VPN Client 4.0.3(f) to VPN 3030

Client configuration:
OS::Windows Server 2003

VPN:Cisco VPN 4.0.3(f)
Transport :Enable Transparent Tunneling
IPSec over TCP TCP Port: xxx

Note: No firewall software, MS Firewall disabled

My Connection:
ISDN: pipeline p130 router using nat and private IP for lan
-forwarding port xxx (using actual port not xxx)

Server:
Cisco VPN 3030 (per the admin)


I am unable to get VPN to work on my machine.
When I launch the client and connect, I get the login prompt. Next it
acts as though it is connected until I get the following error:

"Secure VPN Connectoin terminated by the Client. Reason 422: Lost
contact with the security gateway. Check you network connection"

The log shows numorous "AddRoute failed to add a route. code 87" and
"Failed to add Split Tunnel route" messages, until finally the last
two messages before getting the error are
"Adapter address changed from 10.150.252.12. Cureent address(es):
192.168.0.21" and "Failed to disable the virtual adapter"

I have seen many similar posts but no fixes. Does anyone out there
have any thoughts?

Let me know if additional info is needed.

Thanks in advance for the help.

 

Make sure you allow the IPSec port xxx access inbound to your system.

Don Woodward

 

The pipeline is configured to forward that port to my workstation with
the VPN client.

 

Try and forward the port for ESP also.

Here's the ports from "show xlate" my PIX is using...

PAT Global xx.xx.xx.xx(500) Local nt(500)
PAT Global xx.xx.xx.xx Local nt ESP

Don Woodward

 

1. Make sure the VPN Virtual adapter is enabled and configured for DHCP.
This is found under Network Neighborhood
2. Have the VPN admin look at live event log while you log in. This should
give you a little more insight
3. Have the VPN admin verify that the split tunnel list is associated to
your user ID.
3. Try uninstalling and reinstalling the client

Good luck,
John

 

What port does ESP run on? or is that configured by the admin?

Thanks again for all the help.

Fred

 

ESP doesn't run on an port--it is an IP protocol, like ICMP. ESP's protocol
number is 50.

Cheers!

 

On my PIX I use "fixup protocol esp-ike" to allow me to use the VPN client.

The PIX software docs say...

"The fixup protocol esp-ike command enables PAT for Encapsulating Security
Payload (ESP), single
tunnel."

"The fixup protocol esp-ike command is disabled by default. If a fixup
protocol esp-ike command is
issued, the fixup is turned on, and the firewall preserves the source port
of the Internet Key Exchange
(IKE) and creates a PAT translation for ESP traffic. Additionally, if the
esp-ike fixup is on, ISAKMP
cannot be turned on any interface."

Sombody else pointed out ESP is a protocol which I had forgot.

Don Woodward

 

http and ftp are protocols but if I want them to get though my router
to my server that serves those protocols, I have to forward them on
the port they are using.

So does that mean i should not have to worry about it?

Thanks agian!

Fred

 

John,
Thanks for the input.

1. I the adapter was configured to use ip 0.0.0.0, so I changed it to
DHCP. I then enabled the adapter and started the vpn client and
attempted to connect. It seemed to connect, I recieved the cisco
login promt. I then started outlook and recieved the domain login
prompt (I was getting excited.) Then boom same error : "Secure VPN
Connectoin terminated by the Client. Reason 422: Lost contact with the
security gateway. Check you network connection"
Again the last message was "Failed to disable the virtual adapter",
but looking in network properties for tha connectoid, I found it was
disabled.

2. We will try this when the admin has some free time. I run an
unsupported configuration (I am a developer, please don't hold that
against me), and he is in the middle of a big datacenter project so i
get to support myself.

3.

4. I uninstalled/Reinstalled and no dice.

 

Did not mean to send that, I am waiting on a reply from the admin.

Thanks

 

You aren't trying to VPN over satellite are you? If not, what are you using?

 

Ascend (lucent) Pipeline p130 router over 128k ISDN

 

It could be a couple of things. The first thing that came to mind before I
even knew that you were running ISDN was that your IKE keepalives were
timing out. In other words, the key exchange that happens at the beginning
of the session goes through, but the IKE keepalives that happen periodically
throughout the session aren't making it. After hearing that you are running
ISDN, this becomes more of a possibility. ISDN will sometimes require that
"interesting traffic" be flowing in order for the link to stay active. In
order to ensure that traffic is flowing, start a constant ping to a server
on the other end of the tunnel before you start VPN (yes, your pings will
not make it). Once you connect, the ICMP traffic may be enough to keep the
tunnel up. Give it a try and let me know what happens.

 

I keep my 2 channels nailed up all day, so the link should not be an
issue. I monitor the router and can see that the channels are up
during the entire process.

I went ahead and tried it out for Ss&Gs, but unfortunatley same thing.

?are the IKE keep alive packets being communicated on the port
specified in the configuration setting::
Or is that communication on a different port?

Thanks for the help!

 

BTW, one other thing - I didn't have much luck with Cisco VPN Client 4.0.3 -
I actually never could get it to work so I went back to 4.0.1 - that's what
I currently use - you might want to try 4.0.1.

As far as getting either to work - if you look at the capture from my PIX -
"IKE" goes out and comes in on port 500. Do you have the same port open
both ways? I believe you also want to allow the ESP protocol.

I used to run a Pipeline 50 a long time ago but didn't use the VPN client
then - it seems to me there was a way to open up a protocol like ESP
(protocol "50") - other protocols include IP which is protocol "0", TCP is
"6" and UDP is "17" - these are not ports numbers but protocol numbers. FTP
and HTTP are higher layer application protocols that run on TCP/IP. As you
can see ESP is at a lower level with IP, UDP, ICMP and TCP.

Don Woodward