Just to report it, the 2.6.8-1.521 kernel breaks the Cisco VPN client in a very odd way.
The current network configuration of the laptop I'm using is a wireless network card and a normal network card (wirefull).
The funny thing is that when I start the client on the wireless interface, everything is fine, and everything works as it's supposed to. If I then shift to the wire, UDP packages suddenly aren't coming through, but tcp connections work fine. That is, no name server resolution, but I'm able to ping and access sites with the ip.
I know that the vpn client is Cisco's responsibility, but I thought I would mention it to you, in case that it points to something gone bad in the kernel. I have tried to do the same exercises with the -358 kernel that ships with Fedora, and everything works in this kernel.
I hope this is of some use (And that a fix can be made :)
Regards /kbn
---- Ouuh... Everybody here has a six-pack, but all I've got is a keg... -Homer Simpson
On Tue, 2004-08-31 at 11:32, Kim B. Nielsen wrote:
> Just to report it, the 2.6.8-1.521 kernel breaks the Cisco VPN client in a very odd way.
> The current network configuration of the laptop I'm using is a wireless network card and a normal network card (wirefull).
> The funny thing is that when I start the client on the wireless interface, everything is fine, and everything works as it's supposed to. If I then shift to the wire, UDP packages suddenly aren't coming through, but tcp connections work fine. That is, no name server resolution, but I'm able to ping and access sites with the ip.
> I know that the vpn client is Cisco's responsibility, but I thought I would mention it to you, in case that it points to something gone bad in the kernel. I have tried to do the same exercises with the -358 kernel that ships with Fedora, and everything works in this kernel.
> I hope this is of some use (And that a fix can be made :)
> Regards /kbn
Kim,
I'm not familiar with the newer VPN clients, but does it need recompiling to support the latest kernel? Also, does anything show up in /var/log/messages?
Bob...
Hi...
Yes, it does need to recompile, but this is taken care of in the installation of the vpn client. And when you upgrade the kernel, you just need to run the installation again. And the kernel module works fine when the wireless connection is used, and on tcp traffic in the wirefull, but not udp traffic on the wirefull...
And nothing shows up in the /var/log/messages....
/kbn
On Tue, 2004-08-31 at 12:44, Kim B. Nielsen wrote:
> Hi...
> Yes, it does need to recompile, but this is taken care of in the installation of the vpn client. And when you upgrade the kernel, you just need to run the installation again. And the kernel module works fine when the wireless connection is used, and on tcp traffic in the wirefull, but not udp traffic on the wirefull...
> And nothing shows up in the /var/log/messages....
> /kbn
Kim,
What about firewall rules? Do any apply to the wirefull and not the wireless interface? I don't see this changing between kernel releases, but maybe something broken got fixed, or vice versa.
Bob...
Bob,
I've tried to disable the firewall, and the problem persists....
And the firewall rules were the same as fedora came loaded with in the first place, with port 22 (ssh) enabled for inbound connections (configured during installation), and nothing else.
I also find this quite odd, but I just wanted to point out a possible problem...
/kbn
--On Tuesday, August 31, 2004 5:32 PM +0200 "Kim B. Nielsen" kbn@daimi.au.dk wrote:
> Just to report it, the 2.6.8-1.521 kernel breaks the Cisco VPN client in a very odd way.
Have you tried the open source alternative, vpnc?
I'm also using the Cisco VPN client here at Sun, to connect my laptop from home, but I'm not having the problem, for me things are working correctly with the 521 kernel, at least on the wire (never quite worked with the wireless card though). Though I mainly use ssh, dns resolutions certainly work...
-denis
-- fedora-devel-list mailing list fedora-devel-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-devel-list
That's odd...
I've experienced my behaviour on two different laptops now. For some reason, the wireless has worked perfectly in both cases, but not the wire... The laptops are from two different manufacturers (Dell and IBM). So somehow I don't think it's a unique problem related to one specific laptop or network card.
/kbn
On Tue, 2004-08-31 at 13:34, Kim B. Nielsen wrote:
> That's odd...
> I've experienced my behaviour on two different laptops now. For some reason, the wireless has worked perfectly in both cases, but not the wire... The laptops are from two different manufacturers (Dell and IBM). So somehow I don't think it's a unique problem related to one specific laptop or network card.
> /kbn
Kim,
Was the 521 kernel the first one to fail? Also, what type of hardware are your two interfaces? Does the wired interface work correctly on your local LAN without the VPN? Which Cisco client are you using?
Lots of questions and no real answers, sorry.
This might be a long shot, but try running ethereal while in the VPN tunnel and look for errors associated with the UDP packets.
Bob...
No, there was a kernel I tried on the first laptop I experienced the problem on (Not this one), but I can't recall the kernel number and I cannot get in touch with the user who has the laptop right now.
The laptop I'm trying now, is an IBM R51, with a gigabit ethernet port (Intel I think) and an Intel Pro/2100 Wireless adapter. The network on the wired interface works without problems when vpn is off. The laptop is Centrino certified if that helps any.
I'm not at work right now, so I can't perform the ethereal test right now, but I will tomorrow...
The cisco vpn client is version 4.0.4.B-k9. On the first laptop we tried the latest Cisco client, and that doesn't work either.
Kim
On Tue, 31 Aug 2004 17:32:47 +0200, Kim B. Nielsen kbn@daimi.au.dk wrote:
> Just to report it, the 2.6.8-1.521 kernel breaks the Cisco VPN client in a very odd way.
> The current network configuration of the laptop I'm using is a wireless network card and a normal network card (wirefull).
> The funny thing is that when I start the client on the wireless interface, everything is fine, and everything works as it's supposed to. If I then shift to the wire, UDP packages suddenly aren't coming through, but tcp connections work fine. That is, no name server resolution, but I'm able to ping and access sites with the ip.
> I know that the vpn client is Cisco's responsibility, but I thought I would mention it to you, in case that it points to something gone bad in the kernel. I have tried to do the same exercises with the -358 kernel that ships with Fedora, and everything works in this kernel.
Known problem with the Cisco VPN Client and 2.6.x kernels. It is already in Bugzilla (sorry, I cannot remember the number) and Cisco are aware of the problem. The problem is in the Cisco binary module, so only they can fix it (and I believe they are working on it).
The workaround, as you already discovered, is to use a wireless connection...
Keith.
> If I then shift to the wire, UDP packages suddenly aren't coming through but tcp connections work fine. That is, no name server resolution, but I'm able to ping and access sites with the ip.
Since you're running 4.0.4B you might want to upgrade to 4.6.00.0045 (released August 25, 2004), which fixes "The Linux VPN Client does not work with DNS requests and SMTP." (CSCee27420)
The workaround for 4.0.3, 4.0.4 and 4.0.5 is to use a split-tunnel setup instead of tunneling everything and making sure the name servers are positioned outside the ranges set up as being tunneled. This of course will not work if your internal network consists of private address space and your external name servers do not return the correct answers for RFC 1918 address space queries. :) Yet another reason why NAT is evil. ;-)
// kaj
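A check for the split-tunnel workaround described in the message above, as an added example that is not part of the original thread or of any Cisco tooling: it reports which configured name servers fall inside the tunneled ranges and which tunneled ranges are RFC 1918 space. The function names, the sample ranges and the sample resolv.conf text are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private address space (IPv4 only; this sketch ignores IPv6).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';' and never match 'nameserver'.
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers

def check_split_tunnel(tunneled_ranges, resolv_conf_text):
    """Classify name servers against the tunneled ranges (hypothetical helper)."""
    nets = [ipaddress.ip_network(r) for r in tunneled_ranges]
    inside, outside = [], []
    for ns in parse_nameservers(resolv_conf_text):
        hit = next((n for n in nets if ns in n), None)
        if hit is None:
            outside.append(str(ns))
        else:
            inside.append((str(ns), str(hit)))
    return {
        # Resolvers whose queries would travel through the tunnel.
        "inside_tunnel": inside,
        "outside_tunnel": outside,
        # The workaround needs every resolver outside the tunneled ranges.
        "workaround_applies": bool(outside) and not inside,
        # Private tunneled space: external resolvers may not answer for it.
        "private_tunneled": [str(n) for n in nets
                             if any(n.overlaps(p) for p in RFC1918)],
    }

# Constructed sample input (documentation and private addresses only).
SAMPLE_RANGES = ["10.20.0.0/16", "198.51.100.0/24"]
SAMPLE_RESOLV = """# constructed sample
search corp.example
nameserver 10.20.0.53
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    for key, value in check_split_tunnel(SAMPLE_RANGES, SAMPLE_RESOLV).items():
        print(key, value)
```
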
devel@lists.stg.fedoraproject.org