Thread: CISCO VPN on Windows 7 64bit Shorten URL

I am using the following:

CISCO 2811 router.
Windows 7 64bit
CISCO Client 5.0.07.0440 64bit
HP Probook 4530s - 4 GB ram; Core i5

The issue is we recently purcahsed new laptops for our inspectors. They where running Windows XP 32 bit with CISCO Client 5.0.01 and every thing worked fine. When I upgraded them to the new laptops I am having issues with the VPN.

The symptom is that the VPN connects ok and you can download files from the servers ok but when you try to up load a file that is larger than 80 KB it hangs on "Discovering Items..." then times out.

What I have tried is:

I hooked one of the laptops into the LAN and connect the VPN and the uploads work fine.

I setup a SoHo router in our DMZ and hook the laptop to it and I have the problem my users are having at home as described above.

Tryed truning off all Windows Fire Walls. -> Fails on upload.

Tryed stopping the "Indexing Service". -> Fails on upload.

Updated the CISCO client to the latest version. -> Fails on upload.

Removed Anti-Virus. -> Fails on upload.

Used IP addresses in place of FQDN. -> Fails on upload.

We have other Windows VIST 32bit computers and they do not have these problems with their VPN. These are our first 64bit computers. I really do not want to down grade to Windows 7 32bit.

I can make the running config available upon request but I doubt that is the issue being that our other computers are working fine but if there is something I need to do with the tunnel to get around this issue, I am game.

Any help on this would help a lot. I have already spent a day on this issue.

Hello,

Thanks for visiting our forums -

I think your issue might be the Windows 7 and Vista Window Auto-tuning Feature...It is known to cause lag and timeout issues....

Windows 7 and Vista support a feature called "Receive Window Auto-Tuning" that continually adjusts the receive Windows size, based upon the changing network conditions.

Some people reported that auto-tuning causes network timeout problems with some applications and routers. If you have experienced such problems, you can turn it off using the following procedure:

Step 1 Open an elevated command prompt.

Step 2 Enter the following command to disable auto-tuning:

Code:

netsh interface tcp set global autotuninglevel=disabled

If this solution does not fix the problem, you can turn it back on, as follows:

Step 1 Open up an elevated command prompt.

Step 2 Enter the following command to enable auto-tuning

Code:

netsh interface tcp set global autotuninglevel=normal

To view the states of the TCP global parameters, use the following command:

Code:

netsh interface tcp show global

If this doesn't work, let me know I have another idea also that I'm looking into atm...

No that did not solve the problem. It could be a Windows issue but the more I think about it it could also be something I can fix in the CISCO firewall because every thing works fine on the private side when I do a VPN.

It sounds like an ACL issue in the firewall..

While connected to the VPN, are you able to ping the server and get a response at all ?

Yes.

When connected I can:

Ping Server by IP
Ping Server by FQDN
Download Files from the servers
Map drives to the server

I can not:

Upload files larger than 80 KB

I am currently trying to disable IPS in the router thinking that packet inspection might be the cause. I just don't under stand why the other computers are not having the problem with uploading files just these new laptops. I am going to put the newest CISCO client on an XP computer and see if it is the client.

These kinds of problem drive me nuts. Makes me feel like an idiot.

Here are my ACLs from my running config:

ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended Gateway
remark Gateway
remark SDM_ACL Category=1
remark Gateway
permit ip host 159.***.***.*** any
ip access-list extended Phoenix
remark Share
remark SDM_ACL Category=4
permit ip any 10.100.0.0 0.0.255.255
ip access-list extended WEB
remark WEB Filters
remark SDM_ACL Category=1
remark WinMX
deny ip host 66.240.163.19 any
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.100.100.0 0.0.0.255
access-list 2 remark Java
access-list 2 remark SDM_ACL Category=1
access-list 2 remark Any
access-list 2 permit any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.100.100.0 0.0.0.255 host 10.100.100.2 eq www
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.100.0.0 0.0.255.255
access-list 101 permit udp any host 159.***.***.*** eq non500-isakmp
access-list 101 permit udp any host 159.***.***.*** eq isakmp
access-list 101 permit esp any host 159.***.***.***
access-list 101 permit ahp any host 159.***.***.***
access-list 101 deny ip 10.100.100.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny ip any any
access-list 101 deny icmp any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny tcp host 10.100.100.210 eq www any
access-list 102 deny ip 10.100.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 102 deny ip 10.100.102.0 0.0.0.255 10.100.200.0 0.0.0.255
access-list 102 deny ip any 10.100.200.0 0.0.0.255
access-list 102 permit ip 10.100.100.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.100.102.0 0.0.0.255 any
access-list 104 remark Local Internet
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 10.100.0.0 0.0.255.255 any
access-list 104 permit tcp 10.100.0.0 0.0.255.255 any
access-list 104 permit udp 10.100.0.0 0.0.255.255 any
access-list 104 permit icmp any any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.100.0.0 0.0.255.255 any
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip host 10.100.100.210 10.100.200.0 0.0.0.255
access-list 106 permit tcp host 10.100.100.210 eq www any
access-list 107 remark SDM_ACL Category=2
access-list 107 deny ip host 10.100.100.210 10.100.200.0 0.0.0.255
access-list 107 permit tcp host 10.100.100.210 eq www any
access-list 108 remark SDM_ACL Category=2
access-list 108 deny ip host 10.100.100.210 10.100.200.0 0.0.0.255
access-list 108 permit tcp host 10.100.100.210 eq www any
access-list 109 remark SDM_ACL Category=2
access-list 109 deny ip host 10.100.100.210 10.100.200.0 0.0.0.255
access-list 109 permit tcp host 10.100.100.210 eq www any
no cdp run
route-map SDM_RMAP_4 permit 1
match ip address 108
!
route-map SDM_RMAP_5 permit 1
match ip address 109
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 106
!
route-map SDM_RMAP_3 permit 1
match ip address 107

Just out of curiousity, did you happen to check the power savings features?

goto control panel, power options, change plan settings, change advanced settings, wireless adapter settings.... Make sure maximum performance is selected and not maximum power savings.

I would have never guessed that.

Thanks.

Jim

Did that fix your issue?

Originally Posted by JimFFlagg

I would have never guessed that.

Thanks.

Jim

GREAT, glad you've solved it.

Cheers !