08-24-2009 05:39 PM
I am trying to ascertain whether it is possible to use any Cisco VPN client from a client machine running Vista Home Premium 64-bit (x64) to a VPN 3000 concentrator.
The Cisco VPN client is not supported on x64 systems. At least the version I am running - 5.0.03.0560 - isn't.
The AnyConnect client, while supported on x64 clients, is not supported on VPN 3000 concentrators (per http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml#qa145).
Any suggestions?
08-25-2009 04:17 AM
Marvin
I believe that there is no attractive choice for you. You have correctly identified the issues: the IPSec VPN client from Cisco does not support Vista 64. And the Cisco client that does support Vista 64 is AnyConnect. A customer that I work with faced this issue and decided that adopting the new ASA as their replacement concentrator for their old 3000 concentrator was the solution. I am afraid that it may be your best choice.
HTH
Rick
02-19-2010 12:11 PM
Starting with the 5.0.7 public beta, 64-bit Windows Vista and Windows 7 are supported.
Key Capabilities available for Beta Testing:
New Platform support – Windows 7 & Windows Vista 64-bit platform compatibility
Software Access: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281940730 (under 5.BETA)
Software is available for download by any customer with a Cisco.com SMARTnet™ enabled login.
02-19-2010 06:58 PM
Thanks for the tip.
I note however that the Vista/Windows 7 version still removes the integrated firewall that is included in other distributions. So while I can get into some of the VPNs with the new client from my Win7 x64 host, the one that requires the integrated firewall (by policy) will still not work.
02-20-2010 11:08 PM
The statement is correct. The Embedded firewall was last supported on XP; it is not supported on Windows Vista or Windows 7, regardless of 32 or 64-bit.
The workaround is to relax the policy (make it optional or disabled) for groups that include Windows Vista and Windows 7 machines.
The release notes for the first 5.x release report:
When connecting to a group that requires the firewall on Vista, the client terminates the connection due to Firewall policy mismatch.
Workaround
Do one of the following:
- Disable the firewall check for that group on the VPN appliance
- Clear a custom DLL check looking for the Microsoft Firewall DLLs
- Use an alternative Firewall that is supported on Vista and by the VPN appliance.
CPP pushes do not work for any Firewalls other than ZoneLabs. If or when ZoneLabs releases ZoneAlarm for Vista, customers can install this to get CPP support.
Do you need CPP support?
The release notes for the beta release should also appear sometime next week in the same area where you downloaded the beta software.
02-21-2010 07:43 PM
That combination (the new client plus ZoneAlarm) did the trick. I successfully got into our customer's VPN using that. Thanks!
02-24-2010 01:34 AM
Hi All
With regard to the software bug CSCsi26229: does anyone have any idea how to clear a custom DLL check looking for the Microsoft Firewall DLLs?
Thanks Craig
02-26-2010 04:28 PM
A product manager reports that "the custom checking functionality in the Cisco VPN Client AYT feature was intended for Cisco use. It is not designed to be used by end customers to support their own FW checks. For this capability, they would either need NAC w/ the Cisco VPN Client OR AnyConnect or AnyConnect Host Scan (via Cisco Secure Desktop)."
So, it would seem that the fact that we exposed the "Custom DLL" information in a release note was a mistake.
All that said, "Windows Firewall" does not support the Are You There (AYT) firewall test.
Supported firewalls can be found in the VPN Client Administrator's Guide:
Namely:
Currently, the VPN Client supports the following personal firewalls:
BlackIce Defender
Cisco Security Agent
Sygate Personal Firewall
Sygate Personal Firewall Pro
Sygate Security Agent
ZoneAlarm
ZoneAlarmPro
08-25-2009 07:22 AM
If replacing the vpn3000 isn't an option, you can use 32-bit VMs on the 64-bit clients and run the Cisco client from the VM. It's a hassle but it works.
andy
08-25-2009 05:48 PM
Thanks Andrew - that's the solution I had narrowed down to as well. Sub-optimal but it works, after a fashion. The downside is the isolation of the VM from my primary desktop. Little things like having to duplicate my "toolbox" and bookmarks on both the real and virtual desktop.
I'll pursue getting us on to a successor platform for the long term solution.
08-31-2009 03:55 AM