Fail to establish secure connection to PIX 501

Discussion in 'Cisco' started by Ian Easson, Jul 8, 2003.

    Ian Easson (Guest)

    I have a LAN protected by a PIX 501. Our VPN has been working fine for
    time. However, we just set up a new remote office, connected to the
    internet via DSL. The remote office has *no* problem with internet access.

    However, when we try and connect the PC at the remote site to the VPN box --
    the whole purpose of the exercise -- the Cisco VPN client responds with the
    error message "Failed establish a secure connection to the security gateway".
    I have tried various things with the router configuration, but none of them
    help. So it may be a problem with the configuration of the Cisco VPN Client
    software or more likely with Windows.

    The connection is: PC running Windows XP & Cisco VPN Client 3.6 connected
    to Linksys DSL router connected to DSL modem (over PPPoE), which reaches over
    the internet to the PIX box.

    The Client software configuration is like:

    - Enable transparent tunneling
    - Allow IP Sec over UDP
    - Allow LAN access
    - Peer response timeout:90
    - Stateful firewall (always on)

    Some of the Windows services that are running are:

    - DNS client services
    - DHCP services
    - Cisco's VPN service
    - Network connections
    - Remote Access Connection Manager

    Some of the Windows services that are *not* running are:

    - IPSEC services
    - Application gateway layer service
    - Remote Access Auto Configuration Manager
    - Routing and Remote Access

    I just noticed that in the Event Log there are Information Alerts that "The
    Security System could not establish a secured connection with the server
    DNS/ No authentication protocol was available." This has nothing to do with
    the PIX box or VPN, so it points at a Windows configuration problem. There
    are also events dealing with DHCP semaphore

    Does anyone have any idea what is happening and what I can do to get this

    Ian Easson, Jul 8, 2003

    My guess is that the new remote office has a problem with one of:

    - IKE (UDP port 500)
    - protocol ESP
    - UDP port 4500 (it isn't clear if you are actually using NAT-T in your Pix or not)

    You should put the VPN client's log on and study the output when
    the client tries to establish the VPN connection. If the VPN client
    starts resending and eventually times out because it gets no answer,
    then it is a clear sign of blocked protocols/ports.
    Jyri Korhonen, Jul 8, 2003
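As an added illustration of the "resending with no answer" check in the reply above (example code, not from the thread or from Cisco): a small log analyzer that counts sends and replies per VPN leg and flags the legs that never get answered. The log layout and the two sample logs are constructed for this example; the Cisco VPN Client's real log format differs.

```python
"""Check a VPN client log for the 'keeps resending, never answered' pattern
from the reply above. The log layout is constructed for this example; it is
not the Cisco VPN Client's real log format."""
import re
from collections import defaultdict

# Constructed sample 1: IKE on UDP/500 is retransmitted and never answered.
LOG_IKE_BLOCKED = """\
12:00:01 SEND udp/500 dst=203.0.113.10 IKE MM_I1
12:00:06 SEND udp/500 dst=203.0.113.10 IKE MM_I1 retransmit 1
12:00:11 SEND udp/500 dst=203.0.113.10 IKE MM_I1 retransmit 2
12:00:16 TIMEOUT udp/500 dst=203.0.113.10 no response from peer
"""
# Constructed sample 2: IKE completes, but ESP packets get no reply
# (typical when a NAT device drops ESP and NAT-T/UDP 4500 is not in use).
LOG_ESP_BLOCKED = """\
12:00:01 SEND udp/500 dst=203.0.113.10 IKE MM_I1
12:00:01 RECV udp/500 src=203.0.113.10 IKE MM_R1
12:00:03 SEND esp dst=203.0.113.10 spi=0x1a2b3c4d
12:00:08 SEND esp dst=203.0.113.10 spi=0x1a2b3c4d
12:00:13 SEND esp dst=203.0.113.10 spi=0x1a2b3c4d
12:00:18 TIMEOUT esp dst=203.0.113.10 no response from peer
"""

LINE_RE = re.compile(r"^\S+ (SEND|RECV|TIMEOUT) (udp/500|udp/4500|esp) ")
# Each leg the reply lists must get through the remote office's DSL path.
HINTS = {
    "udp/500": "IKE (UDP 500) is filtered on the path",
    "udp/4500": "NAT-T (UDP 4500) is filtered on the path",
    "esp": "ESP is dropped; check whether NAT-T is enabled on the PIX",
}

def summarize(log_text):
    """Count SEND/RECV/TIMEOUT events per leg (udp/500, udp/4500, esp)."""
    stats = defaultdict(lambda: {"send": 0, "recv": 0, "timeout": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated lines are ignored
            stats[m.group(2)][m.group(1).lower()] += 1
    return dict(stats)

def suspected_blocked(log_text, min_sends=3):
    """Legs sent repeatedly with no reply at all: the blocked-port sign."""
    counts = summarize(log_text)
    return sorted(leg for leg, c in counts.items()
                  if c["send"] >= min_sends and c["recv"] == 0)

def diagnose(log_text):
    """Map each suspected leg to the corresponding hint."""
    return {leg: HINTS[leg] for leg in suspected_blocked(log_text)}
```

Running `diagnose()` over a real client log requires only adapting `LINE_RE` to that log's line layout.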