User has WinXP SP2 with Cisco Systems VPN Client 4.8.01.0300. Can consistently dial out via modem and use VPN successfully to connect to company network/domain. However, the VPN over the Ethernet port and Wireless adapter inconsistently fails. They can always get an Internet connection, but after they connect via VPN, only 50% of the time they can access network resources. There is no error, VPN always states a successful connection. If (stress if) it does work via one method (say Ethernet) then the other method will not work until after a reboot. That is the only pattern I've found so far. I have updated drivers on both Eth and Wrlss adapters, made sure there are no TCP/IP settings (all auto), reinstalled VPN, uninstalled Symantec Client Security (including Firewall), and rebuilt the machine completely after harddrive reformat. Still exhibits the same behavior. Suggestions?

Thank you, Jacquelyn

At first I'd say, I wonder if the path between supports the tunnel at all times. But then you say a reboot allows the connection to release. That would make me consider some setting that doesn't change. Maybe do a network card "repair" and see it it clears the issue. Repair does more than a few things to help reset the status of the connection.

I read it wrong and answer it wrong too. So get off my case you goober.

Are there any client logs you can post when it fails?

The Cisco Pix/ASA should also have some useful connection logs.

Ahh, also, check your network adapter's MTU settings. You may have too much packet fragmentation (especially if you use PPPoE DSL).

How to optimize VPN performance with your network.

Determining the maximum packet size that can traverse the tunnel:
Connect with the MUVPN client and do a ping test to a server on the other side of the MUVPN or BOVPN tunnel.

Example. Your Exchange or Terminal server is 192.168.10.5

C:\ping –l 1500 –f 192.168.10.5

Pinging 192.168.10.5 with 1500 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 192.168.10.5:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

This means the packet is fragmenting and is rejected since the –f (do not fragment is set) as most PC’s are set to 1500 MTU by default.

Reduce the size in the ping command until you get good reply pings.

C:\ping –l 1350 –f 192.168.10.5

Pinging 192.168.10.5 with 1350 bytes of data:
Reply from 192.168.10.5: bytes=1350 time=109ms TTL=52
Reply from 192.168.10.5: bytes=1350 time=32ms TTL=52
Reply from 192.168.10.5: bytes=1350 time=235ms TTL=52
Reply from 192.168.10.5: bytes=1350 time=141ms TTL=52

Ping statistics for 192.168.10.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 32ms, Maximum = 235ms, Average = 129ms

Once you have determined the maximum packet size, subtract 10 from this value, to allow for some additional overhead. Use this value for the MaxMTU string.

Caution: The following steps demonstrate how to manually adjust the MTU setting in your Windows registry. Using the Registry Editor incorrectly can lead to serious problems in Microsoft Windows and Windows applications. WatchGuard assumes no responsibility for mistakes or errors that result of incorrectly using the Registry Editor.

How to change the MTU on Windows NT, 2000, and XP (As an alternative, Dr. TCP can be downloaded from dslreports.com)

1. Click on Start => Run.
2. Type: regedit and click OK.
3. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
4. Click the Parameters folder.
5. Click Edit => New => String Value.
Type MaxMTU and hit the "Enter" key twice. In the dialog box that appears, type 1450.
6. Click the OK button.
7. Exit Regedit and restart your computer.

I have another but (maybe) similar problem, I can connect with my local Cisco client on my home PC and authenticate to Cisco VPN network. That works great. But I
can't communicate with anything once in secure network, I connect. I have used some another versions Cisco clients with the same result. I have disabled all firewalls, with the same result. I had reset my IP configuration etc...

When I use the same home computer as router (with Winroute), my notebook connected through it works fine.... !

What can be wrong on my home computer?

Thank you for any advice.

Regards,

J.Cvrk