All users have access to a subnet (A) through a traffic rule associated with a group. I added another traffic rule to allow a user access to an additional internal subnet (B). This worked, and the user was able to gain access to the new subnet over VPN. This was also reflected in the NRM "Real Time Monitor", where the two subnets were displayed on the user connection.

Then I realised that I didn't want this user to have access to subnet (A), but only subnet (B). So I created a traffic rule (C) denying the user access to subnet (A).

After adding this deny rule (C), I was unable to connect (as the user). So I removed this rule. However the user was still unable to connect.

So I deleted rule B (restoring the original config) and then tried to add another "Allow" rule (D) to the new subnet.

I am unable to login if the user/group/"All users" are associated with the new Allow rule (D). The VPN Client does not complete the login, it hangs on authenticating and negotiating.

Without the association with the new rule, it works!

The new rule can be in any position in the list, the rule can contain "Destination" of either a subnet or an IP range. The same behaviour happens if other users are associated with the new rule.

I have seen TID 10097500 6/3/06 (VPN server stops assigning object based traffic rules to VPN clients after a couple of minutes uptime), which identifies a similar error - so in response to this I installed BM3.8sp4. The behaviour is still the same.

No error is evident in the Audit log; I still see "Nmas user check authentication and traffic rule" during login, followed by no error.

NW6.5sp3 (single server tree)
VPN client 3.8.9
TCPIP.NLM v6.67.10 29 Nov 2004

Any help or suggestions are greatly appreciated.