10-08-2002 04:46 PM - edited 03-09-2019 12:36 AM
My Windows 2000 laptop has the Cisco Intraport 5000 V5.2.3 client loaded to connect to a corporate VPN. If the laptop is connected directly to an internet connection, everything works fine; but if the laptop is connected behind a Linux firewall computer, the VPN connection predictably fails after about 30 minutes (the time varies a good bit), and the only way to restore the connection is to reboot the laptop. The Linux firewall has IPSEC support loaded. Trying different laptops, of various makes and models, produces the same results. The connection log of the client simply shows "connection aborted". Internet access through non-VPN routes works without a problem. I suspect that either the DHCP / Proxy server at the corporate end is terminating the VPN connection, or the client software drops the VPN connection, perhaps because some kind of "status query" packets are not being answered, but that is only a guess, and I really do not know what the problem might be. Corporate support tells me to get rid of the Linux firewall and to make a direct connection, but that is not an option. Note that the Linux firewall does not support the NAT option. Can anyone familiar with the Cisco 5000 setup help me?
Thanks,
Addendum:
Here is a client debug log that shows the connection lost after about 30 minutes with rc = 232 (I assume that is an error/status code but have been unable to find out what it means).
(note: username, server and ip edited for security.)
========================================================================
Platform = Windows NT
Build # = 2195
CSDVersion = Service Pack 3
Client version = 5.2.3.1
UserName = vpnusr
IPPrimary = corp.vpn.pai.com
IPSecondary =
IPEnabled = 1
IPXEnabled = 0
NetBTEnabled = 1
ExcludeLocalLAN = 1
ExcludeDHCP = 1
UseFTCP = 0
FTCPDestinationPort = 80
System IP address = 192.168.0.101
new script: ISAKMP primary negotiation for <no id> (start)
manage @ 02/10/09 11:19:43 :: vpnusr (start)
02/10/09 11:19:43 doing ipri_init, (0 @ 0)
02/10/09 11:19:43 doing ipri_do_negotiation, (0 @ 0)
new script: ISAKMP secondary Aggr / shared-secret for vpnusr (start)
02/10/09 11:19:43 doing iass_init, (0 @ 0)
02/10/09 11:19:43 doing iass_build_pkt_1, (0 @ 0)
02/10/09 11:19:43 doing iass_send_pkt_1, (0 @ 0)
manage @ 02/10/09 11:19:43 :: vpnusr (done)
manage @ 02/10/09 11:19:43 :: vpnusr (start)
02/10/09 11:19:43 doing iass_process_pkt_2, (0 @ 0)
02/10/09 11:19:47 doing iass_rad_chal_resp, (0 @ 0)
manage @ 02/10/09 11:19:47 :: vpnusr (done)
manage @ 02/10/09 11:19:47 :: vpnusr (start)
02/10/09 11:19:47 doing iass_rad_mop_up, (0 @ 0)
manage @ 02/10/09 11:19:47 :: vpnusr (done)
manage @ 02/10/09 11:19:47 :: vpnusr (start)
02/10/09 11:19:47 doing iass_rad_mop_up, (0 @ 0)
manage @ 02/10/09 11:19:47 :: vpnusr (done)
manage @ 02/10/09 11:19:47 :: vpnusr (start)
02/10/09 11:19:47 doing iass_rad_mop_up, (0 @ 0)
02/10/09 11:19:47 doing iass_process_pkt_2, (0 @ 0)
02/10/09 11:19:48 doing iass_build_pkt_3, (0 @ 0)
02/10/09 11:19:48 doing iass_send_pkt_3, (0 @ 0)
manage @ 02/10/09 11:19:48 :: vpnusr (done)
manage @ 02/10/09 11:19:48 :: vpnusr (start)
02/10/09 11:19:48 doing iass_phase_2_start, (0 @ 0)
02/10/09 11:19:48 doing iass_last_op, (0 @ 0)
end script: ISAKMP secondary Aggr / shared-secret for vpnusr, (0 @ 0)
next script: ISAKMP primary negotiation for vpnusr, (0 @ 0)
02/10/09 11:19:48 doing ipri_negot_done, (0 @ 0)
02/10/09 11:19:48 doing ipri_start_p2, (0 @ 0)
new script: phase 2 responder for vpnusr (start)
02/10/09 11:19:48 doing rph2_init, (0 @ 0)
02/10/09 11:19:48 doing rph2_process_pkt_1, (0 @ 0)
02/10/09 11:19:48 doing rph2_build_pkt_2, (0 @ 0)
02/10/09 11:19:48 doing rph2_send_pkt_2, (0 @ 0)
manage @ 02/10/09 11:19:48 :: vpnusr (done)
manage @ 02/10/09 11:19:48 :: vpnusr (start)
02/10/09 11:19:48 doing rph2_pkt_3_wait, (0 @ 0)
02/10/09 11:19:48 doing rph2_config_SAs, (0 @ 0)
02/10/09 11:19:48 doing rph2_last_op, (0 @ 0)
end script: phase 2 responder for vpnusr, (0 @ 0)
next script: ISAKMP primary negotiation for vpnusr, (0 @ 0)
02/10/09 11:19:48 doing ipri_open_tunnel, (0 @ 0)
========================================================================
User vpnusr connected to corp.vpn.pai.com
IntraPort Version - v6.0.21.0003 (dalecki) US
IPNets Number = 1
Exclude IPNets Number = 0
Tunneled Nets IPAddress = 0.0.0.0
Tunneled Nets IPMask = 0.0.0.0
========================================================================
10/09/2002 11:19:48 <Status > V The user connected with IP Addr 208.1.148.1
02/10/09 11:19:48 doing ipri_start_maint, (0 @ 0)
new script: responder maintenance for vpnusr (start)
02/10/09 11:19:48 doing rmnt_init, (0 @ 0)
02/10/09 11:19:48 doing rmnt_maintenance, (0 @ 0)
manage @ 02/10/09 11:19:48 :: vpnusr (done)
manage @ 02/10/09 11:27:48 :: vpnusr (start)
02/10/09 11:27:48 doing rmnt_maintenance, (0 @ 0)
manage @ 02/10/09 11:27:48 :: vpnusr (done)
manage @ 02/10/09 11:35:48 :: vpnusr (start)
02/10/09 11:35:48 doing rmnt_maintenance, (0 @ 0)
manage @ 02/10/09 11:35:48 :: vpnusr (done)
manage @ 02/10/09 11:43:48 :: vpnusr (start)
02/10/09 11:43:48 doing rmnt_maintenance, (232 @ 379)
02/10/09 11:43:48 doing rmnt_last_op, (232 @ 379)
end script: responder maintenance for vpnusr, (232 @ 379)
next script: ISAKMP primary negotiation for vpnusr, (232 @ 379)
02/10/09 11:43:48 doing ipri_last_op, (232 @ 379)
end script: ISAKMP primary negotiation for vpnusr, (232 @ 379)
next script: <none> for vpnusr, (232 @ 379)
manage @ 02/10/09 11:59:06 :: vpnusr (done)
========================================================================
manage_1_conn exited with rc = 232
========================================================================
10/09/2002 11:59:06 <Status > S Connection to IntraPort lost
10-16-2002 08:42 AM
The problem must be something on the Linux firewall. Are there logs you can look through on the firewall to see what is happening at the time of failure? That's where I'd start.
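An added example, not part of the original posts: one way to pull the failure time and the maintenance cadence out of the client debug log above, so the firewall logs can be read around that moment. It assumes the `(232 @ 379)` pair is a status code followed by a location value, which the thread does not confirm; `SAMPLE_LOG` is an excerpt of the posted log, and `parse_steps` and `summarize` are names chosen for this example.

```python
import re
from datetime import datetime

# Excerpt copied from the client debug log posted in the thread above.
SAMPLE_LOG = """\
02/10/09 11:19:48 doing ipri_open_tunnel, (0 @ 0)
02/10/09 11:19:48 doing rmnt_init, (0 @ 0)
02/10/09 11:19:48 doing rmnt_maintenance, (0 @ 0)
manage @ 02/10/09 11:27:48 :: vpnusr (start)
02/10/09 11:27:48 doing rmnt_maintenance, (0 @ 0)
02/10/09 11:35:48 doing rmnt_maintenance, (0 @ 0)
02/10/09 11:43:48 doing rmnt_maintenance, (232 @ 379)
02/10/09 11:43:48 doing rmnt_last_op, (232 @ 379)
manage_1_conn exited with rc = 232
"""

# "<yy/mm/dd hh:mm:ss> doing <step>, (<code> @ <n>)"
STEP = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) doing (\w+), \((\d+) @ (\d+)\)")

def parse_steps(text):
    """Yield (timestamp, step_name, code, location) for each 'doing' line."""
    for line in text.splitlines():
        m = STEP.match(line.strip())
        if m:
            # Timestamps in this log are yy/mm/dd (02/10/09 = 9 Oct 2002).
            ts = datetime.strptime(m.group(1), "%y/%m/%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3)), int(m.group(4))

def summarize(text):
    """Report maintenance spacing and the first step with a non-zero code."""
    steps = list(parse_steps(text))
    tunnel_up = next((ts for ts, name, _, _ in steps if name == "ipri_open_tunnel"), None)
    maint = [ts for ts, name, _, _ in steps if name == "rmnt_maintenance"]
    intervals = [int((b - a).total_seconds()) for a, b in zip(maint, maint[1:])]
    # Assumption: a non-zero first number marks the step where the session failed.
    failure = next((s for s in steps if s[2] != 0), None)
    uptime = int((failure[0] - tunnel_up).total_seconds()) if failure and tunnel_up else None
    return {"maintenance_intervals_s": intervals, "first_failure": failure, "uptime_s": uptime}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("maintenance intervals (s):", report["maintenance_intervals_s"])
    print("first non-zero step:", report["first_failure"])
    print("seconds from tunnel open to failure:", report["uptime_s"])
```

On the posted log this reports maintenance passes every 480 seconds and the first non-zero code at 11:43:48, 24 minutes after the tunnel opened, which is the window to look for in the firewall's logs.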