VPN Client Error

Mar 6th, 2007

Hi, new to Cisco stuff. First thing I had working on the new PIX 506e was the VPN. Set up the IP pool, group, and username. Installed the client, worked great. Now that I've been playing around with figuring out rules, ACLs, translations, etc., it seems the VPN client is inconsistent now. It sometimes will work, but usually it will hang at "securing communications channel". Cancelling the connection does not work, it just creates the second error shown in the log (see below). I then have to end the task via Task Manager, open the VPN client again (icon pops up in the tray as locked, but does not see the remote network in any way), disconnect, and then exit to get my machine to talk to its local network again.


Here is the log:


Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client


1 15:44:39.600 03/06/07 Sev=Warning/2 CVPND/0xA3400011


Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xA9FE0202 (DRVIFACE:1199).




2 15:46:06.876 03/06/07 Sev=Warning/3 GUI/0xE3B00002


GI GI_EnumPPP failed with error (FFFFFFFEh).





Thank you for any help you can provide. This will be the primary means for the few remote users we have to access the network from home, Vegas, etc.


Maury


Edit:


Here's another one:


Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client


1 15:47:31.117 03/06/07 Sev=Warning/2 CVPND/0xA3400015


Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87



Kamal Malhotra (Cisco Employee) Tue, 03/06/2007 - 15:39

I would appreciate it if you could send the running configuration of the PIX so that we get an idea of what is going wrong.


Regards,


Kamal

Kamal Malhotra (Cisco Employee) Tue, 03/06/2007 - 16:17

Hi Maury,


It seems that you configured it through PDM.


Please issue the following commands on the PIX, as this is expected to resolve your problem:


no crypto map outside_map interface outside

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto map outside_map interface outside


HTH,


Please rate if it helps,


Regards,


Kamal

maury_macdonald Tue, 03/06/2007 - 16:22

Yes, I have configured it through the PDM, much easier for a noob like me. I'll punch those in and let you know how it works.

maury_macdonald Tue, 03/06/2007 - 16:26

PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224


Also, I'm struggling to figure out where this .60.192 address came from. My DHCP range for the VPN clients is .60.200 - .60.220

Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 01:59

Hi Maury,


Don't worry about the .60.192 subnet. The pool range that you defined falls in this subnet so the PDM itself created the access-list using the subnet. Please let me know if the 3 commands I sent were issued on the PIX. If yes, did you try to connect after that and test?


Please let me know how it goes.


HTH,


Please rate if it helps.


Regards,


Kamal
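The subnet relationship described in the reply above, as an added example that is not part of the original thread: it assumes the pool is 192.168.60.200 - 192.168.60.220 (the thread gives only the last two octets) and that the ACL entry is the smallest single subnet containing the pool; the function names are hypothetical.

```python
import ipaddress

# Assumed pool bounds: the thread states ".60.200 - .60.220"; the 192.168
# prefix is taken from the access-list line quoted in the thread.
POOL_FIRST = "192.168.60.200"
POOL_LAST = "192.168.60.220"


def covering_subnet(first, last):
    """Return the smallest single IPv4 subnet containing both pool ends."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("pool start must not be above pool end")
    # Bits in which the two ends differ must all be host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, 32 - host_bits))


def outside_pool(net, first, last):
    """Addresses the subnet matches that are not in the pool itself."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(addr) for addr in net if not lo <= addr <= hi]


def pix_acl_line(acl_name, net):
    """Format the subnet the way the access-list in the thread is written."""
    return (f"access-list {acl_name} permit ip any "
            f"{net.network_address} {net.netmask}")


if __name__ == "__main__":
    net = covering_subnet(POOL_FIRST, POOL_LAST)
    print(pix_acl_line("outside_cryptomap_dyn_20", net))
    extra = outside_pool(net, POOL_FIRST, POOL_LAST)
    # The match is wider than the pool: these addresses are also covered.
    print(f"{len(extra)} addresses matched outside the pool:",
          extra[0], "...", extra[-1])
```

The subnet covers 32 addresses while the pool holds 21, so the generated entry also matches addresses that are never handed to a VPN client; that difference is worth checking whenever a tool widens a range to a subnet.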

maury_macdonald Wed, 03/07/2007 - 07:36

Well, like I said previously, the PDM ignored that one command. And I've tried reconnecting, reinstalling the client software, and still the same thing, securing communications channel.


PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224


Should I try running that through the console?


Maury

Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 07:51

Hi Maury,


Does this problem occur only on one client or anyone trying to connect from any computer? Could you send the latest config again? I just need to see when you tried to paste those commands, which commands got issued and which got left.


Regards,


Kamal

maury_macdonald Wed, 03/07/2007 - 08:05

No, I have tried it on two machines from 3 separate public IPs (if that even makes a difference) so far, and same thing for each.


Here is my running config


Thanks

Maury



Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 08:21

Hi Maury,


As per the config, none of the commands I sent to you got issued to the PIX, so please issue the following commands via console, telnet or SSH (basically CLI):


no crypto map outside_map interface outside


no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20


crypto map outside_map interface outside


HTH,


Please rate if it helps,


Regards,


Kamal

maury_macdonald Wed, 03/07/2007 - 08:29

When I enter the second command via the console, I get ERROR: unable to clear match address

maury_macdonald Wed, 03/07/2007 - 08:36

I rebooted the firewall, and entered the commands again, and they went through. Going to test the VPN and get an updated config for you.

Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 09:34

Could you capture the client logs and debugs from the PIX?


debug cry isak

debug cry ipsec


Regards,


Kamal

Kamal Malhotra (Cisco Employee) Wed, 03/07/2007 - 11:37

Hi Maury,


For testing, could you please consider changing the software version of the VPN client? You can download the latest version from:


http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/vpn/client/windows/vpnclient-win-is-4.8.02.0010-k9.exe&app=Tablebuild&status=showC2A


Please make sure that you remove the existing version first. Please also make sure that you don't have any 3rd party firewalls running like Norton Internet Security, McAfee Desktop Firewall or ZoneAlarm stuff.


HTH,


Please rate if it helps,


Regards,


Kamal

maury_macdonald Wed, 03/07/2007 - 11:44

I guess I don't have the proper access. Probably haven't spent enough money on Cisco stuff yet :)

maury_macdonald Thu, 03/08/2007 - 12:22

Well, I think it may be solved partially, looks like it's now just a client issue on my laptop here. I've tried it on the other client with no problems multiple times. Could have been two issues seeming to be one, and those commands fixed one. I'm not too concerned about my laptop for now. Thank you for all your help!!!


Maury
