Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss VPNs in the Wireless WAN with Cisco expert Peter Davis and experts from AVVID partner, Certicom Corp. Peter worked for Altiga before it was acquired by Cisco and is now a product manager. Certicom's encryption products and integration services solve complex security problems for leading manufacturers of computing and communication products and for enterprise customers that require secure mobile and wireless access to corporate resources. Feel free to post any questions relating to VPNs in the Wireless WAN.
The team may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 17. Visit this forum often to view responses to your questions and the questions of other community members.
I have a situation that as of yet I have been unable to resolve. My w2k clients are running the 3.03(A) VPN software client. My domain is NT 4.0 with an NT PDC, BDC and WINS server. I cannot get name resolution at all. I can create a tunnel fine but cannot communicate with NT machines at all. If I do Start, Run, \\ipaddress and the address is to a w2k box I can view its shares and from then on double click its shares and view, but if I do the same to an NT machine I get "path not found". I can ping both OSes by address but neither by name. An ipconfig /all done both before and after the tunnel shows the WINS info is being pulled by the client but apparently not USED. I also have an LMHOSTS file on the client but still have the same results. I am doing the start before logon as well. I think my problem lies in not being able to communicate with NT machines, and since my PDC, BDC and WINS server are NT... no name resolution? The ISP's DNS servers are being used as we are not doing our own DNS. Any help is greatly appreciated!!
A few things to look at in your troubleshooting.
1. Are you able to do \\NAME from the START>RUN prompt to access a Win 2K machine? (This can at least give you an idea if ANY names are being resolved by the WINS server. WINS may or may not be relevant since you mentioned you can't even reach the machines by IP)
2. Does anything show up under My Network Places>Entire Network>Network Contents>Microsoft Windows Network? Can you connect to any machines listed in there? Is there a pattern (like the one you described above for the ones you cannot reach?)
3. Are you able to send a PING to your NT PDC/BDC? Are you able to send a PING of 1500 bytes? Are you able to send a PING to the NT device you're trying to connect to? Are you able to send a PING of 1500 bytes?
4. Look at the output from nbtstat -c and nbtstat -n, confirm that the domain/system information looks correct. What do you see for the W2K machine/NT machine that you tried to access? Do you see it in the table, does it have the correct address?
5. If you have access to CCO (a CCO login), examine the Release-Note information for ID # CSCdt65322. This describes some configuration tips to ensure that your Domain Controller is properly configured. * http://www.cisco.com/kobayashi/bugs/bugs.html
6. Under Advanced TCP/IP>WINS settings for your adapter, confirm that you see your WINS addresses listed.
7. Try to assign just your PDC or just your BDC for the WINS setting in your group; in the off chance that maybe one of the two servers is misconfigured, this may help you to isolate which one.
8. Confirm that the machines you are trying to access don't have any type of permission restrictions that would restrict you from accessing the information on them.
If all else fails, our TAC group is available for you to help work through troubleshooting steps as long as you have a SMARTnet contract. Feel free to open a case with them.
I have a Cisco Systems 340 Series Wireless LAN Adapter, am running on Cisco VPN 5000 Client software (Version: 4.2.11 3DES).
I am connecting to my corporate LAN via MobileStar's Wireless Access Point (Starbucks). I can stay logged on for approx. 30 minutes and then I get kicked off the network. If I log back on but do not get into VPN, I can stay on indefinitely.
What would be some good troubleshooting tips for me to use to try and narrow this down?
It would be helpful to examine the client/Concentrator logs and see if there is any reason or information provided prior to the disconnect.
You should also ensure that you are running the latest versions of Aironet drivers/firmware/etc and Cisco VPN 5000 Client.
The latest version of the Aironet 340 drivers are located at http://www.cisco.com/cgi-bin/tablebuild.pl/aironet-340 if you have a SmartNET contract (CCO login).
The latest version of the VPN 5000 client for Windows is 5.1 and can be obtained from http://www.cisco.com/kobayashi/sw-center/vpn/5000/
When you say "kicked off the network", are you receiving a message when you're kicked off the network or does connectivity just break? What are you doing to get back on the network when this happens?
Last session log file ended with this message: manage_1_conn exited with rc = 0
However, because the log file overwrites itself, I will have to check again when I am actually onsite.
When I say "kicked off the network", I do not get any error messages. The VPN client icon in the task bar is still spinning, but my IP connection is gone. I may be in my email and get a network err message when I try to save a message, or I might be on the web and I get a Page cannot be displayed message. To get back on, I disable my card, then re-enable it to renew the lease on my IP address, then I restart VPN and am good for another 30 minutes. This only happens while on VPN and MobileStar network. The same thing happens with a LinkSys WCP11 card. I was told by MobileStar that they use Cisco equipment, I know my company uses it, so I am hoping to find an answer here.
I do not have access to CCO Login so I cannot download the latest drivers or VPN client. Is there a public area that I can download the files?
Unfortunately not. Software updates are only available for customers with SMARTnet contracts (CCO access). You may wish to contact the TAC (Technical Assistance Center) and see what the cost is to purchase SMARTnet if you do not have it. The Product Manager for the Cisco VPN 5000 client told me that he expects that there'd be a significant difference with the 5.x client since there have been significant improvements to the client since 4.x so I think you'll have a much better experience after upgrading.
My name is Patrice Carbonneau, I worked as an Engineer for Bell Canada. Listen, honestly I won't be able to help you or give you any tips on this case.
The reason I have posted to you is to understand how your VPN connectivity works through MobileStar's Wireless Access Point (Starbucks). I will appreciate it if you help me to understand your architecture if possible (any little diagram?)
1- What plan ($) do you have with MobileStar?
2- Any special setup? Visa card?
3- Once you have an open connection from MobileStar, do you have DES encryption (point-to-point) from your corporate LAN?
Thanks for your collaboration
------------ Architecture ----------------------
Laptop client - Cisco VPN 5000 client soft (ver 4.2.11 3DES)
Corporate - Cisco VPN box
To sign up, go to http://www.mobilestar.com
Go to a Starbucks with your wireless card's SSID set to MobileStar. Try to access the web as you normally would. You should be redirected to a MobileStar.net login screen. You can sign up from there as well.
#1: I am on the Local Plan which costs me 29.95/month.
#2: Billing is handled via Credit Card
#3: Once I am authenticated via web based authentication a small window pops up indicating that I am logged into the MobileStar network. This popup window must stay open in order for me to stay connected. I can start my VPN client and login from there. Once logged into the VPN, I am able to access all resources.
I did not have to make any changes to my VPN Client so it works with my Dial-up, my Cable Modem, my DSL, my Ricochet Wireless, and MobileStar.
I am still working with MobileStar to try and determine why I get disconnected every 30 minutes.
My network admin just sent me the newest version of the VPN - 5000 client so I will try it out.
Hi - My name is Todd Gibson from MobileStar and I am a systems engineer.
MobileStar is currently running firmware 11.06 on all our Cisco Aironet APs. When utilizing VPNs on our network, there are different variables that can come into play while on an IP network. For instance, are you utilizing a split or single tunnel? If using a single tunnel, are you also utilizing a proxy server on the far end?
What solution are you utilizing, PPTP/MPPE or L2TP/IPSec?
Theoretically, none of these should pose any problems while connected via MobileStar's wireless access. We are running a true IP environment with broadband access throughout.
If you would allow me to assist you on this particular issue, I would like to help. I know that you have worked with several of our staff in an attempt to resolve the issue.
Please email me at email@example.com with contact info so I can call you.
If anyone else has questions concerning MobileStar Network, please feel free to email me.
I posted this in another thread but thought it may be better suited to this thread.
I am having problems keeping the routing up on my client when using the Linksys wireless. If I connect via patch cable and the ethernet port on the Linksys, routing stays up, but if I try to use the Linksys wireless card the routing fails. In both cases the padlock stays. Any help or direction would be appreciated...
VPN Cisco 3.02 - Pix firewall 515 -
Also - my email address is firstname.lastname@example.org not the above link
We have been informed by other customers that there were problems with the Linksys Wireless w/VPN and supposedly these were resolved with Linksys firmware Beta 1.37.9a-BEFW11S4 and greater.
I suggest the following plan to resolve your problem:
1. Upgrade your Linksys base station to the latest firmware available from Linksys. This is what we have been told has solved this problem.
2. Upgrade your Linksys Wireless card to the latest firmware available from Linksys.
3. Use Cisco VPN Client v3.0.3a. While no problems have been resolved related to this type of issue, there have been various other unrelated fixes since v3.0.2 and you will want to run v3.0.3a.
4. See if you're using IPsec (ESP) or IPsec/UDP. We have also had reports that turning off IPSEC-pass-through on the Linksys and using IPsec/UDP (IPsec through NAT) functionality has allowed customers to get around this bug.
If nothing works (in particular the Linksys upgrade), make sure that you turn your client log viewer on, set all event classes to HIGH and capture logs.
I was able to keep routing up by doing the following:
Upgraded the Linksys firmware - router and card (had already done the card last week)...
I have requested an upgrade to 3.03a, awaiting a reply from Cisco...
I am a little concerned: the padlock disappears. Should I be worried?
Thank you for your help
Error message "No Domain Controller Available to validate password" on Win95 clients. CVPN client 3.0.3a loaded on WIN95 and when it is connected (via dial up through the internet) to the Cisco 3015 running release 3.0.2 I get an error (no domain controller available to validate password). The tunnel does come up, and I can ping the domain controller which is also the WINS server. Once I have pinged the server and try to log into the NT domain again, it will work. If I try to ping with the default 32 bytes, the pings are fine. If I try to ping with 1500 byte pings, the replies are very erratic and seem flaky. What could be the problem?
Is it always the case that after pinging once, you can log in properly? Please try ALL (non split) tunneling and see if this works in all cases.
Please make sure that you're running Windows 95 OSR2 or greater. See if this problem occurs on any other systems (i.e. 98/ME) or if it's specific to your 95 environment.
If you do not use dial-up and use an ethernet based connection (i.e. DSL/Cable), does this work fine in all cases?
Try going to the Advanced TCP/IP settings on your dial-up adapter and see if setting your system for medium packets vs. large makes any difference as well.
Look at the output from nbtstat -c and nbtstat -n and confirm that everything looks correct.
Here are the answers to your questions:
Pinging does not always work
Win95 OSR2 with Winsock 2 and Dialup Networking 1.4.
Login seems to work fine over DSL/Cable but the configuration is different. The VPN Tunnel must be created before logging on to windows.
I don't have this option ( Advanced TCP/IP settings on your dial-up adapter and see if setting your system for medium packets vs. large makes any difference as well) in Win95.
Look at the output from nbtstat -c and nbtstat -n and confirm that everything
Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: 
NetBIOS Local Name Table
Name Type Status
VMCN414B <00> UNIQUE Registered
Ourcompany <00> GROUP Registered
VMCN414B <03> UNIQUE Registered
Node IpAddress: [xxx.xxx.xxx.xxx] Scope Id: 
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
Ourcompany <1C> UNIQUE 10.1.2.1 -1
ABC <03> UNIQUE 10.1.2.1 -1
ABC <00> UNIQUE 10.1.2.1 -1
ABC <20> UNIQUE 10.1.2.1 -1
Ourcompany = Master Domain I'm logging into.
ABC = PDC for Ourcompany Domain.
VMCN414B = My Win95 PC.
Strange. You shouldn't be seeing dropped packets. Try increasing the wait timeout and see if they show up. If not, try using the setmtu program to set your MTU to something like 1350 instead of the default value, see if this makes any difference.
Can you not access machines by \\HOSTNAME or via Network Neighborhood?
Make sure that your machine is in the correct domain/workgroup as well.
One thing I noticed in the output provided is that there is no Master Domain Controller (1B entry). Attached below is note that we put together on this type of issue which may or may not be related to your problem.
WINs server / Master Browser is most likely misconfigured.
(the document above describes another method to accomplish the same as below)
The problem was resolved by adding the following things on the Windows 2000
WINs server, which in this example is also the Primary Domain Controller (PDC).
1. In the WINs server config screen, select Active Registrations, then go to
the Action menu at the top, select Find by Name and enter an asterisk (*) to
find all names.
2. Right click on Active Registrations and select New Static Mapping....
On the next screen, enter the following:
Computer Name: <- enter your domain name here (i.e.: TESTDOM)
NetBIOS scope: <- leave empty
Type: <- select Domain Name from the drop down list
IP Address: <- enter the IP Address of the PDC/WINs server
When that's done, you should see a new entry on the right that reads:
YourDomainName [1C]Domain Controller X.X.X.X Active x (static)
3. Next, create a text file named LMHOSTS.SAM with one line as seen in this example:
220.127.116.11 "TESTDOM \0x1b" #PRE
Replace 18.104.22.168 with the same IP Address used in Step 2.
Replace TESTDOM with your Domain name.
The number of characters BETWEEN the double quotes MUST be EXACTLY 20
characters!!! Add or remove spaces between your Domain name and the
\0x1b so all the characters between the double quotes equal 20.
(This includes the \0x1b)
4. Right click on Active Registrations and select Import LMHOSTS
file.... Point it at the LMHOSTS file you created in step 3. When that's
done, you should see a new entry in the right-hand window that says
YourDomainName [1B]Domain Master Browser X.X.X.X Active x (static)
Now connect using a VPN Client on Windows 2000 using Dial-Up Networking and
add the workstation to the Domain. It should work now.
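The two checks above (spotting a missing <1B> Domain Master Browser entry in the nbtstat -c cache, and building the LMHOSTS line whose quoted field must be exactly 20 characters) as an added example; this is not code from the thread or from Cisco. The sample nbtstat output, the domain name and the addresses are constructed, and it assumes the <1C> address is the PDC/WINS server to use in the static mapping.

```python
import re

# Constructed sample of "nbtstat -c" output, modelled on the poster's table above
# (names and addresses are made up for this example).
SAMPLE_NBTSTAT_C = """\
Node IpAddress: [10.9.8.7] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ----------------------------------------------------------
    OURCOMPANY     <1C>  UNIQUE      10.1.2.1        -1
    ABC            <03>  UNIQUE      10.1.2.1        -1
    ABC            <00>  UNIQUE      10.1.2.1        -1
    ABC            <20>  UNIQUE      10.1.2.1        -1
"""

# One cache row: name, <suffix>, type, IP, lifetime
CACHE_ROW = re.compile(
    r"^\s*(\S{1,15})\s+<([0-9A-Fa-f]{2})>\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+(-?\d+)\s*$"
)


def parse_nbtstat_cache(text):
    """Return (name, suffix, ip) tuples from 'nbtstat -c' output; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = CACHE_ROW.match(line)
        if m:
            rows.append((m.group(1).upper(), m.group(2).upper(), m.group(3)))
    return rows


def find_domain_entries(rows, domain):
    """Map NetBIOS suffix (e.g. '1C', '1B') -> IP for the given domain name."""
    return {suffix: ip for name, suffix, ip in rows if name == domain.upper()}


def lmhosts_domain_master_line(ip, domain):
    """Build the LMHOSTS line registering `domain` as Domain Master Browser (<1B>).

    The quoted field is a 15-character, space-padded NetBIOS name followed by the
    5-character escape \\0x1b, so it is always exactly 20 characters long.
    """
    if not (1 <= len(domain) <= 15):
        raise ValueError("NetBIOS domain names are 1..15 characters")
    field = domain.upper().ljust(15) + "\\0x1b"
    return f'{ip} "{field}" #PRE'


def check_lmhosts_line(line):
    """True if the quoted field is exactly 20 characters and ends with the 1B escape."""
    m = re.match(r'^(\d+\.\d+\.\d+\.\d+)\s+"([^"]*)"\s+#PRE\s*$', line)
    if not m:
        return False
    field = m.group(2)
    return len(field) == 20 and field.endswith("\\0x1b")


def suggest_fix(text, domain):
    """Return the LMHOSTS line to add when the cache has a <1C> entry but no <1B> entry.

    Assumption: the <1C> (domain controller) address is the PDC/WINS server.
    """
    entries = find_domain_entries(parse_nbtstat_cache(text), domain)
    if "1B" in entries or "1C" not in entries:
        return None
    return lmhosts_domain_master_line(entries["1C"], domain)
```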
You're correct that the page is no longer there. I am not sure where it was moved to and the Support button appears to not be functioning on the page. Please use the information that we enclosed that describes how to accomplish this.
We have set the MTU to 1400.
I cannot access machines by either \\HOSTNAME or via Network Neighborhood.
The machines are in the correct domain/workgroup.
We 've tried the directions in Knowledge Base Article Q180094. No dice. I made sure that I had a 1B entry for the Master Domain Controller as well.
What I have found that does work is to change the MTU to 1400 and install the NetBEUI stack on both the dialup adapter and the ethernet NIC. If it is only installed on the dialup adapter it still doesn't work. What is really bizarre about this is that NetBEUI is disabled on the dialup connectoid being used to dial up to the internet. However, using NetBEUI is not an acceptable solution.
How about \\IP.ADDRESS? This will at least help you determine if it's a Windows networking problem or a WINS problem.
One other thing to check is to ensure that under Network Properties / TCP+IP that the Client for Microsoft Networks is bound to the dial-up adapter. Also under TCP/IP Netbios tab, make sure Enable Netbios over TCP/IP is checked.
Concentrator and NT network browsing
I have a Concentrator 3030, using the 3.0.3 vpn client for remote access.
In all cases, I can successfully establish the VPN tunnel from client to the corporate network. All clients are pulling down the appropriate information from the Concentrator: DNS servers, WINS servers, IP address on the internal network. I can successfully ping the WINS servers by both IP address and by NetBIOS name. I can access Windows network shares if I enter the name (or address) like so: \\server\share (I get prompted for NT authentication when attempting to access the resource for the first time, and after successful authentication the resource is available.)
The problem that I am having is that not all remote clients can browse the network neighborhood. It does not appear to be a result of different versions of Windows. I can browse the network and see all the domains and workgroups from different clients (98, NT4, 2k, ME), but on other clients (also on 98, NT4, 2k, or ME) I cannot browse the network even after manually accessing known shares. The clients that can successfully browse the network are all members of the domain that they are trying to browse. However, the clients that are not able to browse the network are parts of workgroups or other domains (a home user's PC is a perfect example). Note, some remote clients that are NOT part of any corporate domains have been able to browse; there isn't anything consistent that I've been able to nail down. Also, adding home users' PCs to our domains is not a viable solution.
Am I overlooking something in the Concentrator config?
I think you nailed the problem on the head. If the users' machines are not part of your DOMAIN/Workgroup, they're not going to be able to properly access Windows resources, especially with Network Neighborhood/Browsing type functionality. In some cases, these machines may be able to access particular Windows resources by individually authenticating to each resource, but they're not going to have the same experience as a machine that is properly enrolled in your domain.
The interesting thing is that I do have clients that are not part of the corporate domains, yet they have successfully done windows browsing, even without first accessing a known resource. Some clients have no problem, others do. I believe the 98 and ME clients that are not part of the domain have been able to do this, but not the NT or 2k clients (I still have to reproduce and confirm this last statement).
Adding the remote client PCs to the domains is not an acceptable solution for us. Writing a script to map network drives to a home PC is not viable either; there are far too many resources that need to be accessed for us to use mapping as a work-around. Finally, users are not going to accept having to manually access servers themselves (executive staff in particular).
Thanks again for your response.
This makes sense. NT/W2K/XP have much more of a dependency on this because of the fact that you log in to the computer as a user of the domain when you boot up. With 98/ME, this can be "launched" later on in the process. For our customers with NT/W2K/XP who wish to have access to NT shares/resources in the same manner as the office, they are enrolling these computers in to the domain.
I have a problem with a PIX firewall and VPN client 3.0. I can successfully connect 1 computer to the LAN but I have no idea how to connect the other PCs to the network. I need the rest of the computers to stay up continuously without losing connection. Any ideas on how to connect them? I have tried setting up the client software on the other machines but I could not get my Linksys router to allow more than 1 IPSEC connection through it. I have only one public IP address on the Linksys. Do PIX 6.0.1 and VPN client 3 allow PAT on the client side?
Unfortunately you're only going to be able to connect 1 simultaneous connection to your PIX 6.x device from behind a Linksys device at a time. I know that customers have stated that they have used other PAT devices in conjunction with the VPN 3000 that have worked fine and I will send you a couple of pointers via email.