VPN Client cannot pass any traffic through a VPN tunnel

Article:TECH81001  |  Created: 2003-01-20  |  Updated: 2006-01-05  |  Article URL http://www.symantec.com/docs/TECH81001
Article Type: Technical Solution

Issue

You have a Symantec Enterprise VPN Client that can connect to a firewall or VPN appliance but cannot pass any traffic through the tunnel, including traffic to the firewall/VPN server's internal interface. Other computers with the Symantec Enterprise VPN Client can pass traffic through their VPN tunnels properly.


Solution



In some circumstances, computers running the Symantec Enterprise VPN Client may have problems passing traffic through connected tunnels. The common situations in which this occurs are covered below. Refer to the documents that best describe your situation to aid in troubleshooting. After completing each of the following sections, determine whether the problem is solved. If the problem persists, continue to the next section for another solution.

Once the VPN tunnel is connected, try passing traffic, using the ping command, to the internal interface of the firewall. If you receive responses from the internal firewall address, but you cannot pass traffic into the remote network, refer to the Symantec Knowledge Base articles, Cannot ping beyond firewall's internal interface after RaptorMobile connects or RaptorMobile/Symantec VPN Client - common problems and troubleshooting tips.

If you cannot ping the firewall's internal interface through the tunnel, check the following on the client computer:
  • Personal firewalls
    Verify that no personal firewall software is installed on the client computer.
    If you are using Symantec Desktop firewall, read Symantec Knowledge Base article, Using RaptorMobile/Symantec Enterprise VPN Client with the Symantec Desktop Firewall for configuration details.
    If you are using Norton Desktop firewall, refer to Symantec Knowledge Base article, Using RaptorMobile/Symantec Enterprise VPN Client with Norton Personal Firewall for configuration details.
  • Home routers or gateways
    If you are making the VPN connection through a home router (also known as a home gateway), make sure that the IPSec pass-through is an available option in the router's firmware and is enabled. For further home gateway troubleshooting tips, read Symantec Knowledge Base article, Requirements for connecting tunnels and passing VPN Client traffic through a Home Gateway router (cable/DSL).
  • Corporate firewalls
    If you are making the VPN connection through a corporate firewall, make sure that IP Protocol Types 50 and 51 (ESP and AH, respectively) are allowed through the firewall. For further information on configuring this type of pass-through on a Symantec Enterprise Firewall, refer to Symantec Knowledge Base article, Connecting RaptorMobile through a Raptor Firewall or Symantec Enterprise Firewall to another Raptor Firewall or Symantec Enterprise Firewall.
  • Other VPN clients
    Remove or uninstall any other third-party VPN clients (for example, Cisco VPN Client) that may interfere with Symantec Enterprise VPN Client driver binding.
  • Network monitoring tools
    Remove or uninstall any other network monitoring tools that may be installed, as these may also interfere with Symantec Enterprise VPN Client driver binding. Examples of this type of software are Windows Network Monitor or Lucent Technologies' MyVitalAgent, which appears as vtlagent.exe in the Task Manager process list.
  • Internet Connection Sharing
    See if Internet Connection Sharing (ICS) is enabled on the network connection. If ICS is enabled, disable it. You cannot run the Symantec VPN Client on a computer with ICS enabled. For further information, read Symantec Knowledge Base article, RaptorMobile compatibility with Microsoft Internet Connection Sharing (ICS).
  • Internet Connection Firewall on Windows XP
    See if Internet Connection Firewall (ICF) is enabled on the network connection (Windows XP only). If ICF is enabled, disable it. You cannot pass IPSec traffic through a Symantec Enterprise VPN Client tunnel if ICF is enabled. For further information, read Symantec Knowledge Base article, Cannot pass data through Symantec Enterprise VPN Client tunnel on Windows XP with ICF enabled.
  • Symantec Enterprise VPN Client Driver installed
    Verify that the Symantec Enterprise VPN Client Driver is installed and loading properly. To do this, open a command window (Click Start > Run. Type cmd and click OK.). In the command window, type axtvpnx /c and press Enter. You should receive a message that says, "AXTDRV: Driver is installed." If you do not receive this message, uninstall and reinstall the Symantec Enterprise VPN Client and test again.
  • Symantec Enterprise VPN Client Driver binding
    Verify that the Symantec Enterprise VPN Client Driver is bound to the network connection. In Windows 2000 and Windows XP, you can check or uncheck this binding for each network connection. If the binding is unchecked, no IPSec data will pass through that connection.
  • Other VPN driver troubleshooting
    Verify that traffic is actually being processed by the VPN driver, as follows:
    1. Connect your client VPN tunnel.
    2. Open two command windows.
    3. In one command window, type:
      tcpdump -vv host <firewall IP address> (for example, tcpdump -vv host 164.109.1.2 if you are connected to the firewall at IP address 164.109.1.2).
    4. In the second command window, ping the internal interface of the firewall/VPN server (or something else through the tunnel).
    5. If traffic is being processed by the VPN driver, you will see packets like the following (this example assumes a client IP of 192.168.1.1 and a Security Gateway IP address of 164.109.1.2):
      09:04:57.356414 192.168.1.1 > 164.109.1.2 ESP (spi=3784146589) (ttl254, id 33)
    This indicates that the VPN driver processed the packet from your client to the Security Gateway. If you do not see a message similar to the example, another driver in the IP stack is interfering with VPN communication. Recheck your personal firewall settings, other network monitoring applications, and any unknown network device drivers that may be installed on the workstation.

    If you see a packet similar to the example but no return packets (an ESP packet from 164.109.1.2 > 192.168.1.1), IPSec traffic is being blocked inbound to the client, or the firewall has not received the packet at all. Check with your local ISP for IPSec pass-through restrictions that may be in place on your network connection.
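    The tcpdump check above has three outcomes: no outbound ESP (the driver is not processing traffic), outbound ESP but no return ESP (inbound IPSec blocked or never delivered), or ESP in both directions (the tunnel itself is fine). The following script, an added example that is not part of this article or of the Symantec product, applies that decision logic to saved tcpdump output. The line format is the one quoted in the article; the first sample line is the article's own, the other capture lines and the 10.0.0.1 address are constructed for the example, and the verdict strings are the example's own wording.

```python
import re

# Matches the tcpdump line format quoted in the article, e.g.
# 09:04:57.356414 192.168.1.1 > 164.109.1.2 ESP (spi=3784146589) (ttl254, id 33)
ESP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+ESP\s+\(spi=(?P<spi>\d+)\)"
)

# Verdicts mirror the three outcomes of the article's tcpdump check.
NO_OUTBOUND = "no outbound ESP: VPN driver is not processing client traffic"
NO_INBOUND = "outbound ESP only: inbound IPSec blocked or never reached the gateway"
BOTH_WAYS = "ESP in both directions: tunnel is carrying traffic"


def diagnose(capture_lines, client_ip, gateway_ip):
    """Count ESP packets between client and gateway in tcpdump output
    and return (outbound_count, inbound_count, verdict)."""
    outbound = 0
    inbound = 0
    for raw in capture_lines:
        m = ESP_LINE.match(raw.strip())
        if m is None:
            continue  # not an ESP line between two IPv4 hosts; ignore it
        if m["src"] == client_ip and m["dst"] == gateway_ip:
            outbound += 1
        elif m["src"] == gateway_ip and m["dst"] == client_ip:
            inbound += 1
    if outbound == 0:
        verdict = NO_OUTBOUND
    elif inbound == 0:
        verdict = NO_INBOUND
    else:
        verdict = BOTH_WAYS
    return outbound, inbound, verdict


# Constructed sample captures (not real traffic). Client and gateway
# addresses are the ones used in the article's example.
HEALTHY = [
    "09:04:57.356414 192.168.1.1 > 164.109.1.2 ESP (spi=3784146589) (ttl254, id 33)",
    "09:04:57.401220 164.109.1.2 > 192.168.1.1 ESP (spi=2291764901) (ttl 60, id 4142)",
]
INBOUND_BLOCKED = [
    "09:05:10.002314 192.168.1.1 > 164.109.1.2 ESP (spi=3784146589) (ttl254, id 34)",
    "09:05:11.003120 192.168.1.1 > 164.109.1.2 ESP (spi=3784146589) (ttl254, id 35)",
]
DRIVER_NOT_PROCESSING = [
    # The ping left the stack as plain ICMP: the VPN driver never encapsulated it.
    "09:06:01.120045 192.168.1.1 > 10.0.0.1: icmp: echo request (ttl 128, id 36)",
]

if __name__ == "__main__":
    cases = [
        ("healthy", HEALTHY),
        ("inbound blocked", INBOUND_BLOCKED),
        ("driver not processing", DRIVER_NOT_PROCESSING),
    ]
    for name, capture in cases:
        out, inn, verdict = diagnose(capture, "192.168.1.1", "164.109.1.2")
        print(f"{name}: outbound={out} inbound={inn} -> {verdict}")
```

    To use it against a real session, redirect the tcpdump output from step 3 to a file while you run the ping from step 4, then pass the file's lines, your client address and the firewall address to diagnose(). Lines that are not ESP between those two hosts are ignored, so ordinary ICMP or DNS traffic in the capture does not affect the verdict.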

Legacy ID

2003032008262354