Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Windows 7 VPN ---- no luck

Hi Everyone,

First some background...

We're running a 3015 series concentrator running VPN 3000 Concentrator Version 4.7.2.D. Our Windows 7 clients are 64Bit and are running the Cisco VPN client version 5.0.07.0290.

As I understand it the latest VPN client no longer has the firewall component...so I created a new VPN group and selected "no firewall" required. What I'm seeing in the log files says:

Remote end is NOT behind a NAT device

This   end is NOT behind a NAT device

Any sugguestions would be greatly appreciated.

~Steve

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Windows 7 VPN ---- no luck

If you change the current pool being used by a group on the concentrator, that most likely will disconnect the users yes.

Federico.

10 REPLIES

Re: Windows 7 VPN ---- no luck

Hi,

The message:

Remote end is NOT behind a NAT device

This   end is NOT behind a NAT device

Is just normal negotiation when chosing whether or not to use NAT-T

So, it does not represent a problem.

What is the problem with the VPN client? It won't connect or it does connect but it does not pass traffic?

Could you check the complete output from the logs and post it here?

Federico.

New Member

Re: Windows 7 VPN ---- no luck

Federico,

The client side gives the following error:

Secure VPN Connection terminated by Peer

Reason 427: Unknown Error Occurred at Peer.

The logs on the VPN concentrator show:


33508 06/07/2010 10:04:29.520 SEV=5 IKEDBG/64 RPT=6558 129.19.6.125
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

33510 06/07/2010 10:04:29.780 SEV=5 IKE/172 RPT=6438 129.19.6.125
Group [PRPA_W7]
Automatic NAT Detection Status:
   Remote end   IS   behind a NAT device
   This   end is NOT behind a NAT device

33514 06/07/2010 10:04:33.270 SEV=4 IKE/52 RPT=5695 129.19.6.125
Group [PRPA_W7] User [smiths]
User (smiths) authenticated.

33515 06/07/2010 10:04:33.290 SEV=4 IKE/131 RPT=2814 129.19.6.125
Group [PRPA_W7] User [smiths]
Received unknown transaction mode attribute: 28684

33516 06/07/2010 10:04:33.290 SEV=5 IKE/184 RPT=5674 129.19.6.125
Group [PRPA_W7] User [smiths]
Client Type: WinNT
Client Application Version: 5.0.07.0290

33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 129.19.6.125
Group [PRPA_W7] User [smiths]
Cannot obtain an IP address for remote peer - FAILED

33520 06/07/2010 10:04:33.300 SEV=5 IKE/194 RPT=6171 129.19.6.125
Group [PRPA_W7] User [smiths]
Sending IKE Delete With Reason message: No Reason Provided.

Re: Windows 7 VPN ---- no luck

Hi,

According to the logs, the user gets authenticated but cannot receive an IP address.

33518 06/07/2010 10:04:33.290 SEV=5 IKE/132 RPT=181 129.19.6.125
Group [PRPA_W7] User [smiths]
Cannot obtain an IP address for remote peer - FAILED

The concentrator should assign an IP to the client either via a local pool or a DHCP server or even an authentication server.

Normally, you create a local pool of addresses to assing to the client (this is what you're missing).

Federico.

New Member

Re: Windows 7 VPN ---- no luck

Federico,

I thought that portion of the configuratin be inherited from the base group values? Where would I find in the GUI to set the DHCP/IPs?

~Steve

Re: Windows 7 VPN ---- no luck

Steve,

Under

Configuration | System | Address Management |


Make sure you have the correct option.

Also, create the pool under

Configuration | System | Address Management | Pools

Federico.

New Member

Re: Windows 7 VPN ---- no luck

Federico,

Forgive my ignorance on the system configs - I've inherited this system and am not in it much....

Well I have only "User Address Pools" checked, but no pools configured yet we've been running this way for serveral years.

~Steve

Re: Windows 7 VPN ---- no luck

Check the following:

Configuration | User Management | Groups

When you select a group, on the right side you have ''Address Pools''

Check if each group has Address Pool assigned.

Federico.

New Member

Re: Windows 7 VPN ---- no luck

Ah ha!

Thank you...I think that will solve the problem. If I need to change an IP range on another group does that disconnect users currently on the concentrator?

Many thanks,

~Steve

Re: Windows 7 VPN ---- no luck

If you change the current pool being used by a group on the concentrator, that most likely will disconnect the users yes.

Federico.

5236
Views
0
Helpful
10
Replies