Geekzone: technology news, blogs, forums
Topic # 102745 21-May-2012 21:21

Hi all.

I don't like being this vague but I don't have access to the vpn concentrator.  So all I can do is describe the problem from the user perspective.

I work from home in Dunedin and try to connect to the Sydney office with the Cisco AnyConnect client.  The problem I've got is that every time I try to connect, regardless of which machine I connect with, I'm always assigned the same IP address of 10.20.0.1 which is NOT on the office network of 192.168.27.0.

I've tried this on 3 different laptops, 1 desktop and 2 different virtual machines, all a mix of Windows 7 and XP and get the same result.  I've also tried installing the AnyConnect client using different adsl and 3G connections.  
Only once have I ever gotten a 192.168.27.0 address after I uninstalled the AnyConnect client and removed the Cisco network adaptor, then re-installed it.  But the next time around I got the 10.20.0.1 again and haven't been able to repeat this no matter how many times I uninstall/reinstall.

As a workaround I can successfully use AnyConnect to vpn into one of the offices in North America, the UK or Europe and rely on the WAN links between offices to access my Sydney home server.  But needless to say it's a painfully slow experience.

I've taken this to the corporate European helpdesk in the past but got the runaround so it was easier and less frustrating to just put up with the slow workaround.  But now I've a new laptop and figure it's time to give this another shot.

Before I fire it back to the corporate helpdesk though, I'd prefer to give them some direction to travel in so if anyone's got any ideas then I'm all ears :)

*Edit - And if it helps I can also get someone in Sydney to wander into the server room and get the model of the concentrator.

Reply # 628612 21-May-2012 21:57

Cisco AnyConnect would normally use a separate IP range for the VPN client users, you won't get an IP in the same range as the office LAN.

There are a couple of factors that could be an issue:

* The company sounds big, so they probably auth using RADIUS. Is there a static IP assigned in RADIUS?

* After you connect, do a traceroute to the server you're trying to reach. Does it even hit the first hop? If it does, then the VPN is fine. If you can't get further than the concentrator then more likely someone there has firewalled the VPN IP range by accident or there is no routing between the VPN client range and the LAN.

* If you connect and can't reach the first hop, there is an access list defined in the concentrator which sets all the IP ranges you can reach with the client. Ask for this to be checked to make sure it actually allows access to the office LAN.

* Another common issue I see is anti-virus software that scans HTTPS; NOD32 is often the culprit. Disable the web scanning feature. Same goes for any other software on the laptop that would touch HTTPS traffic.

Some of those steps above you will need access to the concentrator, but at least if you go to the helpdesk with those suggestions they might do something.

HTH

Scott



Reply # 628760 22-May-2012 09:52

Thanks for the reply Scott. 

bender: Cisco AnyConnect would normally use a separate IP range for the VPN client users, you won't get an IP in the same range as the office LAN.


Yep, this is the actual case, I simplified it.  I'm the only one that gets a 10.20.0.x address which routes nowhere, everyone else gets a 192.168.27.x address that can route through to the office lan.

* The company sounds big, so they probably auth using RADIUS. Is there a static IP assigned in RADIUS?


I'm not sure as the one (and once only) time it did actually work and I got a 192.168.27.x address.  It does however seem the most likely culprit though so thanks, I've included it in the email.

* After you connect, do a traceroute to the server you're trying to reach. Does it even hit the first hop? If it does, then the VPN is fine. If you can't get further than the concentrator then more likely someone there has firewalled the VPN IP range by accident or there is no routing between the VPN client range and the LAN.


There's no default gateway handed out so I can't ping anything through the vpn interface.  Split tunneling is enabled as I can ping/tracert everything else through the lan interface.

* Another common issue I see is anti-virus software that scans HTTPS; NOD32 is often the culprit. Disable the web scanning feature. Same goes for any other software on the laptop that would touch HTTPS traffic.


I've tried on a brand new Windows 7 install that only has a few Windows updates installed - no AV or 3rd party software at all.

It's got to be the concentrator end, right?
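
The client-side checks discussed in this thread (which address was assigned, and which interface traffic to the office server would actually leave by) can be captured as evidence for the helpdesk. The following is an added example, not code from any poster: it parses a constructed Windows `route print` excerpt, and the 192.168.27.0/24 expected pool, the server address 192.168.27.10 and the home LAN addresses are assumptions for illustration.

```python
import ipaddress

# Constructed `route print` excerpt matching the symptoms in the thread: the
# VPN adapter holds 10.20.0.1 and the only default route is the home LAN's.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
        10.20.0.0      255.255.0.0          On-link       10.20.0.1     257
      192.168.1.0    255.255.255.0          On-link    192.168.1.50     281
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header and separator lines
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            iface = ipaddress.ip_address(f[3])
            metric = int(f[4])
        except ValueError:
            continue  # not a route row
        routes.append((net, f[2], iface, metric))
    return routes

def best_route(target, routes):
    """Longest-prefix match, lowest metric on ties."""
    hits = [r for r in routes if target in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def triage(assigned, expected_pool, target, routes):
    """List what is wrong from the client's point of view."""
    assigned = ipaddress.ip_address(assigned)
    target = ipaddress.ip_address(target)
    findings = []
    if assigned not in ipaddress.ip_network(expected_pool):
        findings.append("address-outside-expected-pool")
    route = best_route(target, routes)
    if route is None:
        findings.append("no-route-to-target")
    elif route[2] != assigned:
        findings.append("target-routed-outside-vpn")  # leaves via another NIC
    return findings

if __name__ == "__main__":
    print(triage("10.20.0.1", "192.168.27.0/24", "192.168.27.10",
                 parse_routes(ROUTE_PRINT)))
```

Both findings together point at what the concentrator hands out (address pool and split-tunnel routes) rather than at the client install, which is the detail worth including in the ticket.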
