Unofficial empeg BBS

#372232 - 26/08/2019 19:54 VPN weirdness
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
Hi everyone.

I'm working for a new client who recently had their VPN stop working. Mostly folks couldn't connect or their credentials got rejected.

I think I've gotten it to the point where I can connect, or at least I can on my laptop (I haven't been able to test one of their users' computers yet), but after a successful connection, I'm unable to access any resources at all. Can't get file shares, can't ping any devices on the network, etc.

The weird thing is that I tried setting up the VPN on my iPhone, then installed a File Explorer app and tried adding a file share there. It works perfectly. I'm completely puzzled. There don't seem to be any answers online either.

Little help?

Some info:
VPN is set up on a Cisco ASA5505
IPSec/L2TP
Local authentication on the ASA

Let me know if you need anything else.
_________________________
Matt

#372236 - 27/08/2019 17:58 Re: VPN weirdness [Re: Dignan]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31563
Loc: Seattle, WA
Look for routing problems on the LAN connections physically connected to that Cisco. Including things like VLAN settings on the switches. Look for DHCP problems, DNS problems, etc.

If the user's VPN credentials are being authenticated via some kind of centralized system, for example, if users are authenticating with the VPN via their corporate Active Directory accounts, then look for problems between the Cisco and the domain controller and the path to authenticate with it.

Find out the timing of the first reports of connection failures. Then find out what kinds of changes were made (if any) right before that. For example, someone replaced a switch or a Wifi router, or made a change to the DNS settings, two days before the VPN problems started happening.

Check for a possible breach or malware. Or perhaps an update to security software which might be interfering.
_________________________
Tony Fabris

#372245 - 04/09/2019 15:10 Re: VPN weirdness [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
So this was a weird one, and it doesn't seem like some of the symptoms were what I thought they were.

It appears that Microsoft broke some things in their latest Windows 10 update (hooray for automatic updates, amirite?!?!) that caused a bug when connecting to some L2TP connections. If you click the network icon in the system tray and click on your VPN, it just spins and spins and never connects. If you open your settings, go to network, then VPN, then click on your VPN and click connect, THAT will work. Extremely annoying. Clearly a bug that Microsoft introduced. It appears to only happen on the 1903 release.

It looks like the users who were able to connect but were having weird problems are no longer having those problems. They seem to have cleared up on their own for some unknown reason. My least favorite IT problem is always the one that happens occasionally. I prefer when it works or it doesn't ;)

Anyway, thanks for the input, Tony. Sorry to waste everyone's time. Please blame Microsoft :p
_________________________
Matt

#372246 - 04/09/2019 15:14 Re: VPN weirdness [Re: Dignan]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12318
Loc: Sterling, VA
BTW, I really hate this Cisco device. The UI is a freaking nightmare. I've never seen a UI that acts like it's purposefully obscuring the current setup.

I'm taking over for a previous IT support person, and they left some info, which is more than I usually get, but nothing detailed. For example, there's no information at all about how the firewall is configured. Nothing about the VPN, port forwarding, security settings, nothing. I have to figure it all out. And since I've never dealt with this model before, first I have to familiarize myself with the UI before I can start to figure out the setup. It took me about 30 minutes alone to figure out how the VPN was set up between the various potential options, by figuring out what all the checkboxes did.

It's also ancient and seems like it hasn't been updated in years, which can't be secure. It's also the last bit of 10/100 gear in the network, so I'm going to try to get them to let me swap it out for something else. Because it's me, I'll probably push for Unifi ;)
_________________________
Matt
