[c-nsp] WebVPN Issue

Antonio Soares amsoares at netcabo.pt
Wed Feb 10 18:05:55 EST 2010


The session of the 1st user remains up and the vpn routes are there. But in the router the route back to the user is removed. So from
the user's perspective, connectivity is broken and he has no idea why. Clearly a bug, don't you think?

Thanks.

Regards,
 
Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

-----Original Message-----
From: Tyson Scott [mailto:tscott at ipexpert.com] 
Sent: Wednesday, February 10, 2010 22:33
To: 'Roman Rodichev'; 'Antonio Soares'
Cc: 'Farrukh Haroon'; cisco-nsp at puck.nether.net; 'Cisco certification'
Subject: RE: WebVPN Issue

Actually it makes sense.  You have duplicate IPs and the router needs to
decide which one is valid, which often will cause a network interrupt.
Although it doesn't allow the second connection it is terminating the first
to process to make a decision about the conflict.  At least that is what I
interpret what you are seeing to be.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott at ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130



-----Original Message-----
From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of
Roman Rodichev
Sent: Wednesday, February 10, 2010 12:28 PM
To: Antonio Soares
Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
Subject: Re: WebVPN Issue

Probably just a "feature" :)

Sent from my iPhone

On Feb 10, 2010, at 11:24 AM, "Antonio Soares" <amsoares at netcabo.pt>  
wrote:

> Yes, it works fine with local pool. In this case, the AC client gets  
> a message saying "no address assigned".
>
> I was able to reproduce the problem in the meantime. It makes sense
> that the 2nd user is not able to establish the session but it
> doesn't make sense that the 1st loses his connection.
>
> This seems a bug to me.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: Roman Rodichev [mailto:romangs at iementor.com]
> Sent: Wednesday, February 10, 2010 17:03
> To: Antonio Soares
> Cc: Farrukh Haroon; <cisco-nsp at puck.nether.net>; Cisco certification
> Subject: Re: WebVPN Issue
>
> So that might be the problem. How can you assign a different IP from
> RADIUS for concurrent logins?
>
> It should work with local pool
>
> Sent from my iPhone
>
> On Feb 10, 2010, at 10:14 AM, "Antonio Soares" <amsoares at netcabo.pt>
> wrote:
>
>> Thank you both for your inputs. I still cannot share the config
>> since I saw this in a production network and I'm still trying to
>> reproduce it in the lab.
>>
>> But the "debug ip routing" says it all:
>>
>> 1) When user X connects, he gets ip=10.10.10.166
>>
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>>
>> 2) When another user tries the connection with the same user X:
>>
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>> RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
>> RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
>> RT(VRF_X): delete subnet route to 10.10.10.166/32
>>
>> So the router deletes the route, adds it and removes it again. This
>> explains the loss of connectivity.
>>
>> We have radius authentication and the radius server assigns a pre-
>> defined ip to each user. So when the radius server sends the same
>> ip, it seems the router gets confused.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S/SP)
>> amsoares at netcabo.pt
>>
>> -----Original Message-----
>> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf
>> Of Farrukh Haroon
>> Sent: Wednesday, February 10, 2010 6:27
>> To: Antonio Soares
>> Cc: cisco-nsp at puck.nether.net; Cisco certification
>> Subject: Re: WebVPN Issue
>>
>> No, it works fine for multiple users, we have it running. If you can
>> post the sanitized config, I can have a look.
>>
>> Also check your 'show tcp brief' output to see if you have any stale
>> connections there. We faced a similar issue, and putting 'service
>> tcp-keepalives-in' fixed the issue (you may put 'out' as well).
>>
>> We are running 12.4(15)Tx though.
>>
>> Regards
>>
>> Farrukh
>>
>>
>>
>> On Wed, Feb 10, 2010 at 4:55 AM, Antonio Soares
>> <amsoares at netcabo.pt> wrote:
>>
>>> Hello group,
>>>
>>> I'm facing a strange issue with IOS Based WebVPN: when user X is
>>> connected and then another user uses the same user X, the second
>>> user is not able to connect but the first user loses connectivity.
>>> I have this with IOS 12.4.24T and AC 2.3.2016 running on a 2821.
>>> This is not expected behavior, right?
>>>
>>>
>>> Thanks.
>>>
>>> Regards,
>>>
>>> Antonio Soares, CCIE #18473 (R&S/SP)
>>> amsoares at netcabo.pt
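
Added example, not part of the original thread: a small Python check that scans captured "debug ip routing" output for the del/add/del sequence on one host route that the thread ties to a second login reusing a RADIUS-assigned address. The function names and the line-window heuristic are assumptions made for illustration; the sample is constructed from the debug lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the thread, in order.
SAMPLE = """\
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
RT(VRF_X): updating static 10.10.10.166/32 (0x1) via 0.0.0.0 SS1
RT(VRF_X): add 10.10.10.166/32 via 0.0.0.0, static metric [0/0]
RT(VRF_X): del 10.10.10.166 via 0.0.0.0, static metric [0/0]
RT(VRF_X): delete subnet route to 10.10.10.166/32
"""

# Matches only the "add <ip>" / "del <ip>" lines; "updating" and
# "delete subnet route" lines are skipped.
EVENT = re.compile(
    r"^RT\((?P<vrf>[^)]+)\): (?P<op>add|del) (?P<ip>\d+(?:\.\d+){3})(?:/\d+)? via"
)

def route_events(text):
    """Yield (line_number, vrf, ip, op) for each add/del line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EVENT.match(line.strip())
        if m:
            yield lineno, m["vrf"], m["ip"], m["op"]

def flapped_routes(text, window=6):
    """Return {(vrf, ip): (first_line, last_line)} for routes that were
    deleted, re-added and deleted again within `window` log lines.
    The window is an assumed heuristic to separate the burst seen in the
    thread from an ordinary disconnect followed by a later reconnect."""
    history = defaultdict(list)
    for lineno, vrf, ip, op in route_events(text):
        history[(vrf, ip)].append((lineno, op))
    findings = {}
    for key, evs in history.items():
        for (l1, a), (_, b), (l3, c) in zip(evs, evs[1:], evs[2:]):
            if (a, b, c) == ("del", "add", "del") and l3 - l1 <= window:
                findings[key] = (l1, l3)
                break
    return findings

if __name__ == "__main__":
    for (vrf, ip), span in flapped_routes(SAMPLE).items():
        print(f"{vrf} {ip}: del/add/del between lines {span[0]} and {span[1]}")
```
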




