VPN Client Error

maury_macdonald
Level 1

Hi, new to Cisco stuff. First thing I had working on the new PIX 506e was the VPN. Set up the IP pool, group, and username. Installed the client, worked great. Now that I've been playing around with figuring out rules, ACLs, translations, etc., it seems the VPN client is inconsistent now. It sometimes will work, but usually it will hang at "securing communications channel". Cancelling the connection does not work; it just creates the second error shown in the log (see below). I then have to end the task via Task Manager, open the VPN client again (the icon pops up in the tray as locked, but does not see the remote network in any way), disconnect, and then exit to get my machine to talk to its local network again.

Here is the log:

Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 15:44:39.600 03/06/07 Sev=Warning/2 CVPND/0xA3400011

Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xA9FE0202 (DRVIFACE:1199).

2 15:46:06.876 03/06/07 Sev=Warning/3 GUI/0xE3B00002

GI GI_EnumPPP failed with error (FFFFFFFEh).

Thank you for any help you can provide. This will be the primary means for the few remote users we have to access the network from home, Vegas, etc.

Maury

Edit:

Here's another one:

Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 15:47:31.117 03/06/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

20 Replies

Kamal Malhotra
Cisco Employee

I would appreciate if you could send the running configuration of the PIX so that we get an idea what is going wrong.

Regards,

Kamal

Hope this is it . . .

All these rules were just for testing; the system is not live, just on a spare IP I have.

Thanks

Maury

Hi Maury,

It seems that you configured it through PDM.

Please issue the following commands on the PIX, as they are expected to resolve your problem:

no crypto map outside_map interface outside

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto map outside_map interface outside

HTH,

Please rate if it helps,

Regards,

Kamal

Yes, I have configured it through the PDM, much easier for a noob like me. I'll punch those in and let you know how it works.

PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224

Also, I'm struggling to figure out where this .60.192 address came from. My DHCP range for the VPN clients is .60.200 - .60.220

Hi Maury,

Don't worry about the .60.192 subnet. The pool range that you defined falls in this subnet so the PDM itself created the access-list using the subnet. Please let me know if the 3 commands I sent were issued on the PIX. If yes, did you try to connect after that and test?

Please let me know how it goes.

HTH,

Please rate if it helps.

Regards,

Kamal
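Added example (not part of the original thread or of PDM itself): one way to see why a pool of .60.200 to .60.220 ends up as `192.168.60.192 255.255.255.224` in the generated access-list, by computing the smallest single subnet that covers the range. The full `192.168.60.x` pool addresses are an assumption inferred from the access-list line, and the function names are hypothetical.

```python
import ipaddress


def smallest_covering_subnet(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the smallest single CIDR block containing both addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        lo, hi = hi, lo
    # Every bit position where the two ends differ must be a host bit.
    host_bits = (lo ^ hi).bit_length()
    prefix = 32 - host_bits
    network = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((network, prefix))


def addresses_outside_pool(net, first: str, last: str):
    """Addresses the subnet matches that the pool never hands out."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [addr for addr in net if addr < lo or addr > hi]


# Assumed pool: the thread gives only ".60.200 - .60.220"; the 192.168 prefix
# is taken from the access-list line that PDM generated.
POOL_FIRST, POOL_LAST = "192.168.60.200", "192.168.60.220"

if __name__ == "__main__":
    net = smallest_covering_subnet(POOL_FIRST, POOL_LAST)
    extra = addresses_outside_pool(net, POOL_FIRST, POOL_LAST)
    print("access-list form:", net.network_address, net.netmask)
    print("subnet size:", net.num_addresses)
    print("matched but not in pool:", len(extra))
```

The subnet form is wider than the pool, so the access-list entry also matches the addresses on either side of the .200 to .220 range.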

Hi Maury,

Did the suggestion help?

Regards,

Kamal

Well, like I said previously, the PDM ignored that one command. And I've tried reconnecting, reinstalling the client software, and still the same thing: securing communications channel.

PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224

Should I try running that through the console?

Maury

Hi Maury,

Does this problem occur only on one client or anyone trying to connect from any computer? Could you send the latest config again? I just need to see when you tried to paste those commands, which commands got issued and which got left.

Regards,

Kamal

No, I have tried it on two machines from 3 separate public IPs (if that even makes a difference) so far, and same thing for each.

Here is my running config

Thanks

Maury

Hi Maury,

As per the config, none of the commands I sent to you got issued to the PIX, so please issue the following commands via console, Telnet or SSH (basically CLI):

no crypto map outside_map interface outside

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto map outside_map interface outside

HTH,

Please rate if it helps,

Regards,

Kamal

When I enter the second command via the console, I get ERROR: unable to clear match address

I rebooted the firewall, and entered the commands again, and they went through. Going to test the VPN and get an updated config for you.

Well, worked the first time, disconnected, tried again, no go.
