Re: Cisco VPN Client outbound through an ISA server
- From: "Henk Steunenberg (Ms)" <stjesp@xxxxxxxxxxx>
- Date: Wed, 11 Jan 2006 16:22:03 -0000
Hello,
VPN tunnel from client to Cisco VPN server needs to be in "Transparent
Tunneling" mode.
Creating a protocol definition for UDP port 10000 Send Receive and another
one for UDP 500 Send Receive allows an S-NAT based Cisco client to connect
to the Cisco VPN server on the internet through ISA, as all traffic is passed
as UDP traffic and, according to Cisco, Transparent Tunneling technology
allows this traffic to traverse NAT firewalls.
Just make sure that the Access policy rules allow the two protocols listed
above.
regards,
Henk
"Bobby T" <robert_tristram@xxxxxxxxxxx> wrote in message
news:43c3a223$1@xxxxxxxxxxxxxxx
> Any help would be gratefully received. This has me stumped!
>
>
>
> I have a client that needs to use the Cisco VPN client to connect to one
> of their clients.
>
>
>
> They are unable to. I have tried from a number of networks behind various
> devices. Some work (Cisco 2600, Nokia M11, Linksys, direct Internet
> connection), others don't (ISA 2004).
>
>
>
> I have however tested a VPN using the Cisco client to one of my clients
> and everything has so far worked, even from behind devices that don't
> work for the other VPN.
>
>
>
> The faulty VPN produces this error:
>
>
>
> Error
> Secure VPN Connection terminated locally by the Client. Reason 412: The
> remote peer is no longer responding.
>
>
>
>
> Looking at the ISA logs shows very little going on - a connection in and
> out on port 500 - one establishing a connection and the other cancelling
> the connection 30 or so seconds later. The connection that does work also
> establishes traffic on port 4500 as I'd expect.
>
>
>
> The VPN client log looks like this:
>
>
>
> Cisco Systems VPN Client Version 4.6.01.0019
>
> Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
>
> Client Type(s): Windows, WinNT
>
> Running on: 5.1.2600 Service Pack 2
>
> Config file directory: C:\Program Files\Cisco Systems\VPN Client
>
>
>
> 1 16:04:52.496 01/10/06 Sev=Info/4 CM/0x63100002
>
> Begin connection process
>
>
>
> 2 16:04:52.526 01/10/06 Sev=Info/4 CM/0x63100004
>
> Establish secure connection using Ethernet
>
>
>
> 3 16:04:52.526 01/10/06 Sev=Info/4 CM/0x63100024
>
> Attempt connection with server "1.2.3.4"
>
>
>
> 4 16:04:52.536 01/10/06 Sev=Info/6 IKE/0x6300003B
>
> Attempting to establish a connection with 1.2.3.4.
>
>
>
> 5 16:04:52.556 01/10/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
> VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4
>
>
>
> 6 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x63700008
>
> IPSec driver successfully started
>
>
>
> 7 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
>
>
> 8 16:04:52.576 01/10/06 Sev=Info/6 IPSEC/0x6370002B
>
> Sent 8 packets, 0 were fragmented.
>
>
>
> 9 16:04:52.576 01/10/06 Sev=Info/4 IPSEC/0x6370000D
>
> Key(s) deleted by Interface (218.101.3.22)
>
>
>
> 10 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000021
>
> Retransmitting last packet!
>
>
>
> 11 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
>
>
>
> 12 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000021
>
> Retransmitting last packet!
>
>
>
> 13 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
>
>
>
> 14 16:05:07.588 01/10/06 Sev=Info/4 IKE/0x63000021
>
> Retransmitting last packet!
>
>
>
> 15 16:05:07.588 01/10/06 Sev=Info/4 IKE/0x63000013
>
> SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
>
>
>
> 16 16:05:12.595 01/10/06 Sev=Info/4 IKE/0x63000017
>
> Marking IKE SA for deletion (I_Cookie=541BD3B219A7020D
> R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
>
>
>
> 17 16:05:13.096 01/10/06 Sev=Info/4 IKE/0x6300004B
>
> Discarding IKE SA negotiation (I_Cookie=541BD3B219A7020D
> R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
>
>
>
> 18 16:05:13.096 01/10/06 Sev=Info/4 CM/0x63100014
>
> Unable to establish Phase 1 SA with server "1.2.3.4" because of
> "DEL_REASON_PEER_NOT_RESPONDING"
>
>
>
> 19 16:05:13.106 01/10/06 Sev=Info/5 CM/0x63100025
>
> Initializing CVPNDrv
>
>
>
> 20 16:05:13.126 01/10/06 Sev=Info/4 IKE/0x63000001
>
> IKE received signal to terminate VPN connection
>
>
>
> 21 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
>
>
> 22 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
>
>
> 23 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x63700014
>
> Deleted all keys
>
>
>
> 24 16:05:13.596 01/10/06 Sev=Info/4 IPSEC/0x6370000A
>
>
>
> I have tested by creating a (temporary) rule that will allow all traffic
> to and from 1.2.3.4. This made no difference. I can't see how one VPN can
> work, and the other not. I also found an MS article
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;812076) that
> suggested adding port 10000 into the mix (for ISA 2000, so I added the
> equivalent protocol and rules for 2004).
>
>
>
>
>
> Is the problem with the other end? Is there a NAT issue here that I can't
> see?
>
>
>
> Does anyone know what I need to do here?
>
>
>
>
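The failure pattern in the quoted client log can be read programmatically. The following is an added example, not part of either post: it parses entries in the Cisco VPN Client log format shown above and reports the retransmission count and whether the responder cookie stayed all zeros, which means the client never processed an IKE reply from the peer. The function names and verdict wording are illustrative assumptions.

```python
import re
from datetime import datetime

# Entries excerpted from the client log quoted above (header line, then message).
SAMPLE_LOG = """\
5 16:04:52.556 01/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4
10 16:04:57.573 01/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 16:05:02.581 01/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 16:05:07.588 01/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
16 16:05:12.595 01/10/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=541BD3B219A7020D
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+$")
COOKIES = re.compile(r"I_Cookie=([0-9A-Fa-f]{16})\s+R_Cookie=([0-9A-Fa-f]{16})")

def parse_entries(text):
    """Return log entries as dicts; tolerates '> ' quoting, blank and wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(f"{m.group(3)} {m.group(2)}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"seq": int(m.group(1)), "time": when, "module": m.group(4), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def diagnose(entries):
    """Summarise a Phase 1 attempt: retransmissions, wait time, whether the peer answered."""
    ike = [e for e in entries if e["module"] == "IKE"]
    first_send = next((e for e in ike if e["msg"].startswith("SENDING >>>")), None)
    retransmits = sum(e["msg"] == "Retransmitting last packet!" for e in ike)
    cookie_entry = next((e for e in ike if COOKIES.search(e["msg"])), None)
    r_cookie = COOKIES.search(cookie_entry["msg"]).group(2) if cookie_entry else None
    # The responder cookie is filled in from the peer's first reply; all zeros means none was processed.
    no_reply = r_cookie is not None and int(r_cookie, 16) == 0
    span = (cookie_entry["time"] - first_send["time"]) if first_send and cookie_entry else None
    waited = round(span.total_seconds(), 3) if span is not None else None
    verdict = ("no IKE reply reached the client: check UDP 500 both ways on the path"
               if no_reply else "peer answered or no SA deletion logged: look later in the negotiation")
    return {"retransmits": retransmits, "seconds_waited": waited, "no_reply": no_reply, "verdict": verdict}

print(diagnose(parse_entries(SAMPLE_LOG)))
```

The parser also accepts the log as it appears in the quoted post, with `> ` prefixes and blank quote lines between entries.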