Cannot connect via VPN

Answered Question
Nov 18th, 2008

I have run the VPN wizard on my PIX 501, choosing the option to connect with Cisco VPN Client 3 or higher. I am using client version 5.0.04 with the group name, IP address of the PIX and the username/password set; the rest are defaults. When I try to connect I get the error message "Secure VPN connection terminated locally by the client. Reason 412: The remote peer is no longer responding."

When looking at the firewall logs on my DSL router that I am connecting through, the log entry reads: src= My IP Address dst= PIX IP Address ipprot=17 sport1704 dport=500 packet dropped. I am assuming that this entry is telling me that it got as far as the PIX but the connection was refused. I have attached 2 copies of the show run, 1 before the wizard and one after, so that somebody can view it to see if I have missed anything.

Thanks in advance,

James.

ajagadee Tue, 11/18/2008 - 05:32

Hi,

Can you enable this command "isakmp nat-traversal" and try connecting again? In case you are still having issues, can you post the outputs of "deb cry is", "deb cry ips" and also the logs from the VPN Client with the logging level set to high.

Regards,

Arul

*Pls rate if it helps*

Jamesy281 Tue, 11/18/2008 - 07:02

Hi,

Thanks for the prompt response.

I added the line you suggested and still could not connect. I have attached the log from the Client after that connection attempt.

Regards,

James

Correct Answer
Jason Gervia Tue, 11/18/2008 - 08:22

James,

You need to add a rule on your router to allow the following traffic:

udp 500 to your pix

udp 4500 to your pix

and then turn on NAT traversal as the previous person suggested.

The VPN client negotiates P1/P2 over UDP 500. If your router (which I assume is before the PIX, or after your client) is dropping that traffic (it shows as being dropped), then the PIX is *not* receiving it.
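The answer above boils down to checking the router's drop log for exactly the traffic the VPN client needs to reach the PIX: UDP 500 (ISAKMP/IKE), UDP 4500 (NAT-T) and, without NAT-T, ESP (IP protocol 50). The script below is an added example, not code from the thread or from Cisco; it parses log lines in the layout James quoted (tolerating the missing "=" in "sport1704") and reports which of those required flows the router is still dropping. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges), and the field layout is assumed to match the DSL router's format as quoted.

```python
import re

# Traffic the Cisco VPN client needs to reach the PIX, per the answer above:
# UDP 500 carries ISAKMP (IKE phase 1/2), UDP 4500 carries NAT-Traversal
# (ESP encapsulated in UDP). Without NAT-T, ESP itself is IP protocol 50.
VPN_UDP_PORTS = {500: "ISAKMP/IKE", 4500: "IPsec NAT-T"}
ESP_PROTOCOL = 50
UDP_PROTOCOL = 17

# Field layout modelled on the DSL router log line quoted in the question
# (an assumption about that router's format); the "=" after sport is optional
# because the quoted line reads "sport1704". ESP lines carry no ports.
LOG_RE = re.compile(
    r"src=\s*(?P<src>\S+)\s+dst=\s*(?P<dst>\S+)\s+ipprot=(?P<proto>\d+)"
    r"(?:\s+sport=?(?P<sport>\d+)\s+dport=?(?P<dport>\d+))?"
    r"\s+packet\s+(?P<action>dropped|accepted)"
)


def parse_line(line):
    """Parse one router log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify(rec, pix_ip):
    """Label a record as VPN-setup traffic to the PIX, or None if it is unrelated."""
    if rec["dst"] != pix_ip:
        return None
    if rec["proto"] == UDP_PROTOCOL and rec["dport"] in VPN_UDP_PORTS:
        return VPN_UDP_PORTS[rec["dport"]]
    if rec["proto"] == ESP_PROTOCOL:
        return "ESP (IP protocol 50)"
    return None


def blocked_vpn_traffic(lines, pix_ip):
    """Return (label, src, dport) for each dropped packet the VPN needs to pass."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "dropped":
            continue
        label = classify(rec, pix_ip)
        if label:
            hits.append((label, rec["src"], rec["dport"]))
    return hits


def missing_rules(lines, pix_ip):
    """Summarise which required flows the router is still dropping (sorted labels)."""
    return sorted({label for label, _, _ in blocked_vpn_traffic(lines, pix_ip)})


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
PIX_IP = "198.51.100.10"
SAMPLE_LOG = [
    "src=192.0.2.25 dst=198.51.100.10 ipprot=17 sport1704 dport=500 packet dropped",
    "src=192.0.2.25 dst=198.51.100.10 ipprot=17 sport=4500 dport=4500 packet dropped",
    "src=192.0.2.25 dst=198.51.100.10 ipprot=6 sport=51000 dport=443 packet accepted",
    "src=192.0.2.25 dst=203.0.113.7 ipprot=17 sport=500 dport=500 packet dropped",
    "src=192.0.2.25 dst=198.51.100.10 ipprot=50 packet dropped",
]

if __name__ == "__main__":
    for label, src, dport in blocked_vpn_traffic(SAMPLE_LOG, PIX_IP):
        print(f"router is dropping {label} from {src} to {PIX_IP} (dport={dport})")
    print("still needs rules for:", missing_rules(SAMPLE_LOG, PIX_IP))
```

Run against a real export of the router's log with the PIX's outside address as `pix_ip`; an empty result from `missing_rules` means the router is no longer the reason the PIX never sees the IKE exchange, and the debugging should move to the PIX side ("deb cry is" / "deb cry ips", as suggested earlier in the thread).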
