
Contivity VPN Traffic


carlosmcse

IS-IT--Management
Nov 17, 2005
67
US
I have a Contivity 1740 with 3 PCI NICs plus the default LAN NIC. I also have the OSPF and Stateful Firewall license installed. This device was used as a site-to-site VPN switch. We are no longer using site-to-site VPNs, but we still need user VPN access to our network from anywhere. So we configured the switch with LDAP proxy, IPsec, etc. I can establish the connection using the VPN client and get an IP address from the client address pool configured on the Contivity; I also get the DNS server IPs configured for the group, etc. I can ping from the client to any server/host on the internal network and vice versa. But that's all I can do, only ping; I can't use any other protocol. The firewall is set with an override rule to allow from any to any and all traffic. I know it's not the firewall blocking; I also disabled the stateful firewall and I still have the same problem, I can only ping. Any recommendations? Please help.
 
Is it possible you have an interface filter or tunnel filter applied?
This would not be related to the Stateful Firewall but could potentially allow only PING traffic and nothing else (especially interface filters, since this is a canned service that's easily selectable).
Check that and let us know.
 
Can you be more specific than "any other protocol"? I know there are issues with Kerberos and packet fragmentation on the Contivitys that can be solved by adjusting the TCP MSS value.

Do this on the private interface because VPN clients are logically attached to the private side. Go to System > LAN > Edit (Next to the IP address) and enable it first. Then lower it to 1300 or so, maybe even lower (<1000) until you can connect to some resources.


peace
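An added diagnostic, not from this thread, that checks the fragmentation explanation above from the VPN client side: it binary-searches the largest ICMP payload that crosses the tunnel with the DF bit set (Linux iputils `ping -M do`) and derives the TCP MSS to try on the private interface. The internal host name and the 1472-byte starting payload are assumptions.

```python
"""Path-MTU probe for the 'ping works, nothing else does' symptom.
If small pings succeed but larger DF pings fail, TCP segments that fill the
MTU are being dropped, which is what lowering the MSS works around."""
import subprocess
import sys
from typing import Callable, Optional

IP_HEADER = 20    # IPv4 header bytes
ICMP_HEADER = 8   # ICMP echo header bytes
TCP_HEADER = 20   # TCP header bytes without options


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if one ICMP echo with `payload` data bytes and DF set is answered.
    Flags are the Linux iputils ones: -M do = don't fragment, -s = payload."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload `probe` accepts in [lo, hi] and
    return the path MTU (payload plus IP and ICMP headers); 0 if none passes."""
    best: Optional[int] = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best = mid
            lo = mid + 1
        else:
            hi = mid - 1
    return 0 if best is None else best + IP_HEADER + ICMP_HEADER


def suggested_mss(path_mtu: int) -> int:
    """MSS that fits the discovered path MTU: MTU minus IP and TCP headers."""
    return max(path_mtu - IP_HEADER - TCP_HEADER, 0)


if __name__ == "__main__":
    # Assumed internal host; replace with a server behind the Contivity.
    target = sys.argv[1] if len(sys.argv) > 1 else "internal-server.example"
    mtu = find_path_mtu(lambda size: ping_df(target, size))
    print(f"path MTU to {target}: {mtu or 'no DF ping answered'}")
    if mtu:
        print(f"try TCP MSS <= {suggested_mss(mtu)} on the private interface")
```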
 
I tried all of the above with no luck... I'm sure I'm missing something, but what? The IP addresses that I'm providing to the users are from an address pool that is not directly configured on any NIC on the Contivity. I don't think this should be a problem, since the Contivity automatically creates the dynamic routes when a user connects. Why is it that I can only ping the internal subnet? This is driving me crazy...
 
Sounds like you need to enable client address redistribution:

Routing > Client-addr-dis > CAR Options > Enable

If you are using OSPF on the private side, make sure you redistribute your utunnel routes into OSPF: Routing > Policy.


peace
 
Nortel Dude... Kerberos is UDP; TCP clamping will not help with this.

He is able to ping. Can you HTTP with an IP address?
 
I can HTTP to the Contivity, but that's it. I looked at the firewall logs and nothing is being blocked. I'm about to reset this thing to defaults and try again. This Contivity is not being used (for now), so I can play with it until I get it to work. Any suggestions?
 