KB40124 - Unable to establish a connection to the destination server through the VPN Tunnel.

This article describes an issue and solution when Network Connect VPN users are unable to establish a connection an allowed destination server.

When this issue occurs, a Windows client machine will be unable to establish any network connections (including ping) to a particular destination IP address. Flushing the Address Resolution Protocol (ARP) cache may temporarily resolve this problem.You may flush the ARP cache by running the following command:

netsh interface ip delete arpcahe

You may be observe a "General failure" reply from ICMP (ping) to the destination server.

Example:

This problem occurs when the TCP/IP driver on the Windows client machine incorrectly selects the loopback IP address (127.0.0.1) as the best physical interface for the destination services. See https://support.microsoft.com/en-us/kb/2920546 and https://support.microsoft.com/en-us/kb/2902819 for more information.

For VPN tunneling to communicate, the following ports must be open:

• UDP port 4242 on loopback address
• TCP port 443
• If using ESP mode, the UDP port configured on the device ( default is UDP 4500).

The VPN tunneling option provides secure, SSL-based network-level remote access to all enterprise application resources using the device over port 443. Port 4242 is used for IPC communication between the VPN tunneling service and the VPN tunnel executable on the client PC. 

Please download and install the hotfix for your Windows version which is available from Microsoft Support. 

Windows 8
https://support.microsoft.com/en-us/kb/2902819

Windows 8.1
https://support.microsoft.com/en-us/kb/2920546