I always use ASA5505s. I never had this problem with Solaris 10 & 11, but those run on Sun hardware. I also have Solaris 10 on an old HP DL340 with bge's, also without problems. And OI 1.57 on VMware, also without the problems you describe. I use the Cisco VPN Windows client.
Is your Cisco the default gateway for your servers? Otherwise I think OI sees a packet coming in from (for example) 172.18.12.12, which is your VPN IP address; it then can't figure out where to reply to, and the messages start bouncing around???

On 5 Feb 2013 at 02:34, "Edward Ned Harvey (openindiana)" <openindi...@nedharvey.com> wrote:

>> From: Edward Ned Harvey (openindiana)
>> [mailto:openindi...@nedharvey.com]
>>
>> I am having a really hard time coming up with a plausible explanation for
>> this, other than some kind of kernel bug with openindiana...
>
> Found a new clue, which is totally unbelievable, yet totally enlightening.
>
> The firewall is a cisco asa 5505. We have both anyconnect & ipsec vpn for
> mobile clients enabled. I tried them both, and got the same result for both
> (thinking maybe it was a problem with the vpn client.)
>
> My home firewall is a pfsense device. So today, I enabled point-to-point
> ipsec vpn between my home and work. Now I can sit at home with my laptop,
> use the laptop VPN client to connect direct to the failing OI hosts... Or I
> can disconnect my laptop vpn client, enable the firewall vpn, and then ssh to
> the failing OI machines.
>
> When I use the IPSec or Anyconnect VPN client, I have the problem. When I
> enable the site-to-site VPN, I don't have the problem.
>
> So I've reached two conclusions:
>
> -1- The problem is related to the Cisco ASA firewall, and mobile VPN
> connectivity.
> -2- The problem is related to OpenIndiana. (No problems connecting to other
> ssh/vnc systems in the office, linux, mac, or windows.)
>
> I have not yet tried using a mac/linux VPN client. Might learn something
> there too.
>
> I don't know why there would be a bad interaction between the OI machines and
> the Cisco ASA. But there is. I think I'll probably try to lay it on Cisco
> support next. They'll probably tell me to upgrade IOS. Even though this is
> a relatively current stable version ... the most stable latest bugfix version
> of the almost-latest line, last July. The one they recommended as "the most
> stable one we're recommending for now."
>
> _______________________________________________
> OpenIndiana-discuss mailing list
> OpenIndiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss