Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problems with Client VPN connecting to Cisco Concentrator thru ISA server

Hi!, I am having problems connecting to a site with a Cisco concentrator. The problems occurs when I use it in a network thru an ISA server.

Without the ISA server it works fine, but without it it just keeps on saying the Remote Peer is no longer responding.

Whats the possible setting should be done in the ISA server?

Thanks in advance

  • Other Security Subjects
9 REPLIES
Cisco Employee

Re: Problems with Client VPN connecting to Cisco Concentrator th

You might want to talk to Microsoft about this further, but I don't believe the ISA server will forward ISAKMP or IPSec packets. You could try using IPSec over TCP, then the client and the concentrator will use TCP packets for the session, that might work better.

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Okay, but I think in the VPN client (ver 3.6) we selected the option IPSEC over UDP, and we used this option when connecting to ADSL without ISA server (works fine). I believe this setting (UDP) from what I read should work for ISA server, unfortunately I'm a newbie and don't know what to set in ISA server to make it work.

Again advance thanks for any help that you can give.

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Hi,

I have sort of the same problem here.

We use 800 series routers and connect with a vpn client 3.6.1.

It works fine with just a linux router or whatever.

But now we want to be able to VPN behind an ISA server.

We tried udp & tcp, i just can't get it right.

It seems to be possible if you read the internet.

We would be greatly pleased if someone could solve this.

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Hi!

I have Cisco VPN Client working well through MS ISA server. The only thing to do is to define some protocols and allow use of them. Here are the configurations:

Open ISA Management and go to Protocol Definitions. Define a new protocol, give name i.e. "Cisco VPN", Port: 10000, Protocol: UDP and Direction: Send/Receive.

Then Define another protocol, Internet Key Exchange. Port 500, Protocol: UDP, Direction: Send/Receive.

Then in Access Policy, define a new protocol rule, and allow use of those two protocols you just defined.

I'm writing this message through ISA server with the Cisco VPN Client, so if you can see my message, this configuration is working at least in my case ;-).

Good luck and best regards,

Eerik

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Thanks for the answer eerik , I followed your instruction step by step but still won't connect always have Remote Peer is no longer responding. Do you by chance have anymore suggestion? Thanks for the help I really appreciate it.

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Okay, I'll give you all the things, what I have in my ISA. May be you'll find the right combination.

First of all, I'm using Cisco VPN Client on XP-machine and it has been installed with default settings. "Allow IPSec through NAT mode" setting is checked in clients properties, then I have my authentication (name & pwd) configured. My VPN Client version is 3.1. I think that I have installed the client with default settings without any customization.

I'm connecting to the Internet via ADSL and I have ISA server running on win2k server, which has two NICs, one for inside network and other connected to ADSL modem.

I have allowed normal internet protocols: FTP, FTP download only, HTTP, HTTPS. NNTP, NTP (UDP), POP3 and SMTP.

Then I have following IP Packet Filters in allowed mode: DNS filter, ICMP outbound, ICMP ping response (in), ICMP source quench, ICMP timeout in, ICMP unreachable in and SecureNAT PPTP. The last one may be important for VPN. All these filters are defined with default settings, I haven't put any customization there.

That's all, what I have done to my ISA and it is working. Maybe the different version of VPN client is the reason for your problems. I remember that the older version of client was very slow in log-on procedure, but when I updated this one (v3.1), it does the log-on procedure very fast.

My friend was visiting Microsoft's conference last year and he wanted to use VPN there with his laptop and Wireless LAN, but all the ports were closed. He asked Microsoft's guys to open those ports what I just described in my prior message and they changed their ISA server settings and it worked well.

Is your ISA server working properly without Cisco VPN client?

I hope you'll find the solution.

Regards,

Eerik

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

One thing about that error message. It will give this message, when you really don't have the connection there. I have seen that message once, when my ISA server was not working well, the reason was a automatic power-setting, which closed my network card when it was not used... but it could'nt put it on again.. just give me a guess how much time I spent searching the problem and going through all possible settings....

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

Hi,

Do you still have the problem?

One thing that came in my mind, that propably is the reason for your problems, that if you are using SecureNAT in your ISA and even if you have NAT mode checked on your VPN client software, there is the same "NAT mode" setting in your VPN Concentrator also. It is off by default, so you should turn it on.

Cisco VPN is based on IPSec standards and IPSec packets cannot be transferred through NAT, because NAT is doing address and port translating and the IPSec packet has information inside, what was the address and port it was originally ment to send. Now when this information has been changed because of NAT, the packet is not accepted anymore, CRC does not match. The solution is to turn on the NAT mode on client and concetrator which puts the IPSec packet inside another UDP packet and now when packet goes to NAT, it makes changes only that UDP packet, not the IPSec TCP packet inside that UDP and then in Client software the original IPSec packet will be taken out from the UDP Packet. A little bit fuzzy eplanation, hope you understoof what I ment (sorry about my no so good English). But the system works.

When you allow the NAT mode in your concentrator in UDP 10000 port and then alow that same UDP 10000 (Send and Receive) protocol in your ISA it should work. Then you must have also IKE (TCP port 500) allowed in your ISA. That configuration is tested and working perfectly.

Regards,

Eerik

New Member

Re: Problems with Client VPN connecting to Cisco Concentrator th

I am having the same problem, I like to think I'm not an idiot and can follow a knowledge base article easy enough. I have followed the article verbatim but I am still unable to get the vpn client to work. If anyone has any other ideas besides creating two protocol definitions one for UDP 500 and one for UDP 10000 and than creating a protocol rule allowing both of these PLEASE LET ME KNOW!!! I'm losing it here, it seems like half the people it just doesn't work, half it does.

Thanks

423
Views
0
Helpful
9
Replies