03-06-2007 03:17 PM - edited 02-21-2020 02:54 PM
Hi, new to Cisco stuff. First thing I had working on the new PIX 506e was the VPN. Set up the IP pool, group, and username. Installed the client, worked great. Now that I've been playing around with figuring out rules, ACLs, translations, etc., it seems the VPN client is inconsistent now. It sometimes will work, but usually it will hang at "securing communications channel". Cancelling the connection does not work; it just creates the second error shown in the log (see below). I then have to end the task via Task Manager, open the VPN client again (icon pops up in the tray as locked, but does not see the remote network in any way), disconnect, and then exit to get my machine to talk to its local network again.
Here is the log:
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 15:44:39.600 03/06/07 Sev=Warning/2 CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xA9FE0202 (DRVIFACE:1199).
2 15:46:06.876 03/06/07 Sev=Warning/3 GUI/0xE3B00002
GI GI_EnumPPP failed with error (FFFFFFFEh).
Thank you for any help you can provide. This will be the primary means for the few remote users we have to access the network from home, Vegas, etc.
Maury
Edit:
Here's another one:
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 15:47:31.117 03/06/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87
03-06-2007 03:39 PM
I would appreciate if you could send the running configuration of the PIX so that we get an idea what is going wrong.
Regards,
Kamal
03-06-2007 04:07 PM
03-06-2007 04:17 PM
Hi Maury,
It seems that you configured it through PDM.
Please issue the following commands on the PIX, as it is expected to resolve your problem:
no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
HTH,
Please rate if it helps,
Regards,
Kamal
03-06-2007 04:22 PM
Yes, I have configured it through the PDM, much easier for a noob like me. I'll punch those in and let you know how it works.
03-06-2007 04:26 PM
PDM Ignored this command
access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224
Also, I'm struggling to figure out where this .60.192 address came from. My DHCP range for the VPN clients is .60.200 - .60.220
03-07-2007 01:59 AM
Hi Maury,
Don't worry about the .60.192 subnet. The pool range that you defined falls in this subnet so the PDM itself created the access-list using the subnet. Please let me know if the 3 commands I sent were issued on the PIX. If yes, did you try to connect after that and test?
Please let me know how it goes.
HTH,
Please rate if it helps.
Regards,
Kamal
03-07-2007 06:54 AM
Hi Maury,
Did the suggestion help?
Regards,
Kamal
03-07-2007 07:36 AM
Well, like I said previously, the PDM ignored that one command. And I've tried reconnecting, reinstalling the client software, and still same thing, securing communications channel.
PDM Ignored this command
access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224
Should I try running that through the console?
Maury
03-07-2007 07:51 AM
Hi Maury,
Does this problem occur only on one client or anyone trying to connect from any computer? Could you send the latest config again? I just need to see when you tried to paste those commands, which commands got issued and which got left.
Regards,
Kamal
03-07-2007 08:05 AM
03-07-2007 08:21 AM
Hi Maury,
As per the config, none of the commands I sent to you got issued to the PIX, so please issue the following commands via console, telnet or SSH (basically CLI):
no crypto map outside_map interface outside
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map interface outside
HTH,
Please rate if it helps,
Regards,
Kamal
03-07-2007 08:29 AM
When I enter the second command via the console, I get ERROR: unable to clear match address
03-07-2007 08:36 AM
I rebooted the firewall, and entered the commands again, and they went through. Going to test the VPN and get an updated config for you.
03-07-2007 08:41 AM
Well, worked the first time, disconnected, tried again, no go.