VPN Client cannot pass any traffic through a VPN tunnel
|Article:TECH81001|||||Created: 2003-01-20|||||Updated: 2006-01-05|||||Article URL http://www.symantec.com/docs/TECH81001|
You have a Symantec Enterprise VPN Client that can connect to a firewall or VPN appliance but cannot pass any traffic through the tunnel including traffic to the firewall/VPN server's internal interface. Other computers with the Symantec Enterprise VPN Client can pass traffic through the VPN tunnels properly.
In some circumstances, computers running the Symantec Enterprise VPN Client may have problems passing traffic through connected tunnels. The common situations where this occurs are covered in the following text. Refer to the documents that best describe your situation to aid in troubleshooting the problem. After completing each of the following sections, determine whether the problem is solved. If the problem persists, then continue to the next section for another solution.
Once the VPN tunnel is connected, try passing traffic, using the ping command, to the internal interface of the firewall. If you receive responses from the internal firewall address, but you cannot pass traffic into the remote network, refer to the Symantec Knowledge Base articles, Cannot ping beyond firewall's internal interface after RaptorMobile connects or RaptorMobile/Symantec VPN Client - common problems and troubleshooting tips.
If you cannot ping the firewall's internal interface through the tunnel, check the following on the client computer:
- Personal firewalls
Verify that no personal firewall software is installed on the client computer.
If you are using Symantec Desktop firewall, read Symantec Knowledge Base article, Using RaptorMobile/Symantec Enterprise VPN Client with the Symantec Desktop Firewall for configuration details.
If you are using Norton Desktop firewall, refer to Symantec Knowledge Base article, Using RaptorMobile/Symantec Enterprise VPN Client with Norton Personal Firewall for configuration details.
- Home routers or gateways
If you are making the VPN connection through a home router (also known as a home gateway), make sure that the IPSec pass-through is an available option in the router's firmware and is enabled. For further home gateway troubleshooting tips, read Symantec Knowledge Base article, Requirements for connecting tunnels and passing VPN Client traffic through a Home Gateway router (cable/DSL).
- Corporate firewalls
If you are making the VPN connection through a corporate firewall, make sure that IP Protocol Types 50 and 51 (ESP and AH, respectively) are allowed through the firewall. For further information on configuring this type of pass-through on a Symantec Enterprise Firewall, refer to Symantec Knowledge Base article, Connecting RaptorMobile through a Raptor Firewall or Symantec Enterprise Firewall to another Raptor Firewall or Symantec Enterprise Firewall.
- Other VPN clients
Remove or uninstall any other third party VPN Clients (for example, Cisco VPN Client), that may interfere with Symantec Enterprise VPN Client driver binding.
- Network monitoring tools
Remove or uninstall any other network monitoring tools that may be installed, as these may also interfere with Symantec Enterprise VPN Client driver binding. Examples of this type of software are Windows Network Monitor or Lucent Technologies' MyVitalAgent, which appears as vtlagent.exe in the Task Manager process list.
- Internet Connection Sharing
See if Internet Connection Sharing (ICS) is enabled on the network connection. If ICS is enabled, disable it. You cannot run the Symantec VPN Client on a computer with ICS enabled. For further information, read Symantec Knowledge Base article, RaptorMobile compatibility with Microsoft Internet Connection Sharing (ICS).
- Internet Connection Firewall on Windows XP
See if Internet Connection Firewall (ICF) is enabled on the network connection (Windows XP only). If ICF is enabled, disable it. You cannot pass IPSec traffic through a Symantec Enterprise VPN Client tunnel if ICF is enabled. For further information, read Symantec Knowledge Base article, Cannot pass data through Symantec Enterprise VPN Client tunnel on Windows XP with ICF enabled.
- Symantec Enterprise VPN Client Driver installed
Verify that the Symantec Enterprise VPN Client Driver is installed and loading properly. To do this, open a command window (Click Start > Run. Type cmd and click OK.). In the command window, type axtvpnx /c and press Enter. You should receive a message that says, "AXTDRV: Driver is installed." If you do not receive this message, uninstall and reinstall the Symantec Enterprise VPN Client and test again.
- Symantec Enterprise VPN Client Driver binding
Verify that the Symantec Enterprise VPN Client Driver is bound to the network connection. In Windows 2000 and Windows XP, you can check or uncheck this binding for each network connection. If the binding is unchecked, no IPSec data will pass through that connection.
- Other VPN driver troubleshooting
Verify that traffic is actually being processed by the VPN driver.
- To verify that traffic is being processed
- Connect your client VPN tunnel.
- Open two command windows.
- In one command window, type:
tcpdump -vv host
- In the second command window, ping the internal interface of the firewall/VPN server (or something else through the tunnel).
- If traffic is being processed by the VPN driver, you will see packets like the following (this example assumes a client IP of 192.168.1.1 with a Security Gateway IP address of 220.127.116.11):
- This indicates that the packet was processed from your client to the Security Gateway by the VPN driver. If you do not see a message similar to the example, another driver in the IP stack is interfering with VPN communication. Recheck your personal firewall settings, other network monitor applications, or unknown network device drivers that may be installed on the workstation.
If you see a packet similar to the example, but no return packets (from 18.104.22.168 > 192.168.1.1 as an ESP packet), IPSec traffic is being blocked inbound to the client or the firewall has not received the packet at all. Check with your local ISP for IPSec pass-through restrictions that may be in place on your network connection.
Article URL http://www.symantec.com/docs/TECH81001