locked
Strange issue with Cisco VPN client and ISA 2006 EE in NLB configuration RRS feed

  • Question

  • Hi all,

    I've an strange issue with my ISA 2006 EE NLB environment. Sometimes, without logging anything in the logging tab, random users cannot connect to customers VPNs using Cisco Clients, but they can connect to other VPN services (using Fortinet Clients, SonicWall or Windows VPN). After investigating a lot of time we have a clue : IP addresses that cannot connect to Cisco VPNs previously were logged by flood mitigation alerts. For testing today we took an IP  from a client who cannot connect (assigned by our DHCP server) and configured it as static on a computer. That computer before configuring the "bad" IP (using another static IP) could connect using Cisco VPN client, but after set the bad IP, this computer also cannot connect. Reseting the IP to the previous one, we could connect again.

    Has someone any idea about what can produce this issue? I've been thinking to add an exception to all my LAN to increase them the number of the max number of concurrent connections, but I prefer to identify exactly what is the problem.

     

    Thanks in advanced

     

    Salva.

     

    Wednesday, March 9, 2011 4:41 PM

Answers

All replies

  • This can happen if the Cisco VPN client is configured to use UDP.  Follow the instructions from http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a008015cdf2.html.  Set the client to use TCP mode.  Look for the instructions under this heading, Using IPSec over TCP (NAT/PAT/Firewall).
    Brennan Crowe
    Wednesday, March 9, 2011 6:39 PM
    Answerer
  • Hi Brennan,

    first of all thanks for your reply. I have to use UDP because I don't have the administration of the Cisco devices, so I cannot reconfigure them to use TCP instead of UDP.

    Do you know if can I do any change on ISA to avoid this issue without changing anything on Cisco devices/clients?

    Thanks in advanced for your help

     

    Salva.

    Friday, March 11, 2011 9:53 AM