Cisco Support Community

New Member

windows xp problem

I am new to PIXs and VPN so please forgive my evident new-ness. We recently had a VPN installed between two offices. There is a PIX 515e on each end. The site2site works fine. However, I am having problems with remote2site. I have 3 PCs at home behind a Netgear router. All three have Cisco Client 3.6 installed. WS-A is WinXPhome. WS-B is also WinXPhome. WS-C is Win98. WS-A is able to connect to Site A. WS-B is able to connect only to Site B. WS-C can connect to both sites. I recently installed XP Pro on WS-B to see if my problems were OS related. I installed the OS, updated with all the updates. I installed the VPN client and the same problems occurred. I am trying to test the whole setup prior to a rollout to other remote users. But obviously I need to find out what my true problems are.

Client side errors are IKE retransmissions and peer not responding, while at the same time the PIX side shows no connections.

Thanks for any insight.

Cisco Employee

Re: windows xp problem

Is the NetGear router doing PAT? It sounds like this might be causing your problem more than anything. Try connecting to Site A and Site B from outside this router and see if that makes a difference.

Of course this doesn't explain why the 98 PC can connect to both, but if the NetGear is screwing up the IPSec PAT, it'll depend on what current connections you have open as to where you can connect. For example, if you open a connection from WS-A to SiteA, you'll probably find that WS-B can't connect to SiteA. If you open a connection from WS-B to SiteB, then you'll probably find that WS-A can't connect to SiteB. If you don't have any connections open, you might find that WS-B can connect to both SiteA and SiteB, assuming the PAT table in the NetGear has timed out. Your test results may be flawed somewhat just by virtue of what other connections you had open and what was currently active in the NetGear's translation table.

Of course, I may also be completely wrong too, but I'd certainly try it without the NetGear in place, particularly if it's doing address translation, as NAT/PAT will quite often cause issues with IPSec.
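
The state dependence described in the reply above can be reproduced with a small model. This is an added example, not part of the original thread and not NetGear or Cisco code: it assumes a PAT device that does not port-translate IKE (UDP 500), so it can bind each remote VPN peer to only one inside host until the entry idles out. The class name, timeout value and event list are constructed for illustration.

```python
# Simplified model (an assumption, not NetGear firmware behaviour) of a PAT
# device with "IPsec passthrough": IKE (UDP 500) and ESP (IP protocol 50) are
# not port-translated, so the router can bind each remote VPN peer to only one
# inside host at a time.

IDLE_TIMEOUT = 300  # seconds; constructed value for the model


class PassthroughPat:
    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.bindings = {}  # remote peer -> (inside host, last-seen time)

    def _expire(self, now):
        # Drop bindings that have been idle for the full timeout.
        for peer, (_, seen) in list(self.bindings.items()):
            if now - seen >= self.timeout:
                del self.bindings[peer]

    def outbound_ike(self, host, peer, now):
        """Return True if the IKE packet is forwarded, False if dropped."""
        self._expire(now)
        owner = self.bindings.get(peer)
        if owner is not None and owner[0] != host:
            return False  # peer already bound to another inside host
        self.bindings[peer] = (host, now)
        return True


def replay(events, timeout=IDLE_TIMEOUT):
    """Run (time, host, peer) attempts through the model; return outcomes."""
    nat = PassthroughPat(timeout)
    return [(t, h, p, nat.outbound_ike(h, p, t)) for t, h, p in events]


# Constructed test sequence using the host and site names from the thread.
EVENTS = [
    (0, "WS-A", "SiteA"),    # first to claim SiteA
    (10, "WS-B", "SiteB"),   # first to claim SiteB
    (20, "WS-B", "SiteA"),   # dropped: SiteA bound to WS-A
    (30, "WS-A", "SiteB"),   # dropped: SiteB bound to WS-B
    (400, "WS-B", "SiteA"),  # WS-A's entry has been idle 400 s and expired
]

if __name__ == "__main__":
    for t, host, peer, ok in replay(EVENTS):
        print(f"t={t:>3}s {host} -> {peer}: {'forwarded' if ok else 'dropped'}")
```

In this model a dropped packet never leaves the router, so the client would see IKE retransmissions while the far-end PIX logs nothing, and the outcome of any one test depends on which bindings are still live.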