Cisco VPN Client outbound through an ISA server



Any help would be gratefully received. This has me stumped!



I have a client that needs to use the Cisco VPN client to connect to one of
their clients.



They are unable to. I have tried from a number of networks behind various
devices. Some work (Cisco 2600, Nokia M11, Linksys, direct Internet
connection), others don't (ISA 2004).



I have however tested a VPN using the Cisco client to one of my clients and
everything has so far worked, even from behind devices that don't work for
the other VPN.



The faulty VPN produces this error:



Error
Secure VPN Connection terminated locally by the Client. Reason 412: The
remote peer is no longer responding.




Looking at the ISA logs shows very little going on - a connection in and out
on port 500 - one establishing a connection and the other cancelling the
connection 30 or so seconds later. The connection that does work also
establishes traffic on port 4500 as I'd expect.



The VPN client log looks like this:



Cisco Systems VPN Client Version 4.6.01.0019

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client



1 16:04:52.496 01/10/06 Sev=Info/4 CM/0x63100002

Begin connection process



2 16:04:52.526 01/10/06 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet



3 16:04:52.526 01/10/06 Sev=Info/4 CM/0x63100024

Attempt connection with server "1.2.3.4"



4 16:04:52.536 01/10/06 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 1.2.3.4.



5 16:04:52.556 01/10/06 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4



6 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started



7 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x63700014

Deleted all keys



8 16:04:52.576 01/10/06 Sev=Info/6 IPSEC/0x6370002B

Sent 8 packets, 0 were fragmented.



9 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x6370000D

Key(s) deleted by Interface (218.101.3.22)



10 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!



11 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4



12 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!



13 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4



14 16:05:07.588 01/10/06 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!



15 16:05:07.588 01/10/06 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4



16 16:05:12.595 01/10/06 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=541BD3B219A7020D
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING



17 16:05:13.096 01/10/06 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=541BD3B219A7020D
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING



18 16:05:13.096 01/10/06 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "1.2.3.4" because of
"DEL_REASON_PEER_NOT_RESPONDING"



19 16:05:13.106 01/10/06 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv



20 16:05:13.126 01/10/06 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection



21 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014

Deleted all keys



22 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014

Deleted all keys



23 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014

Deleted all keys



24 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x6370000A



I have tested by creating a (temporary) rule that will allow all traffic to
and from 1.2.3.4. This made no difference. I can't see how one VPN can work,
and the other not. I also found an MS article
(http://support.microsoft.com/default.aspx?scid=kb;en-us;812076) that
suggested adding port 10000 into the mix (for ISA 2000, so I added the
equivalent protocol and rules for 2004).





Is the problem with the other end? Is there a NAT issue here that I can't
see?



Does anyone know what I need to do here?
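
The client log in the post above, read mechanically. This is an added example, not part of the original post and not Cisco tooling: it parses the log's entry format and reports whether the peer ever answered Phase 1. The function names are hypothetical, and the `RECEIVING <<<` marker does not appear in the posted log; it is assumed to be the client's counterpart to `SENDING >>>`.

```python
import re

# Entry header as printed in the log above: "<n> <time> <date> Sev=<sev> <MODULE>/<code>"
HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+(\S+)\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
R_COOKIE = re.compile(r"R_Cookie=([0-9A-Fa-f]{16})")

# Constructed sample: entries copied (abridged) from the log in the post.
SAMPLE_LOG = """\
5 16:04:52.556 01/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4
11 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
13 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
16 16:05:12.595 01/10/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=541BD3B219A7020D
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_entries(text):
    """Group each header line with the (possibly wrapped) message lines after it."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue  # the posted log has blank lines between header and message
        m = HEADER.match(line)
        if m:
            entries.append({"n": int(m.group(1)), "module": m.group(5), "msg": ""})
        elif entries:  # banner lines before the first entry are ignored
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def phase1_summary(entries):
    """Count IKE sends/receives and check whether a responder cookie was ever set."""
    ike = [e for e in entries if e["module"] == "IKE"]
    sent = [e for e in ike if e["msg"].startswith("SENDING >>>")]
    received = sum(e["msg"].startswith("RECEIVING <<<") for e in ike)
    cookies = [c for e in ike for c in R_COOKIE.findall(e["msg"])]
    cookie_seen = any(int(c, 16) != 0 for c in cookies)
    return {"sent": len(sent),
            "retransmissions": sum("(Retransmission)" in e["msg"] for e in sent),
            "received": received,
            "peer_silent": bool(sent) and received == 0 and not cookie_seen}

if __name__ == "__main__":
    print(phase1_summary(parse_entries(SAMPLE_LOG)))
```

An all-zero R_Cookie with no received packets means the client saw no IKE reply at all, so the exchange stopped at the first UDP 500 packet, before any move to port 4500.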



