 / 0
    Loss of Power (Local/Remote):
    0 / 0
    HEC Events (Down/Up):
    143872 / 649
    Error Seconds (Local/Remote):
    933 / 604
    YouTube Channel: http://youtube.com/lpsajuuk
    Follow me on Twitter @supersajuuk

    john46 wrote:
    The Infinity upgrade will have no effect on standard broadband services. Are you connected to the test socket? Also, have you tried the quiet line test: dial 17070, option 2; you should hear no noise. Any noise heard needs reporting to BT Faults on 151, with no mention of broadband in the call.
    I'm not connected to test socket, but I doubt that would make a difference to a noisy line ?
    I'll do quiet line test, but my router settings do seem to be indicating the line is noisy. Here's another set of stats from just now.
    ADSL Line Status
    Connection Information
    Line state:
    Connected
    Connection time:
    0 days, 00:26:38
    Downstream:
    6.375 Mbps
    Upstream:
    448 Kbps
    ADSL Settings
    VPI/VCI:
    0/38
    Type:
    PPPoA
    Modulation:
    G.992.1 Annex A
    Latency type:
    Interleaved
    Noise margin (Down/Up):
    12.8 dB / 22.0 dB
    Line attenuation (Down/Up):
    7.5 dB / 4.0 dB
    Output power (Down/Up):
    12.0 dBm / 12.3 dBm
    FEC Events (Down/Up):
    13286918 / 840
    CRC Events (Down/Up):
    16125 / 833
    Loss of Framing (Local/Remote):
    0 / 0
    Loss of Signal (Local/Remote):
    0 / 0
    Loss of Power (Local/Remote):
    0 / 0
    HEC Events (Down/Up):
    221506 / 887
    Error Seconds (Local/Remote):
    1084 / 707
    YouTube Channel: http://youtube.com/lpsajuuk
    Follow me on Twitter @supersajuuk

  • Is July 9 internet issue a problem for Mac Pro users?

    Is the July 9 internet issue a problem for Mac Pro users or has Apple taken care of this issue in updates?

    It is only a problem for users affected by the malware that replaces their DNS IPs on their Macs. They already have a serious problem which they should fix. Follow the URL in sig's post to determine if you are infected and how to remove it.

  • Lots of crazy internet issues

    I seem to be having a massive amount of random internet issues after upgrading to Leopard. The first and most apparent is that Mail and iChat both get randomly disconnected and Mail often insists that it cannot connect to the IMAP server one moment, only to work perfectly again within a minute while no other internet services (Safari, Transmission) are affected.
    Safari has decided that http://news.bbc.co.uk is actually http://www.apple.com. I kid you not. I try and look at BBC news and I am consistently redirected to Apple's website. news.bbc.co.uk/iphone goes to apple.com/iphone. I've never seen anything like it before in my life.
    Mail's RSS feeds seem to randomly disappear. No trace of their existence is left. After switching the 'default RSS reader' preference to Safari and then back to Mail, they re-appear - with all articles unread.
    On the whole, quite a number of confusing bugs.

    So, what happens if you go here: http://212.58.226.73/ ? That's the IP address that news.bbc.co.uk is supposed to point to. I found that by looking in Tiger's Network Utility, as my Leo is still on its way to me. If you want to know what that IP is before going there (a good idea), you can put that in the Lookup tab on Net Util and see what comes back.
    If the IP works, then DNS is hosed somewhere. See what Net Util says news.bbc.co.uk translates to. If it's the number above, it's a Safari thing. If it's Apple (starts with 17 IIRC) then it might be fixable by flushing the DNS cache, though I don't know how to in Leo (shouldn't be hard).
    If you did an upgrade install, you might want to reinstall using Archive and Install.

  • VPN over Internet Issues

    I have a Mac OS X Server with VPN (L2TP and PTP) enabled. I am able to connect to the VPN service from my iMac (I also tried another computer) from within my LAN, but VPN over LAN isn't very useful, of course.
    The problem is, I cannot connect to the VPN by typing in my public IP (with the rest of the settings the same) instead of the private IP. I've enabled port forwarding for UDP 1701, 4500, and 500, and TCP 1723. I also tried making my Mac OS X Server machine (a Mac Mini) a DMZ host, and that didn't work. I turned my router's firewall off, too.
    So if I can connect to my VPN locally but not over the Internet even though I've enabled a DMZ host, which shouldn't fail, some setting must be wrong somewhere. Does anyone know what it could be?
    By the way, the Mini is on WiFi for now (we recently got it and haven't set up a place for it yet).

    Jeff: Sorry to sound inexperienced, but I can't find a VPN or network related log in Console. Which one is it? Anyway, I doubt that it's the connection settings but something with my router. I know all routers are different, but I was wondering if there was some generic problem with VPN and routers. Strangely enough, my other services work on the server (HTTP, AFP, SSH, VNC) by port forwarding. Again, DMZ hosting did NOT solve the problem, so I'm guessing that there's more to do if you want VPN???
    Basically (to anyone), my VPN works fine over the network, so my settings must be correct, and I am almost sure that when I connect over the internet, the request does not even touch my server.
    As for the other reply: I've forwarded the same ports and made my server's IP static like in the thread. The only difference is that DD-WRT firmware. Was that the final solution?
    P.S. My server is temporarily down (due to some nasty irreparable permissions issues) as I reinstall Mac OS X, so I can't really test anything on the server until it's up.
    Message was edited by: Mac OS 9000

  • Cisco ASA 5505 VPN connection issue ("Unable to add route")

    I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
    Setup:
    * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
    * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
    NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
    I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
    First I tried with the built-in ASDM IPSec Wizard, instructions found here.
    VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
    Client logs show following error messages:
    1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.101
    3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
    4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
    7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.100
    9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
    I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
    A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(5)
    hostname AsaDWD
    enable password kLu0SYBETXUJHVHX encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group DW-VPDN
    ip address pppoe setroute
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group DW-VPDN request dialout pppoe
    vpdn group DW-VPDN localname fa******@SKYNET
    vpdn group DW-VPDN ppp authentication pap
    vpdn username fa******@SKYNET password *****
    dhcpd auto_config outside
    dhcpd address 192.168.2.5-192.168.2.36 inside
    dhcpd domain DOMAIN interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DWD internal
    group-policy DWD attributes
    vpn-tunnel-protocol IPSec
    username test password ******* encrypted privilege 0
    username test attributes
    vpn-group-policy DWD
    tunnel-group DWD type remote-access
    tunnel-group DWD general-attributes
    address-pool DWD-VPN-Pool
    default-group-policy DWD
    tunnel-group DWD ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
    : end
    I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
    Following commands have been entered:
    ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
    username *** password ****
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200
    isakmp enable outside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp nat-traversal
    sysopt connection permit-ipsec
    sysopt connection permit-vpn
    group-policy dwdvpn internal
    group-policy dwdvpn attributes
    vpn-tunnel-protocol IPSec
    default-domain value DWD
    tunnel-group dwdvpn type ipsec-ra
    tunnel-group dwdvpn ipsec-attributes
    pre-shared-key ****
    tunnel-group dwdvpn general-attributes
    authentication-server-group LOCAL
    default-group-policy dwdvpn
    Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
    I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
    The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
    Does anyone know what's going on?
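The client log above prints each failed route twice: once as dotted-quad fields under the CVPND `AddRoute failed` line, and once as eight-hex-digit words in the CM `Unable to add route` line. When reading these logs it helps to decode the hex form and confirm both records describe the same route, and to count how often the same destination fails. The script below is an added example, not part of the post or of the Cisco client; it runs over a constructed copy of the two pairs from the log above.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the two AddRoute / Unable-to-add-route pairs copied from
# the Cisco VPN client log in the post above.
SAMPLE_LOG = """\
2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination     192.168.1.255
Netmask     255.255.255.255
Gateway     172.16.1.1
Interface     172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
"""

ADDROUTE_RX = re.compile(r"^AddRoute failed to add a route with metric of (\d+): code (\d+)")
FIELD_RX = re.compile(r"^(Destination|Netmask|Gateway|Interface)\s+(\S+)$")
HEX_RX = re.compile(
    r"Unable to add route\. Network: ([0-9a-fA-F]{8}), Netmask: ([0-9a-fA-F]{8}), "
    r"Interface: ([0-9a-fA-F]{8}), Gateway: ([0-9a-fA-F]{8})"
)


def hex_to_ip(word):
    """Decode an eight-hex-digit IPv4 address as printed in the CM line."""
    return str(IPv4Address(int(word, 16)))


def parse_route_failures(text):
    """Pair each CVPND AddRoute block with the CM line that follows it."""
    events, current = [], None
    for line in text.splitlines():
        m = ADDROUTE_RX.match(line)
        if m:
            current = {"metric": int(m.group(1)), "code": int(m.group(2)), "dotted": {}}
            events.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RX.match(line)
        if m:
            current["dotted"][m.group(1)] = m.group(2)
            continue
        m = HEX_RX.search(line)
        if m:
            # The CM line's "Network" is the route destination.
            keys = ("Destination", "Netmask", "Interface", "Gateway")
            current["hex"] = dict(zip(keys, map(hex_to_ip, m.groups())))
            current["consistent"] = current["hex"] == current["dotted"]
            current = None
    return events


def summarize(events):
    """Count failures per (destination, netmask) so a repeating route stands out."""
    counts = {}
    for e in events:
        key = (e["dotted"].get("Destination"), e["dotted"].get("Netmask"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_route_failures(SAMPLE_LOG)
    for e in found:
        print(f"code {e['code']}: {e['hex']} consistent={e['consistent']}")
    print(summarize(found))
```

On the sample both pairs decode to the same /32 route to 192.168.1.255 via 172.16.1.1, differing only in the client's assigned address (172.16.1.101 then 172.16.1.100), so the summary shows one destination failing twice. The script does not explain the error code; it only makes the two log records comparable.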

    Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
    Please find my renewed config below:
    DWD-ASA(config)# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname DWD-ASA
    enable password ******* encrypted
    passwd ****** encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group DWD
     ip address pppoe setroute
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group DWD request dialout pppoe
    vpdn group DWD localname *****@SKYNET
    vpdn group DWD ppp authentication pap
    vpdn username *****@SKYNET password *****
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.10-192.168.2.40 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy dwdipsec internal
    group-policy dwdipsec attributes
     vpn-tunnel-protocol IPSec
     default-domain value DWDDOM
    username user1 password ***** encrypted privilege 0
    username user1 attributes
     vpn-group-policy dwdipsec
    tunnel-group dwdipsec type remote-access
    tunnel-group dwdipsec general-attributes
     address-pool vpnpool
     default-group-policy dwdipsec
    tunnel-group dwdipsec ipsec-attributes
     pre-shared-key *****
    tunnel-group dwdssl type remote-access
    tunnel-group dwdssl general-attributes
     address-pool vpnpool
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
    : end
    DWD-ASA(config)#

  • ASA 5505 vpn connection issues

    Hello, I am having some issues with getting my VPN connection working on a new site. I get no internet connection when hooking up the ASA. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appreciated; I am not very experienced in configuring the devices.
    hostname ciscoasa
    domain-name .com
    enable password w3iW.W8jLtqmhFnt encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 72.xxx.xx.xx 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
     domain-name .com
    access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
    access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
    access-list OUTSIDEACL extended permit icmp any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/flash
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONATACL
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group OUTSIDEACL in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    http 10.10.10.1 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 13 match address VPNACL
    crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
    crypto map VPNMAP 13 set transform-set ESPDESMD5
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 13
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    telnet 10.10.10.0 255.255.255.0 inside
    telnet 192.1.1.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 192.1.1.6 192.1.1.4
    dhcpd wins 192.1.1.6 192.1.1.4
    dhcpd ping_timeout 750
    dhcpd domain .com
    dhcpd auto_config outside
    dhcpd address 10.10.10.10-10.10.10.40 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 76.xxx.xxx.xx type ipsec-l2l
    tunnel-group 76.xxx.xxx.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 68.xx.xxx.xxx type ipsec-l2l
    tunnel-group 68.xx.xxx.xxx ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:229af8a14b475d91b876176163124158
    : end
    ciscoasa(config)#

    Hello Belnet,
    What do the logs show from the ASA?
    Can you post them?
    Any other question.. Sure.. Just remember to rate all of the community answers.
    Julio

  • ASA 5505 VPN connection issue

    Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the ASA configured and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get an IP assigned from the pool of addresses. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but nowhere else. I have split tunneling enabled. Here is a copy of my config.
    Thanks
    Dave 
    Result of the command: "sh run"
    : Saved
    : Serial Number: *****
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.1(5)21
    hostname Main-ASA
    domain-name *****
    enable password ***** encrypted
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 12
    interface Ethernet0/1
     switchport access vlan 2
    interface Ethernet0/2
     shutdown
    interface Ethernet0/3
     shutdown
    interface Ethernet0/4
     shutdown
    interface Ethernet0/5
     shutdown
    interface Ethernet0/6
     shutdown
    interface Ethernet0/7
     shutdown
    interface Vlan2
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.252
    interface Vlan12
     nameif Outside
     security-level 0
     ip address dhcp setroute
    banner login *************************************
    banner login       Unuathorized access is prohibited !!
    banner login *************************************
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup Outside
    dns server-group DefaultDNS
     domain-name *****
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network VLAN54
     subnet 192.168.54.0 255.255.255.0
     description VLAN 54
    object network Management
     subnet 192.168.80.0 255.255.255.0
     description Management
    object network VLAN51
     subnet 192.168.51.0 255.255.255.0
     description VLAN 51
    object network VLAN52
     subnet 192.168.52.0 255.255.255.0
     description VLAN 52
    object network VLAN53
     subnet 192.168.53.0 255.255.255.0
     description VLAN 53
    object network VLAN55
     subnet 192.168.55.0 255.255.255.0
     description VLAN 55
    object network VLAN56
     subnet 192.168.56.0 255.255.255.0
     description VLAN 56
    object service 443
     service tcp destination eq https
    object service 80
     service tcp destination eq www
    object service 8245
     service tcp destination eq 8245
    object service 25295
     service udp destination eq 25295
     description Blocking 25295
    object network VPN-Connections
     subnet 192.168.59.0 255.255.255.0
     description VPN Connections
    object-group service No-IP
     description no-ip.com DDNS Update
     service-object object 80
     service-object object 8245
     service-object object 443
    access-list inside_access_in remark No-ip DDNS Update
    access-list inside_access_in extended permit object-group No-IP object VLAN51 any
    access-list inside_access_in extended permit ip any any
    access-list VPN standard permit 192.168.0.0 255.255.0.0
    access-list Outside_access_in remark Blocking 25295 to HTPC
    access-list Outside_access_in extended deny object 25295 any object VLAN54
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu Outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,Outside) source dynamic any interface
    access-group inside_access_in in interface inside
    access-group Outside_access_in in interface Outside
    router eigrp 1
     no auto-summary
     network 192.168.0.0 255.255.255.252
     network 192.168.59.0 255.255.255.0
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 192.168.51.1
     server-port 636
     ldap-base-dn cn=users,dc=spicerslocal
     ldap-scope subtree
     ldap-naming-attribute cn
     ldap-login-password *****
     ldap-login-dn cn=users,dc=*****
     sasl-mechanism digest-md5
     ldap-over-ssl enable
     server-type microsoft
    user-identity default-domain LOCAL
    http server enable
    http 192.168.0.0 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 Outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=Main-ASA
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain ASDM_TrustPoint0
     certificate
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable Outside
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    vpn-addr-assign local reuse-delay 5
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl trust-point ASDM_TrustPoint0 Outside
    ssl trust-point ASDM_TrustPoint0 inside
    webvpn
     enable Outside
     anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
     anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
     dns-server value 192.168.51.1 8.8.8.8
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN
     default-domain value *****
     split-dns value 8.8.8.8
    group-policy GroupPolicy_AnyC-SSL-VPN internal
    group-policy GroupPolicy_AnyC-SSL-VPN attributes
     wins-server none
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ikev2 ssl-client
     default-domain value *****
     webvpn
      anyconnect profiles value AnyC-SSL-VPN_client_profile type user
    username Dave password ***** encrypted privilege 15
    username Don password ***** encrypted privilege 15
    tunnel-group AnyC-SSL-VPN type remote-access
    tunnel-group AnyC-SSL-VPN general-attributes
     address-pool AnyC-CPN-Client-Pool
    tunnel-group AnyC-SSL-VPN webvpn-attributes
     group-alias AnyC-SSL-VPN enable
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
    : end

    Hi Dave,
    It seems to be an issue with the NAT, I saw your VPN configuration:
    ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
    tunnel-group AnyC-SSL-VPN type remote-access
    tunnel-group AnyC-SSL-VPN general-attributes
     address-pool AnyC-CPN-Client-Pool
    tunnel-group AnyC-SSL-VPN webvpn-attributes
     group-alias AnyC-SSL-VPN enable
    group-policy DfltGrpPolicy attributes
     dns-server value 192.168.51.1 8.8.8.8
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN
     default-domain value *****
     split-dns value 8.8.8.8
    access-list VPN standard permit 192.168.0.0 255.255.0.0
    You will need to set up a NAT exemption as follows:
    object-group network obj-192.168.59.0-Pool
     network-object 192.168.59.0 255.255.255.0
    object-group network obj-192.168.0.0
     network-object 192.168.0.0 255.255.0.0
    nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
    Please proceed to rate and mark as correct this post, if it helps!
    David Castro,
    Regards,
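    A check for the NAT-exemption point raised in the reply above, as an added example (Python; not code from this thread): it parses constructed config excerpts modelled on the ones posted here and reports whether the client address pool is exempt from NAT, handling both the pre-8.3 `nat (inside) 0 access-list` form and the 8.3+ identity `nat ... source static ... destination static` form. The excerpts, object names and helper functions are assumptions made for this example.

```python
import ipaddress
import re

# Constructed config excerpts modelled on the ones in this thread (not verbatim copies).
# ASA 8.2 style: NAT exemption is "nat (inside) 0 access-list NAME".
ASA82_CFG = """\
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# ASA 9.1 style, as posted: a dynamic PAT rule and no exemption for the client pool.
ASA91_CFG = """\
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
object network VPN-Connections
 subnet 192.168.59.0 255.255.255.0
nat (inside,Outside) source dynamic any interface
"""

# The same config with the identity (twice NAT) exemption suggested in the reply.
ASA91_FIXED_CFG = ASA91_CFG + """\
object-group network obj-192.168.59.0-Pool
 network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
 network-object 192.168.0.0 255.255.0.0
nat (inside,Outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
"""


def _spec(token):
    """Turn an ACL/object address spec ('any' or 'ADDR MASK') into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools


def parse_objects(cfg):
    """Resolve 'object network' / 'object-group network' names to networks (8.3+ syntax)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"^object(?:-group)? network (\S+)", line)
        member = re.match(r"^\s+(?:subnet|network-object) (\S+ \S+)", line)
        if head:
            current = head.group(1)
            objects[current] = []
        elif member and current:
            objects[current].append(_spec(member.group(1)))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return objects


def exempt_destinations(cfg):
    """Destination networks that bypass NAT, under both the pre-8.3 and the 8.3+ syntax."""
    nets = []
    # Pre-8.3: destinations come from the permit lines of the 'nat 0' ACL.
    for m in re.finditer(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M):
        acl = re.escape(m.group(1))
        pattern = rf"^access-list {acl} extended permit ip (any|\S+ \S+) (any|\S+ \S+)"
        for a in re.finditer(pattern, cfg, re.M):
            nets.append(_spec(a.group(2)))
    # 8.3+: a twice-NAT rule where source and destination are each mapped to themselves.
    objects = parse_objects(cfg)
    pattern = r"^nat \([^)]+\)(?: \d+)? source static (\S+) (\S+) destination static (\S+) (\S+)"
    for m in re.finditer(pattern, cfg, re.M):
        if m.group(1) == m.group(2) and m.group(3) == m.group(4):
            nets.extend(objects.get(m.group(3), []))
    return nets


def pool_is_nat_exempt(cfg, pool_name):
    """True if every address of the pool lies inside some NAT-exempt destination."""
    first, last = parse_pools(cfg)[pool_name]
    return any(first in net and last in net for net in exempt_destinations(cfg))


def check_pools(cfg):
    """Report every client pool in the config with its exemption status."""
    return {name: pool_is_nat_exempt(cfg, name) for name in parse_pools(cfg)}


if __name__ == "__main__":
    for label, cfg in (("ASA 8.2", ASA82_CFG), ("ASA 9.1 as posted", ASA91_CFG),
                       ("ASA 9.1 with exemption", ASA91_FIXED_CFG)):
        print(label, check_pools(cfg))
```

A pool reported as not exempt matches the symptom in the thread: clients reach the ASA interfaces but get PAT'd to the outside address for everything else.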

  • Server 2012 R2 RRAS NAT VPN connectivity issues

    Hello all,
    I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
    Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
    1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
    2. The entire environment is on Server 2012 R2 Hyper-V. I’ve configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I’ve configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
    3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it’s not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
    4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I’m thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
    5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
    6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
    The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
    Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
    1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
    2. How can I test if NAT-T is working outside of VPN testing?
    3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications for running VPN from the router?
    Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
    Respectfully yours,
    Ron Arestia

    Hi Ron,
    Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
    For detailed information, please refer to the link below:
    http://support.microsoft.com/kb/926179
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • VPN Server issue

    Hello everybody.
    I have an issue making my VPN server work. Here is my situation:
    I have a router R1 with 2 Ethernet interfaces:
    interface N°1: 192.168.1.1/24
    interface N°2: 192.168.2.1/24
    The first interface is connected to the subnet to which some computers and servers (DHCP, DNS, Active Directory servers) are connected.
    The second interface is connected to my VPN server.
    The VPN server has 2 interfaces:
    one connected to the intranet (precisely R1) with the IP 192.168.2.2, and the second has a public IP address.
    The VPN server successfully gets its pool of addresses from the DHCP server with the IP 192.168.1.4,
    and since the VPN server uses the interface with the IP 192.168.2.2 to reach the DHCP server, it gets a subset of 192.168.2.0/24.
    So I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected VPN client.
    The connection between the server and clients is established correctly and the clients get the correct IP addresses, and yet I can't ping any device except the VPN server interface.
    So I captured the packet flow and I discovered that the ECHO message reaches its destination. The problem occurs when the router R1 tries to forward the reply to the client: it sends an ARP request but doesn't get any response.
    In this situation, based on what I read on the Internet, the VPN server is supposed to act as a proxy ARP, replying with its own MAC address on behalf of the VPN client and then routing the packet to its destination.
    When I configured the VPN server with a static pool from 192.168.3.0/24 and added a static route in R1, everything worked perfectly.
    Thanks

    Hi,
    Could you clarify “so I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected vpn client.” Have you disabled the 192.168.2.2 interface or made other changes to its configuration?
    •If the static IP address pool consists of ranges of IP addresses that are for a separate subnet, then you need to either enable an IP routing protocol on the remote access server computer or add static IP routes consisting of the {IP Address, Mask} of each range to the routers of the intranet. If the routes are not added, then remote access clients cannot receive traffic from resources on the intranet.
    •If the DHCP server is on the same subnet as the RRAS server, then you do not have to configure the DHCP relay agent. RRAS can find DHCP servers on the same subnet by using broadcast network packets.
    The related KB:
    Configure the Way RRAS Assigns IP Addresses to VPN Clients
    http://technet.microsoft.com/en-us/library/dd469667.aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    “so I end up with a VPN server who has an intranet interface that belongs to the same subnet as any connected vpn client.” means that the interface of my server that is connected to my private network has an IP from 192.168.2.0/24; it's the interface used to get to my network resources like the DHCP server.
    The DHCP relay agent is configured correctly and my VPN server can contact the DHCP server.
    When I used a static pool from 192.168.3.0/24 and added a static route to my router, everything works perfectly, but when I configure my VPN server to get IP addresses from the DHCP server, the VPN client can't access my intranet resources even though it gets a correct IP.

  • More 525 VPN phone issues.

    So I have a VPN setup on a customer's UC560 that has been working just fine for close to a year.  The 525 phone worked well at a remote location for 6 months and has been nothing but problems since.
    I have wiped it to factory defaults, updated the firmware to 7.5.5, re-configured it via the wizard in CCA, increased the VPN DHCP pool to 10 from 3, and it tests out fine on our shop network here at work.  After that it is 50/50 whether it wants to sync up and work properly off-site.  The client brings it to his house where he has cable internet and a basic Linksys router and it boots up, shows the VPN icon on the top bar as connected, but just sits at downloading some .xml file.  Bypassing the router gives the same result, so it can't be a weird firewall issue.
    I was under the impression that if this phone finds an internet connection it would work.  Don't understand all the hit and miss whether it's going to sync up or not.

    Thanks for the response.
    I have verified we're on the latest IOS...
    Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
    And I always use the 2.5.6005 version of Anyconnect.  Not sure about the DART thing.
    Thanks for reminding me about the subnet.  The client is taking the phone home with him for testing and keeps reporting that the vpn connects but doesn't fully sync up with the phone system.  I bet he is on the same subnet of the system.  The data VLAN is 192.168.0.X which is common with home routers.
    Thanks again,
    Jim

  • IPad and PPTP VPN - Internet access (e-mail & Safari) not working

    Hi there!
    I've got an iPad2 (WiFi only) and need to configure it to use Witopia PPTP VPN, which is the VPN provider I've been using for a long time on my desktop and netbook.
    Configuring the iPad was an easy task, and I was able to successfully authenticate and establish a PPTP session with any of the Witopia servers.
    The problem is that once the PPTP session is established, if the "send all traffic" option is ON, I have no Internet access at all (neither e-mail nor browsing with Safari). Then, if I stop VPN, turn OFF the "send all traffic" option in the iPad, and start VPN again, I have Internet communication back and everything starts working fine. I've been fiddling with this in my home network (D-Link Dir-655 router using the IP 192.168.0.1 addressing scheme for my LAN).
    Obviously, I decided to leave the "send all traffic" option OFF, but then I discovered that by doing this my Safari traffic is not encrypted and my IP is not masked, i.e. the VPN is up and running, I have normal Internet traffic, but the service to be provided by the VPN for some unknown reason is not happening.
    Does anyone have a clue about what's going on ?
    TIA
    RTadeu

    Have you tried a battery pull?  If not, give that a try and then try again. 
    1. Please thank those who help you by clicking the "Like" button at the bottom of the post that helped you.
    2. If your issue has been solved, please resolve it by marking the post "Solution?" which solved it for you!
