VPN Client 4.0.3(f) to VPN 3030

Discussion in 'Cisco' started by Joe Shmoe, Apr 14, 2004.

  1. Joe Shmoe Guest

    Client configuration:
    OS::Windows Server 2003

    VPN:Cisco VPN 4.0.3(f)
    Transport :Enable Transparent Tunneling
    IPSec over TCP TCP Port: xxx

    Note: No firewall software, MS Firewall disabled

    My Connection:
    ISDN: pipeline p130 router using nat and private IP for lan
    -forwarding port xxx (using actual port not xxx)

    Server:
    Cisco VPN 3030 (per the admin)


    I am unable to get VPN to work on my machine.
    When I launch the client and connect, I get the login prompt. Next it
    acts as though it is connected until I get the following error:

    "Secure VPN Connection terminated by the Client. Reason 422: Lost
    contact with the security gateway. Check your network connection"

    The log shows numerous "AddRoute failed to add a route. code 87" and
    "Failed to add Split Tunnel route" messages, until finally the last
    two messages before getting the error are
    "Adapter address changed from 10.150.252.12. Current address(es):
    192.168.0.21" and "Failed to disable the virtual adapter"

    I have seen many similar posts but no fixes. Does anyone out there
    have any thoughts?

    Let me know if additional info is needed.

    Thanks in advance for the help.
     
    Joe Shmoe, Apr 14, 2004
    #1

  2. News Account Guest

    Make sure you allow the IPSec port xxx access inbound to your system.

    Don Woodward
     
    News Account, Apr 14, 2004
    #2

  3. Joe Shmoe Guest

    The pipeline is configured to forward that port to my workstation with
    the VPN client.
     
    Joe Shmoe, Apr 15, 2004
    #3
  4. News Account Guest

    Try and forward the port for ESP also.

    Here are the ports from "show xlate" my PIX is using...

    PAT Global xx.xx.xx.xx(500) Local nt(500)
    PAT Global xx.xx.xx.xx Local nt ESP

    Don Woodward
     
    News Account, Apr 15, 2004
    #4
  5. cisco_guru Guest

    1. Make sure the VPN Virtual adapter is enabled and configured for DHCP.
    This is found under Network Neighborhood
    2. Have the VPN admin look at live event log while you log in. This should
    give you a little more insight
    3. Have the VPN admin verify that the split tunnel list is associated to
    your user ID.
    4. Try uninstalling and reinstalling the client

    Good luck,
    John
     
    cisco_guru, Apr 15, 2004
    #5
  6. Joe Shmoe Guest

    What port does ESP run on? or is that configured by the admin?

    Thanks again for all the help.

    Fred
     
    Joe Shmoe, Apr 15, 2004
    #6
  7. Richard Deal Guest

    ESP doesn't run on a port--it is an IP protocol, like ICMP. ESP's protocol
    number is 50.

    Cheers!
     
    Richard Deal, Apr 15, 2004
    #7
  8. News Account Guest

    On my PIX I use "fixup protocol esp-ike" to allow me to use the VPN client.

    The PIX software docs say...

    "The fixup protocol esp-ike command enables PAT for Encapsulating Security
    Payload (ESP), single
    tunnel."

    "The fixup protocol esp-ike command is disabled by default. If a fixup
    protocol esp-ike command is
    issued, the fixup is turned on, and the firewall preserves the source port
    of the Internet Key Exchange
    (IKE) and creates a PAT translation for ESP traffic. Additionally, if the
    esp-ike fixup is on, ISAKMP
    cannot be turned on any interface."

    Somebody else pointed out ESP is a protocol, which I had forgotten.

    Don Woodward
     
    News Account, Apr 15, 2004
    #8
  9. Joe Shmoe Guest

    HTTP and FTP are protocols, but if I want them to get through my router
    to my server that serves those protocols, I have to forward them on
    the port they are using.

    So does that mean I should not have to worry about it?

    Thanks again!

    Fred
     
    Joe Shmoe, Apr 15, 2004
    #9
  10. Joe Shmoe Guest

    John,
    Thanks for the input.

    1. The adapter was configured to use IP 0.0.0.0, so I changed it to
    DHCP. I then enabled the adapter and started the VPN client and
    attempted to connect. It seemed to connect; I received the Cisco
    login prompt. I then started Outlook and received the domain login
    prompt (I was getting excited.) Then boom, same error: "Secure VPN
    Connection terminated by the Client. Reason 422: Lost contact with the
    security gateway. Check your network connection"
    Again the last message was "Failed to disable the virtual adapter",
    but looking in network properties for that connectoid, I found it was
    disabled.

    2. We will try this when the admin has some free time. I run an
    unsupported configuration (I am a developer, please don't hold that
    against me), and he is in the middle of a big datacenter project so i
    get to support myself.

    3.

    4. I uninstalled/Reinstalled and no dice.
     
    Joe Shmoe, Apr 15, 2004
    #10
  11. Joe Shmoe Guest

    Did not mean to send that, I am waiting on a reply from the admin.

    Thanks
     
    Joe Shmoe, Apr 15, 2004
    #11
  12. cisco_guru Guest

    You aren't trying to VPN over satellite are you? If not, what are you using?
     
    cisco_guru, Apr 16, 2004
    #12
  13. Joe Shmoe Guest

    Ascend (lucent) Pipeline p130 router over 128k ISDN
     
    Joe Shmoe, Apr 16, 2004
    #13
  14. cisco_guru Guest

    It could be a couple of things. The first thing that came to mind before I
    even knew that you were running ISDN was that your IKE keepalives were
    timing out. In other words, the key exchange that happens at the beginning
    of the session goes through, but the IKE keepalives that happen periodically
    throughout the session aren't making it. After hearing that you are running
    ISDN, this becomes more of a possibility. ISDN will sometimes require that
    "interesting traffic" be flowing in order for the link to stay active. In
    order to ensure that traffic is flowing, start a constant ping to a server
    on the other end of the tunnel before you start VPN (yes, your pings will
    not make it). Once you connect, the ICMP traffic may be enough to keep the
    tunnel up. Give it a try and let me know what happens.
     
    cisco_guru, Apr 16, 2004
    #14
  15. Joe Shmoe Guest

    I keep my 2 channels nailed up all day, so the link should not be an
    issue. I monitor the router and can see that the channels are up
    during the entire process.

    I went ahead and tried it out for Ss&Gs, but unfortunately same thing.

    Are the IKE keep-alive packets being communicated on the port
    specified in the configuration setting, or is that communication on a
    different port?

    Thanks for the help!
     
    Joe Shmoe, Apr 16, 2004
    #15
  16. News Account Guest

    BTW, one other thing - I didn't have much luck with Cisco VPN Client 4.0.3 -
    I actually never could get it to work so I went back to 4.0.1 - that's what
    I currently use - you might want to try 4.0.1.

    As far as getting either to work - if you look at the capture from my PIX -
    "IKE" goes out and comes in on port 500. Do you have the same port open
    both ways? I believe you also want to allow the ESP protocol.

    I used to run a Pipeline 50 a long time ago but didn't use the VPN client
    then - it seems to me there was a way to open up a protocol like ESP
    (protocol "50") - other protocols include IP which is protocol "0", TCP is
    "6" and UDP is "17" - these are not port numbers but protocol numbers. FTP
    and HTTP are higher layer application protocols that run on TCP/IP. As you
    can see ESP is at a lower level with IP, UDP, ICMP and TCP.

    Don Woodward
     
    News Account, Apr 16, 2004
    #16
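The distinction the last few replies draw (IKE is UDP port 500 and can be port-forwarded; ESP is IP protocol 50, has no port field, and must be passed as a protocol) is easy to see by parsing the packets themselves. The following is an added example, not code from the thread or from Cisco; the packets it parses are constructed inline (the 10000 port and 203.0.113.5 address are arbitrary sample values, not the thread's real port or gateway):

```python
import struct
import socket

# IP protocol numbers discussed in the thread (not port numbers)
ICMP, TCP, UDP, ESP = 1, 6, 17, 50
PROTO_NAMES = {ICMP: "ICMP", TCP: "TCP", UDP: "UDP", ESP: "ESP"}
IKE_PORT = 500  # IKE/ISAKMP travels over UDP port 500


def classify(packet: bytes) -> dict:
    """Parse just enough of a raw IPv4 packet to say how a NAT/port-forward
    rule can (or cannot) match it.  TCP and UDP carry ports, so "forward
    port N" describes them; ESP carries an SPI, not ports, so the router
    must pass the protocol itself (protocol 50)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = packet[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "name": PROTO_NAMES.get(proto, str(proto)),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto in (TCP, UDP) and len(payload) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", payload[:4])
        info["port_forwardable"] = True
        info["is_ike"] = proto == UDP and IKE_PORT in (info["src_port"], info["dst_port"])
    elif proto == ESP and len(payload) >= 8:
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
        info["port_forwardable"] = False   # no port field exists to forward on
    else:
        info["port_forwardable"] = False
    return info


def build_ipv4(proto: int, payload: bytes, src="192.168.0.21", dst="203.0.113.5") -> bytes:
    """Constructed sample packet for offline testing (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed samples: IKE over UDP/500, ESP with SPI 0x12345678, and IPsec-over-TCP
# on an arbitrary sample port (the thread's real port is not given).
IKE_PKT = build_ipv4(UDP, struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8, 0))
ESP_PKT = build_ipv4(ESP, struct.pack("!II", 0x12345678, 1) + b"\x00" * 16)
TCP_PKT = build_ipv4(TCP, struct.pack("!HH", 40000, 10000) + b"\x00" * 16)
```

Running `classify` over the three samples shows why a port-only forwarding rule on the Pipeline can cover IKE and IPsec-over-TCP but never ESP, which is exactly the gap the "fixup protocol esp-ike" and "forward ESP also" replies are addressing.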
