1

Problem:

When I successfully connect to a specific company's VPN, I cannot access any internal or external websites. A website request in Safari just hangs. All traffic is set up to go through the VPN and the IT person in charge says that everything should just work for me and he is at a loss as to what the problem might be.

Setup:

  • iMac running OS X (v10.5)
  • Cisco AnyConnect VPN Client (v2.4)
  • Verizon DSL (Westell VersaLink 327W, all traffic allowed, PPPoE)
  • Connected wirelessly to DSL modem/router

I can:

  • Ping www.google.com
  • Traceroute www.google.com
  • nslookup www.google.com
  • SSH to internal server
  • Ping internal URL
  • telnet www.google.com 80

I've also tried Firefox and Chrome and experienced the same hanging. In fact, right before bed, instead of canceling the URL request in Safari, I let it sit all night out of curiosity and this morning it was still trying to contact the site.

I've tried using tcpdump to monitor the cscotun0 interface (added by the Cisco VPN client) but I'm not really sure what I'm looking for---I do see activity when requesting a URL in Safari.

How can I further troubleshoot this to determine the cause?

UPDATE:

While connected to the VPN, I captured an HTTP request for www.google.com using Wireshark. Here is a link to a screenshot of the capture (sorry I cannot post images---not enough rep):

Wireshark Capture of HTTP request

Lauren
  • Would it be better to ask this question of your own internal IT people as they set it up, know it and presumably provide support? It's not that we aren't happy to help but this sounds like they could fix it sooner. – Chopper3 Jul 28 '10 at 14:09
  • 1
    Ask your I.T. person about "split tunneling". Most won't allow it when you're connected to their network via VPN. – GregD Jul 28 '10 at 14:10
  • He is at a loss as well---I probably should have mentioned that in the question. I'm assuming they won't allow split-tunneling but I've just sent him an email asking...OK, no split-tunneling allowed, it's against policy. – Lauren Jul 28 '10 at 14:15

6 Answers

1

Try telnet www.google.com 80 to confirm that HTTP traffic is permitted.

lg.
  • % telnet www.google.com 80 Trying 72.14.204.147... Connected to www.l.google.com. Escape character is '^]'. I assume that means I can successfully telnet. – Lauren Jul 28 '10 at 15:18
  • Yes, you are right. No http proxy? – lg. Jul 28 '10 at 15:35
  • Locally? In System Preferences, under the Proxy section, I see nothing that indicates I'm using a proxy. Am I looking in the correct location? – Lauren Jul 28 '10 at 15:44
  • I think yes, but I am not a Mac user. – lg. Jul 28 '10 at 15:49
1

This should really be a comment: your computer, is it a fixed installation or a laptop? If so, have you tried connecting from another location?

Even though you say no firewall is active, often these all-in-one crap modems have some kind of VPN pass-through setting that needs to be checked. Have you actually viewed the configuration?

EDIT: Your problem is with the router, please view my comment and these additional threads:

http://www.google.se/#hl=sv&q=Westell+327+%2B+VPN&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=721993aec07591cc

Anders
  • It is an iMac. There are two other VPN users that have no problems but no, I have not connected from another location. – Lauren Jul 28 '10 at 20:41
  • @Lauren, These two other users are on the same machine? – Anders Jul 28 '10 at 20:43
  • No, they are not on the same machine---just other VPN users that have not experienced the same issues I have. – Lauren Jul 28 '10 at 20:47
  • I've poked around a little but not too extensively. I'll see if I can find anything...thanks for the suggestion. – Lauren Jul 28 '10 at 20:48
  • @Lauren, Is this beast the router/modem that you own: http://www22.verizon.com/NROneRetail/NR/rdonlyres/9FDE87A6-F0D6-499D-B868-BCABBDB34432/0/LinksysBEFW11S4UserVer2.pdf ? – Anders Jul 28 '10 at 20:55
  • :) No, I have the Westell VersaLink 327W: http://www22.verizon.com/NROneRetail/NR/rdonlyres/3EE6AA38-3830-4C75-B566-3753A48A3E49/0/VersaLink327WGatewayUserGuide.pdf – Lauren Jul 28 '10 at 21:05
  • @Lauren, Your issue is with the router. Please view this thread: http://www.dslreports.com/forum/remark,13888947 , you should configure your router to be in bridge mode. Or just buy a proper one cause this one seems to really suck. Never even heard of the brand before, anyway. There you have it. – Anders Jul 28 '10 at 21:17
  • Can I put the DSL modem in bridge mode without having a third-party router? I have multiple computers connected to the LAN (some wirelessly). – Lauren Jul 28 '10 at 22:20
  • Apparently bridge mode is only for certain Verizon customers. According to a Verizon tech, I am required to use PPPoE. Sounds like I might be able to solve my problem by upgrading to their commercial package. Why can I communicate over the VPN using other techniques (telnet, ssh, etc.) but HTTP requests from the browser are ignored or dropped or lost? I'd love to know what's actually happening to that traffic... – Lauren Jul 29 '10 at 00:36
  • @Lauren, Buy a new router/modem, it's like 50 bucks and you get a working stable one. – Anders Jul 29 '10 at 07:45
0

If you have a tcpdump, you probably want to look at whether your 3-way handshake is successful. That means you send the destination a packet with a SYN flag, receive a SYN-ACK and send an ACK back.

Is your system maybe using a proxy by default? You could cross-check the target IP address against the IP address your packets actually get sent to.

Phi
  • In System Preferences, under the Proxy section, I see nothing that indicates I'm using a proxy. As for the tcp dump---that's a little beyond my comprehension. It might take me a while but I'll see if I can figure that one out and get back to you. – Lauren Jul 28 '10 at 15:25
  • After unsuccessful attempts at trying to interpret tcpdump output, I gave up and downloaded Wireshark. Capturing some output, while connected to the VPN, I see the SYN, SYN-ACK and ACK after hitting http://www.google.com/. However, after that I see "TCP Previous segment lost" and "TCP Dup Ack" packets, which Wireshark is highlighting in colors that indicate a problem. – Lauren Jul 28 '10 at 21:15
0

If you can telnet to www.google.com on port 80, but the browser can't get anything from the site, then I would bet that there is a proxy in between that just drops any return from the site (or maybe it even drops the outgoing request). Telnet only establishes the basic TCP connection to the host, whereas your browser sends a specific request for a site on that host, and that is usually where the proxy kicks in.

This can only really be fixed by the IT team in charge of that network.

If you are really, really desperate to have Internet access while on the VPN, you will have to change your default route back to what it is before the VPN connection is established (while on the VPN).

wolfgangsz
  • I cannot get to any external or internal websites. The external ones I don't care much about, it's the internal ones that I need to access to. A proxy could be setup anywhere, right? E.g. my local computer, on my dsl router (?), at my ISP, and on the VPN-side. So I would need to verify each location, correct? – Lauren Jul 28 '10 at 16:49
  • If you can't get to any internal websites either, then I suspect there is also a routing problem, or some very special configuration of the VPN link. In any case you're best off talking to the folks that provided that VPN link. – wolfgangsz Jul 29 '10 at 11:23
0

What you need to provide to your VPN administrator/support are the following command outputs:

  • ifconfig
  • route

These commands will output your networking configuration, so you want both the VPN and no-VPN outputs. They should be slightly different, but the key here is that the outputs will provide the correct VPN administration/support person with the information needed to ensure the VPN aspects are working correctly - if so and you're still in the same situation, then it will be the desktop support folks at that point.

user48838
  • I've been back and forth with the I.T. person for two days and have provided output from tcpdumps, netstat, ifconfig, etc. He has been working with me to try and solve the problem. – Lauren Jul 28 '10 at 19:34
  • ifconfig before the VPN is up versus ifconfig when the VPN is running (same with "route" too)? If so and if it is not against your company's policies, then you might consider posting them here too for a few more sets of "eyeballs..." – user48838 Jul 28 '10 at 20:24
  • Good idea. I'll add this information to the question. – Lauren Jul 28 '10 at 20:43
  • What is 192.168.223.237 from your WireShark capture? Is that your home or your company's network IP plan? – user48838 Jul 28 '10 at 21:37
  • The company's IP plan. – Lauren Jul 28 '10 at 22:17
  • Then the VPN is most likely up and running. There may be a chance that your VPN Account/Profile is blocking specific/incorrect applications and/or ports. There is also a chance that the web browser has been set up for proxy auto-detect and is getting this mixed up or wrong (try disabling auto-detect and possibly setting it to "none"). – user48838 Jul 28 '10 at 23:23
  • Yes, I have no problems connecting to the VPN and even once connected, I can ping, telnet, traceroute, etc. The settings under Proxies (in System Preferences > Network) don't indicate that anything proxy-related is enabled. – Lauren Jul 29 '10 at 00:29
  • Have you verified that your company does NOT require a proxy for web access through the VPN/across the internal network? Are you using a company computer or is it your personal system? – user48838 Jul 29 '10 at 01:18
0

The I.T. person in charge of the VPN suggested:

sudo ifconfig cscotun0 mtu 1200

And it worked!

Thank you to everyone who made suggestions---I got a crash course on networking in the last two days!

Lauren
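As an added illustration of Phi's handshake check and of why the MTU change in the last answer worked (example code written for this page, not from any of the original posts), here is a small Python analyser that walks tcpdump-style output and reports whether the handshake completed, the largest segment delivered in each direction, and any sequence gaps: small packets (ping, ssh, telnet, the request itself) pass while full-size segments vanish, which is the classic PMTUD black-hole signature. The sample capture, ports, sequence numbers and timings are constructed; only the two IP addresses come from the thread.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not the original capture), as `tcpdump -nn -S` prints them:
# the client on the tunnel fetches http://www.google.com/. The handshake and the 300-byte
# request get through, but the server's first full-size segment (seq 5001:6449, 1448 bytes)
# never arrives; only the 500-byte segment after it does, so the client sends a duplicate ACK.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 192.168.223.237.49152 > 72.14.204.147.80: Flags [S], seq 1000, win 65535, length 0
12:00:00.040100 IP 72.14.204.147.80 > 192.168.223.237.49152: Flags [S.], seq 5000, ack 1001, win 5840, length 0
12:00:00.040200 IP 192.168.223.237.49152 > 72.14.204.147.80: Flags [.], ack 5001, win 65535, length 0
12:00:00.040300 IP 192.168.223.237.49152 > 72.14.204.147.80: Flags [P.], seq 1001:1301, ack 5001, win 65535, length 300
12:00:00.080300 IP 72.14.204.147.80 > 192.168.223.237.49152: Flags [.], ack 1301, win 5840, length 0
12:00:00.080500 IP 72.14.204.147.80 > 192.168.223.237.49152: Flags [P.], seq 6449:6949, ack 1301, win 5840, length 500
12:00:00.080600 IP 192.168.223.237.49152 > 72.14.204.147.80: Flags [.], ack 5001, win 65535, length 0
"""
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+\.\d+) > (?P<dst>[\d.]+\.\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?(?:, ack (?P<ack>\d+))?.*length (?P<len>\d+)")

def analyse(capture):
    # Per direction (src, dst): next expected byte, largest delivered segment, gaps, dup ACKs.
    expect, largest, gaps, dupacks, last_ack, seen = {}, defaultdict(int), [], defaultdict(int), {}, set()
    for m in LINE_RE.finditer(capture):
        d, flags, length = (m["src"], m["dst"]), m["flags"], int(m["len"])
        if "S" in flags and m["seq"]:            # SYN / SYN-ACK: next expected byte is seq + 1
            seen.add("synack" if "." in flags else "syn")
            expect[d] = int(m["seq"]) + 1
        elif length == 0 and m["ack"]:           # pure ACK: third handshake packet, or a dup ACK
            if {"syn", "synack"} <= seen:
                seen.add("ack")
            if last_ack.get(d) == m["ack"]:
                dupacks[d] += 1
            last_ack[d] = m["ack"]
        if length:                               # data starting beyond the expected byte = a gap
            if d in expect and int(m["seq"]) > expect[d]:
                gaps.append((d, int(m["seq"]) - expect[d]))
            expect[d] = max(expect.get(d, 0), int(m["end"]))
            largest[d] = max(largest[d], length)
    return {"handshake": "ack" in seen, "largest": dict(largest), "gaps": gaps, "dupacks": dict(dupacks)}

def diagnose(stats, full_segment=1000):
    # Map the stats onto the symptom in the question: handshake fine, large data never arrives.
    if not stats["handshake"]:
        return "handshake incomplete: routing or filtering problem before any HTTP is sent"
    big_gaps = [g for _, g in stats["gaps"] if g >= full_segment]
    if big_gaps and max(stats["largest"].values(), default=0) < min(big_gaps):
        return ("handshake ok but %d-byte segments never arrive while smaller ones do: "
                "consistent with an MTU/PMTUD black hole on the tunnel; try a lower tunnel MTU" % max(big_gaps))
    return "handshake ok and no large sequence gaps: look for a proxy or an application-level block"
```

Run it on a real `tcpdump -nn -S -i cscotun0` capture by passing the text to `analyse()`; a gap of roughly one full-size segment with only smaller segments delivered points at the tunnel MTU rather than a proxy.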