QuickVPN Windows 7 64 bit RVS4000 don't ping

Unanswered Question
Dec 18th, 2011

Using the latest Cisco QuickVPN, my Windows 7, 64 bit laptop processes the QuickVPN connection to the point where the laptop attempts to ping the router and verify the connection.  Those pings fail.

Windows firewall is ON and IPSEC is started on the laptop.  I have tried Kaspersky's firewall both enabled and disabled with no change.

I see from searching the Internet and this site that there are a number of frustrated people who have had this same, or a similar, problem.  Someone must have figured it out by now.  Please share.  I will be most grateful.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
nimusell Mon, 12/19/2011 - 00:39

Hi Curtis,

Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.

There are a lot of things that could go wrong setting up the connection using QuickVPN, and honestly, it does not always work flawlessly because it depends on many factors, including your PC and what's installed on it, the router that is your default gateway, etc ..

However, here are some things that you might try :

  • set the compatibility mode for QuickVPN to Windows Vista SP2 and run it as an administrator
  • uninstall (not just disable) Kaspersky
  • make sure that the PC you are connecting from is in a different subnet then the subnet behind the RVS4000
  • Windows Firewall and IPSec service have to be running.

Now try connecting to the RVS4000, hopefully this does the trick. I have it working in the same way on my laptop (W7 64-bit), but as said before, there are other factors that could have some influence on succesfully establishing the connection.

Hope this helps !

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA - CCNA Security

cefalany Mon, 12/19/2011 - 13:29

I have a 32 bit Windows XP laptop running Kaspersky with no QuickVPN difficulties.  At this time, I am not willing to use a laptop out in the wild without some firewall and antivirus protection.  I hae tried all else you suggested.  If I must unload Kaspersky, what would you recommend for a firewall and antivirus that is compatible with QuickVPN?

rmanthey Mon, 12/19/2011 - 14:42

Hello Curtis,

QuickVPN will work in safe mode on Windows 7, and like Nico stated you need QVPN to be running in Visa SP2 mode, and the Windows Firewall needs to be on. The IPSec services need to be running under services.msc.

We have had to modify our Windows Firewalls to allow ICMP through the firewall both inbound and outbound, because Windows 7 is inherently more secure it blocks ICMP by default from subnet's other than its own.

This being said any other services or protocols needed from the remote subnet will need to be opened on the client. This isn't based on QVPN software but the configurations of the third party firewall software. QVPN software uses 443, 60443 for the SSL, and UDP 500 for the IPSec. It also sends a ICMP ping through the tunnel to verify connectivity after the tunnel has established. If the ping fails to report back to the QVPN client you will get the error "Remote Gateway Not Responding".

I hope this helps you configure what ever firewall you choose to use on top of the Windows built in firewall.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

cefalany Wed, 12/21/2011 - 18:50

Thanks for the suggestions.  I tried them all with no improvement including removing Kaspersky.  Note that Kaspersky does not interefere with QuickVPN on the Win XP 32 bit laptop.

The fact that my 32 bit XP laptop and 32 bit Win 7 PC seem to work OK under the exact same conditions while the 64 bit Win 7 laptop fails, causes me to really wonder about the Win 7 64 bit OS.  Out of the box, the 32 bit OSs seem to work while the 64 bit OS does not.

That said, I did spend some time to make certain pings (ICMP) propagate in and out of the Windows 7 64 bit laptop.  Perhaps I should continue to look at the interface using wireshark or something similar.

Question, whick machine intiates the pings for for testing the connection, the QuickVPN or the RVS4000 firewall?

Additional suggestions would be appreciated.  ( Use Linux seems to be a popular, but not viable, suggestions ;-)

mpyhala Wed, 12/21/2011 - 19:19

Curtis,

Please make sure that you have the latest version of QuickVPN, 1.4.2.1. Earlier versions were known to have issues with Windows 7 64-bit. Also, make sure that the router has the latest firmware.

In answer to your question, the QuickVPN software pings the router. The router usually responds but the PC blocks the ping reply because of some antivirus or firewall software. This leads to the "Remote VPN router is not responding..." error.

cefalany Fri, 12/23/2011 - 07:10

All software and firmware are current.

I took a look with Wireshark.  The VPN negotiation between the Win32 system and the RVS4000, and the Win7 system and the RVS4000 are different.

Has the 64 bit Win7 QVPN ever worked for anyone?  If not, I am going to quit wasting my time.  Suggestions for alternatives would still be appreciated.

Thanks

jasbryan Fri, 12/23/2011 - 08:41

Curtis,

I have seen many customer connect with Qvpn to our Routers - have you tried running windows7 in Safe mode with networking and testing Qvpn? This usually shuts down certain other programs that could possibility interfering with Qvpn software.

Thanks,

Jasbryan

cefalany Fri, 12/23/2011 - 19:07

Router firmware and QVPN software is up to date.

32 bit Win XP laptops work fine with QVPN and router.  We just can't purchase those laptops anymore.  We need to migrate to 64 bit Win 7 laptops.

We have tried safe mode with network on 64 bit Win 7 without success.

I  don't understand 'testing.'  Please clarify.

Thanks

Curtis

cefalany Mon, 12/26/2011 - 12:30

Attached are two logs from our RVS4000 VPN firewall router.  In both cases, the client laptop is on LAN 192.168.1.0 with a gateway public WAN address of 166.147.114.20.  Likewise, the RVS4000 has LAN address 10.1.12.1, netmask = 255.255.255.0, and a public WAN address of 96.254.72.61.

Both laptops are running the same version of QVPN.

Both are using the same client certificate.

The log for the Win XP laptop shows a successful connection as evidenced by the ping from 192.168.1.3 ---> 10.1.12.12

The log for the Win 7 laptop shows an unsuccessful connection.  Among other things, the NAT entry for 166.147.114.20 is apparently never built.

Can anyone help with analyzing the negotiation and figuring out where it is going wrong?

Does anyone else see a similar failure in their logs?

Thanks

jasbryan Mon, 12/26/2011 - 13:11

Curtis,

You never mentioned what version of software you were using? Also did you attempt running the windows 7 machine in safe-mode with networking? What were the results of that tests?

Jasbryan

cefalany Mon, 12/26/2011 - 13:28

RVS4000 firmware = 1.3.3.5

QVPN = 1.4.2.1

All four instances of QVPN in windows firewall are enabled.

The log was captured using normal Windows mode.  QVPN was run as administrator.

I have tried safe mode with networking with no different result.  Would you like a copy of a log from that configuration?

Thanks

cefalany Mon, 12/26/2011 - 16:00

CISCO SAYS THAT QUICKVPN IS NOT FULLY COMPATIBLE WITH WINDOWS 7, 64 BIT.

I opened a case with Cisco support today.  Cisco closed it by saying the following.

It is a known issue that QVPN is not fully compatible with Windows 7, 64 bit version.

Cisco is working toward a solution and a new release of QVPN.

Support is sending a list of suggestions that sometimes work and will let me know when a compatible version of QVPN is released or a release date is available.

I wish to thank everyone for their assistance and support and look forward to hearing from Cisco.

rmanthey Wed, 02/01/2012 - 06:32

Hello Curtis,

QVPN is compatibile with Windows 7 64bit.

Normal problem seen with Windows 7/ Vista are firewall restricting the ICMP packet needed to ping the inside IP of the router during verification of the tunnel.

Hope this Helps,

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

cefalany Wed, 02/01/2012 - 07:20

What changed?

I don't see an upgrade in QVPN since August 2011.  Did the RVS4000 firmware recently upgrade?

Note: In our December 64 bit Windows testing, our diagnostic logs and wireshark show that the the RVS4000 failed to build a NAT table to translate IP addresses between the LANs.  Without NAT translation, no routing could place between the two LANs and neither ping nor our applications worked. 32 bit Windows worked fine.

That said, what combination of Hardware and Software do you recommend for a small business where the VPN client software DOES work for 64 bit Windows clients?

Thanks

Curtis

rmanthey Wed, 02/01/2012 - 08:18

Hello Curtis,

None of the Cisco routers that support QVPN will NAT the inside network or remote network; It only routes the traffic with a route statement. This route statement is built automaticly upon connection of the VPN tunnel. That is why the remote and local subnet needs to be different. If you are having issues communicating to devices on the local network through the QVPN tunnel the firewall on the Operating system of the clients, both local and remote might need to be modified to allow the remote subnet to communicate with the local subnet.

Windows 7 and Vista are built with far more security, and require at times the firewall to be opened up.

Sorry if thier was any confusion from previous posts.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

cefalany Wed, 02/01/2012 - 08:58

Randy

I would love to have this conversation in depth.  My cell # is xxx-xxx-xxxx.  I am traveling today so you may not reach me.  Can I call you?

Everything you said makes sense to me.  BUT, in our analysis, the single biggest difference we saw between a 32 bit QVPN connection and a 64 bit QVPN connection was the presence of a NAT table entry built on the RVS4000 as part of the 32 bit negotiation process.

I wish I had the time to order and investigate the software for QVPN, which I understand is in the public domain, but I don't.  This is why I am interested in purchasing something more expensive which does 'work.'

In the past, our experience with low end Cisco products is that they simply don't work as well or reliably as the more expensive product.  Life is like that.  I just don't like to waste your and my time trying fixing something that wasn't intended to work all that well to start with.

Thanks

Curtis

rmanthey Wed, 02/01/2012 - 09:08

Curtis,

I have copied down your number, so please remove it from the forums. I will attempt to call you this afternoon due to meetings I am scheduled for the next few hours.

Randy

syosilITDep Tue, 02/07/2012 - 03:27

Hi,

I have exactly the same problem, but with a rv082. Did you find a solution?

/JacobSA

rmanthey Mon, 05/07/2012 - 09:26

Hello Jacob,

Curtis's issue was related directly to the RVS4000.

What is the error you are getting?

Are you getting the 5 errors, or Remote Gateway error?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Actions

Login or Register to take actions

This Discussion

Posted December 18, 2011 at 7:40 PM
Stats:
Replies:19 Avg. Rating:
Views:3830 Votes:0
Shares:0
Tags: rvs4000, quickvpn
+

Related Content

Discussions Leaderboard