Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client Error

Hi, new to cisco stuff. First thing i had working on the new PIX 506e was the VPN. Set up the IP Pool, group, and username. Installed the client, worked great. Now that ive been playing around with figuring out rules, acl's, translations, etc. it seems the VPN client is inconsistent now. It sometimes will work, but usually it will hang at "securing communications channel". Cancelling the connection does not work, it just creates the second error shown in the log (see below). I then have to end the task via taskmanager, open the VPN client again, (icon pops up in the tray as locked, but does not see the remote network in any way) disconnect, and then exit to get my machine to talk to its local network again.

Here is the log:

Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 15:44:39.600 03/06/07 Sev=Warning/2 CVPND/0xA3400011

Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xA9FE0202 (DRVIFACE:1199).

2 15:46:06.876 03/06/07 Sev=Warning/3 GUI/0xE3B00002

GI GI_EnumPPP failed with error (FFFFFFFEh).

Thank you for any help you can provide. This will be the primary means for the few remote users we have to access the network from home, vegas, etc.

Maury

Edit:

heres another one

Cisco Systems VPN Client Version 4.6.00.0045

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 15:47:31.117 03/06/07 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

20 REPLIES
Cisco Employee

Re: VPN Client Error

I would appreciate if you could send the running configuration of the PIX so that we get an idea what is going wrong.

Regards,

Kamal

New Member

Re: VPN Client Error

Hope this is it . . .

All these rules were just for testing, the system is not live, jsut on a spare IP i have.

Thanks

Maury

Cisco Employee

Re: VPN Client Error

Hi Maury,

It seems that you configured it through PDM.

Please issue the following commands on the PIX as it is expected to resolve your problem :

no crypto map outside_map interface outside

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto map outside_map interface outside

HTH,

Please rate if it helps,

Regards,

Kamal

New Member

Re: VPN Client Error

Yes, i have configured it through the PDM, much easier for a noob like me. I'll punch those in and let you know how it works.

New Member

Re: VPN Client Error

PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224

Also, im struggling to figure out where this .60.192 address came from. My DHCP range for the VPN clients is .60.200 - .60.220

Cisco Employee

Re: VPN Client Error

Hi Maury,

Don't worry about the .60.192 subnet. The pool range that you defined falls in this subnet so the PDM itself created the access-list using the subnet. Please let me know if the 3 commands I sent were issued on the PIX. If yes, did you try to connect after that and test?

Please let me k now how it goes.

HTH,

Please rate if it helps.

Regards,

Kamal

Cisco Employee

Re: VPN Client Error

Hi Maury,

Did the suggestion help?

Regards,

Kamal

New Member

Re: VPN Client Error

Well, like i said previous, the PDM Ignored that one command. And ive tried reconnecting, reinstalling the client software, and still same thing, securing communications channel.

PDM Ignored this command

access-list outside_cryptomap_dyn_20 permit ip any 192.168.60.192 255.255.255.224

Should i try running that through the console?

Maury

Cisco Employee

Re: VPN Client Error

Hi Maury,

Does this problem occur only on one client or anyone trying to connect from any computer? Could you send the latest config again? I just need to see when you tried to paste those commands, which commands got issued and which got left.

Regards,

Kamal

New Member

Re: VPN Client Error

No, i have tried it one two machines from 3 separate pulic IP's (if that even makes a difference) so far, and same thing for each.

Here is my running config

Thanks

Maury

Cisco Employee

Re: VPN Client Error

Hi Maury,

As per the config, none of the commands I sent to you got issued to the PIX so please issue the following commands via console, telnet or SSH (basically CLI) :

no crypto map outside_map interface outside

no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto map outside_map interface outside

HTH,

Please rate if it helps,

Regards,

Kamal

New Member

Re: VPN Client Error

when i enter the second command via the console, i get ERROR: unable to clear match address

New Member

Re: VPN Client Error

I rebooted the firewall, and entered the commands again, and they went through. going to test the VPN and get an updated config for you.

New Member

Re: VPN Client Error

Well, worked the first time, disconnected, tried again, no go.

New Member

Re: VPN Client Error

Updated Config

Cisco Employee

Re: VPN Client Error

Could you capture the client logs and debugs from the PIX?

debug cry isak

debug cry ipsec

Regards,

Kamal

New Member

Re: VPN Client Error

Files attached

Cisco Employee

Re: VPN Client Error

Hi Maury,

For testing, could you please consider changing the software version of the VPN client. You can download the latest version from :

http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/vpn/client/windows/vpnclient-win-is-4.8.02.0010-k9.exe&app=Tablebuild&status=showC2A

Please make sure that you remove the existing version first. Please also make sure that you don't have any 3rd party firewalls running like Norton Internet Security, McAffee Desktop Firewall or ZoneAlarm stuff.

HTH,

Please rate if it helps,

Regards,

Kamal

New Member

Re: VPN Client Error

i guess i dont have the proper access. Probably havent spent enough money on cisco stuff yet :)

New Member

Re: VPN Client Error

Well, i think it may be solved partially, looks like its now just a client issue on my laptop here. Ive tried it on the other client with no problems multiple times. Could have been two issues seeming to be one, and those commands fixed one. I'm not too concerned about my laptop for now. Thank you for all your help!!!

Maury

1074
Views
7
Helpful
20
Replies