[c-nsp] VPN issues

Kaj Niemi kajtzu at basen.net
Tue Jan 15 07:58:59 EST 2008


Hi,


It's also possible you might need 'sysopt connection permit-vpn' (>=  
7.1(1)) or 'sysopt connection permit-ipsec' (<= 7.0). The settings  
allow packets from an IPSec tunnel to bypass interface ACLs (not group  
policy or per-user ones). As of 7.0 (I think) the default is enabled,  
if disabled you might need to explicitly permit traffic.

If traffic from RA to IPSec tunnel gets transmitted (you stated that  
you see the outbound connection and I'm assuming here that's on the  
site 1 ASA the RA is connected to) but if there is no return route on  
site 2 there won't be any return packets back towards site 1. Assuming  
all other sites have a default route towards the outside interface  
where the crypto map is, this scenario is unlikely, though.

There was no mention of the kind of traffic you are transmitting. In  
some cases, for TCP/IP, you might need to play around with 'sysopt  
connection tcpmss' and decrease it further from the PIX/ASA default of  
1380. Decreasing would mean there would be less payload inside the VPN  
encapsulated packets.

You didn't mention what version you're running but if you're on 7.2(1)  
or later you could take a look at 'packet-tracer'. Sometimes it is  
useful to see what rules/acls/etc. a packet would hit through the ASA  
or look at an existing flow.


As always, YMMV. :-)



Kaj

On Jan 15, 2008, at 13:56, Aaron R wrote:

> I am thinking it has something to do with the split-tunneling  
> configuration.
> Split tunneling is disabled therefore all traffic should route  
> across the
> VPN connection from the vpn client. Both outbound internet access as  
> well as
> access to other site to site VPNs is not working for the VPN clients.



HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
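The 'sysopt connection tcpmss' point above can be made concrete by working out how much of a 1500-byte path an ESP tunnel-mode packet consumes. The following is an added example, not from the original thread or from Cisco; the overhead figures it assumes are the standard RFC 4303 ones (outer IPv4 header, SPI/sequence, IV, padding, trailer, ICV, optional NAT-T UDP header) for AES-CBC with HMAC-SHA1-96, not the ASA's own accounting.

```python
# Added example: estimate the largest TCP MSS whose ESP tunnel-mode packet
# still fits a given path MTU. Use it as a starting point when deciding
# whether the PIX/ASA default of 1380 needs to be lowered further.

def esp_tunnel_overhead(inner_len, block_size=16, iv_len=16, icv_len=12, nat_t=False):
    """Bytes added when an inner IPv4 packet of inner_len bytes is
    wrapped in ESP tunnel mode (assumed RFC 4303 layout)."""
    # ESP trailer = pad length (1) + next header (1); padding brings
    # (inner_len + 2) up to a multiple of the cipher block size.
    pad = (-(inner_len + 2)) % block_size
    overhead = 20            # new outer IPv4 header (tunnel mode)
    overhead += 8            # ESP SPI + sequence number
    overhead += iv_len       # IV (16 for AES-CBC, 8 for 3DES)
    overhead += pad + 2      # ESP padding + trailer
    overhead += icv_len      # ICV (12 for HMAC-SHA1-96)
    if nat_t:
        overhead += 8        # UDP/4500 header when NAT traversal is in use
    return overhead

def max_tcp_mss(path_mtu=1500, **kw):
    """Largest MSS such that inner IPv4 + TCP + data, once encapsulated,
    does not exceed path_mtu. Returns 0 if nothing fits."""
    for mss in range(path_mtu, 0, -1):
        inner = 20 + 20 + mss      # inner IPv4 header + TCP header + segment
        if inner + esp_tunnel_overhead(inner, **kw) <= path_mtu:
            return mss
    return 0

if __name__ == "__main__":
    # Compare the computed ceiling with the ASA default of 1380.
    for label, kw in (("AES/SHA1", {}), ("AES/SHA1 + NAT-T", {"nat_t": True}),
                      ("3DES/SHA1", {"block_size": 8, "iv_len": 8})):
        print(f"{label:18s} max MSS at MTU 1500: {max_tcp_mss(**kw)}")
```

With NAT-T in play the ceiling lands within a few bytes of 1380, which is why a lower tcpmss is usually only needed when the path MTU itself is below 1500 (PPPoE, GRE, a second tunnel).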