Nortel VPN Client behind PIX 515 firewall losing connection

Aug 26th, 2009

I have a Nortel VPN Client connecting to an external server from our office network. The internet connection was previously connected to a Cisco 2811 Router and a single IP address was used to translate all internal IP addresses for internet access. Now we just installed a Cisco PIX 515 Firewall and the same translation was done using the single IP address on the Outside interface of the Firewall. But I noticed that though the VPN client still connects, after a while it gives an error and disconnects. Any idea what could be the cause of this? Thanks.

Yudong Wu Wed, 08/26/2009 - 11:39

"sync timeout" indicated that TCP 3-way handshake did not complete. You might just have one direction traffic on your VPN tunnel. Check the encry/decry count to see if both are incrementing. Check your firewall configuration to make sure vpn related ports are opened.

imuonagor Wed, 08/26/2009 - 23:41

Yes, tcp sync is unable to complete. I wonder why since it works well without the Firewall.

The error on the VPN client when it disconnects is something like... configuration cannot be changed after connection is established.

I wonder if something on the Firewall is causing this. The firewall config is attached.

Yudong Wu Thu, 08/27/2009 - 07:14

I saw you permit any incoming traffic from two hosts. Not sure if they are the VPN headend. If not, you might need to open ports for ESP, udp 500 and udp 4500.

You can enable logging buffered, then start your VPN and check the logging to see if any related VPN packet is denied.

acomiskey Thu, 08/27/2009 - 07:24

Is the nortel vpn running nat-t? If not, is the vpn client being disconnected when a second vpn client makes a connection? Just a guess.

imuonagor Fri, 08/28/2009 - 01:53

Thanks, the IP addresses permitted are the VPN headend. I've also opened udp 500 and 4500 any any but it's the same. I've attached the log from the Firewall. It builds the connection, then once it says Teardown icmp... the connection is lost.

The error message on the Nortel VPN client application on the PC is: "The Routing Table cannot be altered after the Contivity VPN connection has been established. The contivity VPN connection has been closed"

The Nortel VPN client is running Nat-t. I also enabled Nat-t on the firewall.

Pls help. Thanks.

Yudong Wu Fri, 08/28/2009 - 07:18

It's most likely a client/PC issue. After the VPN is up, the VPN client needs to modify the PC's routes. From the error, it looks like the PC doesn't let the Nortel VPN client modify them. Can you try to disable any FW or anti-virus software on the PC and try it again? You might check with Nortel TAC to learn how to set up its VPN client.

imuonagor Fri, 08/28/2009 - 07:31

Thanks for your reply Kwu2, the VPN works perfectly when we bypass the Firewall and connect the internet to a Router. But once I pass the internet through the Firewall it connects, then a few minutes later comes up with the error message. I've searched the net and Nortel's website for help but haven't been so lucky yet.

I'm thinking it could be that since I'm using PAT with just one public IP address, maybe the source port number changes on the firewall and the remote peer at the other end doesn't trust it any more and cuts the connection. I don't know if this is the cause or how to sort it out. But the connection works well without my newly deployed PIX 515 Firewall.

Yudong Wu Fri, 08/28/2009 - 07:41

Sorry, I missed that.

If the VPN works fine without the Firewall and you are thinking of PAT, you can check if NAT-T is enabled on the client side and on the headend.

Yudong Wu Fri, 08/28/2009 - 07:54

Sorry, I missed a point again. You have mentioned NAT-T is enabled on both sides.

Since the FW is doing NAT, the only difference is that NAT-T kicks in here. But the error message from the client side does not make sense if it is related to the FW. I do suggest running the test again after disabling all anti-virus software on the client side. My guess would be that the Nortel VPN client needs to use another port to talk to the VPN headend after a firewall is added between them, which might not be permitted by the anti-virus software on the PC or something.

imuonagor Fri, 08/28/2009 - 11:29

Thanks again Kwu2, I just went to check the firewall and it's disabled along with Internet Connection Sharing. I disabled the antivirus to test but got the same result.

I'm wondering if the error message "Built/Teardown icmp connection for faddr gaddr laddr" means that I need to permit ICMP to and from the foreign address.

I only permitted on the outside interface any traffic from (the VPN headend). Or maybe the IP address and port number used by the PC for the ICMP connection is different from that of the ISAKMP build, so the headend drops the connection, I don't know. What do you think? Thanks a million, I really appreciate your help.

Yudong Wu Fri, 08/28/2009 - 11:58

I re-read your first post. It should not be related to NAT since the router did the NAT as well and you did not experience any issue.

I am not sure why you saw those ICMP packets. Did you use ping to test the connectivity? What's the current logging buffered level? You can set it to debug level to see if you get more detailed info when you run the test. You already permit all traffic from the VPN headend. Therefore, the firewall should not block it.

Yudong Wu Fri, 08/28/2009 - 12:10

This is what I got by a Google search.

Error: The routing table cannot be altered after the Contivity VPN Connection has been established. The Contivity VPN connection has been closed.

Cause: This occurs because your system is renewing its IP address or routing tables. Here is the most common fix:

2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3) Add the line: "PerformRouterDiscovery"=dword:00000000

The problem could be that every time the OS changes the MTU for a specific path, it records that information in the routing table. By disabling PMTUD you can alleviate this problem. (This potential fix provided by wfaulk)

Maybe you can try uninstalling/re-installing the Nortel client as well.

cisco24x7 Fri, 08/28/2009 - 13:20

It is unwise to suggest uninstalling/re-installing the Nortel client.

I've read this post with great interest because I ran into the same issue about three years ago. The headend was a Nortel Contivity and my PC was behind a Cisco 2600 router. The router was doing PAT and the Nortel client was working fine without any issues. I can't remember what version of Nortel because it's been a long time.

When I replaced the router with a PIX 515, I ran into the exact same situation that you have. I fixed the issue by making the PIX run OS version 6.3(5). That resolved the issue.

Seems to me like you will have to find a version of PIX code that fixes this issue. I don't think there is anything wrong with your Nortel VPN server or Nortel client. It seems like the problem lies with the OS code running on the PIX.

imuonagor Sat, 08/29/2009 - 07:01

Thanks a million guys! I think God saw how helpless I was and revealed the solution. Here it is:

When it's just the router, there's no problem. This is because the router is also the gateway for the office. But when I introduce the Firewall I have to add a route on the Router forwarding all outbound traffic to the firewall.

Now what happens is that the gateway Router sends an IP redirect message to the PCs in the LAN asking them to use the Firewall's IP address as the gateway for outbound traffic instead. The VPN client PC changes its gateway, and this change in the routing table affects the VPN connection and it breaks.

Thanks a million Kwu2 for all your assistance. Thanks cisco24x7 for your insight too. Every problem is an opportunity to learn and Netpro is the place.

Yudong Wu Sat, 08/29/2009 - 21:37

Very glad that you finally found the issue.

Thanks for sharing info here.

imuonagor Sun, 08/30/2009 - 18:38

Yeah, the solution was either to make the firewall also the default gateway (so that the router doesn't send the IP redirect that changes the PC's gateway/routing table) OR to disable IP redirects (using the "no ip redirect" interface subcommand) on the Router. I disabled IP redirects on the Router's LAN interface.

I think it's possible the cause of this same issue ("routing table cannot be altered after VPN connection has been established") might vary depending on the network design. But the solution would be in finding out what exactly is changing the routing table after the VPN has formed. It wasn't until I ran "debug ip icmp" on the router that I saw this. Thanks again.
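As an added example that is not part of the thread: a small Python helper that scans captured `debug ip icmp` output for the redirect lines described above and reports which LAN hosts were told to switch gateways, plus the IOS interface commands that stop the router from sending them. The sample lines, the addresses and the interface name are constructed (192.168.1.1 stands in for the router, 192.168.1.2 for the firewall); the line format is modelled on the IOS redirect message and is an assumption, not a quote from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS "debug ip icmp" output (addresses and lines
# are made up for this example, modelled on the IOS redirect message format).
# 192.168.1.1 is the router/default gateway, 192.168.1.2 the new firewall.
SAMPLE_DEBUG = """\
ICMP: echo reply sent, src 192.168.1.1, dst 192.168.1.10
ICMP: redirect sent to 192.168.1.10 for dest 198.51.100.7, use gw 192.168.1.2
ICMP: redirect sent to 192.168.1.10 for dest 198.51.100.7, use gw 192.168.1.2
ICMP: redirect sent to 192.168.1.25 for dest 203.0.113.9, use gw 192.168.1.2
ICMP: dst (192.168.1.1) port unreachable rcv from 192.168.1.30
"""

IPV4 = r"\d+(?:\.\d+){3}"
REDIRECT_RE = re.compile(
    rf"ICMP: redirect sent to (?P<host>{IPV4}) "
    rf"for dest (?P<dest>{IPV4}), use gw (?P<gw>{IPV4})"
)


def parse_redirects(debug_output):
    """Return one (host, dest, gw) tuple per ICMP redirect the router sent."""
    hits = []
    for line in debug_output.splitlines():
        m = REDIRECT_RE.search(line)
        if m:
            hits.append((m["host"], m["dest"], m["gw"]))
    return hits


def redirect_report(debug_output):
    """Per affected host: which gateway it was told to use and how many times.

    A host that keeps being redirected to a gateway other than its configured
    default has its routing table rewritten, which is exactly what the
    Contivity client refuses to tolerate once the tunnel is up.
    """
    report = defaultdict(lambda: defaultdict(int))
    for host, _dest, gw in parse_redirects(debug_output):
        report[host][gw] += 1
    return {host: dict(gws) for host, gws in report.items()}


def redirect_fix(lan_interface):
    """IOS interface commands that stop the router sending redirects on the LAN."""
    return ["interface " + lan_interface, " no ip redirects"]


if __name__ == "__main__":
    for host, gws in redirect_report(SAMPLE_DEBUG).items():
        print(host, "was redirected to", gws)
    print("\n".join(redirect_fix("FastEthernet0/0")))
```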
