QVPN Connectivity Problem with WRVS4400N

ethanfharris · ‎06-06-2010

I am suddenly not able to connect from a Vista laptop running QVPN to a WRVS4400N (rev1). QVPN and the router are using the latest software & firmware respectively. QVPN had been working just fine, but suddenly just stopped, and I am unaware of any changes to the laptop (other than the usual automatic Windows Update stuff) or router that might account for the problem.

The QVPN log.tx file (see below) indicates that the laptop is unable to "reach" the WRVS4400N. I am able to ping the router from the laptop, and FTP from the laptop to a host connected to the WRVS4400N, so the TCP/IP connectivity is there and FTP port forwarding is working fine between the router and the FTP server. The laptop's Vista firewall is on, and QVPN is listed in the firewall as a permitted application, and the router used by the laptop for internet access has VPN passthough enabled. Here's the QVPN log.txt file:

2010/06/06 15:26:34 [STATUS]OS Version: Windows Vista
2010/06/06 15:26:34 [STATUS]Windows Firewall Domain Profile Settings: ON
2010/06/06 15:26:34 [STATUS]Windows Firewall Private Profile Settings: ON
2010/06/06 15:26:34 [STATUS]Windows Firewall Private Profile Settings: ON
2010/06/06 15:26:35 [STATUS]One network interface detected with IP address 192.168.1.107
2010/06/06 15:26:35 [STATUS]Connecting...
2010/06/06 15:26:35 [STATUS]Connecting to remote gateway with IP address: 68.xxx.xxx.xxx
2010/06/06 15:26:36 [WARNING]Remote gateway wasn't reached...
2010/06/06 15:26:36 [WARNING]Failed to connect.
2010/06/06 15:26:37 [WARNING]Remote gateway wasn't reached...
2010/06/06 15:26:37 [WARNING]Failed to connect.
2010/06/06 15:26:37 [WARNING]Failed to connect!

What are the conditions that cause QVPN to put the warning message in the log and how might I fix it? Thanks in advance!!

cchamorr · ‎06-09-2010

Ok, according to your information i think the only option that is left is that you have some ports blocked.

Do the following test:

1- Go to GRC.com

2- Under services select "Shields Up"

3- On the next page select "Proceed"

4- On the next page, on the blue square type the following with no quotes "500,4500,443,60443"

5- Hit enter and wait for result

On the results pages all those ports should be open, if you have them stealth or closed you should call your ISP and have them open those ports because thats what the IPsec client ifs looking for to establish the connection.

Good luck.

ethanfharris · ‎06-10-2010

I ran the GRC.com port scan as recommended. Ports 443 and 60443 are Closed, and ports 500 and 4500 are Stealth. While I was at it, I ran a port scan on ports 0 through 1056 and all of them are Stealth except 443.

I called my ISP (Charter) tech support as suggested, and got through to a supervisor who indicated that they do not look at port information or block any ports. So it must be that the WRVS4400N is itself (a) blocking one or more of these VPN ports, or (b) not responding properly on one or more of the VPN ports. Based on these assumptions I did a bit more investigating as follows:

I went to the WRVS4400N Administration tab, and selected the log page, and selected the VPN log which contained the following. Note that I am not using a router to router tunnel. All I am interested in is a QVPN to WRVS4400N VPN connection.

Jun 10 09:46:20 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)

Jun 10 09:46:20 - [VPN Log]: @(#) built on Nov 17 2008:09:38:57:

Jun 10 09:46:20 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on

Jun 10 09:46:20 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1

Jun 10 09:46:20 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)

Jun 10 09:46:20 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)

Jun 10 09:46:20 - [VPN Log]: starting up 1 cryptographic helpers

Jun 10 09:46:20 - [VPN Log]: started helper pid=13810 (fd:5)

Jun 10 09:46:20 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star

Jun 10 09:46:20 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'

Jun 10 09:46:20 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'

Jun 10 09:46:20 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'

Jun 10 09:46:20 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'

Jun 10 09:46:20 - [VPN Log]: Warning: empty directory

I then cleared all the local logs, and then tried a QVPN connection which failed as usual. After the attempt, the VPN log shows nothing, but the System log shows the following:

Jun 10 10:00:32 - unexpected server: xx.xxx.0.5

Jun 10 10:00:32 - Reply packet was to small. Ignoring reply from xx.xxx.0.29

Jun 10 10:00:52 - unexpected server: 66.189.0.5

Jun 10 10:00:52 - Reply packet was to small. Ignoring reply from xx.xxx.0.29

I xx'ed out some of the IP addresses above. the xx.xxx.0.29 IP adderss is the network address of the router my laptop is connected to when I to try and establish a QVPN connection. I have no idea what the xx.xxx.0.5 IP address is. What would cause the unexpected server, and the reply packet too small log entries in the system log on the WRVS4400N when attempting to establish a QVPN connection? Is there a protocol bug in the QVPN client which is preventing the establishment of the VPN?

sam88jeep · ‎11-23-2010

Any luck? My except for a few unrelated ports I'm forwarding, all my ports are stealth except 433 and 60433, which report as closed. My Quick VPN connection fails. I'm pretty use I need those ports open. I've tried every setting in the book.

Any advice?

My ISP says they're not blocking ports, and Cisco says to talk to my ISP. Going to talk to Cisco again tonight.

Thanks,

Sam

jasbryan · ‎11-23-2010

Sam,

Just some questions first, have you had any client connect to your site? Looking at the logs it does still look like port issue but also the router configuration errors can affect the qvpn. You might want to factory default the router and build your configuration again. Go ahead and change your default Lan address to something other than 192.168.1.x . Now you want to add a Qvpn user and test, preferably from a XP machine (if you got one) The reason is security/firewall can be disable completely as with Vista and 7 when disabling the firewall you disable the windows ipsec services. You can also call 1-866-606-1866 after completing the new configuration and allow an agent to test from the lab. Also you can test the qvpn ports also by enabling remote management changing the port number and attempt to connect to the remote management page of the router. You would want to test with 443,60443,500,4500. This just another option to test ports being block. If you are able to connect via all port with remote management then you should be able to connect via Qvpn but all ports must be open or available.

Test with router remote management , one port at a time. change port to 443 and save , then test. Change port to 500 and save and test. ETC.

This will surely let you know if your ISP is blocker or altering ports.

Thanks

Jason

Cisco Support Engineer

sam88jeep · ‎11-23-2010

Thank you very much for help! No successful VPN clients yet. I can remotely connect to the services that I expose via port forwarding (i.e. some simply HTTP pages on port 80, and 5000).

My internal IP range is already 10.35.35.XXX. Been testing with a Windows 7 client, but since grc is reporting these ports (433,60433) closed, my client OS is unlikely the issue.

Very sound advice on the port testing. Will try that tonight. I'll also try the clean reset. The Cisco interface for entering IP/Mac binding isn't friendly, so I was hoping to avoice re-keying all those.

Thanks again,

Sam