By Scott Lowe MCSE
November 7, 2005, 8:00am PST
As with all things IT, you will eventually run into problems that you need to correct. In the case of the Cisco VPN, this can be a true challenge, since Cisco has so many different ways to handle VPN connectivity, ranging from the VPN capabilities included in some routers, to the VPN services offered by PIX firewalls, up to the Cisco VPN Concentrator, and each has its own quirks. As such, not all of these tips will necessarily pertain to every VPN configuration available from Cisco. However, they will give you a place to start as you work on fixing problems with your VPN.


#1: Internet Connection Sharing (ICS) conflicts with the VPN client
This is an easy one to fix. The user needs to disable ICS on his machine before installing the VPN client. I recommend that the user replace ICS with a decent home router with a firewall. Note that this is not necessary if the VPN machine simply connects through another machine that is using ICS. To disable ICS, go to Start | Control Panel | Administrative Tools | Services | Internet Connection Sharing and stop the service from loading at startup. On a somewhat unrelated note, make sure users are also aware that the VPN client disables the XP welcome screen and Fast User Switching, which are commonly used on multiuser home machines.

The old standby, [Ctrl][Alt][Del], still works, though, and users will need to type their usernames and passwords instead of clicking a picture of a cat. (Note: Fast User Switching can be enabled by disabling the client's Start Before Logon feature. This could have its own problems, though, so I wouldn't recommend it unless you really, really need Fast User Switching.)

One more thing regarding the client install: Cisco does not recommend installing multiple VPN clients on the same PC. If you have a problem and need to call support, uninstall other clients and test before making that call.

#2: Mismatched preshared keys
If you're getting errors in your logs related to preshared keys, you may have mismatched keys on either end of the VPN connection. If this is the case, your logs may show the client and the VPN server exchanging packets normally well into the IKE main mode security association, and only after that report a problem with keys. That pattern is expected: the first main mode exchanges (the proposal and the Diffie-Hellman exchange) succeed no matter what key each side holds, and the preshared key is not checked until the authenticated exchange at the end of main mode. On the concentrator, go to Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN, select your IPsec configuration, and enter your preshared key in the preshared key field. On a Cisco PIX firewall used in conjunction with the concentrator, set the same key for that peer from the PIX command line. The key used in your concentrator and on your PIX must match exactly, including case and punctuation.
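As an added example (this is not configuration from the article), the PIX 6.x side of a LAN-to-LAN tunnel to the concentrator. The peer address 203.0.113.10, the interface name outside and the key value are placeholders; the key must be the same string configured on the concentrator.

```cisco
! Added example, not from the original article. PIX 6.x preshared key for a
! LAN-to-LAN peer; address, interface name and key are placeholders.
isakmp enable outside
isakmp key Wq8s-pN2v-Rz7k address 203.0.113.10 netmask 255.255.255.255
```

If the key string contains spaces or shell-sensitive characters, check it on both ends with `show isakmp key`-style output on the PIX and the LAN-to-LAN page on the concentrator rather than retyping it; a trailing space or a swapped letter case is enough to fail the hash check.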

#3: Personal firewalls block the ports the VPN needs
Some ports need to be open in firewall software, such as BlackIce (BlackIce has other problems with regard to the Cisco VPN client, too; refer to the client's release notes for more information), ZoneAlarm, Symantec, and other Internet security programs for Windows, and in ipchains or iptables on Linux machines. In general, if your users open the following in their software, you should see a stop to the complaints:

- UDP ports 500 (IKE), 1000 and 10000 (the default port for IPSec over UDP)
- IP protocol 50 (ESP). This is an IP protocol, not a TCP or UDP port, so a product that can only filter by port number has no way to admit it by port.
- The TCP port configured for IPSec/TCP
- UDP port 4500 for NAT-T

You may also have custom configured ports for IPSec/UDP and IPSec/TCP. Make sure the ports you configured are also open on the client software.
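The list above is easy to get wrong on a Linux client because ESP is a protocol rather than a port. The following script is an added example, not code from the article: it reads an iptables-save style INPUT chain, reports which of the flows listed above are still blocked, and prints the rules that would admit them. The rulesets, the interface name eth0 and the port values passed in are constructed for the example; it follows only a small subset of iptables syntax and deliberately ignores connection-tracking rules and user chains, so its verdict is conservative.

```python
"""Added example (not from the original article): check an iptables-save style
INPUT chain for the flows the Cisco VPN client needs and print the rules that
are missing.

Deliberately small rule grammar: "-A INPUT [-i IFACE] [-p udp|tcp|esp|50]
[--dport N] [-m state|conntrack ...] -j TARGET" plus the ":INPUT POLICY" line.
Rules that depend on connection tracking are skipped, so the result is
conservative (what gets in without relying on state), and jumps to user
chains are not followed. The rulesets and the interface name eth0 are
constructed for the example."""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, Optional[int]]  # (protocol, destination port); ESP has no port


def required_flows(ipsec_udp_port: int = 10000, ipsec_tcp_port: int = 10000) -> List[Flow]:
    """The article's list, with the custom IPSec/UDP and IPSec/TCP ports parameterised."""
    flows: List[Flow] = [
        ("udp", 500),             # IKE
        ("udp", 1000),
        ("udp", 10000),           # default IPSec over UDP port
        ("udp", ipsec_udp_port),  # custom IPSec/UDP port, if one is configured
        ("esp", None),            # IP protocol 50: a protocol, not a port
        ("tcp", ipsec_tcp_port),  # IPSec over TCP port
        ("udp", 4500),            # NAT-T
    ]
    unique: List[Flow] = []
    for flow in flows:
        if flow not in unique:
            unique.append(flow)
    return unique


def _parse_rule(line: str) -> Dict[str, object]:
    """Pull out the fields the verdict depends on from one '-A INPUT ...' line."""
    toks = line.split()
    rule: Dict[str, object] = {"proto": None, "dport": None, "iface": None,
                               "target": None, "stateful": False}
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok == "-p":
            rule["proto"] = "esp" if nxt == "50" else nxt.lower()
        elif tok == "--dport" and nxt.isdigit():
            rule["dport"] = int(nxt)
        elif tok == "-i":
            rule["iface"] = nxt
        elif tok == "-j":
            rule["target"] = nxt.upper()
        elif tok == "-m" and nxt in ("state", "conntrack"):
            rule["stateful"] = True
    return rule


def parse_ruleset(text: str) -> Tuple[str, List[Dict[str, object]]]:
    policy, rules = "ACCEPT", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1].upper()
        elif line.startswith("-A INPUT"):
            rules.append(_parse_rule(line))
    return policy, rules


def verdict(text: str, flow: Flow, iface: str = "eth0") -> str:
    """First terminating rule that matches the flow decides; otherwise the chain policy."""
    policy, rules = parse_ruleset(text)
    proto, port = flow
    for r in rules:
        if r["stateful"] or (r["iface"] is not None and r["iface"] != iface):
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != port:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return str(r["target"])
    return policy


def blocked_flows(text: str, **ports: int) -> List[Flow]:
    return [f for f in required_flows(**ports) if verdict(text, f) != "ACCEPT"]


def suggested_rules(flows: List[Flow]) -> List[str]:
    """iptables lines that would admit the given flows (ESP has no --dport)."""
    return [f"-A INPUT -p {proto} -j ACCEPT" if port is None
            else f"-A INPUT -p {proto} --dport {port} -j ACCEPT"
            for proto, port in flows]


# Constructed: a locked-down client that only allowed IKE, NAT-T and SSH.
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# The same ruleset with the missing VPN rules appended before COMMIT.
AFTER = BEFORE.replace("COMMIT", "\n".join(suggested_rules(blocked_flows(BEFORE))) + "\nCOMMIT")

if __name__ == "__main__":
    for line in suggested_rules(blocked_flows(BEFORE)):
        print("missing:", line)
    print("still blocked after fix:", blocked_flows(AFTER))
```

Pass `ipsec_udp_port=` or `ipsec_tcp_port=` to `blocked_flows` when the concentrator uses a non-default port; the check then reports that port instead of 10000.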

#4: Users can't reach the Internet while connected to the VPN
This generally happens as a result of split tunneling being disabled: with split tunneling off, every packet the client sends, Internet traffic included, goes into the tunnel, and unless the VPN endpoint routes it back out to the Internet it goes nowhere. While split tunneling can pose security risks (the client is attached to the untrusted network and the corporate network at the same time), these risks can be mitigated to a point by having strong, enforced security policies in place and automatically pushed to the client upon connection (for example, a policy could require that current antivirus software be installed, or that a firewall be present). On a PIX, split tunneling is enabled per VPN group, and the group's split-tunnel setting names an access list.

You should have a corresponding access-list command that defines what will come through the encrypted tunnel and what will be sent out in the clear. The list permits your internal address range, or whatever your IP range is; destinations outside it bypass the tunnel.

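The PIX side of that, as an added example rather than the article's own configuration. The group name vpnusers, the list name split_tunnel_acl and the internal range 10.1.0.0/16 are placeholders.

```cisco
! Added example, not from the original article. PIX 6.x split tunnelling for
! one remote-access group; group name, list name and addresses are placeholders.
! Source = networks behind the PIX that should be reached through the tunnel,
! destination any (the client pool). Everything else leaves the client in the clear.
access-list split_tunnel_acl permit ip 10.1.0.0 255.255.0.0 any
vpngroup vpnusers split-tunnel split_tunnel_acl
```

Keep the list tight: every network you add to it is reachable from a machine that is also sitting on someone's home LAN, so list only what remote users actually need rather than the whole private address space.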
On a Cisco VPN 3000 Series Concentrator, you need to tell the device which networks should be included over the encrypted tunnel. Go to Configuration | User Management | Base Group and, from the Client Config tab, choose the Only Tunnel Networks In The List option, create a network list of all of the networks at your site that should be covered by the VPN, and choose this network list from the Split Tunneling Network List drop-down box.

#5: Traffic meant for the VPN stays local because of an IP address conflict
This is somewhat specific to particular Windows versions, but could be quite frustrating to troubleshoot! The conflict arises when the user's home LAN uses the same private address range as a network on the far side of the tunnel (both 192.168.1.0/24, for example): Windows then holds two equally specific routes to that range, one through the local adapter and one through the VPN adapter, and the one with the lower metric wins. Version 4.6 of the Cisco VPN client tries to handle these kinds of IP address conflicts, but isn't always able to do so. In these cases, traffic that is supposed to be traversing the VPN tunnel stays local, due to the conflict.

On the affected client, go to Start | Control Panel | Network and Dialup Connections | local adapter. Right-click the adapter and choose Properties. From the Properties page, choose TCP/IP and click the Properties button. Now, click the Advanced option, find the Interface Metric option and increase the number in the box by 1. This effectively tells your computer to use the local adapter second. The VPN adapter will probably have a metric of 1 (lower than this new metric), making it the first choice as a traffic destination. The trade-off is that machines on the user's own LAN in the overlapping range become unreachable while the VPN is up; renumbering the home LAN to a less common range avoids the conflict altogether.
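To make the metric change concrete, the script below (an added example, not code from the article) models the part of Windows route selection that matters here: the longest matching prefix wins, and among equally specific routes the lowest metric wins. The routing table, the addresses, the adapter names and the tie-break rule (the route listed first wins a full tie, which is the local adapter's route because it existed before the VPN came up) are all constructed for the example.

```python
"""Added example (not from the original article): why traffic for the remote
network stays on the local adapter when the home LAN and the corporate LAN use
the same subnet, and what raising the local adapter's Interface Metric changes.

Longest prefix match first, then lowest metric, then table order. The table,
addresses, metrics and the table-order tie-break are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Most specific route; among equals the lowest metric; among those, the first listed."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    longest = max(r.network.prefixlen for r in candidates)
    # min() keeps the first of equal keys, which gives the table-order tie-break
    return min((r for r in candidates if r.network.prefixlen == longest),
               key=lambda r: r.metric)


def client_table(local_metric: int, vpn_metric: int = 1) -> List[Route]:
    """Routing table of a client whose home LAN collides with a remote LAN.

    Both use 192.168.1.0/24 (the conflict). The VPN client installs routes for
    the remote networks via its own adapter; the local adapter's connected route
    and default route carry the metric the user set in Interface Metric."""
    overlap = ipaddress.ip_network("192.168.1.0/24")
    return [
        Route(overlap, "Local Area Connection", local_metric),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Local Area Connection", local_metric),
        Route(overlap, "Cisco VPN Adapter", vpn_metric),
        Route(ipaddress.ip_network("10.0.0.0/8"), "Cisco VPN Adapter", vpn_metric),
    ]


def adapter_for(destination: str, local_metric: int, vpn_metric: int = 1) -> Optional[str]:
    """Which adapter carries traffic to destination under the given metrics."""
    route = select_route(client_table(local_metric, vpn_metric), destination)
    return route.interface if route else None


if __name__ == "__main__":
    host = "192.168.1.50"  # a server on the corporate side of the tunnel
    print("local metric 1 ->", adapter_for(host, 1))  # tie, stays local
    print("local metric 2 ->", adapter_for(host, 2))  # VPN adapter wins
```

With both metrics at 1 the overlapping route through the local adapter wins the tie and the packet never enters the tunnel; raising the local metric by one is enough to flip the choice, while traffic to non-overlapping destinations is unaffected.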

#6: Home routers with problem firmware
The Cisco VPN client has problems with some older (and sometimes newer) home routers, usually with specific firmware versions. If you have users with consistent connection problems, ask that they upgrade the firmware in their router, particularly if they have an older unit. Among the router models that are known to have problems with the Cisco client are:

- Linksys BEFW11S4 with firmware releases lower than 1.44
- Asante FR3004 Cable/DSL Routers with firmware releases lower than 2.15
- Nexland Cable/DSL Routers model ISB2LN

If all else fails, have a spare router on hand to lend to a user to help narrow down the potential problems. Ultimately, the router may need to be replaced.

#7: The client fails with an IKE negotiation error
In this situation, the client reports an error when the connection attempt fails. This error can be caused by a couple of different things:

1. The user might have entered an incorrect group password.
2. The user may not have typed the right name or IP address for the remote VPN endpoint.
3. The user may be having other problems with his Internet connection.

Basically, for some reason, the IKE negotiation failed. Check the client logs (enable them by going to Log | Enable) and look for errors that include Hash Verification Failed to try to further narrow down the problem. A negotiation that gets through the early main mode exchanges and then fails hash verification points at the group password, whereas a negotiation that never receives a reply points at the endpoint address or the user's connectivity.
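The following script is an added example, not code from the article; it applies the rule of thumb from this item and from item #2 (a key mismatch surfaces only after the early main mode exchanges succeed) to a client log. The two logs are constructed in the spirit of the client's IKE log and are not real client output; only the string Hash Verification Failed is taken from the article.

```python
"""Added example (not from the original article): triage a Cisco VPN client
log to tell a preshared-key/group-password mismatch from an unreachable peer.

The logs are constructed for the example (not real client output). The rule
they encode is the article's: main mode exchanges that complete and then end
in "Hash Verification Failed" point at the key, while a negotiation that never
receives a reply points at the address or the user's connectivity."""
import re
from typing import Dict, List, Optional

PSK_MISMATCH_LOG = """\
12:01:03 IKE Starting IKE Phase 1 negotiation with 203.0.113.10
12:01:03 IKE SENDING >>> ISAKMP OAK MM (SA) to 203.0.113.10
12:01:03 IKE RECEIVED <<< ISAKMP OAK MM (SA) from 203.0.113.10
12:01:04 IKE SENDING >>> ISAKMP OAK MM (KE, NON) to 203.0.113.10
12:01:04 IKE RECEIVED <<< ISAKMP OAK MM (KE, NON) from 203.0.113.10
12:01:04 IKE SENDING >>> ISAKMP OAK MM *(ID, HASH) to 203.0.113.10
12:01:04 IKE RECEIVED <<< ISAKMP OAK MM *(ID, HASH) from 203.0.113.10
12:01:04 IKE Hash Verification Failed
12:01:04 IKE Discarding IKE SA negotiation
"""

NO_RESPONSE_LOG = """\
12:05:10 IKE Starting IKE Phase 1 negotiation with 203.0.113.10
12:05:10 IKE SENDING >>> ISAKMP OAK MM (SA) to 203.0.113.10
12:05:15 IKE SENDING >>> ISAKMP OAK MM (SA) to 203.0.113.10
12:05:20 IKE SENDING >>> ISAKMP OAK MM (SA) to 203.0.113.10
12:05:25 IKE Negotiation timed out, no response from 203.0.113.10
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\w+)\s+(.*)$")
EXCHANGE = re.compile(r"MM \*?\(([^)]*)\)")  # the payloads of one main mode message


def parse(text: str) -> List[Dict[str, str]]:
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append({"time": m.group(1), "subsys": m.group(2), "msg": m.group(3)})
    return entries


def triage(text: str) -> Dict[str, object]:
    """Summarise how far IKE phase 1 got and what the failure most likely is."""
    entries = parse(text)
    sent = [e["msg"] for e in entries if "SENDING >>>" in e["msg"]]
    received = [e["msg"] for e in entries if "RECEIVED <<<" in e["msg"]]
    hash_failed = any("Hash Verification Failed" in e["msg"] for e in entries)
    last_received: Optional[str] = None
    for msg in received:
        m = EXCHANGE.search(msg)
        if m:
            last_received = m.group(1)
    if hash_failed and last_received == "ID, HASH":
        # the authenticated exchange at the end of main mode failed: key/group password
        diagnosis = "psk_mismatch"
    elif sent and not received:
        # the peer never answered: wrong name/address, peer down, or UDP 500 blocked
        diagnosis = "no_response"
    else:
        diagnosis = "unknown"
    return {"sent": len(sent), "received": len(received),
            "last_received": last_received, "hash_failed": hash_failed,
            "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, log in (("psk", PSK_MISMATCH_LOG), ("no-response", NO_RESPONSE_LOG)):
        print(name, triage(log))
```

Anything the rules do not recognise comes back as unknown on purpose; the point is to separate the two common causes quickly, not to replace reading the full log.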

#8: Clients behind NAT devices can't pass IPSec traffic
This problem can run across all of Cisco's VPN hardware, since it's inherent in the way IPSec worked before the NAT traversal standards arrived. ESP (IP protocol 50) carries no port numbers, so a home router doing port address translation has nothing to translate and no way to map return packets to the right host behind it, and the tunnel fails as soon as real traffic is sent. NAT-T wraps the ESP packets in UDP (port 4500) so that ordinary address and port translation can be applied to them. To correct this problem, enable NAT Traversal (NAT-T) on your hardware, and allow UDP port 4500 through your firewall.

If you're using a PIX firewall as both your firewall and VPN endpoint, make sure to open UDP port 4500 and enable NAT traversal in your configuration, with 20 as the NAT keepalive period in seconds. If you have a separate firewall and a Cisco VPN Concentrator, make sure to open up UDP port 4500 on your firewall with a destination of the concentrator. Then, on the concentrator, go to Configuration | Tunneling and Security | IPSec | NAT Transparency and check the 'IPSec over NAT-T' option.

Further, make sure that any client that is in use on the user end also supports NAT-T. Cisco's documentation for the 3000 Series Concentrator covers the NAT-T configuration in more detail.
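For the PIX-as-endpoint case, the relevant lines as an added example (not the article's own configuration); the interface name outside is assumed and 20 is the keepalive value the text describes.

```cisco
! Added example, not from the original article. PIX 6.3 with IKE on the
! outside interface and NAT-T enabled; 20 is the NAT keepalive interval in seconds.
isakmp enable outside
isakmp nat-traversal 20
```

The keepalive exists because the NAT device's UDP mapping for port 4500 times out when idle; the peers send small packets often enough to keep it alive, so a value much larger than the router's UDP timeout will look like a tunnel that works for a while and then silently stops passing traffic.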

#9: The VPN connection drops with an error on the client
Again, there are a number of places you can check to try to nail down this problem. First, verify that the user's computer did not go into standby mode or hibernate, and that a screen saver did not pop up. Standby and hibernation can interrupt your network connection when the VPN client expects a constant link to a VPN server. Your user may also have configured their machine to shut down a network adapter after a certain amount of time in order to save power.

If wireless is in use, your user may have wandered to a location with a low (or no) wireless signal, and the VPN might have dropped as a result. Further, your user might have a bad network cable, a problem with their router or Internet connection, or any number of other physical connection problems.

There have also been some reports that a VPN endpoint (PIX or 3000 concentrator) that has exhausted its pool of IP addresses may also result in this error on the client, although I have personally never seen this.

#10: Other machines can't reach the VPN machine
Symptoms include an inability for any other machines on the user's network to ping the VPN machine, even though that machine is perfectly capable of seeing all other machines on the network. If this is the case, the user may have enabled the VPN client's built-in stateful firewall. It drops inbound sessions the machine did not initiate, and when it is set to always on it stays running even when the client is not connected. To change this, open the client and, from the Options menu, uncheck the Stateful Firewall (Always On) entry.
