  • Creator
  • #2291139

    VPN IP traffic


    by gkeefe ·

    My company has one remote site. Our main site has a PIX 501 and DSL. The remote site has a DSL connection with a cisco678. The remote site has 20 users and one server which is a Win2000 domain controller. We wrote a script to connect the remote Win2000 DC to our main site using a Cisco VPN client. The remote DC and the DC at our main site then synch. It all worked great for a few months.

    Now for some reason the remote DC can still connect to the PIX but the 2 DCs cannot synch. The remote DC has lost the ability to ping any machine on the main network after it connects to the PIX with the Cisco VPN client. Other machines on the remote network can connect to the PIX with the Cisco VPN client and successfully ping machines on the main network. As a test we set up PPTP on the PIX and set up the Microsoft VPN client on the Win2000 remote DC. The remote DC connects fine to the PIX but still can’t pass IP traffic. It does not appear to be a problem with the VPN clients, the PIX, or the cisco678. The remote Win2000 DC can ping machines on its remote network when not connected through the VPN to the PIX. Does anyone have any ideas what might be preventing IP traffic from passing through these VPN connections? There has to be some file or setting on the remote DC causing the problem.

All Comments

  • Author
    • #3292944

      Reply To: VPN IP traffic

      by bfilmfan ·

      In reply to VPN IP traffic

      Has the remote Windows Domain Controller become an island? If it is pointed to itself for DNS first, this is most likely the cause of the issue. You should check what DNS server the remote DC is set to forward queries to. You may want to run the command ipconfig /flushdns after checking the DNS settings. Also run the command NBTSTAT -RR, if WINS is in the environment.

      You can also run the command REPADMIN /SHOWREPS to see if it is replicating traffic to the other DC.

      How long a period has this been down? If it is more than 60 days, the DC may have tombstoned and it cannot replicate as Active Directory has removed it from the forest.

      Also check in the NTDS settings that the AD replication link is set correctly. If there have been a large number of changes in the environment and this remote DC is a Global Catalog server, it is possible that replication traffic hasn’t completed and it is trying over and over again.

    • #3292827

      Reply To: VPN IP traffic

      by razz2 ·

      In reply to VPN IP traffic

      Are the failed pings pinging a NetBIOS/host name or an IP?

      If it is by name then try by IP.

      If the IP version works then it is a name resolution issue; use the previous well-written comment. Check DNS and WINS on both sides. Try using a hosts file during troubleshooting to rule out resolution.

      Also, I would check the VPN client licenses on the VPN hardware. You may have exceeded them if there are any new workstations added and using connections up.


    • #3291191

      Reply To: VPN IP traffic

      by gkeefe ·

      In reply to VPN IP traffic

      I am pinging by IP address. I should have made that clear. It doesn’t seem to have anything to do with DNS or WINS. The replication of the DCs is just a symptom of what I believe is a TCP/IP problem. I don’t think I will have any trouble with the repadmin once I can ping across the VPN again. The VPN software connects fine, no license issue. The PIX allows for far more VPN connections than I use.

    • #3292437

      Reply To: VPN IP traffic

      by cg it ·

      In reply to VPN IP traffic

      If everything ran fine then all of a sudden doesn’t, what changed? Something changed to cause the site link not to work anymore. Review your access lists on the PIX and 678. Review the running configs and IP routes on both the PIX and 678. If you connect to the PIX and can’t ping hosts behind the PIX, the PIX probably blocks the ICMP. Might be the PIX blocks 53 even though you connect over 1723.
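The troubleshooting decision tree the last two replies sketch (ping by name versus by IP to rule out DNS/WINS, then TCP to a DC port to tell an ICMP-dropping PIX from a dead IP path), written out as an added example that is not part of the original thread. `classify`, the probe helpers and the host names are assumptions; the probes are parameters so they can be replaced by stubs when the script is run off the network.

```python
import socket
import subprocess
import sys

# Default probes use the real network; classify() accepts replacements.
def resolve(name):
    """Return the IPv4 address a name resolves to, or None on failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def ping(target, timeout=2):
    """Return True if a single ICMP echo request to target gets a reply."""
    win = sys.platform.startswith("win")
    count_flag, wait_flag = ("-n", "-w") if win else ("-c", "-W")
    wait = str(timeout * 1000) if win else str(timeout)  # Windows ping -w is in ms
    rc = subprocess.call(["ping", count_flag, "1", wait_flag, wait, target],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return rc == 0

def tcp_open(ip, port, timeout=2):
    """Return True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(name, ip, dc_ports=(389, 445),
             resolve=resolve, ping=ping, tcp_open=tcp_open):
    """Classify a 'cannot reach the other DC over the VPN' symptom.

    Returns one of: 'ok', 'name-resolution', 'icmp-filtered', 'no-ip-path'.
    """
    if ping(ip):
        # The IP path through the tunnel works. If the name does not map
        # to that address, the problem is DNS/WINS, not the VPN.
        return "ok" if resolve(name) == ip else "name-resolution"
    # Ping by IP fails. A DC must still answer LDAP/SMB, so a successful
    # TCP handshake means only ICMP is being dropped (e.g. by the PIX);
    # no answer on either port points at routes, ACLs or the client.
    if any(tcp_open(ip, p) for p in dc_ports):
        return "icmp-filtered"
    return "no-ip-path"

if __name__ == "__main__":
    # Constructed sample target; replace with the real remote DC.
    print(classify("dc1.corp.example", "10.0.0.5"))
```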