Cannot connect via VPN

Jamesy281
Level 1

I have run the VPN wizard on my PIX 501, choosing the option to connect with Cisco VPN Client 3 or higher. I am using client version 5.0.04 with the group name, IP address of the PIX and the username/password set; the rest are defaults. When I try to connect I get the error message "Secure VPN connection terminated locally by the client. Reason 412: the remote peer is no longer responding."

When looking at the firewall logs on the DSL router that I am connecting through, the log entry reads: src= My IP Address dst= PIX IP Address ipprot=17 sport1704 dport=500 packet dropped. I am assuming that this entry is telling me that it got as far as the PIX but the connection was refused. I have attached 2 copies of the show run, one before the wizard and one after, so that somebody can view it to see if I have missed anything.

Thanks in advance,

James.

Accepted Solution

Jason Gervia
Cisco Employee

James,

You need to add a rule on your router to allow the following traffic:

udp 500 to your pix

udp 4500 to your pix

and then turn on nat-traversal as the previous person suggested

The VPN client negotiates p1/p2 over udp 500. If your router (which I assume is before the pix, or after your client) is dropping that traffic (it shows as being dropped) then the pix is *not* receiving it.
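The accepted answer turns on one observation: the router log shows UDP traffic to port 500 being dropped before it reaches the PIX, which is exactly the IKE exchange the VPN client needs (plus UDP 4500 once NAT-traversal is on). The script below is an added example, not code from the thread or from Cisco. It parses log lines in the format quoted in the question (the field layout, the `sport1704` quirk with a missing `=`, and the sample addresses are constructed assumptions) and reports any dropped UDP 500/4500 packets destined for the PIX, so a defender can confirm from the upstream firewall log alone whether IKE or NAT-T is being blocked and which allow rules are missing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines, mimicking the router log format quoted in the
# question. Addresses are documentation ranges, not real hosts (assumption).
SAMPLE_LOG = """\
src=203.0.113.10 dst=198.51.100.5 ipprot=17 sport1704 dport=500 packet dropped
src=203.0.113.10 dst=198.51.100.5 ipprot=17 sport=1705 dport=4500 packet dropped
src=203.0.113.10 dst=198.51.100.5 ipprot=6 sport=40000 dport=443 packet allowed
src=203.0.113.10 dst=198.51.100.5 ipprot=17 sport=1704 dport=500 packet allowed
"""

PIX_IP = "198.51.100.5"   # the VPN headend address (constructed)
UDP = 17                  # IP protocol number for UDP
# Ports the IPsec remote-access client needs to reach on the PIX.
IKE_PORTS = {500: "IKE/ISAKMP (phase 1 and 2 negotiation)",
             4500: "IPsec NAT-traversal (UDP encapsulation)"}

# Tolerant of the 'sport1704' form seen in the original log (missing '=').
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+ipprot=(?P<proto>\d+)\s+"
    r"sport=?(?P<sport>\d+)\s+dport=?(?P<dport>\d+)\s+packet\s+(?P<action>\w+)"
)


@dataclass
class LogEntry:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    action: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one router log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return LogEntry(m["src"], m["dst"], int(m["proto"]),
                    int(m["sport"]), int(m["dport"]), m["action"])


def blocked_vpn_entries(log_text: str, pix_ip: str) -> List[LogEntry]:
    """Dropped UDP packets to the PIX on an IKE/NAT-T port: the PIX never saw them."""
    blocked = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if (e.dst == pix_ip and e.proto == UDP
                and e.dport in IKE_PORTS and e.action == "dropped"):
            blocked.append(e)
    return blocked


def missing_allow_ports(log_text: str, pix_ip: str) -> List[int]:
    """Distinct UDP ports the upstream router must allow to the PIX, sorted."""
    return sorted({e.dport for e in blocked_vpn_entries(log_text, pix_ip)})


def report(log_text: str, pix_ip: str) -> List[str]:
    """Human-readable findings, one per dropped IKE/NAT-T packet."""
    return [f"{e.src} -> {e.dst} udp/{e.dport} dropped upstream: "
            f"{IKE_PORTS[e.dport]} never reaches the PIX"
            for e in blocked_vpn_entries(log_text, pix_ip)]


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG, PIX_IP):
        print(finding)
    ports = missing_allow_ports(SAMPLE_LOG, PIX_IP)
    if ports:
        print("Router needs allow rules for UDP", ", ".join(map(str, ports)), "to", PIX_IP)
```

A dropped entry to udp/500 is the signature of the reason 412 symptom described in the question: the client sends its first IKE packet, nothing upstream forwards it, and after retransmitting the client concludes the peer is not responding. Once the allow rules exist, the same log should show those packets as allowed and any further troubleshooting moves to the PIX itself (the `deb cry is` / `deb cry ips` output mentioned earlier in the thread).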


3 Replies

ajagadee
Cisco Employee

Hi,

Can you enable this command, "isakmp nat-traversal", and try connecting again? If you are still having issues, can you post the outputs of "deb cry is" and "deb cry ips", and also the logs from the VPN Client with the logging level set to high.

Regards,

Arul

*Pls rate if it helps*

Hi,

Thanks for the prompt response.

I added the line you suggested and still could not connect. I have attached the log from the Client after that connection attempt.

Regards,

James

