Solved: Windows Vista x64 client to VPN 3000

Marvin Rhoads · ‎08-24-2009

I am trying to ascertain whether it is possible to use any Cisco VPN client from a client machine running Vista Home Premium 64-bit (x64) to a VPN 3000 concentrator.

The Cisco VPNclient is not supported on x64 systems. At least the version I am running - 5.0.03.0560 - isn't.

The AnyConnect client, while supported on x64 clients, is not supported on VPN 3000 concentrators (per http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml#qa145).

Any suggestions?

Phillip Remaker · ‎02-20-2010

The statement is correct. The Embedded firewall was last supported on XP, it is not supported on Windows Vista or Windows 7, regardless of 32 or 64-bit.

The workaround is to relax the policy (make it optional or disabled) for groups that include Windows Vista and Windows 7 machines.

The release notes for the first 5.x release report:

When connecting to a group that requires the firewall on Vista, the client terminates the connection due to Firewall policy mismatch.

Workaround

Do one of the following:

–Disable the firewall check on for that group on the VPN appliance

–Clear a custom DLL check looking for the Microsoft Firewall DLLS

–Use an alternative Firewall that is supported on Vista and by the VPN appliance.

CPP pushes do not work for any Firewalls other then ZoneLabs. If or when ZoneLabs releases ZoneAlarm for Vista, customers can install this to get CPP support.

Do you need CPP support?

The release notes for the beta release should also appear sometime next week in the same area where you downloaded the beta software.

View solution in original post

Richard Burts · ‎08-25-2009

Marvin

I believe that there is no attractive choice for you. You have correctly identified the issues: the IPSec VPN client from Cisco does not support Vista 64. And the Cisco client that does support Vista 64 is AnyConnect. A customer that I work with faced this issue and decided that adopting the new ASA as their replacement concentrator for their old 3000 concentrator was the solution. I am afraid that it may be your best choice.

HTH

Rick

HTH

Rick

Phillip Remaker · ‎02-19-2010

Starting with the 5.0.7 public beta, 64-bit Windows Vista and Windows 7 is supported

Key Capabilities available for Beta Testing:
New Platform support – Windows 7 & Windows Vista 64-bit platform compatibility
Software Access: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730 (under 5.BETA)
Software is available for download by any customer with a Cisco.com SMARTnet™ enabled login.

Marvin Rhoads · ‎02-19-2010

Thanks for the tip.

I note however that the Vista/Windows 7 version still removes the integrated firewall that is included in other distributions. So while I can get into some of the VPNs with the new client from my Win7 x64 host, the one that requires the integrated firewall (by policy) will still not work.

Phillip Remaker · ‎02-20-2010

The statement is correct. The Embedded firewall was last supported on XP, it is not supported on Windows Vista or Windows 7, regardless of 32 or 64-bit.

The workaround is to relax the policy (make it optional or disabled) for groups that include Windows Vista and Windows 7 machines.

The release notes for the first 5.x release report:

When connecting to a group that requires the firewall on Vista, the client terminates the connection due to Firewall policy mismatch.

Workaround

Do one of the following:

–Disable the firewall check on for that group on the VPN appliance

–Clear a custom DLL check looking for the Microsoft Firewall DLLS

–Use an alternative Firewall that is supported on Vista and by the VPN appliance.

CPP pushes do not work for any Firewalls other then ZoneLabs. If or when ZoneLabs releases ZoneAlarm for Vista, customers can install this to get CPP support.

Do you need CPP support?

The release notes for the beta release should also appear sometime next week in the same area where you downloaded the beta software.

Marvin Rhoads · ‎02-21-2010

That combination (the new client plus ZoneAlarm) did the trick. I successfully got into our customer's VPN using that. Thanks!

craig bache · ‎02-24-2010

Hi All

With regards to the following software bug CSCsi26229. Does anyone have any idea how to Clear a custom DLL check looking for the Microsoft Firewall DLLS?

Thanks Craig

Phillip Remaker · ‎02-26-2010

A product manager reports that "the custom checking functionality in the Cisco VPN Client AYT feature was intended for Cisco use. It is not designed to be used by end customers to support their own FW checks. For this capability, they would either need NAC w/ the Cisco VPN Client OR AnyConnect or AnyConnect Host Scan (via Cisco Secure Desktop)."

So, it would seem that the fact that we exposed the "Custom DLL" information in a release note was a mistake.

All that said, "Windows Firewall" does not support the Are You There (AYT) firewall test.

Supported firewalls can be found in the VPN Client Administrator's Guide:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch4.html

Namely:

Currently, the VPN Client supports the following personal firewalls:

BlackIce Defender

Cisco Security Agent

Sygate Personal Firewall

Sygate Personal Firewall Pro

Sygate Security Agent

ZoneAlarm

ZoneAlarmPro

andrewswanson · ‎08-25-2009

if replacing the vpn3000 isn't an option you can use 32-bit VMs on the 64-bit clients and run the Cisco client from the VM. its a hassle but it works.

andy

Marvin Rhoads · ‎08-25-2009

Thanks Andrew - that's the solution I had narrowed down to as well. Sub-optimal but it works, after a fashion. The downside is the isolation of the VM from my primary desktop. Little things like having to duplicate my "toolbox" and bookmarks on both the real and virtual desktop.

I'll pursue getting us on to a successor platform for the long term solution.

andrea.meconi · ‎08-31-2009

I'm using Shrew Soft VPN Client, http://www.shrew.net/.

Hope this helps.

Andrea