Unable to connect with QuickVPN to SA520

I'm trying anything to connect to these SA520 devices and having no luck. Shrew client is not working for me and now I am having trouble with the QuickVPN client.

Windows 7 Ultimate x64 - Cannot connect with firewall on or off

Windows XP Pro - Cannot connect with firewall on or off

I turned on Remote Management and turned off the blocking of ping requests to the WAN port. I can ping the outside interface of the SA520.

Both get the same message "The remote gateway is not responding. Do you want to wait?" I click Yes and 30 seconds later the message pops up again. The client says "Verifying Network...."

Logs show:

2010/04/14 17:18:31 [WARNING]Server's certificate doesn't exist on your local computer.
2010/04/14 17:18:34 [STATUS]Remote gateway was reached by https ...
2010/04/14 17:18:34 [STATUS]Provisioning...
2010/04/14 17:18:42 [STATUS]Success to connect.
2010/04/14 17:18:42 [STATUS]Tunnel is configured. Ping test is about to start.
2010/04/14 17:18:42 [STATUS]Verifying Network...
2010/04/14 17:18:46 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:18:47 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:18:48 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:18:49 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:18:50 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:19:02 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/04/14 17:21:43 [STATUS]Disconnecting...
2010/04/14 17:21:46 [STATUS]Success to disconnect.

This is proving to be a VERY frustrating device after working with the PIX and ASA devices.

jsbardel Thu, 04/15/2010 - 05:55

Do you have any 3rd party firewalls running on either of your OSs?

Try running a Port Scan on www.GRC.com (ShieldsUP!), scan for ports 443, 500, 4500, and 60443. This is to see if any of these ports are being blocked or are in stealth mode (listening only). Try this from both sides (remote and where the SA is at). Also, when you try this port scan, do it on a computer directly connected to your modem.

What version of QVPN are you using? Needs to be if you are using Win 7.

Dealing with the Windows firewall on Win 7, try Resetting it to Default. Make sure on XP that the firewall is off and on Vista or Win 7 the firewall is on.

You may want to try uninstalling Shrew Soft and QVPN from your computer, reboot the computer, run WinSock, reboot the computer, then reinstall QVPN (latest) and test again.

No third party firewalls or even any A/V on either machine. No blocked ports anywhere. The XP Pro machine has never had any VPN installed on it and still doesn't connect.

I think I might wait until the next firmware is out. Saw some posts on this forum where people had better luck with the VPN after running the beta firmware.

biraja Thu, 04/15/2010 - 15:07

Hi Mark,

Was there any pop-up window complaining about CA certificate of the client while connecting using QuickVPN ?

I don't remember exact wordings but if you have seen it, click on NO to continue connecting.



biraja Fri, 04/16/2010 - 13:13

Hi Mark,

Glad it worked out for you with new build.



Florence09 Sun, 04/18/2010 - 08:38

Hi Mark. You appear to have had some success with QVPN and SA520 1.1.42. I have these in place but am not getting the success that you have. Could you post where you got the settings for the SA520 or what your settings are.


moudalee1 Thu, 04/22/2010 - 07:39

Yes, please do post what Florence09 asked for because I am having the same issues.

Cisco supports QuickVPN and SA520 for Windows 7 now? About a month ago, I tried opening a ticket and was told Windows 7 is not supported.

biraja Thu, 04/22/2010 - 10:21


Yes, QuickVPN is supported with Windows 7 with 1.1.42 firmware.



moudalee1 Thu, 04/22/2010 - 10:45

Is there documentation for using QuickVPN on SA520 for Windows 7 somewhere?

weilia Tue, 05/04/2010 - 15:52

1) For Windows 7, firewall must be on
   QuickVPN client release note mentioned this
2) Make sure IKE service is started
   Manually starting IKE service: go to Control Panel -> Computer Management -> Services and Applications -> Services. Start the "IKE and AuthIP IPsec Keying Modules"

justin.tsui Mon, 07/05/2010 - 22:42

Any updates on this thread? I have the same problem running latest firmware and QVPN on Windows 7 Ultimate. It is quite frustrating for my client and me to get this up and running. It works with SSL VPN but not QVPN. I called Cisco support and they said they can connect to the box okay. But for both me and my client, we cannot remotely connect to the VPN site.

weilia Mon, 07/26/2010 - 13:18

Hi Justin,

Could you post the exact error message you see for the quickvpn connection ?

Is it the 'remote gateway not responding' error ?


juliomar Thu, 09/09/2010 - 10:33

Hi Justin,

Can you send us your SA 520's configuration file, I will load it and try it out locally to try to narrow the cause of the failure. Please change any password and/or sensitive information from the configuration.

Furthermore, if you can describe the topology of your client's network, as well as the remote site's environment, it can help us in trying to re-create any issue.

If you do not want to post these items in the forum, please feel free to send me these items in a private message.

Best regards,


I too have been plagued with the same problems with the SA520, SA520W and SA540. However, the most significant issue I have had to deal with has been the QuickVPN accounts becoming corrupted (or something). Basically, after a week or two the user accounts would simply stop working. A reboot of the unit would always fix the problem or simply create a new redundant account (user1, user2, etc). It appears the latest firmware 2.1.51 has fixed this problem. I installed it the day it was released on several units and so far I have had no complaints from my users!!! I have been testing it hard daily (20-50 connections) and it appears 2.1.51 has provided me a glorious fix!

2.1.51 also appears to have fixed other random connection issues, including the one in this thread. Paired with QuickVPN client it appears to have fixed multiple complaints as long as these rules are followed:

1. Use only the Windows Firewall on both XP and Windows 7 (32 & 64). The client does not play nice with third party FW's. I also use Trend Micro Worry Free Business Security with the integrated FW. Once we deployed Trend all the clients stopped connecting at "verifying network". Turned the Trend FW off, turned the Windows FW on, all was good in the world. Norton FW is another that must be turned off.

2. A delete and reinstall of the client works more times than it should. Go figure.

3. IKE Service must be running. However, it will automatically start if it's not (Win 7) when you attempt a QuickVPN connection - just make sure it's not disabled.

gmdcuser1 Wed, 01/25/2012 - 14:43

I was having the same issue of no client vpn connections...just hanging on the checking network. After going over every setting in the unit I found one little check box. The manual shows:

STEP 1 Click Firewall > Attacks. The Attack Checks window opens.

STEP 2 In the WAN Security Checks area, check the box for each feature that you want to

     • Block Ping to WAN interface: Check this box to prevent attackers from discovering your network through ICMP Echo (ping) requests. Cisco recommends that you uncheck this box only if you need to allow the security appliance to respond to pings for diagnostic purposes.

          This setting is overridden in these cases:

          - A firewall rule that directs ping requests to a particular computer on the LAN. See Configuring Firewall Rules to Control Inbound and Outbound Traffic, page 103.

          - WAN Mode settings that ping specified IP addresses for failure detection. See Configuring Auto-Rollover, Load Balancing, and Failure Detection, page 57.

     • Enable Stealth Mode: Check this box to prevent the security appliance from responding to port scans from the WAN. In Stealth Mode, your network is less susceptible to discovery and attacks.

Once I unchecked both boxes...the QuickVPN client worked! Not sure which fixed it as I'm still testing.

mattiraisanen Mon, 02/20/2012 - 11:47



Win 7 64bit.

Windows firewall should be enabled

We sometimes get qvpn to work like this:

When the first "The remote gateway is not responding. Do you want to wait?" appears ==> Find in the qvpn directory

(usually: C:\Program Files (x86)\Cisco Small Business\QuickVPN Client) a file called IPSEC.exe and double-click it....

Script window appears and disappears...Wait a few seconds and click "Yes" (I want to wait...) from Cisco message....

Connection appears on some computers...

Hope this helps.


rmanthey Mon, 02/20/2012 - 13:09

Hello everyone,

Some things to be aware of...

Router Requirements:

  1. Depending on the device Remote Management needs to be on and configured for port 443 or 60443.
  2. Users need to be created and enabled.
  3. Only One Connection per User Account.
    1. Username and passwords must match and are case sensitive.
  4. Local Network Subnet must be different than Remote Network Subnet.
  5. If using Certificate the .pem file needs to be exported and placed under the “C:\Program Files\Cisco Small Business\QVPN Client” folder.

Microsoft XP SP3 (until 2014)

  1. Must be running Service Pack 3
  2. Must have the Windows Firewall Off (you can have the firewall on but ICMP Echo Requests are required inbound through the software Firewall for a connection to establish.)
  3. Must have IPSec Services Running

Windows Vista/ 7

  1. QuickVPN must run Vista Service Pack 2 or run in Vista Service Pack 2 compatibility for Windows 7.
  2. Windows Firewall needs to be on. (Other Firewall software will interfere.)
    1. Add ICMP rules to the Windows Firewall.
  3. Must have IPSec Services Running.
  4. You can test QuickVPN in safe mode with networking on Windows 7. XP will not because IPsec services will not start. (Note some antivirus and other programs will still run in safe mode.)

The QuickVPN Utility is just a front end interface that allows for a user friendly interface on configuring the Microsoft IPSec service to connect to the router. (That’s why it doesn’t work on any operating system but Microsoft.)

First the client connects using SSL to the router and looks for a certificate.

If you are using a certificate it needs to be installed or you can click no and bypass the certificate warning.

The next step authenticates the user name and password supplied to the router. Only one client per username can be logged in at one time. Once the user authenticates the IPSec tunnel will negotiate and establish. (Up until this point if anything fails you will get the 5 error message screen.)

At this point the client sends an ICMP Echo Request through the tunnel to the internal IP address of the router. (Yes, if you look the user is connected in the status of the router's interface for the tunnel.) The inside IP address is determined during the authentication phase. The router sends an ICMP Echo Reply back through the tunnel to the client. (If this fails you will get the error Remote Gateway not responding.)

Out of the several thousand QVPN issues I have troubleshot, it is 90% or more the client's Windows firewall. The other 5% is third party software or firewall, 3% is customers using the same IP subnet on both sides of the tunnel, and the last 2% is configuration issues on the router.

Software like Windows Defender and other antivirus software will modify the TCP/IP stack and the security of the operating system. Some of this software will run in safe mode and some modifies settings that, even if it is removed from the computer, will continue to prohibit the QuickVPN process.

Since XP, Microsoft has continued to make their operating systems more secure. The more secure you make something the more user unfriendly, and more productivity prohibiting it becomes. We all want our environment secure, but everyone's environment is different, and manual changes must be made to allow traffic that we want to work through this added security.

The ipsec.exe file runs a netsh command to add a firewall rule to allow the remote (office side) network in and out of the Windows firewall. This being said, Windows Defender and many other firewall software (antivirus software) will remove or prevent this from happening.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
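
The connection sequence described in the post above, turned into a log triage helper (an added example, not part of the original thread and not Cisco's code): it reads a QuickVPN client log like the one in the first post, reports the first step that did not complete, and checks the two LAN subnets for overlap. The step names, the mapping of log messages to steps, and the subnets in the usage line are assumptions.

```python
import ipaddress
import re

# Excerpt of the client log quoted in the first post of this thread.
SAMPLE_LOG = """\
2010/04/14 17:18:31 [WARNING]Server's certificate doesn't exist on your local computer.
2010/04/14 17:18:34 [STATUS]Remote gateway was reached by https ...
2010/04/14 17:18:34 [STATUS]Provisioning...
2010/04/14 17:18:42 [STATUS]Success to connect.
2010/04/14 17:18:42 [STATUS]Tunnel is configured. Ping test is about to start.
2010/04/14 17:18:46 [WARNING]Failed to ping remote VPN Router!
2010/04/14 17:19:02 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
"""

# Messages from that log taken to mark each completed step (assumed mapping).
STAGES = [
    ("Remote gateway was reached by https", "https"),
    ("Success to connect.", "connect"),
    ("Tunnel is configured", "ipsec"),
]
PING_FAILS = ("Failed to ping remote VPN Router", "Ping was blocked")
LINE_RE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[(\w+)\](.*)$")


def triage(log_text, client_lan=None, office_lan=None):
    """Return (first step that failed or None, ping failure count, subnet overlap)."""
    done, ping_failures = set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a log record
        msg = m.group(2)
        done.update(name for marker, name in STAGES if marker in msg)
        ping_failures += any(p in msg for p in PING_FAILS)
    failed = next((name for _, name in STAGES if name not in done), None)
    if failed is None and ping_failures:
        failed = "ping"  # tunnel is up, but the echo through it got no reply
    overlap = None
    if client_lan and office_lan:
        a = ipaddress.ip_network(client_lan, strict=False)
        b = ipaddress.ip_network(office_lan, strict=False)
        overlap = a.overlaps(b)  # True means both sides share address space
    return failed, ping_failures, overlap


if __name__ == "__main__":
    # Subnets are constructed values for illustration.
    print(triage(SAMPLE_LOG, "192.168.1.0/24", "192.168.1.0/24"))
```

A result of `"ping"` with the tunnel configured points at the last step of the sequence, where the post places the client firewall, third-party security software and identical subnets as the usual causes.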

jpMartinek Thu, 12/12/2013 - 14:04


With an RSV4000, Windows 7 Pro, my problem with your instructions is where you say
"If you are using a certificate it needs to be installed or you can click no and bypass the certificate warning."

The warning does not pop up so I don't get a chance to answer no.

Any ideas on this?

