Cisco VPN acting weeeeeeeeeeird

Discussion in 'Mac OS X Server, Xserve, and Networking' started by n8236, Apr 24, 2008.

  1. macrumors 65816

    Joined:
    Mar 1, 2006
    #1
    So I started using the Cisco VPN Client (version 4.9.01 (100)) and there is ONE client that when I'm connected to them, I lose web surfing and ping capability in Terminal. I won't be able to ping anything, no gateway, no nothing. When I connect to other clients on my list, it works fine.

    So I tried this in Windows and voila, that ONE client works! But that's beside the point.

    Does anyone have any clues?!
     
  2. macrumors 6502

    Joined:
    Jul 24, 2007
    #2
    Actually it's not beside the point, it's a really good clue. Check the settings on both OSes. Compare the two. Maybe there is a difference. Do you run anything that could manually edit the firewall? Maybe you did something that breaks it at the firewall.

    Maybe that site hates your MAC address.

    I am just guessing, as I do not have much information to go on.

    Did you play with/add files in /etc/ppp ?

    What does the console say when you attempt to connect?
     
  3. thread starter macrumors 65816

    Joined:
    Mar 1, 2006
    #3
    I checked both OSes and I don't see any differences. I had the OS X one working before, it just decided to stop working one day. I also tried re-installing the OS X client.

    Firewall for OSX and XP is off.
     
  4. thread starter macrumors 65816

    Joined:
    Mar 1, 2006
    #4
    Here is the code when connected to that funky vpn connection which doesn't allow web surfing:



    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128

    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

    stf0: flags=0<> mtu 1280

    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:16:cb:9b:37:b8
    media: autoselect status: inactive
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none

    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:17:f2:ff:fe:77:5a:d6
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>

    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1356
    inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::216:cbff:fe07:a8c1%en1 prefixlen 64 scopeid 0x6
    ether 00:16:cb:07:a8:c1
    media: autoselect status: active
    supported media: autoselect

    vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.135.1 netmask 0xffffff00 broadcast 172.16.135.255
    ether 00:50:56:c0:00:08

    vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 172.16.208.1 netmask 0xffffff00 broadcast 172.16.208.255
    ether 00:50:56:c0:00:01

    tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    closed

    tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 74:61:70:00:00:00
    closed

    en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21c:42ff:fe00:0%en2 prefixlen 64 scopeid 0xb
    ether 00:1c:42:00:00:00
    media: autoselect status: active
    supported media: autoselect

    en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21c:42ff:fe00:1%en3 prefixlen 64 scopeid 0xc
    ether 00:1c:42:00:00:01
    media: autoselect status: active
    supported media: autoselect


    Can anyone decode what this means?
     
  5. macrumors 6502

    Joined:
    Jul 24, 2007
    #5
    That's not code, that's the output of ifconfig -a

    Open your console (/applications/utilities/console.app)
    There should be an entry for ppp somewhere.

    See what the last entry is, try to connect to your VPN, and see if it adds logs there. If so, copy and paste them here. Maybe it's erring out and will report it there. I have never used the Cisco VPN client, so it may not use ppp.log for its logging. If it does not, you're gonna need to find out where it logs things, and post that here instead.

    I found this: http://www.kombitz.com/2007/08/21/cisco-vpn-client-problem-on-mac-os-x/

    Maybe that's your problem there.

    Also you posted
    Code:
    tun0: flags=8850<POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    closed
    
    tap0: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 74:61:70:00:00:00 
    closed
    
    Those should be the VPN tunnel. They are closed.

    We need the logs from the console.
     
  6. thread starter macrumors 65816

    Joined:
    Mar 1, 2006
    #6
    Here's what the Cisco log says.

    Cisco Systems VPN Client Version 4.9.01 (0100)
    Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Mac OS X
    Running on: Darwin 9.2.2 Darwin Kernel Version 9.2.2: Tue Mar 4 21:17:34 PST 2008; root:xnu-1228.4.31~1/RELEASE_I386 i386

    195 16:52:01.725 04/25/2008 Sev=Info/4 CM/0x43100002
    Begin connection process

    196 16:52:01.725 04/25/2008 Sev=Warning/2 CVPND/0x83400011
    Error -28 sending packet. Dst Addr: 0xAC1087FF, Src Addr: 0xAC108701 (DRVIFACE:1158).

    197 16:52:01.726 04/25/2008 Sev=Warning/2 CVPND/0x83400011
    Error -28 sending packet. Dst Addr: 0xAC10D0FF, Src Addr: 0xAC10D001 (DRVIFACE:1158).

    198 16:52:01.726 04/25/2008 Sev=Info/4 CM/0x43100004
    Establish secure connection using Ethernet

    199 16:52:01.727 04/25/2008 Sev=Info/4 CM/0x43100024
    Attempt connection with server "vpn.spgsolar.com"

    200 16:52:01.732 04/25/2008 Sev=Info/4 CVPND/0x43400019
    Privilege Separation: binding to port: (500).

    201 16:52:01.735 04/25/2008 Sev=Info/4 CVPND/0x43400019
    Privilege Separation: binding to port: (4500).

    202 16:52:01.735 04/25/2008 Sev=Info/6 IKE/0x4300003B
    Attempting to establish a connection with 12.26.39.2.

    203 16:52:01.837 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 12.26.39.2

    204 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x43700008
    IPSec driver successfully started

    205 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    206 16:52:01.973 04/25/2008 Sev=Info/4 IPSEC/0x4370000D
    Key(s) deleted by Interface (192.168.0.135)

    207 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x4300002F
    Received ISAKMP packet: peer = 12.26.39.2

    208 16:52:01.979 04/25/2008 Sev=Info/4 IKE/0x43000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 12.26.39.2

    209 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
    Peer supports XAUTH

    210 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
    Peer supports DPD

    211 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
    Peer is a Cisco-Unity compliant peer

    212 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000082
    Received IOS Vendor ID with unknown capabilities flag 0x000000A5

    213 16:52:01.979 04/25/2008 Sev=Info/5 IKE/0x43000001
    Peer supports NAT-T

    214 16:52:02.101 04/25/2008 Sev=Info/6 IKE/0x43000001
    IOS Vendor ID Contruction successful

    215 16:52:02.101 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 12.26.39.2

    216 16:52:02.102 04/25/2008 Sev=Info/6 IKE/0x43000055
    Sent a keepalive on the IPSec SA

    217 16:52:02.102 04/25/2008 Sev=Info/4 IKE/0x43000083
    IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

    218 16:52:02.102 04/25/2008 Sev=Info/5 IKE/0x43000072
    Automatic NAT Detection Status:
    Remote end is NOT behind a NAT device
    This end IS behind a NAT device

    219 16:52:02.102 04/25/2008 Sev=Info/4 CM/0x4310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

    220 16:52:02.102 04/25/2008 Sev=Info/4 CM/0x4310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

    221 16:52:02.103 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.26.39.2

    222 16:52:02.124 04/25/2008 Sev=Info/5 IKE/0x4300002F
    Received ISAKMP packet: peer = 12.26.39.2

    223 16:52:02.124 04/25/2008 Sev=Info/4 IKE/0x43000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 12.26.39.2

    224 16:52:02.125 04/25/2008 Sev=Info/5 IKE/0x43000045
    RESPONDER-LIFETIME notify has value of 86400 seconds

    225 16:52:02.125 04/25/2008 Sev=Info/5 IKE/0x43000047
    This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

    226 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x4300002F
    Received ISAKMP packet: peer = 12.26.39.2

    227 16:52:02.134 04/25/2008 Sev=Info/4 IKE/0x43000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.26.39.2

    228 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.10.209

    229 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.11

    230 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.1.12

    231 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.1.11

    232 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x43000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS) : , value = 192.168.1.12

    233 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = sp

    234 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

    235 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000F
    SPLIT_NET #1
    subnet = 192.168.1.0
    mask = 255.255.255.0
    protocol = 0
    src port = 0
    dest port=0

    236 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

    237 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

    238 16:52:02.135 04/25/2008 Sev=Info/4 CM/0x43100019
    Mode Config data received

    239 16:52:02.139 04/25/2008 Sev=Info/4 IKE/0x43000056
    Received a key request from Driver: Local IP = 192.168.1.47, GW IP = 12.26.39.2, Remote IP = 0.0.0.0

    240 16:52:02.139 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 12.26.39.2

    241 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x4300002F
    Received ISAKMP packet: peer = 12.26.39.2

    242 16:52:02.167 04/25/2008 Sev=Info/4 IKE/0x43000014
    RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 12.26.39.2

    243 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x43000045
    RESPONDER-LIFETIME notify has value of 28800 seconds

    244 16:52:02.167 04/25/2008 Sev=Info/5 IKE/0x43000046
    RESPONDER-LIFETIME notify has value of 4608000 kb

    245 16:52:02.167 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK QM *(HASH) to 12.26.39.2

    246 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000059
    Loading IPsec SA (MsgID=CFD4212C OUTBOUND SPI = 0x6526F06B INBOUND SPI = 0x12BDD98F)

    247 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000025
    Loaded OUTBOUND ESP SPI: 0x6526F06B

    248 16:52:02.168 04/25/2008 Sev=Info/5 IKE/0x43000026
    Loaded INBOUND ESP SPI: 0x12BDD98F

    249 16:52:02.168 04/25/2008 Sev=Info/4 CM/0x4310001A
    One secure connection established

    250 16:52:02.168 04/25/2008 Sev=Info/4 CVPND/0x4340001E
    Privilege Separation: reducing MTU on primary interface.

    251 16:52:02.174 04/25/2008 Sev=Info/4 CVPND/0x4340001B
    Privilege Separation: backing up resolv.conf file.

    252 16:52:02.175 04/25/2008 Sev=Info/4 CVPND/0x4340001D
    Privilege Separation: chown( /var/run/resolv.conf.vpnbackup, uid=0, gid=1 ).

    253 16:52:02.176 04/25/2008 Sev=Info/4 CVPND/0x43400018
    Privilege Separation: opening file: (/var/run/resolv.conf).

    254 16:52:02.192 04/25/2008 Sev=Info/4 CM/0x4310003B
    Address watch added for 192.168.1.47. Current hostname: eddie-liangs-macbook-pro-15.local, Current address(es): 192.168.1.47, 172.16.135.1, 172.16.208.1.

    255 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    256 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700010
    Created a new key structure

    257 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x4370000F
    Added key with SPI=0x6bf02665 into key list

    258 16:52:02.760 04/25/2008 Sev=Info/4 IPSEC/0x43700010
    Created a new key structure

    259 16:52:02.761 04/25/2008 Sev=Info/4 IPSEC/0x4370000F
    Added key with SPI=0x8fd9bd12 into key list

    260 16:52:12.474 04/25/2008 Sev=Info/6 IKE/0x43000055
    Sent a keepalive on the IPSec SA

    261 16:52:22.474 04/25/2008 Sev=Info/6 IKE/0x43000055
    Sent a keepalive on the IPSec SA

    262 16:52:32.474 04/25/2008 Sev=Info/6 IKE/0x43000055
    Sent a keepalive on the IPSec SA

    263 16:52:42.474 04/25/2008 Sev=Info/6 IKE/0x43000055
    Sent a keepalive on the IPSec SA

    264 16:52:48.533 04/25/2008 Sev=Info/4 CM/0x4310000A
    Secure connections terminated

    265 16:52:48.533 04/25/2008 Sev=Info/4 IKE/0x43000001
    IKE received signal to terminate VPN connection

    266 16:52:48.533 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.26.39.2

    267 16:52:48.534 04/25/2008 Sev=Info/5 IKE/0x43000018
    Deleting IPsec SA: (OUTBOUND SPI = 6526F06B INBOUND SPI = 12BDD98F)

    268 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000049
    Discarding IPsec SA negotiation, MsgID=CFD4212C

    269 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000017
    Marking IKE SA for deletion (I_Cookie=866216F65FF0571E R_Cookie=98FE3D252BB92390) reason = DEL_REASON_RESET_SADB

    270 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x43000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.26.39.2

    271 16:52:48.534 04/25/2008 Sev=Info/4 IKE/0x4300004B
    Discarding IKE SA negotiation (I_Cookie=866216F65FF0571E R_Cookie=98FE3D252BB92390) reason = DEL_REASON_RESET_SADB

    272 16:52:48.535 04/25/2008 Sev=Info/4 CM/0x43100013
    Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

    273 16:52:48.535 04/25/2008 Sev=Info/4 CVPND/0x4340001C
    Privilege Separation: restoring resolv.conf file.

    274 16:52:48.535 04/25/2008 Sev=Info/4 CVPND/0x4340001D
    Privilege Separation: chown( /var/run/resolv.conf, uid=0, gid=1 ).

    275 16:52:48.537 04/25/2008 Sev=Info/5 CM/0x43100025
    Initializing CVPNDrv

    276 16:52:48.539 04/25/2008 Sev=Info/6 CM/0x43100031
    Tunnel to headend device vpn.spgsolar.com disconnected: duration: 0 days 0:0:46

    277 16:52:48.539 04/25/2008 Sev=Info/4 CVPND/0x4340001F
    Privilege Separation: restoring MTU on primary interface.

    278 16:52:53.540 04/25/2008 Sev=Warning/2 CVPND/0xC3400018
    Privilege Separation: root operation failed.

    279 16:52:53.541 04/25/2008 Sev=Info/5 CM/0x43100025
    Initializing CVPNDrv

    280 16:52:53.541 04/25/2008 Sev=Info/4 CVPND/0x4340001F
    Privilege Separation: restoring MTU on primary interface.

    281 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
    Delete internal key with SPI=0x8fd9bd12

    282 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000C
    Key deleted by SPI 0x8fd9bd12

    283 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
    Delete internal key with SPI=0x6bf02665

    284 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000C
    Key deleted by SPI 0x6bf02665

    285 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700010
    Created a new key structure

    286 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x4370000B
    Key requested

    287 16:52:53.542 04/25/2008 Sev=Info/4 IPSEC/0x43700013
    Delete internal key with SPI=0x00000000

    288 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    289 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    290 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x4370000A
    IPSec driver successfully stopped

    291 16:52:53.543 04/25/2008 Sev=Info/4 IPSEC/0x43700014
    Deleted all keys

    292 16:52:53.543 04/25/2008 Sev=Warning/2 IKE/0x83000067
    Received an IPC message during invalid state (IKE_MAIN:507)
     
  8. macrumors 6502

    Joined:
    Jul 24, 2007
    #8
    What is the IP range of the local network, and the IP range of the remote VPNed network?

    It looks like they are both using the same subnet, which would not work unless your default route would be out the VPN, but then the internal network would not work.

    Remember a VPN connection is much like a virtual network interface to a remote location (there is more to it though, such as encryption). It gives you access to the remote location's IP range/internal network. If your IP range and the IP range of the remote network are the same, and the internal network has precedence, you will never see the VPNed network.

    I guess what I am saying is you're getting connected fine, but since you're on the same subnet as the remote location, you will never see anything.
     
  9. thread starter macrumors 65816

    Joined:
    Mar 1, 2006
    #9
    I think I may understand where you are coming from. You're suggesting that my IP range shouldn't be the same as that of the VPN? (like the example below?)

    My home gateway being 192.168.1.1 while my IP is 192.168.1.2
    My VPN's gateway being 192.168.1.1 while my IP on the vpn is 192.168.1.x

    You are correct, the IP range of the VPN network and my home one is one and the same.

    Is this what's causing my problem? And that I should change my home gateway to something other than that of the vpn network? I'm going to test that.
     
  10. macrumors 6502

    Joined:
    Jul 24, 2007
    #10
    Yes. In your current setup, your machine has 2 interfaces on the same IP range. It does not know to send the VPN packets over the VPN interface.
    Change your ip range on your local network to another range (192.168.55.x) or something like that.
     
  11. thread starter macrumors 65816

    Joined:
    Mar 1, 2006
    #11
    Brilliant, it worked! God, and I work in IT too! :D lol

    I wonder why it worked before and then suddenly stopped working, how strange.

    Here's a question. I see this as a temporary fix because, technically speaking, my machine is able to distinguish which interface is which and use my gateway to access the internet when connected via vpn.

    Say (in an extreme case) I have 255 vpn connections using up the whole range of IPs (192.168.1.x to 192.168.255.x), how will I then remedy this? Change my subnet and use a different range of IPs?

    God... I can't believe I didn't think of this solution! I even posted on Experts-Exchange w/ 500 points and no one answered hehehe.
     
  12. macrumors 6502

    Joined:
    Jul 24, 2007
    #12
    It possibly worked before because the OS was putting the VPN before the other interface. I deal with a lot of VPN connections, in this job and my last. I am not surprised about the "experts-exchange" site. There is a ton of good info put up there before it went completely pay, or whatever it is now. But now that it's restricted from anonymous use, it seems to have gone downhill in decent responses.

    Just be glad you don't have to support Vista in a medical corp environment. Ya, sure, the pay is great, but the clients act like they are 10 years old. Seriously, you get an MD, and you become 10.

    Back on topic, good to hear it works now.
     
  13. macrumors member

    Joined:
    Feb 28, 2008
    #13
    Same problem, but solution didn't work

    I have the same problem described in this thread, but the solution didn't work. In my case, I have a MBP (10.5.4) with the latest Cisco VPN client installed. I have two connections... one to our Florida office, one to our California office. If I connect to the CA connection, all works fine... I can hit servers on the remote network, yet still browse my local LAN and resources without issue. But when I hit the FL VPN, I can only reach remote hosts and I suddenly become unable to browse local shares and my internet access gets bogged down as it routes through the VPN conn for everything.

    At home, I'm using an AE in the 10.0.0.0 range. I know the FL conn is running in 10.1.1.0 (and FWIW, I know the CA conn uses 192.168), but since the netmasks are the same for my home 10.1.1.0 range and the FL 10.0.0.0 range, for the sake of it I re-IP'd my home LAN over to 172.16 (most home routers default to NAT and either 192.168 or 10.0.0.0, so I figured 172.16 was safe).

    But moving to 172.16 didn't fix it for me. I even tried with it set to 172.16.254.0. I've compared both client configs and with the exception of the remote host they authenticate to, they are identical. In the Windows world with an MS VPN server, I know how to resolve this (there's an Advanced option under TCP/IP that says "use default gateway on remote network" that needs to be unchecked). I'm lost as to how to implement something similar in OS X... at least with the Cisco client.

    Any thoughts would be much appreciated...
     
  14. macrumors G4

    Joined:
    Mar 4, 2006
    #14
    Sounds to me that the VPN Concentrator/ASA device in your FL office doesn't have split-tunnelling enabled in the policy delivered to clients in the VPN set up, but the one in CA does. Contact the sysadmin.
     
  15. macrumors member

    Joined:
    Feb 28, 2008
    #15
    Thanks... I escalated to our network admin and he fixed it and here's what he had to say:

    I applied the correct access list to the split tunneling command. Basically told the VPN to route 10.1.1.0/16 to 10.1.16.0/23 to the tunnel and the rest goes out to the internet.
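The two failure modes in this thread, the home LAN overlapping the VPN's split-include network (posts #8 to #10) and a head end that pushes no split-tunnel list at all so everything is routed through the tunnel (posts #13 to #15), can both be spotted from the client log and the ifconfig output before bothering the network admin. The checker below is an added example written for this thread, not code from the Cisco client or from anyone in the discussion. It assumes only the two text formats shown on the page: the Cisco VPN Client log's MODE_CFG_REPLY / SPLIT_NET lines and the Mac OS X ifconfig -a format. The sample log and ifconfig text are constructed to resemble the thread's, with the addresses trimmed to what the check needs.

```python
import re
import ipaddress

# Constructed sample modelled on the thread's Cisco VPN Client log: the head end
# assigns 192.168.10.209 and pushes one split-include network, 192.168.1.0/24.
SAMPLE_LOG = """\
228 16:52:02.134 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.10.209
234 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
235 16:52:02.135 04/25/2008 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet = 192.168.1.0
mask = 255.255.255.0
protocol = 0
"""

# Constructed sample for the second failure mode: an address is assigned but no
# SPLIT_INCLUDE attribute arrives, so the client tunnels all traffic (what the
# Florida office in post #13 was doing). The 10.1.1.x address is made up.
SAMPLE_LOG_FULL = """\
228 17:10:44.001 04/25/2008 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.1.50
238 17:10:44.002 04/25/2008 Sev=Info/4 CM/0x43100019
Mode Config data received
"""

# Constructed ifconfig -a excerpt: the home LAN (en1) sits on 192.168.1.0/24,
# the same range the VPN split-include names above.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1356
inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.135.1 netmask 0xffffff00 broadcast 172.16.135.255
"""

ASSIGNED_RE = re.compile(r"INTERNAL_IPV4_ADDRESS: , value = ([\d.]+)")
SPLIT_COUNT_RE = re.compile(r"SPLIT_INCLUDE \(# of split_nets\), value = (0x[0-9A-Fa-f]+)")
SPLIT_NET_RE = re.compile(r"subnet = ([\d.]+)\s+mask = ([\d.]+)")


def parse_vpn_policy(log_text):
    """Extract the assigned address, split-net count and split-include networks."""
    m = ASSIGNED_RE.search(log_text)
    assigned = ipaddress.ip_address(m.group(1)) if m else None
    m = SPLIT_COUNT_RE.search(log_text)
    split_count = int(m.group(1), 16) if m else None
    nets = [ipaddress.ip_network(f"{sub}/{mask}", strict=False)
            for sub, mask in SPLIT_NET_RE.findall(log_text)]
    return assigned, split_count, nets


def parse_local_networks(ifconfig_text):
    """Map each interface with an IPv4 address to its directly connected network."""
    nets = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*inet ([\d.]+) netmask (0x[0-9a-fA-F]+)", line)
        if m and current:
            # ifconfig prints the mask as hex; ipaddress wants dotted or prefix form
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{mask}").network
    return nets


def check_policy(log_text, ifconfig_text):
    """Report local/VPN subnet collisions and whether the policy is full-tunnel."""
    assigned, split_count, vpn_nets = parse_vpn_policy(log_text)
    overlaps = []
    for iface, local_net in parse_local_networks(ifconfig_text).items():
        if iface.startswith("lo"):
            continue  # loopback can never collide with a routed network
        for vpn_net in vpn_nets:
            if local_net.overlaps(vpn_net):
                overlaps.append((iface, str(local_net), str(vpn_net)))
    return {
        "assigned": str(assigned) if assigned else None,
        "split_count": split_count,
        # no split-include list pushed: the client sends everything down the tunnel
        "full_tunnel": not vpn_nets,
        "overlaps": overlaps,
    }


if __name__ == "__main__":
    for name, log in (("split", SAMPLE_LOG), ("full", SAMPLE_LOG_FULL)):
        print(name, check_policy(log, SAMPLE_IFCONFIG))
```

Run it against a real log and ifconfig dump and an "overlaps" entry means the kernel has two interfaces claiming the same prefix, which is exactly the condition post #10 fixes by renumbering the LAN; "full_tunnel" true with local shares unreachable points at the split-tunnel access list on the head end rather than at anything on the Mac.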
     
