[Dshield] Cisco VPN Issues Anyone?
Jon Kibler
Jon.Kibler at aset.com
Fri Nov 28 16:03:09 GMT 2008
Problem identified -- but not solved.
It turns out that Sprint cellular wireless apparently updated their
drivers for Windows and this is the source of the problem. For some
reason the 500/UDP traffic is allowed, but 4500/UDP and ESP traffic
falls off the face of the Earth. (For example, once the router assigns
an IP address to the VPN connection, you cannot ping it from either end
of the connection.)
Client has been working with Sprint on this issue for several days, but
has made little progress.
I will keep you posted as I learn more.
Jon K.
M Quibell wrote:
> Please describe what happens, any errors. Check and post logs. Then do a
> sniff.
>
> Marc
>
>> Date: Tue, 18 Nov 2008 12:15:52 -0500
>> From: Jon.Kibler at aset.com
>> To: list at lists.dshield.org
>> Subject: [Dshield] Cisco VPN Issues Anyone?
>>
> Hi,
>
> I have a client that had Cisco client-based VPN break over the weekend
> -- but just on Windows boxes. Everything was working okay Friday, but on
> Monday morning, Windows VPN users could not connect to the VPN. Mac and
> Linux still works fine.
>
> Nothing has been changed on the network for a few weeks, and we have
> verified those configurations. Plus, all non-Windows boxes seem to work
> just fine, so it seems to be something on the Windows client side and
> not on the network side.
>
> We have tried removing all the latest Windows patches, tried taking a
> new box and installing the VPN client on it, and nothing with Windows
> seems to work. We have also turned off all firewalls and AV on the boxes
> and that did not make any difference.
>
> We have opened a case with Cisco TAC, but they are stumped at this point.
>
> From a technical standpoint, what is happening is that the ISAKMP SA
> establishment breaks. It appears that for some reason the Windows client
> is failing to process a response packet and then starts a retry, which
> also fails.
>
> Has anyone else seen this or something similar?
>
> Any thoughts on where to look for an issue?
>
> TIA for help!
>
> Jon K
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
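
An added example, not part of the original messages: one way to turn the "sniff" suggested in the thread into a per-protocol answer is to tally IKE (500/UDP), NAT-T (4500/UDP) and ESP packets by direction and flag any class that never gets a reply. It assumes `tcpdump -n` text output captured on the client; the addresses and capture lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text format, taken on the client side.
# Addresses are from documentation ranges; this is not a capture from the thread.
CLIENT = "192.0.2.10"
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 1 I agg
10:00:00.120000 IP 203.0.113.5.500 > 192.0.2.10.500: isakmp: phase 1 R agg
10:00:00.200000 IP 192.0.2.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg
10:00:05.200000 IP 192.0.2.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg
10:00:10.200000 IP 192.0.2.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg
"""

# src[.port] > dst[.port]: payload   (native ESP lines carry no port)
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")

def classify(sport, dport, payload):
    """Map one packet to the traffic class the VPN depends on, or None."""
    if payload.startswith("ESP("):      # IP protocol 50, no UDP wrapper
        return "ESP"
    if "4500" in (sport, dport):        # NAT-T: IKE or UDP-encapsulated ESP
        return "UDP/4500"
    if "500" in (sport, dport):         # initial IKE/ISAKMP exchange
        return "UDP/500"
    return None

def summarize(text, client):
    """Count packets per (class, direction) relative to the client address."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        kind = classify(sport, dport, payload)
        if kind and client in (src, dst):
            counts[(kind, "out" if src == client else "in")] += 1
    return counts

def diagnose(counts):
    """Label each class: two-way, no replies seen, inbound only, or not seen."""
    labels = {(True, True): "two-way", (True, False): "no replies seen",
              (False, True): "inbound only", (False, False): "not seen"}
    return {k: labels[(counts[(k, "out")] > 0, counts[(k, "in")] > 0)]
            for k in ("UDP/500", "UDP/4500", "ESP")}

if __name__ == "__main__":
    for kind, state in diagnose(summarize(SAMPLE, CLIENT)).items():
        print(f"{kind:9} {state}")
```

Running the same tally on a capture taken at the VPN gateway shows whether the unanswered packets ever arrive there or are lost on the path.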