06-06-2010 01:02 PM
I am suddenly not able to connect from a Vista laptop running QVPN to a WRVS4400N (rev1). QVPN and the router are using the latest software & firmware respectively. QVPN had been working just fine, but suddenly just stopped, and I am unaware of any changes to the laptop (other than the usual automatic Windows Update stuff) or router that might account for the problem.
The QVPN log.txt file (see below) indicates that the laptop is unable to "reach" the WRVS4400N. I am able to ping the router from the laptop, and FTP from the laptop to a host connected to the WRVS4400N, so the TCP/IP connectivity is there and FTP port forwarding is working fine between the router and the FTP server. The laptop's Vista firewall is on, and QVPN is listed in the firewall as a permitted application, and the router used by the laptop for internet access has VPN passthrough enabled. Here's the QVPN log.txt file:
2010/06/06 15:26:34 [STATUS]OS Version: Windows Vista
2010/06/06 15:26:34 [STATUS]Windows Firewall Domain Profile Settings: ON
2010/06/06 15:26:34 [STATUS]Windows Firewall Private Profile Settings: ON
2010/06/06 15:26:34 [STATUS]Windows Firewall Private Profile Settings: ON
2010/06/06 15:26:35 [STATUS]One network interface detected with IP address 192.168.1.107
2010/06/06 15:26:35 [STATUS]Connecting...
2010/06/06 15:26:35 [STATUS]Connecting to remote gateway with IP address: 68.xxx.xxx.xxx
2010/06/06 15:26:36 [WARNING]Remote gateway wasn't reached...
2010/06/06 15:26:36 [WARNING]Failed to connect.
2010/06/06 15:26:37 [WARNING]Remote gateway wasn't reached...
2010/06/06 15:26:37 [WARNING]Failed to connect.
2010/06/06 15:26:37 [WARNING]Failed to connect!
What are the conditions that cause QVPN to put the warning message in the log and how might I fix it? Thanks in advance!!
06-09-2010 04:56 PM
OK, according to your information, I think the only option that is left is that you have some ports blocked.
Do the following test:
1- Go to GRC.com
2- Under services select "Shields Up"
3- On the next page select "Proceed"
4- On the next page, on the blue square type the following with no quotes "500,4500,443,60443"
5- Hit enter and wait for result
On the results page, all those ports should be open. If you have them stealth or closed, you should call your ISP and have them open those ports, because that's what the IPsec client is looking for to establish the connection.
Good luck.
06-10-2010 07:56 AM
I ran the GRC.com port scan as recommended. Ports 443 and 60443 are Closed, and ports 500 and 4500 are Stealth. While I was at it, I ran a port scan on ports 0 through 1056 and all of them are Stealth except 443.
11-23-2010 05:47 AM
Any luck? Except for a few unrelated ports I'm forwarding, all my ports are stealth except 433 and 60433, which report as closed. My Quick VPN connection fails. I'm pretty sure I need those ports open. I've tried every setting in the book.
Any advice?
My ISP says they're not blocking ports, and Cisco says to talk to my ISP. Going to talk to Cisco again tonight.
Thanks,
Sam
11-23-2010 06:18 AM
Sam,
Just some questions first: have you had any client connect to your site? Looking at the logs, it does still look like a port issue, but router configuration errors can also affect QVPN. You might want to factory default the router and build your configuration again. Go ahead and change your default LAN address to something other than 192.168.1.x. Now you want to add a QVPN user and test, preferably from an XP machine (if you have one). The reason is security/firewall can be disabled completely; as with Vista and 7, when disabling the firewall you disable the Windows IPsec services. You can also call 1-866-606-1866 after completing the new configuration and allow an agent to test from the lab. You can also test the QVPN ports by enabling remote management, changing the port number, and attempting to connect to the remote management page of the router. You would want to test with 443, 60443, 500, 4500. This is just another option to test for ports being blocked. If you are able to connect via all ports with remote management, then you should be able to connect via QVPN, but all ports must be open or available.
Test with router remote management, one port at a time. Change the port to 443 and save, then test. Change the port to 500, save, and test. Etc.
This will surely let you know if your ISP is blocking or altering ports.
Thanks
Jason
Cisco Support Engineer
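Added example, not part of the post above and not Cisco tooling: a small Python check for the one-port-at-a-time remote management test, run from a machine outside the network against your own router's WAN address. It reports each TCP port as open, closed or stealth, the same terms the GRC results in this thread use; the script name and function names are assumptions of this example.

```python
import socket
import sys

# Port numbers named in the thread. IPsec IKE and NAT-T normally run over
# UDP 500/4500, so a TCP probe of those two only tests the TCP path.
THREAD_PORTS = (443, 60443, 500, 4500)


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port the way the scan results in the thread do.

    open    - handshake completed: a listener is reachable on this port
    closed  - connection refused: a reset came back, nothing is listening
    stealth - no reply before the timeout: the packet was silently dropped
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    finally:
        sock.close()


def check_ports(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports that did not complete a handshake, in ascending order."""
    return sorted(p for p, state in results.items() if state != "open")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <your-router-WAN-address> [port ...]")
    ports = [int(arg) for arg in sys.argv[2:]] or THREAD_PORTS
    results = check_ports(sys.argv[1], ports)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {state}")
    print("not reachable:", blocked_ports(results) or "none")
```

With remote management moved to a single port, only that port is expected to report open; pass it as the second argument to probe just that one.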
11-23-2010 06:40 AM
Thank you very much for the help! No successful VPN clients yet. I can remotely connect to the services that I expose via port forwarding (i.e. some simple HTTP pages on port 80, and 5000).
My internal IP range is already 10.35.35.XXX. Been testing with a Windows 7 client, but since grc is reporting these ports (433,60433) closed, my client OS is unlikely the issue.
Very sound advice on the port testing. Will try that tonight. I'll also try the clean reset. The Cisco interface for entering IP/MAC binding isn't friendly, so I was hoping to avoid re-keying all those.
Thanks again,
Sam