Solved: IPSec over TCP Client Connections via USB

jwilder · ‎03-19-2003

We are having an issue (and I noticed that several other people here are as well) of our remote Broadband users not being able to connect. We have just recently started getting complaints from XP home users that they were receiving errors while trying to connect to the Concentrator.

To start troublshooting we temporarily moved our 3015 Concentrator to outside of our firewall. The users were still unable to connect. After quite a bit of further troubleshooting we were able to successfully duplicate this issue by simply switching the users VPN client from IPsec over TCP to IPsec over UDP.

We then tried to identify why it was happening to some clients but not all. In the end the only thing that we could find really different was that the clients who used a USB port to connect to the network instead of a proper Ethernet port failed to connect via IPSec over TCP. We tested and verified this on several operating systems including Windows 2000, XP Home and XP PRO. We also tested and verified this with several VPN Clients including 3.5.1 and 3.6.3b.

The end result is that in all cases users who use a USB type connection cannot connect via IPSec over TCP. All users who connect via a proper Ethernet adapter are able to connect via either method.

Our problem is that we cannot run UDP connections behind our firewall without converting over to NAT. We send out a preconfigured client to our users that forces them to use tcp port 10000 verses the default udp 10000. We do this for several reasons but the most important of them is our firewall will not redirect IPSec UDP sessions, only IPSec TCP sessions.

Leaving the VPN Concentrator outside the firewall and exposed is also not an option. So, I am left with telling all of my USB users that the only way they can connect is to install an Ethernet adapter, which in the end isn't really much of an option if you consider the expense and technical expertise required to pull this off with a couple of hundred home users it just won't fly.

So, this brings me to this forum. Before I open a TAC case I would like to hear from the experts to try and determine as close as possible if this is a Microsoft problem or a Cisco VPN client problem. I have my suspicions that this belongs to Microsoft but I can't prove anything yet. Does anyone else have any idea's on this? Please, I invite anyone to test this out and let us know what you find. If you need more detail on the methodolgy please let me know and I would be happy to provide it. I think this is potentially a huge problem just by the number of complaints that I have seen in this forum. My supervisor thinks I am smoking something when I try and explain this to him. All he can say is "if this really was a problem more people would also certainly have it and we would have heard about it by now, it must be in your configuration. GO FIX IT" (does any of this sound familiar?)

I appreciate any feedback that anyone is willing to give. I believe that if we as a community get together on this we can find a solution.

Thanks for your time!

smalkeric · ‎03-25-2003

This is a bug, use the bugtool kit to view the bug CSCdv00229.

View solution in original post

martincarr · ‎04-04-2003

I seem to have had the same pb (xp/usb sagem modem and vpn 3.6.2). It works with 3.6.4 rel k9.

View solution in original post

smalkeric · ‎03-25-2003

This is a bug, use the bugtool kit to view the bug CSCdv00229.

jkoos · ‎03-26-2003

Although I am a registered user and successfully logon I cannot get to the bug toolkit to view this bug. Would appreciate some help to do so or is it possible to "cut and paste" the fix. Thanks.

jwilder · ‎03-26-2003

Here is the actual bug data just in case you need it.

CSCdv00229 Bug Details

Headline Client is incompatible with USB based connections (i.e. DirecPC USB)

Product universal-vpn-client Model

Component win-vpn-client Duplicate of

Severity 3 Status Closed

First Found-in Version 3.0 First Fixed-in Version Version help

Release Notes

The Cisco Systems VPN Client does work with USB based connections. The USB

vendor must follow the USB specs. We've found that some don't specify the correct

info in the device .inf files.

jwilder · ‎03-26-2003

All the bug notice really says is that the problem is a driver issue from the USB provider. Some USB driver providers have left out certain information in the .inf file and therefore there are connection issue associated with the USB port.

I also want to update my case. Through more rigorus testing we have found that this issue appears to be related to one specific brand of cable modem that we have found. The model we are having problems with is the Motorola Surfboard SB4100. There may be other models out there that have this issue but I am not aware of them. We have contacted Motorola regarding this and they basically blew us off and told us "there is no way this is possilbe" so we responded OK then to fix the issue we will just replace ALL of your appliances with a different vendor! (they hung up on us) :-( guess they didn't appreciate our sense of humour!

Good Luck!

martincarr · ‎04-04-2003

I seem to have had the same pb (xp/usb sagem modem and vpn 3.6.2). It works with 3.6.4 rel k9.

jwilder · ‎04-10-2003

This client did fix the issue. Thanks for the update! I am curious though as to why the Cisco Buglist shows this as a manufacturer problem and then low and behold they release a client that fixes this very issue. I also noticed that in the Readme for the new client they didn't address this bugfix. Does that mean we can write this one off to a "OOPS"?

Thanks, Martin.