Vista and VPN Client Troubles

Unanswered Question
Aug 7th, 2007

Hello. We are evaluating Windows Vista along with the VPN Client version 5.0.01.0600. Many of our VPN users are reporting that they are experiencing problems connecting VPN to the ASA 5520 firewall. We are experiencing the same problems with errors such as "Reason 418: Unable to configure the firewall software." Also in the client's log we see:

3 08:11:49.845 08/07/07 Sev=Warning/2 IKE/0xE3000086

Invalid concentrator firewall configuration.

Is anyone else experiencing this problem and is there a workaround? Thanks in advance.

Jagdeep Gambhir Tue, 08/07/2007 - 05:00

Tony,

Most likely the group that you are trying to connect to on the ASA has the integrated firewall feature. This feature is not supported for Windows Vista clients.

You can disable this on the ASA by getting into the group policies:

ASA(config)# group-policy "VPN group name" attributes

ASA(config-group-policy)# client-firewall none

If you have other clients connecting fine and you don't want to do this change, you can configure a new group for the Vista clients without the integrated firewall feature.

Please rate if this helps

Regards,

~JG
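
An added example (not part of the original posts and not Cisco tooling): a small Python check that reads a saved running-config and lists the `client-firewall` setting of each group policy, so groups left at `client-firewall none` after the change above are easy to spot. The config excerpt, the group and ACL names and the `cisco-integrated` line are constructed for illustration; a policy with no explicit line is reported as `inherit` on the assumption that it takes the default group policy's value.

```python
import re

# Constructed running-config excerpt; group and ACL names are hypothetical.
SAMPLE_CONFIG = """\
group-policy STAFF-XP internal
group-policy STAFF-XP attributes
 vpn-tunnel-protocol IPSec
 client-firewall req cisco-integrated acl-in FW-IN acl-out FW-OUT
group-policy STAFF-VISTA internal
group-policy STAFF-VISTA attributes
 client-firewall none
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 split-tunnel-policy tunnelall
tunnel-group STAFF-XP type ipsec-ra
"""

# "group-policy <name> attributes" opens a block; the name may be quoted.
HEADER = re.compile(r'^group-policy\s+("[^"]+"|\S+)\s+attributes\s*$')
# Indented "client-firewall <none|opt|req> [vendor/policy details]".
SETTING = re.compile(r'^\s+client-firewall\s+(none|opt|req)\b\s*(.*)$')


def audit_client_firewall(config_text):
    """Return {policy_name: (mode, detail)} for every attributes block."""
    result, current = {}, None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1).strip('"')
            result[current] = ("inherit", "")  # until an explicit line is seen
            continue
        if line and not line[0].isspace():
            current = None  # any other top-level command closes the block
            continue
        setting = SETTING.match(line)
        if setting and current:
            result[current] = (setting.group(1), setting.group(2).strip())
    return result


def policies_needing_review(config_text):
    """Policies with no enforced client firewall, or relying on inheritance."""
    audit = audit_client_firewall(config_text)
    return sorted(n for n, (mode, _) in audit.items() if mode in ("none", "inherit"))


if __name__ == "__main__":
    for name, (mode, detail) in sorted(audit_client_firewall(SAMPLE_CONFIG).items()):
        print(f"{name:<12} {mode:<8} {detail}")
    print("review:", ", ".join(policies_needing_review(SAMPLE_CONFIG)))
```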

tony_scarola Tue, 08/07/2007 - 05:20

Yes, this seems to be working, however, we will need to enable a client-side firewall for our VPN connections. What are the supported options? Thanks in advance.

tony_scarola Wed, 08/08/2007 - 07:54

Fyi - I ended up opening up a TAC case for this (SR 606571713) and received the following information from the engineer:

"Either disable the firewall check for that group on the VPN appliance or clear a custom DLL check looking for the Microsoft Firewall DLLs or use an alternative Firewall that is supported on Vista and by the VPN appliance.

CPP pushes will not work for any Firewalls other than ZoneLabs; if or when ZoneLabs releases ZoneAlarm for Vista, customers can install this to get CPP support.

For more reference on this BUG please go to the following link:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi26229&Submit=Search

Note: This feature is not enabled because we are still waiting for the patch from ZoneLabs for Vista VPN client."

nickle Mon, 08/13/2007 - 12:37

I have not seen that error before, but from the log it looks like it has to do with IKE security policy. We have a 5520 set up and working with XP and Vista clients. Seems that the version before 5.0.01 didn't work too well but 5.0.01 works good. We are running ASA version 7.2.2.19.

tony_scarola Mon, 08/13/2007 - 13:03

We have learned that the reason for this issue is because we were using the integrated client firewall which this VPN client currently does not support.
