IPS, Vista, and Cisco VPN client

Apr 26th, 2007

We have installed a 4150 SX Cisco Intrusion Prevention System, Version 5.1(2)S240.0 sensor using VLAN pairs.

The problem that we are experiencing is that when the Cisco VPN client is installed on Microsoft Vista, the IPS causes the IPSec tunnel to be broken shortly after the connection is made to the vpn3000 concentrator.

With Windows XP and the same VPN client, we have no problem like this.

Is anyone aware of any problems relating to Vista, the IPS and VPN client?

marcabal Thu, 04/26/2007 - 08:59

Problems like this are generally because of the Normalizer.

The Normalizer has been modified since 5.1(2) to account for other situations.

Those changes since 5.1(2) may or may not have addressed this issue.

I would recommend upgrading to 5.1(5)E1:



Then trying your test again.

If the problem goes away then one of the Normalizer changes likely addressed the issue.

If the problem remains, then you might consider contacting the TAC.

The development team would need a copy of your configuration and traffic traces of the problem traffic in order to try and diagnose the issue.

darin.marais Fri, 04/27/2007 - 00:02

The patch is for IPS Service Pack for IPS-4260 Sensor Platform.

Can it be used on a 4250-SX? Does the sensor have to have a valid licence in order to apply the fix?

marcabal Fri, 04/27/2007 - 10:52

There are 2 upgrade files for 5.1(5)E1:




The first is only for the IPS-4260, and the second will work on all other Cisco IPS platforms.

Technically a service contract is required for the download and installation of any software updates.

However, the service contract requirement is not enforced with a license for Major Upgrades, Minor Upgrades, or Service Packs.

So the software won't prevent the installation if you don't have a license. But you should legally only install them if you have purchased the service contract.

The service contract is enforced by a license for Signature Updates and Engine Updates.

In your situation if you do not currently have a license, but do intend on purchasing a service contract, then go ahead and download and install the 5.1(5)E1 upgrade package and start your process for purchasing the service contract.

In the meantime you can also go ahead and request a Trial license for your sensor if you have not already done so.

This will allow you to bring your sensor up to date while you go through the purchasing process for your service contract.

