QuickVPN and RV042 not verifying network

Unanswered Question
Jun 8th, 2009

I installed an RV042 this weekend at my home office that has dual DSL connections.  The unit works great except now I am offsite and I cannot get to the VPN.  The frustrating thing is that QuickVPN CONNECTS; it just does not verify the connection via the remote ping.

2009/06/08 08:48:19 [STATUS]OS Version: Windows XP
2009/06/08 08:48:19 [STATUS]Windows Firewall is OFF
2009/06/08 08:48:19 [STATUS]One network interface detected with IP address 10.15.25.xxx
2009/06/08 08:48:19 [STATUS]Connecting...
2009/06/08 08:48:26 [STATUS]Remote gateway was reached by https ...
2009/06/08 08:48:26 [STATUS]Provisioning...
2009/06/08 08:48:33 [STATUS]Tunnel is connected successfully.
2009/06/08 08:48:33 [STATUS]Verifying Network...
2009/06/08 08:48:37 [WARNING]Failed to ping the remote VPN Router!
2009/06/08 08:48:38 [WARNING]Failed to ping the remote VPN Router!
2009/06/08 08:48:39 [WARNING]Failed to ping the remote VPN Router!
2009/06/08 08:48:40 [WARNING]Failed to ping the remote VPN Router!
2009/06/08 08:48:41 [WARNING]Failed to ping the remote VPN Router!
2009/06/08 08:48:42 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.

As you can see the Windows firewall is off, I have a 10.15.25 address on the client side (the VPN side is 192.168.100.xxx).  So the tunnel connects okay but the network verification fails.  So this means that 443 from where I am is open.  Of course who would block 443 anyhow?  Is there an access rule that needs to be created to allow ping to the local address of the router or something?  If so that is not in the documentation anywhere.  Help please?

daviddun Mon, 06/08/2009 - 06:29

The ISP may be blocking port 500; this is the port that QuickVPN is using to verify security of the tunnel.  The easiest way to look at this is to go to www.grc.com and try the tool called Shields Up to check whether the port is being blocked.  Make sure that you are directly connected to the ISP modem with your firewall turned off.  This is a great test to get a screenshot of when calling your ISP.  Typically all ISPs say they do not block port 500, but with this test you will know the answer before you call them.

Hope this helps you resolve your issue.

https://www.grc.com/x/ne.dll?bh0bkyd2

Port 500 info

http://www.grc.com/port_500.htm

ccolotticisco Mon, 06/08/2009 - 07:12

So even though the QuickVPN connects on 443 it still uses 500?  So that means a company blocking IPSEC VPN would still not work?  I was assuming since it was using 443 that it was an SSL style VPN tunnel with no IPSEC.  Can you confirm this for me?  I can try from a hotel tonight that should have all VPN ports open but I was hoping to see it work from where I am.

When I did the Shields Up test it said 500 was "Stealth" so I am not sure what that means.  I am pretty sure this company actually blocks IPSEC though.

-Chris

daviddun Mon, 06/08/2009 - 07:19

When doing your testing you need to be at the office you are trying to VPN into.  Then unplug the router and run the Shields Up program off your computer that is directly attached to the DSL/Cable Modem.  This will let you see if Port 500 is being blocked.  The ping that happens after you connect across Port 500 is a security check to see if the VPN tunnel is secure.

If you are still having a problem, you need to open a ticket with Cisco.

Best of luck

ccolotticisco Mon, 06/08/2009 - 07:44

If that is the case I know 500 is open on the Home Office side as I have used other VPN clients and products.  Therefore I know 500 is open on the end where the RV042 is sitting.

However it may be closed from the location I am trying to go out from.

Would that still pose the same errors in the log?  I will definitely try from the hotel where there are no VPN restrictions tonight and re-post, but if 500 is used I pretty much know that is blocked from the customer site I am at trying to get out.  Thanks so far for the help; knowing about the 500 requirement was helpful.  All documentation makes it seem like 443 is the only requirement for QuickVPN to work and that seems to not be the case if 500 is also a requirement on both ends.

Te-Kai Liu Wed, 06/10/2009 - 19:09

As far as I know, port 443 or 60443 is for QuickVPN client to get VPN settings from the QuickVPN router via the SSL protocol. Ports 500 and 4500 are used for establishing IPSec tunnel per the IPSec protocol.
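An added example, not part of any post in this thread: a small triage script that reads a QuickVPN client log and reports whether the failure sits in the SSL provisioning leg (TCP 443/60443) or in the IPSec leg that the ping test exercises. The function name, the stage names and the sample log are assumptions made for illustration, and the checks listed are suggestions reported by posters in this thread, not vendor documentation.

```python
import re
from collections import Counter

# Log line shape seen in the thread: "2009/06/08 08:48:19 [STATUS]message"
LINE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(STATUS|WARNING)\](.*)$")

# Ordered milestones (substring of message, stage name), taken from the posted logs.
MILESTONES = [
    ("Connecting...", "connecting"),
    ("Remote gateway was reached by https", "https_reached"),
    ("Provisioning...", "provisioning"),
    ("Tunnel is con", "tunnel_configured"),  # "connected" or "configured"
    ("Verifying Network", "verifying"),
]

# Suggestions reported by posters in this thread (hypothetical checklist wording).
IPSEC_CHECKS = [
    "UDP 500 and 4500 open between client network and router",
    "ESP allowed through any intermediate router",
    "'IPSEC Services' Windows service set to Automatic and started",
    "ICMPv4 allowed inbound and outbound on the client firewall",
    "client LAN subnet differs from the remote LAN subnet",
]

def triage(log_text):
    """Return the furthest stage reached and which leg of the connection to suspect."""
    stage_idx, counts = -1, Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines or pasted prose between log lines
        level, msg = m.group(1), m.group(2).strip()
        for i, (needle, _name) in enumerate(MILESTONES):
            if needle in msg:
                stage_idx = max(stage_idx, i)
        if level == "WARNING" and msg.startswith("Failed to ping"):
            counts["ping_failures"] += 1
        elif level == "WARNING" and msg.startswith("Ping was blocked"):
            counts["rounds_blocked"] += 1
    stage = MILESTONES[stage_idx][1] if stage_idx >= 0 else "none"
    if stage == "connecting":
        suspect, checks = "ssl_provisioning", ["TCP 443 or 60443 reachable on the router"]
    elif counts["ping_failures"]:
        suspect, checks = "ipsec_path", IPSEC_CHECKS
    else:
        suspect, checks = "undetermined", []
    return {"stage": stage, "suspect": suspect, "checks": checks,
            "ping_failures": counts["ping_failures"],
            "rounds_blocked": counts["rounds_blocked"]}

# Constructed sample in the thread's log format (203.0.113.10 is a documentation address).
SAMPLE = """\
2010/01/01 10:00:00 [STATUS]Connecting...
2010/01/01 10:00:00 [STATUS]Connecting to remote gateway with IP address: 203.0.113.10
2010/01/01 10:00:05 [STATUS]Remote gateway was reached by https ...
2010/01/01 10:00:05 [STATUS]Provisioning...
2010/01/01 10:00:09 [STATUS]Tunnel is configured. Ping test is about to start.
2010/01/01 10:00:09 [STATUS]Verifying Network...
2010/01/01 10:00:15 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 10:00:18 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/01/01 10:00:21 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/01/01 10:00:25 [STATUS]Disconnecting...
2010/01/01 10:00:30 [STATUS]Tunnel is disconnected successfully.
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["stage"], result["suspect"])
    for item in result["checks"]:
        print(" -", item)
```

A log that gets past "Remote gateway was reached by https" and then fails every ping shows that the TCP leg works, so the remaining suspects are on the IPSec side.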

lancooper Tue, 11/24/2009 - 06:04

I ran into this same problem with the latest version of QuickVPN (1.3.0.3).  I have three computers running Windows XP Pro SP3 in a local network that I wanted to individually connect using VPN to a remote network with an RV042 router.  However one computer would not connect (the other two worked ok).  It would get stuck at Verifying Networks.  That told me it wasn't the local router (a D-Link DI-604) causing the problem.

After comparing all firewall settings (the XP firewalls were enabled) and much research on the Internet I came across one suggestion which fixed it.  On the one computer which did not work the service "IPSEC Services" was disabled (Control Panel > Administrative Tools > Services > scroll down to IPSEC Services).  I set it to Automatic and Started it.  Voila - QuickVPN connected right away.

Hope this helps others find the solution as this thread showed up near the top of the list when I Googled the problem.

lpkurdelski Wed, 11/25/2009 - 08:00

I have the same original problem.

The ISP told me that NO port is blocked by him.

Shields Up shows me nearly all ports as "stealth" if the computer is connected via the router, and as "closed" if the computer is connected directly to the cable modem. The ISP told me that they have several customers using VPN successfully. Now it looks like it is my fault.

Here are the questions: If I take the router out of the box it is not clear

- do I have to define a tunnel first? It is the only point where I can define an ip-subnet

I used a different ip subnet like x.y.z.0 as private net and x.y.z+1.0 as vpn subnet

- do I have to open the ports 443, 500, 4500, 60443 and ICMP in the router?

  from the documentation it looks like I do not have to do it.

BTW: system is Ubuntu 9.04 64 with vpnc incl. openssl and windows XP sp3 running as vm in vmware.

No firewalls are set up. ufw on ubuntu is inactive.

Any hints on what I have to setup, change?

daviddun Wed, 12/16/2009 - 09:45

Good Afternoon All,

Just wanted to check in, this post is still active and has a not answered status on it.

Please post if you have additional questions

Have a great day :)

iandesousa Tue, 12/29/2009 - 02:54

I had the same issue but on a WRV210; as soon as I port forwarded "ESP" it all started to work...

mmoore9154 Thu, 02/11/2010 - 00:17

David,

This is definitely *not* resolved, and I am having the exact same problem with an RV042 (firmware version 1.3.12.19-tm) from a Windows 7 Ultimate (v6.1.7100) platform.

All of the ports on the RV042 are fully available from the internet.  Here is an nmap scan of the entire RV042:

C:\Users\markm>nmap 173.13.184.201

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-10 22:12 Pacific Standard Time

Interesting ports on 173-13-184-201-sfba.hfc.comcastbusiness.net (173.13.184.201):
Not shown: 995 filtered ports
PORT      STATE  SERVICE
80/tcp    open   http
113/tcp   closed auth
443/tcp   open   https
1723/tcp  open   pptp
60443/tcp open   unknown

Here's the screen shot of QuickVPN (not much to tweak):

QuickVPN Screen.png

When I try and connect, it gets all the way through everything, but hangs on "Verifying network..."  This is the classic "can't ping the server" problem...  FWIW, I inserted a copy of my QuickVPN logfile at the end of this post.

I see a lot of guys trying crazy stuff, but no answers, or even suggestions that seem to understand the problem.  Maybe I should turn this around a little...

Has *anyone* successfully connected using QuickVPN under Windows?  If so, can you please describe your configuration?  I suspect this tool worked once in '98, and Linksys/Cisco still thinks it works.  As best I can tell, the tool simply hasn't worked since at least WinXP, maybe Win2K.

Helllllllllllllllllllllllllllllllllllllp!

-Mark

Log file after unsuccessful connection attempt (with 2 retries):

2010/02/10 21:54:55 [STATUS]OS Version: Windows XP
2010/02/10 21:54:55 [STATUS]Windows Firewall is ON
2010/02/10 21:54:55 [STATUS]One network interface detected with IP address 10.69.1.100
2010/02/10 21:54:55 [STATUS]Connecting...
2010/02/10 21:54:55 [STATUS]Connecting to remote gateway with IP address: 173.13.184.201
2010/02/10 21:55:00 [STATUS]Remote gateway was reached by https ...
2010/02/10 21:55:00 [STATUS]Provisioning...
2010/02/10 21:55:04 [STATUS]Tunnel is configured. Ping test is about to start.
2010/02/10 21:55:04 [STATUS]Verifying Network...
2010/02/10 21:55:10 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:13 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:16 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:19 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:22 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:25 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/02/10 21:55:33 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:34 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:35 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:36 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:37 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:38 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/02/10 21:55:46 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:49 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:52 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:55 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:55:58 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/10 21:56:01 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/02/10 21:56:05 [STATUS]Disconnecting...
2010/02/10 21:56:13 [STATUS]Tunnel is disconnected successfully.

UltimateSE Thu, 02/11/2010 - 03:49

I'm sorry for my English, I write from Russia ...

And so, at me precisely same problem, a broad gull simply copy, has noticed such piece if I am connected with allocated to me static ip address through ethernet that all ok! If I am connected from 3G modem, ip address dynamic that is jumped out by these error. May be really at the provider is closed udp 500, as firewall it is turn off, the service ipsec is started!!!  I test 5 laptop to connect for RV042 with linksys QuickVPN through static ip address on work, and all was connect!!!

I will try tonight houses, to test udp port on page http://www.grc.com/port_500.htm

And in general it is possible to connect by means of TheGreenBow VPN client, there all parameters in the manual register, but on RV042 it will be necessary to create connection client2gateway as Microsoft XP/2000 VPN client...

jasbryan Thu, 02/11/2010 - 06:42

When using qvpn there are a lot of factors to take into account. Most of the time when we get a failed to ping remote ip address, usually there is a firewall blocking the icmp echo or the reply. I have seen in some cases where the users were put in and a certificate wasn't created; even though you don't need the certificate to connect, it's best practice to create a new one after deleting or adding users. I would do a test with a pc plugged directly into your modem (where the RV042 or WRV210 is located). Bypassing the router! Go to GRC.COM and run a Shields Up test. You can specify your ports 443,500,4500,60443 click (user specified customer port probe). This is just to confirm that ports are opened at the vpn site. After you know that the ports are opened then it's just a matter of firewalls on the pc or router that you are remote from. XP (firewalls off)

vista (firewall on (compatibility mode xp pro service pack)

windows 7 (firewall on compatibility mode vista service pack 3) can't use dns name on windows 7, you have to use the public ip address. Right now windows 7 is not supported but I have had it working with many of my accounts and any time I test someone's vpn I use windows 7, so these settings should work for you.

If you have any of the RV042 RV082 RV016 you can also enable the PPTP server in these routers, to have another vpn connection that you use and also maybe test to see if port 1723 is open. PPTP uses port 1723  You use the vpn client installed in your windows machines to connect to the PPTP server.

Also do this, delete all your qvpn users and create a certificate while no users are in the table save settings, add all your users and generate a new certificate with user in your table.

Thanks,

Steven Smith Thu, 02/11/2010 - 07:31

QuickVPN doesn't run on Windows 7 yet.  It will in the 1.4.X.X release.  Should be out soon.

mmoore9154 Thu, 02/11/2010 - 11:04

Steven,

I mean no disrespect, but there is a loooooong list of where QuickVPN DOESN'T work.  I'm looking for a single configuration where it *does* work.  Does it work under Windows XP?  Do I have to go back to Win98 SE???  Win 3.1????

Sorry for being direct, but I've never been successful with QuickVPN.  Every thread here basically says give up on QuickVPN and just use PPTP.  Can anyone report on a configuration that does work?

-Mark

Steven Smith Thu, 02/11/2010 - 11:18

I have used it with Windows XP with no problems.  You must have the Windows XP firewall on when you do it, and you must have a different local subnet than remote subnet.

ultranetworks Tue, 02/23/2010 - 12:57

I have installed QuickVPN on XP SP3 with firewall ON or OFF, separate subnets in the two locations (192.168.232.0 and 192.168.1.0).

Opened TCP ports 443 and 60443 and UDP 500 and 4500 on the ADSL modem at RV042 side, checked with GRC.com and confirmed open.

Also opened PPTP port and PPTP connection works perfectly.

But this thing is definitely not reliable. I could connect a couple of times but in 99% of cases QuickVPN is not connecting. I tried with a new certificate, running the QuickVPN as administrator, turning firewall on or off, changing the RV042 MTU value to a smaller one, using a different PC with XP SP2 and any other suggestion I could find in this community and also on the forums.linksysbycisco.com.

The connection fails at the PING test, please see the log below.

If you Cisco guys have a tested procedure for this connection please present it here as I bought this router after I read the documentation for RV042 and QuickVPN client to be sure that I can have more than 5 connections to our central office!!

Now the log looks like this:

2010/02/23 19:35:16 [STATUS]OS Version: Windows XP
2010/02/23 19:35:16 [STATUS]Windows Firewall is OFF
2010/02/23 19:35:16 [STATUS]One network interface detected with IP address 192.168.232.110
2010/02/23 19:35:16 [STATUS]Connecting...
2010/02/23 19:35:16 [STATUS]Connecting to remote gateway with IP address: 86.35.xx.xx
2010/02/23 19:35:21 [STATUS]Remote gateway was reached by https ...
2010/02/23 19:35:21 [STATUS]Provisioning...
2010/02/23 19:35:27 [STATUS]Tunnel is configured. Ping test is about to start.
2010/02/23 19:35:27 [STATUS]Verifying Network...
2010/02/23 19:35:34 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/23 19:35:37 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/23 19:35:41 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/23 19:35:44 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/23 19:35:48 [WARNING]Failed to ping the LAN IP of the remote VPN Router!
2010/02/23 19:35:52 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.

Best regards,

Alex Moise.

UltimateSE Thu, 02/11/2010 - 09:55

Ok, I understand, but it is interesting that, there is a laptop, then I connect to the internet through 3G modem, the qvpn is not connect (error is: the remote gateway is not responding...), I change connection to the Internet for ethernet cable from provider and the connection is established! Here in what a question, one laptop, one windows, one firewall customisations and connection is not establish, the dynamic or static address? Now I try to connect to rv042 from house, my network at home it's pc -> router (lan 192.168.10.0 ...) and the qvpn connect is established, my firewall agnitum outpost is on (truth I created a allow rule), firewall on router Zyxel p330 is on!!! Then I connect my pc directly to cable off provider, make pptp connection to the internet, and the qvpn is not established!!!

Therefore I do not think that removal user vpn profiles and to create them anew is help to me.

I use rv042, it's supports only 5 pptp user, and it is necessary to me at least 9, therefore it is necessary to invent a bicycle =) with quick vpn  =(

QuickVpn can run in Windows 7 in compatibility mode, i try run it's in windowsxp sp3 mode and it's run, but not connect for the same reason.

Thanks for the help!!!

ultranetworks Tue, 03/16/2010 - 02:10

Well... this version (1.4.0.5) seems to work...

Here  is the config:

RV042 with firmware Version: 1.3.12.19-tm connected through ADSL modem set in bridge mode so the RV042 does the ADSL authentication and gets the external IP address (static!).

PCs with XP Pro with SP2 and SP3, QuickVPN v1.4.0.5 installed and running as administrator (I tried as user and power user and is NOT connecting). These PCs are behind another ADSL router and have 192.168... internal IP addresses. The communication goes on TCP ports 443 and 60443 and UDP 500 and 4500 from clients to the RV042, no special ports need to be opened at the client side.

Not tested with Vista or 7 yet, however the admin rights need is annoying, on XP I solved it quickly with a script to start from a different account but on Vista & 7 this will need more clicks from the user...

Good luck,

Alex.

mmoore9154 Thu, 02/11/2010 - 11:19

Jason,

Thanks for the detailed response.

I do have an RV042.  It is connected directly to the internet through a SMC DOCSIS 3.0 cable modem.  All ports are exposed, and there is *no* firewall between the RV042 and the Internet in the wild.

PPTP does work which is how I'm hobbling along for now.  But, I need more than the 5 connections PPTP supports, and I'm hoping QuickVPN will provide this.

I'll give your suggestion about clearing the users and regenerating the certificates a test.  I'll report back what I find so others can benefit.

On the local firewall...

I think that's a bit of a red herring.  Windows doesn't generally block outgoing connection requests.  And, I've tried to connect with the firewall completely disabled just to eliminate variables.  (Turning off the firewall had *no* effect, fwiw.)

Most notably, all of the connection is set up before the "verifying server" phase.  The ping is attempted *through* the IPSec tunnel.  The only devices with any ability to filter ICMP would be QuickVPN on the client side, and the RV042 firmware on the server side.  Both of those endpoints are from Linksys/Cisco, so you have full control.  It really doesn't seem like it could be a firewall issue once the connection is established.  To further cement this, it should be noted that I can freely ping the RV042 directly.  In fact, if I set up an ongoing ping, there will be no dropped packets during the entire QuickVPN connection attempt.

There is nothing filtering ICMP except QuickVPN and the RV042.

Thanks again for the response!

-Mark

UltimateSEe Fri, 03/19/2010 - 00:12

So I have the same problems as with the previous version. Eventually I customized the connection of mobile users via greenbow vpn client.

techxpressllc Wed, 10/27/2010 - 07:59

Here is what I have and how I finally got it to work:

SBS2008, RV042, Win7, QuickVPN (latest version).  Initial setup everything worked.  VPN would connect every time.  Configured RV042 with port forwarding on 443 to enable the OWA access.  VPN stopped working.  After numerous tests, removed the 443 port forward (not just disable but remove) and then the VPN started connecting fine again.  Also tried using port 60443 in the VPN client but that never worked.  See if this solution helps anyone.  If so, then it looks like Cisco needs to address the port conflict so 443 can be forwarded for other uses.

deepak.x.kumar Fri, 04/24/2015 - 23:49

Hi, I banged my head against wall for 3 days, and finally solved this issue. Here are the few things people have suggested.

1. Open port 60443 for both TCP and UDP for Inbound and Outbound
2. Create firewall rules for ICMPv4 for both Inbound and Outbound
3. Install and run QuickVPN to run in Compatibility Mode 
4. Run As Administrator
5. Disable Windows Defender

Doing #2, #3 and #5 worked for me. Attached is the document explaining everything I did. I own RV042G router, and have installed client on two windows 8.1 machines.

Thanks

Deepak