Needs help with VPN client

Unanswered Question
Sep 30th, 2005

Problem: Connection to my company server fails and I get the message:

"Secure VPN Connection terminated locally by the Client.

Reason 414: Failed to establish a TCP connection."


I'm using client 4.7.00(0510) on my Mac. I had the same problem with 4.6.02 and hoped the upgrade might help - no luck. I imported the profile settings from my Dell laptop (version 4.6.03) which connects successfully. I should add that I was connecting successfully from the Mac until today when changes were made to our corporate server. The corporate IP guys of course won't even talk to a Mac user.


Connection from the Mac seems to get past user authentication OK, but then instead of successfully "securing the communications channel" it goes back to "Initiating TCP to..." and then to the error message above. I've turned off my firewall, so far with no difference.


Can someone tell me what steps the connection goes through, and where this might be getting hung up?


Wayne,


On your VPN client - click the modify tab for your connection entry - this will bring up the properties screen for your connection entry - click onto the Transport tab and tick the 'Enable Transparent tunneling' box (IPSec over UDP (NAT/PAT)).


But if your corporate guys have configured your HQ PIX to connect on a TCP port then you'll need to make sure that your VPN client is set up correctly with the appropriate TCP port number; again this can be found under the Transport tab on your VPN client.


Hope this helps, and if it does please rate post.


Jay

waynehenderson Tue, 10/04/2005 - 08:25

Well, as I said, my settings are all as imported from my Dell laptop (which connects successfully) into my Mac (which doesn't). So every setting I can check on either VPN client is identical. And in my case, we're using IPSec over TCP.


Here are more details: We authenticate by the RSA SecurID fob. This does not seem (to me, no expert) to be the problem, but maybe important?


I've set logging to "Hi" on all categories and get the following output (complete details in the attachment) where I think the connect is failing:


First, I connect successfully to the corporate server:


11 10:47:55.863 10/04/2005 Sev=Info/4 CM/0x43100029

TCP connection established on port 80 with server "corporate server.com"


Then it goes through a bunch of configurations, ending with:


58 10:48:06.131 10/04/2005 Sev=Info/4 CM/0x43100019

Mode Config data received



Then things start to go badly:


63 10:48:06.294 10/04/2005 Sev=Info/4 IKE/0x43000081

Delete Reason Code: 11 --> PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH.


72 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100012

Phase 1 SA deleted before first Phase 2 SA is up cause by "PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


Finally, it tries again to the backup corporate server. It fails to even make a TCP connection with that server:


73 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100024

Attempt connection with server "corporate server BU.com"


81 10:48:22.363 10/04/2005 Sev=Info/6 IPSEC/0x43700020

TCP SYN sent to [IP address], src port 53894, dst port 80


82 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310002A

Unable to establish TCP connection on port 80 with server "corporate server BU.com"


83 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310000C

All connection attempts with backup server failed


If you see any clues here (Firewall Mismatch?), please let me know!
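The log excerpts in the post above have enough structure to triage mechanically. What follows is an added example, not code from the original thread or from Cisco: a small Python parser for the two-line entries (header line, then message line) the 4.x client writes, run over a sample log constructed from the lines quoted above (hostnames and the redacted "[IP address]" kept as the poster wrote them). It classifies where the connection died: transport never came up, the peer tore down the IKE SA citing a firewall mismatch, or some other peer-initiated delete. The classification labels are names chosen here, not client codes.

```python
"""Triage a Cisco VPN Client 4.x log: added example, not code from the thread.

The client writes one entry as two lines: a header such as
    63 10:48:06.294 10/04/2005 Sev=Info/4 IKE/0x43000081
followed by the message line.  Sample log below is constructed from the
excerpts quoted in the post; hostnames are the poster's placeholders.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<level>\w+)/(?P<num>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
TCP_OK_RE = re.compile(r'TCP connection established on port (?P<port>\d+) with server "(?P<host>[^"]+)"')
TCP_FAIL_RE = re.compile(r'Unable to establish TCP connection on port (?P<port>\d+) with server "(?P<host>[^"]+)"')
DELETE_REASON_RE = re.compile(r"Delete Reason Code:\s*(?P<code>\d+)\s*-->\s*(?P<name>\S+?)\.?$")

SAMPLE_LOG = """\
11 10:47:55.863 10/04/2005 Sev=Info/4 CM/0x43100029
TCP connection established on port 80 with server "corporate server.com"

58 10:48:06.131 10/04/2005 Sev=Info/4 CM/0x43100019
Mode Config data received

63 10:48:06.294 10/04/2005 Sev=Info/4 IKE/0x43000081
Delete Reason Code: 11 --> PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH.

72 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

73 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100024
Attempt connection with server "corporate server BU.com"

81 10:48:22.363 10/04/2005 Sev=Info/6 IPSEC/0x43700020
TCP SYN sent to [IP address], src port 53894, dst port 80

82 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310002A
Unable to establish TCP connection on port 80 with server "corporate server BU.com"

83 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310000C
All connection attempts with backup server failed
"""


@dataclass
class Entry:
    seq: int
    time: str
    module: str   # CM, IKE, IPSEC, ...
    code: str     # hex event code from the header line
    msg: str


def parse_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append(Entry(int(m["seq"]), m["time"], m["module"], m["code"], lines[i + 1]))
            i += 2
        else:
            i += 1   # stray line without a header: skip it
    return entries


@dataclass
class Triage:
    tcp_established: list = field(default_factory=list)  # (host, port) pairs
    tcp_failed: list = field(default_factory=list)       # (host, port) pairs
    mode_config: bool = False                            # Mode Config completed
    delete_reasons: list = field(default_factory=list)   # (code, name) pairs
    verdict: str = ""                                    # label chosen here


def triage(entries):
    """Classify where the connection attempt died (labels are this example's own)."""
    t = Triage()
    for e in entries:
        if (m := TCP_OK_RE.search(e.msg)):
            t.tcp_established.append((m["host"], int(m["port"])))
        elif (m := TCP_FAIL_RE.search(e.msg)):
            t.tcp_failed.append((m["host"], int(m["port"])))
        elif "Mode Config data received" in e.msg:
            t.mode_config = True
        elif (m := DELETE_REASON_RE.search(e.msg)):
            t.delete_reasons.append((int(m["code"]), m["name"]))
    if any("FIREWALL_MISMATCH" in name for _, name in t.delete_reasons):
        # Transport and Phase 1 worked; the head-end deleted the SA over firewall state.
        t.verdict = "firewall-policy-mismatch"
    elif not t.tcp_established:
        t.verdict = "no-tcp-transport"      # never reached the head-end at all
    elif t.delete_reasons:
        t.verdict = "peer-deleted-ike-sa"   # some other peer-initiated delete
    else:
        t.verdict = "unknown"
    return t


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print(result.verdict, result.delete_reasons, result.tcp_failed)
```

Run on the sample, the verdict is firewall-policy-mismatch: the primary head-end accepted the TCP session and completed Mode Config, so the Reason 414 shown to the user is only the symptom of the later fallback to a backup server that never answered the SYN.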



nceitil Sun, 10/09/2005 - 08:58

Hi Wayne,


A few questions.


1 - Are you sure you are connecting to a Cisco IOS Router and not a Cisco VPN Concentrator / Cisco ASA or PIX FW?


2 - What personal FW are you running on the XP Dell vs the Mac?


During the VPN establishment it is possible on the other 3 devices to specify that a certain firewall is enabled and even apply a certain policy to that firewall. This might be your problem.


Cisco refers to these features as

AYT - Are you There

and

CPP - Centralized Protection Policy


Hope this helps.

waynehenderson Mon, 10/17/2005 - 19:43

1- No, I'm not sure what I'm connecting to. At one time it was a Cisco 3000 VPN, but that was before the problem started.


2 - On the Mac, nothing (it's usually on but I've turned it off while trying to solve this) and on the Dell I believe the VPN client is running the "Stateful Firewall (Always On)" as dictated by the server.


I think you've hit the nail on the head regarding my problem. The Mac client has no way to respond to the AYT or CPP push policies, so it can't connect. Seems like a pretty big flaw, which should be more prominently communicated so people like me don't waste so much time trying to make it work.


I'd like confirmation that there's no solution to this problem, or better yet a solution.
