Geekzone: technology news, blogs, forums


tigercorp

668 posts

Ultimate Geek


#102745 21-May-2012 21:21

Hi all.

I don't like being this vague but I don't have access to the vpn concentrator.  So all I can do is describe the problem from the user perspective.

I work from home in Dunedin and try to connect to the Sydney office with the Cisco AnyConnect client.  The problem I've got is that every time I try to connect, regardless of which machine I connect with, I'm always assigned the same IP address of 10.20.0.1 which is NOT on the office network of 192.168.27.0.

I've tried this on 3 different laptops, 1 desktop and 2 different virtual machines, all a mix of Windows 7 and XP and get the same result.  I've also tried installing the AnyConnect client using different adsl and 3G connections.  
Only once have I ever gotten a 192.168.27.0 address after I uninstalled the AnyConnect client and removed the Cisco network adaptor, then re-installed it.  But the next time around I got the 10.20.0.1 again and haven't been able to repeat this no matter how many times I uninstall/reinstall.

As a workaround I can successfully use AnyConnect to vpn into one of the offices in North America, the UK or Europe and rely on the WAN links between offices to access my Sydney home server.  But needless to say it's a painfully slow experience.

I've taken this to the corporate European helpdesk in the past but got the runaround so it was easier and less frustrating to just put up with the slow workaround.  But now I've a new laptop and figure it's time to give this another shot.

Before I fire it back to the corporate helpdesk though, I'd prefer to give them some direction to travel in so if anyone's got any ideas then I'm all ears :)

*Edit - And if it helps I can also get someone in Sydney to wander into the server room and get the model of the concentrator.

bender
220 posts

Master Geek


  #628612 21-May-2012 21:57

Cisco AnyConnect would normally use a separate IP range for the VPN client users, you won't get an IP in the same range as the office LAN.

There are a couple of factors that could be an issue:

* The company sounds big, so they probably auth using RADIUS. Is there a static IP assigned in RADIUS?

* After you connect, do a traceroute to the server you're trying to reach. Does it even hit the first hop? If it does, then the VPN is fine. If you can't get further than the concentrator then more likely someone there has firewalled the VPN IP range by accident or there is no routing between the VPN client range and the LAN.

* If you connect and can't reach the first hop, there is an access list defined in the concentrator which sets all the IP ranges you can reach with the client. Ask for this to be checked to see that it actually allows access to the office LAN.

* Another common issue I see is antivirus software that scans HTTPS, NOD32 is often the culprit. Disable the web scanning feature. Same goes for any other software on the laptop that would touch HTTPS traffic.

For some of those steps above you will need access to the concentrator, but at least if you go to the helpdesk with those suggestions they might do something.

HTH

Scott
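
A client-side check to go with the traceroute and access-list points above, as an added example that is not part of the original post: it parses `route print -4` output and reports which ranges are routed through the VPN adapter and which interface traffic to an office host would actually leave by. The route table, the home LAN addresses, the 10.20.0.0 netmask and the host 192.168.27.10 are constructed for illustration; only 10.20.0.1 and the 192.168.27.0 network come from the thread.

```python
import ipaddress
import re

# Constructed sample of Windows `route print -4` output (not captured from a real client).
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
        10.20.0.0      255.255.0.0         On-link         10.20.0.1    257
        10.20.0.1  255.255.255.255         On-link         10.20.0.1    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
"""

# destination, netmask, gateway (an address or "On-link"), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_routes(text):
    """Return the IPv4 routes found in `route print` output as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators, persistent-route text
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes

def diagnose(route_text, vpn_ip, target):
    """Longest-prefix match for `target`; lowest metric breaks ties."""
    routes = parse_routes(route_text)
    addr = ipaddress.ip_address(target)
    candidates = [r for r in routes if addr in r["net"]]
    best = max(candidates,
               key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)
    return {
        # Ranges installed on the VPN adapter, i.e. what the tunnel covers
        "vpn_routes": sorted(str(r["net"]) for r in routes if r["iface"] == vpn_ip),
        "egress_iface": best["iface"] if best else None,
        "via_vpn": best is not None and best["iface"] == vpn_ip,
    }
```

If `via_vpn` is false for an office address, the client has no route for that range through the tunnel, which is evidence to hand the helpdesk alongside the assigned address.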



tigercorp

668 posts

Ultimate Geek


  #628760 22-May-2012 09:52

Thanks for the reply Scott. 

bender: Cisco AnyConnect would normally use a separate IP range for the VPN client users, you won't get an IP in the same range as the office LAN.


Yep, this is the actual case, I simplified it.  I'm the only one that gets a 10.20.0.x address which routes nowhere, everyone else gets a 192.168.27.x address that can route through to the office lan.

* The company sounds big, so they probably auth using RADIUS. Is there a static IP assigned in RADIUS?


I'm not sure as the one (and once only) time it did actually work and I got a 192.168.27.x address.  It does however seem the most likely culprit though so thanks, I've included it in the email.

* After you connect, do a traceroute to the server you're trying to reach. Does it even hit the first hop? If it does, then the VPN is fine. If you can't get further than the concentrator then more likely someone there has firewalled the VPN IP range by accident or there is no routing between the VPN client range and the LAN.


There's no default gateway handed out so I can't ping anything through the vpn interface.  Split tunneling is enabled as I can ping/tracert everything else through the lan interface.

* Another common issue I see is antivirus software that scans HTTPS, NOD32 is often the culprit. Disable the web scanning feature. Same goes for any other software on the laptop that would touch HTTPS traffic.


I've tried on a brand new Windows 7 install that only has a few Windows updates installed - no AV or 3rd party software at all.

It's got to be the concentrator end, right?
