Windows 7 64 bit VPN client problems

Answered Question
Sep 19th, 2010

Hi there,

I am currently running Windows 7 Professional 64 bit and Cisco VPN client 5.0.07.0240. I am able to connect to my corporate network and work ok however connecting is a very long process!

Connecting in terms of time is broken down as follows:

Opening VPN client program: 70 seconds.

Click connect and wait for user credentials dialogue box: 30 seconds.

Enter credentials and click ok then "Authenticating user": 90 seconds.

"Negotiating Security Policies": 60 seconds.

User Credentials box re-appears, re-enter credentials as dialogue box is empty and click ok: 90 seconds.

"Authenticating User" and then connection establised: 120 seconds.

I have a colleague running 64 bit Windows 7 (ultimate edition) who is using the same version and doesn't have these issues!

Any ideas anyone?!?

Cheers,

Gary

I have this problem too.
0 votes
Correct Answer by Namit Agarwal about 3 years 6 months ago

Gary, thanks for the update. So disabling the firewall and restarting the vpn service did not help . Could you please try and install the version 5.0.07.0290 ?

Before you do that I would like to know if you are importing the .pcf files for the VPN Client. If yes, please try and recreate a .pcf file on the PC and then try and use that file to connect. Also I see that the existing .pcf file you are using is a read-only file. Could you change that and give write permissions to the file and try connecting. If thess two steps do not help then lets install the version 5.0.07.0290.

Thanks,

Namit

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
jathaval Sun, 09/19/2010 - 21:51

do win xp or vista users to the same vpn headend face the issue

and the friend you were alking about does he connect to the same headend

please enable logs on the client and see if it is the traffic that is slow while connecting or something to do with PC

also try disabling any firewall, anti virus you have and try connecting

jathaval Mon, 09/20/2010 - 02:23

looking at the logs it looks like there are times in between when nothing happens, i saw once before the xauth was

launced (user credentials). there was a lag of 10 sec and nothing happened

and again there was a idling for a duration of 30 sec again right after phase 1 came up

look slike there is something on the client which is delaying this

lets try this if possible can you ask your friend to send the logs too at the highest level and lets compare them with your logs at highest level

did u try disabling firewall/anti virus and try

fossellag Mon, 09/20/2010 - 12:58

Hello again.

To be honest, I did forget to disable both AV and Windows Firewall this morning. Attached are the latest set of logs with both of these services stopped.

I have asked my colleague to setup logging for when he logs in tomorrow morning so I should be able to post those logs tomorrow morning.

Thanks.

Gary

fossellag Mon, 09/20/2010 - 13:10

I just remembered something regarding other OS's. I had a 32bit XP machine that previously ran version 4.8.01.0300 (connecting to the same headend), this machine had the same issues when I uninstalled and upgraded to version 5.0.05.0290 a few months ago...

jathaval Mon, 09/20/2010 - 17:16

i see the same delays, lets wait for your friend to get back with debugs

also is it possible that you collect debugs on asa when you connect

manisharora111 Mon, 09/20/2010 - 17:27

I had issues with vista / windows 7 both 32 bit and 64 bit. I am myself using a windows 64 bit with older version of cisco client and it works like a champ. But the other day a user came up with windows 7 32 bit with the new version of cisco client and it would not load at all, I tried updating the citrix DNE update for windows 7 but it dint help either.


With no hope or help after uninstalling/installing ( using microsoft uninstall etc ) no help. Then tried this open source client "shrewsoft" , and it worked just fine.

so , check out that client and see if it helps you.

Thanks

Manish

jathaval Tue, 09/21/2010 - 09:25

here are the deviations i found

  • 3      20:44:24.908  09/20/10  Sev=Info/6    GUI/0x63B00011

          Reloaded the Certificates in all Certificate Stores successfully.

          4      20:44:46.404  09/20/10  Sev=Info/4    CM/0x63100002

          Begin connection process


you lost 20 + sec , but on the other end the connections starts directly from "begin connection process"

  • then right after the connection establishment is being tried, i see
  • 4      20:44:46.404  09/20/10  Sev=Info/4    CM/0x63100002

    Begin connection process

    5      20:45:16.840  09/20/10  Sev=Info/4    CM/0x63100004

    Establish secure connection

    we lose 30 sec here comapared to that of your collegue

    • then after it says lauch xauth application

             28     20:45:17.074  09/20/10  Sev=Info/4    CM/0x63100015

                         Launch xAuth application

                29     20:45:27.188  09/20/10  Sev=Info/6    IKE/0x63000055

                         Sent a keepalive on the IPSec SA

              36     20:45:57.733  09/20/10  Sev=Info/4    CM/0x63100017    

                        xAuth application returned

              again it takes around30 sec for the xauth application to be launched


    • here again we lose 30 sec after phase 1 is up when comapred to your collegue

         41     20:45:58.092  09/20/10  Sev=Info/4    CM/0x6310000E

                   Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

           42     20:46:28.512  09/20/10  Sev=Info/5    IKE/0x6300005E

                   Client sending a firewall request to concentrator

    • again 20 sec

                   57     20:47:29.384  09/20/10  Sev=Info/4    CM/0x63100019


                        Mode Config data received




                   58     20:47:59.804  09/20/10  Sev=Info/4    IKE/0x63000056


                             Received a key request from Driver: Local IP = 10.249.128.10, GW IP = 213.249.231.100, Remote IP = 0.0.0.0

    after this for some reason it dicards the request (probably because it timesout) and starts the entire process again and the same delay again

    were you prompted to authenticate twice during this negotiation or just once

    i dunno for sure what is going on, lets see if someone can help, i will try to search some stuff and get back to you

    Namit Agarwal Tue, 09/21/2010 - 19:53

    Hi Gary,

    You and your friend both using the same type of internet connection ? I just want to find out if you are using wireless connection.

    Regards,

    Namit

    fossellag Wed, 09/22/2010 - 02:11

    Hi Namit,

    I can confirm that both my colleague and I use wireless. I have tested wired (and wi-fi disabled) with the same results.

    It is very odd that the VPN client takes just over 1 minute to launch and even more bizarrely my DVD drive gets queried just before launch.

    Regards,

    Gary

    Namit Agarwal Thu, 09/23/2010 - 08:33

    Gary,

    After the connection is established, does the traffic present any problems ? Is the traffic flow normal or do you latency there as well ? Also could you please paste the contents of  the following files from the PC running into issues

    1) the client connection profile file with the extension .pcf under the path C:\Program Files\Cisco Systems\VPN Client\Profiles

    2) vpnclient.ini file under the path C:\Program Files\Cisco Systems\VPN Client

    Regards,

    Namit

    fossellag Thu, 09/23/2010 - 08:58

    Traffic flow appears normal (have not monitored/checked) but I am able to get on with work as usual and connect to all relevant corporate systems with seemingly normal performance/response.

    Contents of vpnclient.ini:

    [main]
    ClientLanguage=
    EnableLog=1
    [GUI]
    DefaultConnectionEntry=myconnection
    WindowWidth=629
    WindowHeight=330
    WindowX=497
    WindowY=257
    VisibleTab=0
    ConnectionAttribute=0
    AdvancedView=1
    LogWindowWidth=0
    LogWindowHeight=0
    LogWindowX=0
    LogWindowY=0
    [LOG.IKE]
    LogLevel=3
    [LOG.CM]
    LogLevel=3
    [LOG.PPP]
    LogLevel=3
    [LOG.DIALER]
    LogLevel=1
    [LOG.CVPND]
    LogLevel=3
    [LOG.XAUTH]
    LogLevel=3
    [LOG.CERT]
    LogLevel=3
    [LOG.IPSEC]
    LogLevel=3
    [LOG.CLI]
    LogLevel=3
    [LOG.FIREWALL]
    LogLevel=3
    [LOG.GUI]
    LogLevel=3

    PCF file:

    [main]
    !Description=myconnection
    !Host=xxx.xxx.xxx.xxx
    !AuthType=1
    !GroupName=myconnection
    !GroupPwd=
    !enc_GroupPwd=xxxxxxxxxxxxxxxxxxxxxxxxx

    EnableISPConnect=0
    ISPConnectType=0
    ISPConnect=UCST RAS direct on Q
    ISPPhonebook=C:\WINDOWS\system32\Ras\Ucstras.pbk
    ISPCommand=
    Username=
    !SaveUserPassword=0
    !UserPassword=
    !enc_UserPassword=
    !NTDomain=
    !EnableBackup=1
    !BackupServer=xxx.xxx.xxx.xxx
    !EnableMSLogon=1
    !MSLogonType=0
    !EnableNat=1
    !TunnelingMode=0
    !TcpTunnelingPort=10000
    !CertStore=0
    !CertName=
    !CertPath=
    !CertSubjectName=
    !CertSerialHash=00000000000000000000000000000000
    !SendCertChain=0
    !PeerTimeout=90
    !EnableLocalLAN=0

    Regards,

    Gary

    Namit Agarwal Thu, 09/23/2010 - 09:26

    Gary,

    Thanks for the details. The files look standard config. You have mentioned that your colleague runs the same version of the VPN Client on Windows 7  Ultimate and it works normally for him. On your system for Windows 7 Professional  was it a clean OS installation or upgrade from some OS like other Windows 7 or Windows Vista ?

    Please try the following steps

    1) disable the firewall on your system running Win 7 Pro , if any

    2) Please try restarting the service of the VPN client. (cvpnd.exe).

    3) Is it possible to uninstall and reinstall the VPN Client ? How do you determine that the DVD drive is queried before the VPN Client starts, does the drive light come up ?

    Regards,

    Namit

    fossellag Thu, 09/23/2010 - 12:23

    I can confirm that both our installs were clean and not upgrades.

    I will try the first two steps mentioned. I know that the DVD drive spins up shortly before launch because it's one of those drives that sounds like it's taking off when it spins!

    Uninstalling and re-installing would be no problem. Would it best if I re-install the same version or install 5.0.07.0290 (currently running 5.0.07.0240 - same as colleague).

    I will post again soon with the firewall disabled and the vpn service re-started...

    Gary

    Correct Answer
    Namit Agarwal Thu, 09/23/2010 - 13:46

    Gary, thanks for the update. So disabling the firewall and restarting the vpn service did not help . Could you please try and install the version 5.0.07.0290 ?

    Before you do that I would like to know if you are importing the .pcf files for the VPN Client. If yes, please try and recreate a .pcf file on the PC and then try and use that file to connect. Also I see that the existing .pcf file you are using is a read-only file. Could you change that and give write permissions to the file and try connecting. If thess two steps do not help then lets install the version 5.0.07.0290.

    Thanks,

    Namit

    fossellag Fri, 09/24/2010 - 02:02

    Hi Namit,

    I had been importing the pcf files and as you correctly pointed out - for some reason they were read only files.

    I modified this and the program launched within seconds. I still get asked to authenticate twice however the response is almost instant! (I've again attached logs).

    Thanks for all your help!

    professorguy2006 Mon, 11/08/2010 - 13:02

    .pcf file must be read-only to prevent the known bug whereby the client overwrites the .pcf with blanks and the connection entry "disappears" from the client.  If you fix your speed problem by changing the .pcf to readable, be prepared to re-install the .pcf after it is destroyed.  But that is probably the lesser of 2 evils.

    professorguy2006 Mon, 11/08/2010 - 12:02

    The reason the .pcf file is read-only is because there is a different known bug with Cisco VPN

    clients whereby if certain conditions are met, the .pcf file is blanked and the client no lo

    nger knows the address and PSK required to find the VPN concentrator.  To fix this, the correct

    procedure is to make the .pcf read-only.  If this fixes your problem, be aware you are going to ha

    ve another problem within a few months.  Clients will complain that the connection entry is missing and you'll find t

    he .pcf is empty.

    Actions

    Login or Register to take actions

    This Discussion

    Posted September 19, 2010 at 10:43 AM
    Stats:
    Replies:20 Avg. Rating:5
    Views:13148 Votes:0
    Shares:0
    Tags: No tags.

    Discussions Leaderboard