WRVS4400N and Quick VPN "remote gateway not responding"

Jul 28th, 2010

Hi SupportCommunity

I hope that you can help with this hot potato.

Router is a version 1.1 running with sw version V1.1.13-ETSI

Quick VPN is sw version Ver 1.4.1.2

The issue is that I can't connect because I can't ping the internal IP; I get this error message in the QVPN log: [WARNING]Failed to ping remote VPN Router!

I have tried to do what is suggested in this thread http://homecommunity.cisco.com/t5/Wireless-Routers/User-based-VPN-access-using-a-WRVS4400N-and-QuickVPN-quot-remote/m-p/236334 and with this workaround QVPN can connect.

I have disabled the "Block WAN Request" and it is possible to ping the router on the external site.

So as I see it, the router blocks ping on the internal IP via QVPN. What have I done wrong?

Te-Kai Liu Thu, 07/29/2010 - 06:08

Does the normal traffic pass through the tunnel before you modify the remotelanip in the vpnserver.conf file?

soren@bterp.dk Thu, 07/29/2010 - 08:09

Hi Tekliu

I don't know if this is what you are asking for; if not, please clarify.

Output from the QVPN log file:

2010/07/29 17:06:00 [STATUS]OS Version: Windows XP
2010/07/29 17:06:00 [STATUS]Windows Firewall is ON
2010/07/29 17:06:00 [STATUS]One network interface detected with IP address 192.168.15.106
2010/07/29 17:06:00 [STATUS]Connecting...
2010/07/29 17:06:00 [DEBUG]Input VPN Server Address = 188.176.147.182
2010/07/29 17:06:00 [STATUS]Connecting to remote gateway with IP address: 188.176.147.182
2010/07/29 17:06:05 [STATUS]Remote gateway was reached by https ...
2010/07/29 17:06:05 [STATUS]Provisioning...
2010/07/29 17:06:11 [STATUS]Success to connect.
2010/07/29 17:06:11 [STATUS]Tunnel is configured. Ping test is about to start.
2010/07/29 17:06:11 [STATUS]Verifying Network...
2010/07/29 17:06:18 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:21 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:25 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:28 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:32 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:35 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.

I have also tried with the Windows firewall turned off, no changes observed.

Te-Kai Liu Thu, 07/29/2010 - 08:23

>2010/07/29 17:06:18 [WARNING]Failed to ping remote VPN Router!

The above showed that QuickVPN Client was not able to ping the remote router's LAN IP. What's the LAN IP of the WRVS4400N that you were trying to connect to? While the QuickVPN Client is showing "Verifying Network...", could you test if you can ping the PC in the LAN of WRVS4400N?

soren@bterp.dk Thu, 07/29/2010 - 09:10

The Lan IP of the router is 10.10.0.1

I can't ping a PC on the inside LAN side of the router from the external site; it seems that's the problem and the reason QVPN can't connect.

The remote client PC IP is 192.168.1.6

Te-Kai Liu Thu, 07/29/2010 - 08:35

What type of WAN/Internet connectivity do you have on the QuickVPN Client side?

soren@bterp.dk Thu, 07/29/2010 - 09:13

I have tried it from work, which is a big infrastructure, with no luck

Then I have tried it from the neighbour, on a LinksysC230 connected to a DSL line, still with no luck

Te-Kai Liu Thu, 07/29/2010 - 09:27

It might be a good idea to contact the Small Business Support Center so more troubleshooting can be done. Common issues include Windows IPsec service not started, third party firewall blocking the ping, or firewall in front of the QuickVPN Client blocking the IKE, etc.

Here you can find a list of phone numbers to call.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

soren@bterp.dk Thu, 07/29/2010 - 10:20

OK I will do that

But to answer your question, I have tried the following:

Windows IPsec service not started - Checked, service is running

Third party firewall blocking the ping - I can ping the WAN side of the router; how do I check if my ISP has blocked ping?

Firewall in front of the QuickVPN Client blocking the IKE - I have tried both with Windows Firewall switched on and off

Te-Kai Liu Thu, 07/29/2010 - 11:01

>Firewall in front of the QuickVPN Client blocking the IKE

Some companies block IKE/IPsec at work. At home, some ISPs block IKE. This will require packet capture analysis to find the root cause.

rootmedia78 Fri, 01/20/2012 - 02:08

Had the same problem and just wanted to post my solution.

I'm using a firewall named Windows 7 Firewall Control, and for that reason I did disable and stop the Windows 7 native firewall, and that was what caused the problem.

Reading this thread, the second-to-last posting by Barranquillero helped me fix the problem:

http://homecommunity.cisco.com/t5/Wireless-Routers/WRVS4400N-QVPN-The-remote-gateway-is-not-responding/td-p/151081

Windows Firewall needs to be up and running, so make sure it is.

Then, click the Windows orb, in the "search programs and files" field type "firewall"

Click on "Windows firewall with Advanced Security"

Then click "Outbound Rules"

Enable

Remote Assistance WSD Out

and Network Discovery WSD Out

I'm running Quick VPN Client version: 1.4.2.1, WRVS4400N firmware version: V2.0.2.1-ETSI, Win7 pro 64bit

Hope that some Cisco tech can explain why it is necessary to have the Windows 7 firewall running for this to work?

And would it be possible that you could update the installer for the Quick VPN client, so that it is not necessary to click yes to the UAC alert every time the Quick VPN client is started?

moecheladrian Mon, 02/20/2012 - 05:50

Hello,

I got the same problem. About 3 months ago, when I bought 2 of these WRVS4400Nv2 routers, site2site VPN and client2site VPN worked fine.

Now I can't connect to either of them any more via the Quick VPN Client. I tried from the same machine on which it already worked 3 months ago. For some days now I have been getting the error at Verifying Network: the remote gateway isn't responding, and if I want to wait....

I also updated now to the newest version on the router, 2.0.2.1-ETSI: no change, same error.

I'm running Quick VPN Client version: 1.4.2.1, WRVS4400N firmware version: V2.0.2.1-ETSI, Client: Win7 Enterprise 64bit

I've read that the Win7 Firewall is the problem. In my company the Win7 Firewall is deactivated in the domain, but it already worked 3 months ago. I didn't change anything in the Win7 firewall; it was already deactivated 3 months ago (in the domain), as that's a domain-wide configuration of my company.

So I tried from outside my company (from home, same client), where the Win7 firewall is enabled (private network, no domain): still no change, same error.

I also tried from a different, new computer, Win7 Enterprise 64bit; this host is in no domain. Still no luck. I tried with the Win7 firewall on and off, no change.

To the 2 rules:

Remote Assistance WSD Out

and Network Discovery WSD Out

I already enabled "Network Discovery WSD Out" on the Win7 Firewall in the domain (even though the Win7 firewall is disabled in the domain) and for private networks. No change, same error.

-> On both PCs I can't find a rule "Remote Assistance WSD Out", so what port(s) do I have to enable when I add this new rule?

And the confusing thing is, it already worked 3 months ago without doing anything other than configuring the router and installing Quick VPN on the client, so why should I need to enable these 2 rules Jacob wrote about, when it already worked without doing this 3 months ago?

What else can I do to get this Quick VPN Client working again with my 2 routers?

BR Adrian

client log output:

2012/02/20 14:20:18 [STATUS]Success to connect.
2012/02/20 14:20:18 [STATUS]Tunnel is configured. Ping test is about to start.
2012/02/20 14:20:18 [STATUS]Verifying Network...
2012/02/20 14:20:24 [WARNING]Failed to ping remote VPN Router!
2012/02/20 14:20:27 [WARNING]Failed to ping remote VPN Router!
2012/02/20 14:20:30 [WARNING]Failed to ping remote VPN Router!
2012/02/20 14:20:33 [WARNING]Failed to ping remote VPN Router!
2012/02/20 14:20:36 [WARNING]Failed to ping remote VPN Router!
2012/02/20 14:20:39 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2012/02/20 14:20:40 [STATUS]Disconnecting...
2012/02/20 14:20:48 [STATUS]Success to disconnect.

UPDATE: I even tried an allow rule on the router which allows ping to the internal IP (192.168.0.1) from any; it makes no change. So the only thing that really changed in the 3 months since client VPN last worked is Windows itself (through updates). I only updated the router firmware because this was not working, but it made no difference whether I use 2.0.1.3 or the new one, 2.0.2.1. I didn't change anything on the router or on the Quick VPN (same version). Really confusing why it's not working any more.

rmanthey Mon, 02/20/2012 - 07:25

Hello everyone,

Some things to be aware of...

Router Requirements:

  1. Depending on the device Remote Management needs to be on and configured for port 443 or 60443.
  2. Users need to be created and enabled.
  3. Only One Connection per User Account.
    1. Username and passwords must match and are case sensitive.
  4. Local Network Subnet must be different than Remote Network Subnet.
  5. If using Certificate the .pem file needs to be exported and placed under the “C:\Program Files\Cisco Small Business\QVPN Client” folder.

Microsoft XP SP3 (until 2014)

  1. Must be running Service Pack 3
  2. Must have the Windows Firewall Off (you can have the firewall on but ICMP Echo Requests are required inbound through the software Firewall for a connection to establish.)
  3. Must have IPSec Services Running

Windows Vista/ 7

  1. QuickVPN must run Vista Service Pack 2 or run in Vista Service Pack 2 compatibility for Windows 7.
  2. Windows Firewall needs to be on. (Other Firewall software will interfere.)
    1. Add ICMP rules to the Windows Firewall.
  3. Must have IPSec Services Running.
  4. You can test QuickVPN in safe mode with networking on Windows 7. XP will not because IPsec services will not start. (Note some antivirus and other programs will still run in safe mode.)

The QuickVPN Utility is just a front end interface that allows for a user friendly interface on configuring the Microsoft IPSec service to connect to the router. (That’s why it doesn't work on any operating system but Microsoft.)

First the client connects using SSL to the router and looks for a certificate.

If you are using a certificate it needs to be installed, or you can click no and bypass the certificate warning.

The next step authenticates the user name and password supplied to the router. Only one client per username can be logged in at one time. Once the user authenticates the IPSec tunnel will negotiate and establish. (Up until this point if anything fails you will get the 5 error message screen.)

At this point the client sends an ICMP Echo Request through the tunnel to the internal IP address of the router. (Yes, if you look the user is connected in the status of the router's interface for the tunnel.) The inside IP address is determined during the authentication phase. The router sends an ICMP Echo Reply back through the tunnel to the client. (If this fails you will get the error Remote Gateway not responding.)

Out of the several thousand QVPN issues I have troubleshot, 90% or more are the client’s Windows Firewall. The other 5% is third party software or firewall, 3% is customers using the same IP subnet on both sides of the tunnel, and the last 2% is configuration issues on the router. Once in a great while an ISP will be blocking ports but it is rare.

Software like Windows Defender and other antivirus and software will modify the TCP/IP stack and the security of the operating system. Some of this software will run in safe mode, and some modifies settings that, even if the software is removed from the computer, will continue to prohibit the QuickVPN process. Domain systems use Group Policy to control firewalls of workstations in the domain. Network based antiviruses will create Domain policies to distribute those settings.

Since XP, Microsoft has continued to make their operating systems more secure. The more secure you make something, the more user unfriendly and more productivity prohibiting it becomes. We all want our environment secure, but everyone’s environment is different, and manual changes must be made to allow traffic that we want to work through this added security.

I would recommend if you are not able to connect from your machines you can call into the call center at 1-866-606-1866 and create a case. From there we can test from our lab which doesn't have any domain or antivirus rules to test. We use these computers to test everyday and can verify that the ISP is not blocking and that the router is properly working.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
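The connection stages described in the post above can be read straight out of a QuickVPN client log. The following is an added example, not part of the original thread and not Cisco code: `triage` is a hypothetical helper that reports the last stage reached, counts the ICMP failures, and flags the "same IP subnet on both sides" case, assuming a /24 mask on both the client and router LAN.

```python
import ipaddress
import re

# Markers copied from the client logs quoted in this thread, in the order they occur.
STAGES = [
    ("https", "Remote gateway was reached by https"),
    ("tunnel", "Tunnel is configured"),
    ("ping", "Verifying Network"),
]
LINE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d \[(\w+)\](.*)$")
LOCAL_IP = re.compile(r"interface detected with IP address (\S+)")

# Excerpt of the first client log posted in this thread.
SAMPLE = """\
2010/07/29 17:06:00 [STATUS]One network interface detected with IP address 192.168.15.106
2010/07/29 17:06:05 [STATUS]Remote gateway was reached by https ...
2010/07/29 17:06:11 [STATUS]Tunnel is configured. Ping test is about to start.
2010/07/29 17:06:11 [STATUS]Verifying Network...
2010/07/29 17:06:18 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:21 [WARNING]Failed to ping remote VPN Router!
2010/07/29 17:06:35 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
"""


def triage(log_text, router_lan=None, prefix=24):
    """Return (last_stage_reached, ping_failures, subnet_clash)."""
    reached, ping_failures, local_ip = "none", 0, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a timestamped log line
        level, msg = m.group(1), m.group(2)
        for name, marker in STAGES:
            if marker in msg:
                reached = name
        if level == "WARNING" and "Failed to ping remote VPN Router" in msg:
            ping_failures += 1
        ip = LOCAL_IP.search(msg)
        if ip:
            local_ip = ipaddress.ip_address(ip.group(1))
    clash = None  # stays None when either address is unknown
    if router_lan and local_ip:
        # Assumption: both LANs use the same prefix length (default /24).
        remote_net = ipaddress.ip_network(f"{router_lan}/{prefix}", strict=False)
        local_net = ipaddress.ip_network(f"{local_ip}/{prefix}", strict=False)
        clash = local_net.overlaps(remote_net)
    return reached, ping_failures, clash

print(triage(SAMPLE, "10.10.0.1"))
```

A result of `"ping"` with failures and no clash points at ICMP being dropped inside the tunnel, which is the client firewall case the post calls the most common.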

moecheladrian Thu, 02/23/2012 - 02:38

Hello again,

Thanks for the fast answer!

I solved the problem by switching back to an older System Recovery Point (2 weeks ago, I installed the AnyConnect client for a customer). I changed back to before this install and QuickVPN login works again with both of my WRVS4400N.

So in my case it was not the Win7 firewall, I guess; it seems the VPN clients on my client disturbed each other (6 different VPN clients atm, the 7th was too much it seems, too many virtual adapters).

Thanks for all.

BR Adrian

rmanthey Thu, 02/23/2012 - 09:42

Hello Adrian,

I have seen that before, sorry for not posting on that. One thing that has been reported to help is to reset the TCP/IP stack. I found a KB on Microsoft for this.

http://support.microsoft.com/kb/299357

Hope this helps,

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

westlandict Thu, 03/22/2012 - 06:40

Problem solved...

Need to set all devices on DHCP, so they get an automatic IP from the DHCP server.

Still it is a bug, because when I set the same settings manually (IP, subnet mask, gateway and DNS) then it will not work.

moecheladrian Thu, 03/22/2012 - 07:38

Hello,

I have the same problem, just had no time to post it here. Danny informed me, thx!

-> Got a site2site tunnel between my 2 WRVS4400N where all is working fine:

I can ping my internal server on sideA with the IP 192.168.0.9 from sideB (10.0.0.0/24 subnet).

All is working like I'm in the same subnet, so VPN is working as intended.

But when I connect through QuickVPN I can't reach the server, either by ping or by net shares. But I can reach other hosts in the LAN by ping and browser.... But I didn't check whether all static hosts are unpingable; I will test this next time.

It's not possible for me to put this server onto DHCP; that makes no sense. I mean, I could put it on DHCP for testing and reserve the IP for the server with the MAC address, but that can't be a solution; it's only a workaround, I would say.

It would be nice if you could fix that problem in the next software.

thanks,

BR Adrian

sebsatienruel Mon, 12/17/2012 - 19:34

I had the same problem. I found that the system time of the router was out of sync. I used my Domain Controller as the NTP server and the time was synced properly. The VPN is now working perfectly.

You should verify the Router Local Time.

Thank you

~SR

Posted July 28, 2010 at 1:34 AM