06-10-2009 04:22 AM - edited 08-23-2017 12:31 PM
This document answers frequently asked questions about the Cisco VPN Client.
Note: The naming conventions for the various VPN Clients are:
Refer to Cisco Technical Tips Conventions for more information on document conventions.
A. You must log in and possess a valid service contract in order to access the VPN Client software. VPN Client software can be downloaded from the Software Center (registered customers only).
If you do not have a valid service contract associated with your Cisco.com profile you cannot log in and download the VPN Client software.
Follow these steps to obtain a valid service contract:
A. When you reach the VPN Client area of the Software Center (registered customers only) be sure that you select the downloads area for your desired operating system in the middle of the page.
A. Refer to the Documentation Changes section of the VPN Client Rel 4.7 Release Notes in order to learn about the two topics "Using MSI to Install the Windows VPN Client without Stateful Firewall" and "Using InstallShield to Install the Windows VPN Client without Stateful Firewall".
A. Refer to How to Uninstall Manually and Upgrade the Cisco VPN Client 3.5 and Later for Windows 2000 and Windows XP for the procedure to manually uninstall (InstallShield) and then upgrade the Cisco VPN Client Version 3.5 and later for Windows 2000 and Windows XP.
A. The MST file is no longer provided with the VPN Client, but you can download it from the Software Center (registered customers only):
Filename: Readme and MST for installation on the international version of Windows.
A. The VPN client doesn't have such a capability. You can only launch scripts before and after VPN start/termination.
A. On CCO.
A. Not at this time. If you want 64-bit support please use the AnyConnect SSL VPN client at this time.
If you try to install the Cisco IPsec VPN client on a 64-bit machine, it errors out with a message and you are not allowed to proceed with the installation.
Update: Yes, VPN Client v5.0.7 supports Windows 7 and Vista 64-bit platforms. See Release Notes for details.
A. The VPN Client doesn't support any virtualized software at this time.
A. Cisco VPN Client Version 5 is available for 32-bit Windows Vista. Support for 64-bit Windows Vista is not available at this time. This client and release notes can be obtained from the Software Center (registered customers only).
Update: Yes, VPN Client v5.0.7 supports Windows 7 and Vista 64-bit platforms. See Release Notes for details.
Note: Cisco VPN Client is supported only on a clean install of Windows Vista. An upgrade from any other Windows OS to Windows Vista is not supported with the Vista VPN Client software. You must perform a fresh installation of Windows Vista and then install the Vista VPN Client software.
Note: If you do not have a valid service contract associated with your Cisco.com profile you cannot log in and download the VPN Client software. See Download VPN Client Software for more information.
Tip: The Cisco AnyConnect VPN Client is now available for the Windows Operating Systems, which includes Vista 32 and 64-bit. The AnyConnect client supports SSL and DTLS. It does not support IPSec at this time. Additionally, AnyConnect is available only for use with a Cisco Adaptive Security Appliance that runs version 8.0(2) or later. The client can also be used in weblaunch mode with IOS appliances running version 12.4(15)T. VPN 3000 is not supported.
The Cisco AnyConnect VPN Client and ASA 8.0 can be obtained from the Software Center (registered customers only). Refer to the Cisco AnyConnect VPN Client Release Notes for more information on the AnyConnect Client. Refer to the Cisco ASA 5500 Series Adaptive Security Appliances Release Notes for more information on ASA 8.0.
Note: If you do not have a valid service contract associated with your Cisco.com profile you cannot log in and download the AnyConnect VPN Client or ASA software. See Download VPN Client Software for more information.
A. Setup depends on the version of Microsoft Windows that you run. You should contact Microsoft for specific information. These are setup instructions for some of the common versions of Windows.
Windows 95
Windows 98
Windows 2000
Windows NT
Refer to Installing, Configuring, and Using PPTP with Microsoft Clients and Servers.
A. Support for additional operating systems is constantly added for the VPN Client. Refer to the system requirements in the release notes for the latest client to determine this, or refer to Cisco Hardware and VPN Clients Supporting IPsec/PPTP/L2TP.
A. Yes, you must have Administrator privileges to install the VPN Client on Windows NT and Windows 2000 because these operating systems require Administrator privileges to bind to the existing network drivers or to install new network drivers. The VPN Client software is networking software. You must have Administrator privileges to install it.
A. Yes.
A. No, the Cisco VPN 3000 Client is not compatible with Microsoft ICS on the same machine. You must uninstall ICS before you can install the VPN Client. Refer to Disabling ICS when Preparing to Install or Upgrade to Cisco VPN Client 3.5.x on Microsoft Windows XP for more information.
Although having the VPN Client and ICS on the same PC does not work, this arrangement does work.
A. Verify that the built-in firewall in Windows XP is disabled.
A. This issue has been resolved. View Cisco bug ID CSCdx15865 (registered customers only) in Bug Toolkit for more details.
A. The installation disables the welcome screen and the fast user switching. View Cisco bug ID CSCdu24073 (registered customers only) in Bug Toolkit for more details.
A. After signing on, type these.
A. Choose Control Panel > Network Connections > Remove Network Bridge to adjust this setting.
A. This is because the new release of RedHat has a newer version of the GCC compiler (3.2+), which causes the current Cisco VPN Client to fail. This issue has been fixed and is available in Cisco VPN 3.6.2a. View Cisco bug ID CSCdy49082 (registered customers only) in Bug Toolkit for more details or download the software from the VPN Software Center (registered customers only).
A. Microsoft automatically disables Fast User Switching in Windows XP when a GINA.dll is specified in the registry. The Cisco VPN Client installs the CSgina.dll to implement the "Start Before Login" feature. If you need Fast User Switching, then disable the "Start Before Login" feature. Registered users can get more information in Cisco bug ID CSCdu24073 (registered customers only) in Bug Toolkit.
Q. Are manual DNE upgrades to the VPN Client supported?
A. No. Cisco only supports the DNE module that ships and installs with the VPN Client releases.
A. This issue can be caused by firewall packages installed on your VPN client computer. In order to avoid this error message, ensure that no firewall or antivirus programs are installed or running on your PC at the time of installation.
A. You must add UseLegacyIKEPort=0 to the profile (.pcf file) found in the /etc/CiscoSystemsVPNClient/Profiles/ directory for the VPN Client 4.x to work with Mac OS X 10.3 ("Panther").
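One way to apply the UseLegacyIKEPort=0 change to every profile in a directory, as an added example that is not Cisco's code. It assumes a .pcf profile is INI-style text with the key under [main]; the host and group names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Cisco code): set UseLegacyIKEPort=0 in VPN Client profiles.
# Assumption: a .pcf profile is INI-style text and the key belongs under [main].

# set_legacy_ike_port FILE -> 0 changed, 1 already correct, 2 not a usable profile
set_legacy_ike_port() {
    pcf=$1
    [ -f "$pcf" ] && grep -q '^\[main]' "$pcf" || {
        echo "skip: $pcf has no [main] section" >&2; return 2; }
    tmp=$(mktemp) || return 2
    awk '
        # Pass 1 (first read of the file): is the key already present?
        NR == FNR { if ($0 ~ /^!?UseLegacyIKEPort[ \t]*=/) has_key = 1; next }
        # Pass 2: rewrite the first occurrence, drop later duplicates.
        /^!?UseLegacyIKEPort[ \t]*=/ {
            lock = (substr($0, 1, 1) == "!") ? "!" : ""   # keep a leading "!" prefix
            if (!wrote++) print lock "UseLegacyIKEPort=0"
            next
        }
        { print }
        # Key absent: add it directly under the [main] header.
        /^\[main]/ && !has_key && !wrote++ { print "UseLegacyIKEPort=0" }
    ' "$pcf" "$pcf" > "$tmp"
    if cmp -s "$tmp" "$pcf"; then rm -f "$tmp"; return 1; fi
    cp -p "$pcf" "$pcf.bak"     # keep the original beside the profile
    cat "$tmp" > "$pcf"         # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# fix_profiles DIR -> prints how many profiles were changed
fix_profiles() {
    changed=0
    for f in "$1"/*.pcf; do
        [ -e "$f" ] || continue
        if set_legacy_ike_port "$f"; then changed=$((changed + 1)); fi
    done
    echo "$changed"
}

# Offline demo on a constructed profile (hypothetical host and group names).
demo() {
    d=$(mktemp -d) || return 1
    printf '[main]\nHost=vpn.example.com\nGroupName=staff\n' > "$d/office.pcf"
    fix_profiles "$d" >/dev/null
    cat "$d/office.pcf"
    rm -rf "$d"
}
demo
```

Run as root, `fix_profiles /etc/CiscoSystemsVPNClient/Profiles` applies the change to the directory named above. Each modified profile keeps a `.bak` copy, and a second run changes nothing.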
A. Check the networking Control Panel to ensure that the Deterministic NDIS Extender (DNE) was not installed. Also choose Microsoft > Current Version > Uninstall in order to check for the uninstall file. Remove the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5624C000-B109-11D4-9DB4-00E0290FCAC5} file and retry the uninstallation.
A. Remove the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Uninstall key. Then reboot your computer, and reinstall the VPN Client.
Note: In order to find the correct key for the Cisco VPN Client software under the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Uninstall\<key to be determined>, go to the path HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems\ and click VPN Client. In the right-hand window, you see the Uninstall Path (under the Name column). The corresponding Data column displays the VPN Client Key value. You need to take this key as reference and go to the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Uninstall\. Then select the determined key and delete it.
Refer to Initialization Error Troubleshooting and refer to Cisco bug ID CSCdv15391 (registered customers only) in Bug Toolkit for more information.
A. This is because the new release of RedHat has a newer version of the GCC compiler (3.2+), which causes the current Cisco VPN Client to fail. This issue has been fixed and is available in Cisco VPN 3.6.2a. View Cisco bug ID CSCdy49082 (registered customers only) in Bug Toolkit for more details or download the software from the VPN Software Center (registered customers only).
A. The symptom of this problem is that the Linux Client seems to try to connect, but it never gets a response from the gateway device.
The Linux OS has a built-in firewall (ipchains) that blocks UDP port 500, UDP port 1000, and Encapsulating Security Payload (ESP) packets. Since the firewall is on by default, you either have to disable the firewall or open up the ports for IPsec communication for both inbound and outbound connections to fix the problem.
A. As stated in the product release notes, the Cisco VPN 5000 Client is supported up to version 10.1.x and thus is not supported on version 10.3. It is possible to make the VPN Client work when you reset the permissions on two of the installed files after you run the install script. This is an example.
Note: This configuration is not supported by Cisco.
sudo chown -R root:wheel /System/Library/Extensions/VPN5000.kext
sudo chmod -R go-w /System/Library/Extensions/VPN5000.kext
A. Install the latest DNE upgrade from Deterministic Networks.
208 15:09:08.619 01/17/08 Sev=Debug/7 CVPND/0x63400015
Value for ini parameter VAEnableAlt is 1.
209 15:09:08.619 01/17/08 Sev=Warning/2 CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)
210 15:09:08.619 01/17/08 Sev=Warning/3 CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.
A. It is a fairly generic error message, which usually requires manual uninstallation of the client. Follow the instructions in How to Uninstall Manually and Upgrade the Cisco VPN Client 3.5 and Later for Windows 2000 and Windows XP.
Once you have done the uninstall, make sure you reboot. Then reinstall the client. Make sure you are logged on as a user that has admin rights on the local machine.
A. The issue can be resolved if you restart the service after you close the VPN client in this way:
To stop:
sudo kextunload -b com.cisco.nke.ipsec
To start:
sudo kextload /System/Library/Extensions/CiscoVPN/CiscoVPN
A. No. The Nortel and other third-party VPN Clients cannot connect to the Cisco VPN 3000/ASA Concentrator.
A. Yes. As of Release 4.0, the VPN Client is compatible (can co-exist) with VPN clients from Microsoft, Nortel, Checkpoint, Intel, and others. This feature offers the ability to use other VPN products while the Cisco VPN Client is installed on the same PC, but not simultaneously with established tunnels.
A. Cisco VPN Clients are not supported with third party VPN Concentrators.
A. The VPN Client 1.1 has its own certificate store. The VPN Client 3.x can either store certificates in the Microsoft store using Common-Application Programming Interface (CAPI), or it can store them in Cisco's own store (RSA Data Security).
A. Yes, the VPN IPsec client warns the user when the certificate is about to expire, starting 30 days prior to expiration. There is no configuration setting to disable the certificate expiration popup. Renewing the certificate causes the popup to stop displaying.
A. No, groupname and username cannot be the same. This is a known issue, found in software versions 2.5.2 and 3.0, and integrated into 3.1.2. View Cisco bug ID CSCdw29034 (registered customers only) in Bug Toolkit for more information.
A. No, cards of this type are not supported.
A. No, this is not supported. We recommend that you use digital certificates to authenticate the VPN session without the need for end-user interaction.
A. The VPN Client now adjusts the Maximum Transmission Unit (MTU) size. The Set MTU Utility option is no longer a required installation step and has been removed from the Start menu. Use Internet Explorer in order to access the Set MTU Utility option. You can also choose Start > Run, choose Browse, and navigate to the Cisco Systems VPN Client directory.
A. Refer to the System Requirements in the release notes for your VPN Client to determine interoperability issues or support of personal firewalls. Starting in version 3.1, a new feature is added to the VPN 3000 Concentrator that detects what personal firewall software remote users have installed and prevents the users from connecting in the absence of the appropriate software. Select Configuration > User Management > Groups > Client FW and select the tab for the group to configure this feature.
A. The VPN Client does not work with AOL 7.0 without the use of split tunneling. View Cisco bug ID CSCdx04842 (registered customers only) in Bug Toolkit for more details.
A. If there is no communication activity on a user connection during this 30-minute period, the system terminates the connection. The default idle timeout setting is 30 minutes, with a minimum allowed value of 1 minute and a maximum allowed value of 2,147,483,647 minutes (more than 4,000 years).
Choose Configuration > User Management > Groups and choose the appropriate group name to modify the idle timeout setting. Select Modify Group, go to the HW Client tab, and type the desired value in the User Idle Timeout field. Type to disable timeout and allow an unlimited idle period.
A. Yes. Administrators can create a Cisco VPN Client installation floppy disk set that has all client configuration parameters preset so that the installation is completely hands-free for end users. Information related to the creation of a predefined configuration is noted in the Cisco VPN Client documentation.
A. Make sure that you run the latest drivers on the NIC card. This is always recommended. If possible, test to see if the problem is specific to the operating system, PC hardware, and other NIC cards.
A. Choose Options > Properties > Connections, and have the VPN Client pull down a Dial-Up Networking phone book entry in order to fully automate the dial-up into the VPN connection.
A. Refer to Notifying Remote Users of a Client Update. Ensure that you type the release information as "(Rel)", as noted in step 6 of the process.
A. The VPN Client is in "fall back" mode. This contributes to the delay. Uninstall the VPN Client and remove the offending applications to allow startup without being in "fall back" mode. Then reinstall the VPN Client.
View Cisco bug IDs CSCdt88922 (registered customers only) and CSCdt55739 (registered customers only) in Bug Toolkit for more information.
A. The ipsecdialer.exe was the original launching mechanism for VPN Client 3.x. When the GUI was changed in the 4.x versions, a new executable called vpngui.exe was created. The ipsecdialer.exe file was carried forward in name only for backward compatibility and just launches the vpngui.exe. This is the reason you could see the difference in the file size.
So when you downgrade from the 4.x to the 3.x VPN Client, you need the ipsecdialer.exe file to launch this.
A. The VPN Client in the startup folder supports the "Start Before Logon" feature. If you do not use the feature, then you do not need it in the startup folder.
A. The "Start Before Logon" feature requires the "user_logon" but a normal launch of the VPN Client by the user does not need this.
A. There was a bug in several Network Address Translation (NAT)/PAT implementations that causes ports less than 1024 not to be translated. On the VPN Client 3.1, even with NAT transparency enabled, the Internet Security Association and Key Management Protocol (ISAKMP) session uses UDP 512. The first VPN Client goes through the PAT device and keeps source port 512 on the outside. When the second VPN Client connects, port 512 is already in use. The attempt fails.
There are three possible workarounds.
A. Two clients can connect to the same head end from the same location as long as the clients are not both behind a device performing PAT such as a SOHO router/firewall. Many PAT devices can map ONE VPN connection to a client behind it, but not two. In order to allow two VPN clients to connect from the same location behind a PAT device, enable some sort of encapsulation such as NAT-T, IPSec over UDP, or IPSec over TCP at the head end. Generally, NAT-T or another encapsulation should be enabled if ANY NAT device is between the client and the head end.
A. The laptop might be retaining the routing information from the LAN connection. Refer to VPN Clients with Microsoft Routing Problems for information about how to resolve this issue.
A. Check the registry key named HKLM\Software\Cisco Systems\VPN Client\TunnelEstablished. If a tunnel is active, the value is 1. If no tunnel is present, the value is 0.
A. Follow the appropriate step(s) listed here in order to control the connection settings.
The Dead Peer Detection (DPD) interval varies based on the sensitivity setting. Once a response is not received, it moves into a more aggressive mode, and sends packets every five seconds until the peer response threshold is met. At that time, the connection is torn down. You can disable the keepalives, but if your connection does actually drop, you need to wait for the timeout. Cisco recommends that you set the sensitivity value very low initially.
A. No, this is not a supported or operational configuration. Only one IPSec remote access session can be sourced from a PC endpoint.
Document ID: 45102