I'm rolling out an install for about 30 sites using the 3002 coming back to a 3060 and I ran into a similar issue. I will insert this caveat that I am not running network extension mode. Good ole' NAT/PAT for me...
Anyway, when I would monitor my sessions there was always one site that had a zero in the "Bytes TX" section. I would try to reset the session and it never worked. The "Bytes RX" counter would increment, but never the TX. I finally checked the IP that was being assigned from the VPN pool and I couldn't ping it either. Very strange, since the IP was in the middle of the pool and all of the other addresses worked fine.

Come to find out, every time that a site would connect and get assigned this particular IP address nothing would work. I duplicated the problem across several different locations and all had the same result. I verified that the IP address wasn't being used anywhere else in the network and I took some Sniffer traces. Basically, I could see traffic destined for the IP address, but the 3060 would never respond. I ended up having to remove this single IP address from my pool and everything works great now.

I currently have a TAC case w/Cisco to verify my findings and to find out what the problem is. My guess is that it may be some sort of bug...actually I'm surprised that TAC hasn't told me to upgrade my IOS yet!

Sorry for the longish post, but I thought it might be of some interest.

Eric

-----Original Message-----
From: Marshal Schoener
To: [EMAIL PROTECTED]
Sent: 1/17/2002 3:30 PM
Subject: RE: VPN3002 Network Extension Mode [7:32309]

Hi,

I am using the exact same setup between 2 of our offices. In fact, it works so well, I am able to put a VoIP call from my office in NY to an office in Malaysia over the VPN. It is amazing. We were able to save my company almost 6k a month by dropping the frame-relay ;-)

Here's the thing... You should have no problem pinging the concentrator from 3002, or vice versa. You should be able to do this whether or not the tunnel is established. These are both public addresses, and if you can't ping from one side to the other, you won't be able to establish the tunnel in the first place.
Remember that each side has a public and private address. You need to put the concentrator's public IP address in the 3002 client's IPsec settings. Then set up a group and username for the 3002 client on the concentrator and you should be home free. Once that tunnel is established, you should be able to ping the private address of the concentrator / client as well as all the machines behind it from either side.

Did you put the concentrator or client behind a firewall or did you put it parallel to the firewall?

Also, you might want to check a machine from each side with a tracert to a machine on the other side to see how the packets are moving. If you do a tracert from a workstation on the client side, you should first see your 3002 client address. Then see your concentrator address. Finally the destination machine you did the tracert to. If the packets are not attempting to go in this direction, it is most likely a routing error on the gateway or a router.

Good luck and I hope this helped a bit :-)

Regards,

-----Original Message-----
From: Jean-Luc Gugler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: VPN3002 Network Extension Mode [7:32309]

Has anyone experimented with Network Extension Mode between the VPN3002 and the VPN 3000 concentrator?

I configured it based on the Cisco document and the IPsec tunnel works very well.

The problem is: I don't have any packets sent from the concentrator to the 3002. It is impossible to ping from one to another.

Any clue?

Jean-Luc Gugler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32375&t=32309

