Old 04-10-2005, 09:56 PM   #1
LinuxOnly
Member
 
Registered: Jan 2004
Distribution: Kubuntu / Xubuntu
Posts: 40

Rep: Reputation: 0
VPN on RH9 goes one way only


My setup:
Nortel Netlock VPN for connecting to my employer's internal network from home, installed on RedHat 9, Uname -a: Linux ghome 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux.
It had been working for a couple of years without trouble. Recently I did some experiments with a 2nd network card, and also edited some of the networking setup files, without documenting my changes (OK, call me an idiot). I am now back to the original hardware with NIC on the motherboard.
Uname -a: Linux ghome 2.4.20-8 #1 Thu Mar 13 17:18:24 EST 2003 i686 athlon i386 GNU/Linux

The symptoms ever since the experiment:
I can start up and close down the VPN to my employer's network OK.
When connected:
I can telnet to my work computer.
I can ftp to my work computer, and I can put files there, but when I try to get files or even just do a 'dir', it hangs forever.
I can connect to a VNCserver I have running at work, but after opening the window it hangs without ever painting any content. (I checked at work that there is a window manager and a shell window running on the VNCserver.)
The VPN logfile shows what looks like regular connection setup and shutdown messages.

I have no firewall on this machine. Modules iptable_filter and ip_tables are loaded but there is no /etc/sysconfig/iptables and looking at /etc/rc.d/init.d/iptables that should mean it does nothing at all.

What could make the connection "one-way"? (Note it is one-way only for certain kinds of traffic since during telnet I have no trouble seeing what I am typing and the results of e.g. 'ls').

I think I somehow created an inconsistent networking or maybe authorization setup, but where should I look for inconsistencies?

Thank you for any help.
 
Old 04-11-2005, 07:29 PM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
It would appear that your company has ports firewalled such that only the minimum ports required are open.
 
Old 04-11-2005, 10:47 PM   #3
LinuxOnly
Member
 
Registered: Jan 2004
Distribution: Kubuntu / Xubuntu
Posts: 40

Original Poster
Rep: Reputation: 0
But I think once I am on the VPN, all firewalling is over, at least on the company side. Otherwise a thousand other VPN users would scream also. If the company makes any changes that impact VPN users, they are quite good about telling us. I really think it is something that I fouled up on my end - but what?

Thanks for thinking about it.
 
Old 04-11-2005, 10:56 PM   #4
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
use
ifconfig -a

and netstat -r

to check your network routing and make sure you didn't set your other ethernet card to the same subnet as your work subnet.
 
Old 04-14-2005, 12:24 AM   #5
LinuxOnly
Member
 
Registered: Jan 2004
Distribution: Kubuntu / Xubuntu
Posts: 40

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Jerre Cope
use
ifconfig -a

and netstat -r

to check your network routing and make sure you didn't set your other ethernet card to the same subnet as your work subnet.
OK, I have only one network "card" left in the system, namely the motherboard NIC.
Here is the output of ifconfig -a (with addresses disguised for security):
# fresh after boot
eth0      Link encap:Ethernet HWaddr hh:hh:hh:hh:hh:hh
          inet addr:xxx.xxx.xxx.3 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:47638 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15321 errors:26 dropped:0 overruns:0 carrier:26
          collisions:12922 txqueuelen:100
          RX bytes:58809836 (56.0 Mb) TX bytes:2727048 (2.6 Mb)
          Interrupt:11 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26151 (25.5 Kb) TX bytes:26151 (25.5 Kb)

# VPN connected
eth0      Link encap:Ethernet HWaddr hh:hh:hh:hh:hh:hh
          inet addr:xxx.xxx.xxx.3 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:48531 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15527 errors:26 dropped:0 overruns:0 carrier:26
          collisions:13208 txqueuelen:100
          RX bytes:60025336 (57.2 Mb) TX bytes:2758236 (2.6 Mb)
          Interrupt:11 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:93962 (91.7 Kb) TX bytes:93962 (91.7 Kb)

nlv0      Link encap:Ethernet HWaddr 00:00:00:00:00:00
          inet addr:yyy.yyy.yyy.112 Bcast:yyy.yyy.yyy.255 Mask:255.255.255.0
          UP BROADCAST RUNNING NOARP MULTICAST MTU:1438 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

And here the output of netstat -r:
# netstat-r fresh after boot, before loading VPN kernel module
Kernel IP routing table
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
xxx.xxx.xxx.0    *                255.255.255.0    U     0   0      0    eth0
yyy.yyy.0.0      *                255.255.0.0      U     0   0      0    eth0
127.0.0.0        *                255.0.0.0        U     0   0      0    lo
default          homeportal       0.0.0.0          UG    0   0      0    eth0

# netstat-r right after connecting the VPN
Kernel IP routing table
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
scs............  scs1..........s  255.255.255.255  UGH   0   0      0    nlv0
scs............  homeportal       255.255.255.255  UGH   0   0      0    eth0
scs1..........s  localhost        255.255.255.255  UGH   0   0      0    lo
homeportal       ghome            255.255.255.255  UGH   0   0      0    eth0
xxx.xxx.xxx.0    scs1..........s  255.255.255.0    UG    0   0      0    nlv0
xxx.xxx.xxx.0    *                255.255.255.0    U     0   0      0    eth0
yyy.yyy.0.0      scs1..........s  255.255.0.0      UG    0   0      0    nlv0
yyy.yyy.0.0      *                255.255.0.0      U     0   0      0    eth0
127.0.0.0        *                255.0.0.0        U     0   0      0    lo
default          scs1..........s  0.0.0.0          UG    0   0      0    nlv0
default          homeportal       0.0.0.0          UG    0   0      0    eth0

I see nothing wrong with either of them, do you?
"ghome" is my PC, "homeportal" is my DSL modem/router, the two "scs..." machines are my employer's.

Thanks a lot for thinking about this.
 
Old 04-14-2005, 09:57 PM   #6
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
I'm about out of gas. The yyy line troubles me. I don't have that extra line or mask on my Slackware or SUSE machines.


yyy.yyy.0.0 * 255.255.0.0 U 0 0 0 eth0
Quote:
Mine look more like:

Destination      Gateway          Genmask          Flags MSS Window irtt Iface
192.168.99.0     *                255.255.255.0    U     0   0      0    eth0
loopback         *                255.0.0.0        U     0   0      0    lo
default          myrouter         0.0.0.0          UG    0   0      0    eth0
Where loopback is the same as your 127.0.0

Maybe recreate your network using your RH tools.
 
Old 04-14-2005, 11:32 PM   #7
LinuxOnly
Member
 
Registered: Jan 2004
Distribution: Kubuntu / Xubuntu
Posts: 40

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Jerre Cope
I'm about out of gas. The yyy line troubles me. I don't have that extra line or mask on my Slackware or SUSE machines.


yyy.yyy.0.0 * 255.255.0.0 U 0 0 0 eth0

The yyy is really 169.254.0.0 - no idea what it is.

Where loopback is the same as your 127.0.0

Maybe recreate your network using your RH tools.
I was afraid you'd say that, but it is getting down to that, isn't it.

The yyy is really 169.254.0.0 - no idea what it is.

Thank you very much.
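
Added example, not part of any post in this thread: a shell function that automates the routing check suggested in post #4 by reading `netstat -rn` output and listing every destination/mask reachable through more than one interface, plus any route in the IPv4 link-local range 169.254.0.0/16. The function names and the sample table are constructed for illustration (documentation and private addresses, not the poster's), and the findings are items to review, not proof of a fault, since a VPN client may add overlapping routes on purpose.

```shell
#!/bin/sh
# Constructed sample in `netstat -rn` format (numeric, so host names do not
# hide addresses). Addresses are placeholders, not taken from the thread.
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.0.2.0       10.9.9.1        255.255.255.0   UG        0 0          0 nlv0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.9.9.1        0.0.0.0         UG        0 0          0 nlv0
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
EOF
}

# Reads a `netstat -rn` table on stdin and prints one finding per line:
#   MULTI <dest>/<mask> via <ifaces>     same route present on several interfaces
#   LINKLOCAL <dest>/<mask> on <iface>   route inside 169.254.0.0/16
audit_routes() {
    awk '
    # Route rows start with a dotted quad and have exactly 8 columns;
    # the two header lines fail this test and are skipped.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF == 8 {
        key = $1 "/" $3
        if (!(key in ifaces)) { order[++n] = key; ifaces[key] = $8 }
        else if (index(" " ifaces[key] " ", " " $8 " ") == 0)
            ifaces[key] = ifaces[key] " " $8
        if ($1 ~ /^169\.254\./) linklocal[key] = $8
    }
    END {
        # Report in the order the routes first appeared in the table.
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (index(ifaces[k], " ") > 0)
                print "MULTI " k " via " ifaces[k]
            if (k in linklocal)
                print "LINKLOCAL " k " on " linklocal[k]
        }
    }'
}

# On a live system: netstat -rn | audit_routes
sample_routes | audit_routes
```

Running it once before and once after the VPN connects, then comparing the two reports, shows which overlaps the VPN client introduces and which were already in the local configuration.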
 
  

