Fix 10 common Cisco VPN problems


As with all things IT, you will eventually run into problems that you need to correct. In the case of Cisco VPNs, this can be a true challenge, since Cisco has so many different ways to handle VPN connectivity, ranging from VPN capabilities included in some routers, to the VPN services offered by PIX firewalls, up to the Cisco VPN Concentrator, and each has its own quirks. As such, not all of these tips will necessarily pertain to every VPN configuration available from Cisco. However, they will give you a place to start as you work on fixing problems with your VPN.

A user running Internet Connection Sharing is having trouble installing the Cisco 3000 VPN client

This is an easy one to fix. The user needs to disable ICS on his machine before installing the VPN client. I recommend that the user replace ICS with a decent home router with a firewall. Note that this is not necessary if the VPN machine simply connects through another machine that is using ICS. To disable ICS, go to Start | Control Panel | Administrative Tools | Services | Internet Connection Sharing and disable the "Load on Startup" option. On a somewhat unrelated note, make sure users are also aware that the VPN client disables the XP welcome screen and Fast User Switching, which are commonly used on multiuser home machines.

The old standby, [Ctrl][Alt][Del], still works, though, and users will need to type their usernames and passwords instead of clicking a picture of a cat. (Note: Fast User Switching can be enabled by disabling the client's "Start Before Login" feature. This could have its own problems, though, so I wouldn't recommend it unless you really, really need Fast User Switching.)

One more thing regarding the client install: Cisco does not recommend installing multiple VPN clients on the same PC. If you have a problem and need to call support, uninstall the other clients and test before making that call.

If you are using shared keys, make sure they match

If you're getting errors in your logs related to preshared keys, you may have mismatched keys on either end of the VPN connection. If this is the case, your logs may indicate that exchanges between the client and VPN server are fine well into the IKE main mode security association. Some time after this part of the exchange, the logs will indicate a problem with keys. On the concentrator, go to the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN option and select your IPsec configuration. In the preshared key field, enter your preshared key. On a Cisco PIX firewall used in conjunction with the concentrator, use the command

isakmp key password address xx.xx.xx.xx netmask 255.255.255.255

where password is your preshared key. The key used in your concentrator and on your PIX should match exactly.

Users running some firewall software are reporting errors when trying to connect to the VPN

Some ports need to be open in firewall software such as BlackIce (BlackIce has other problems with regard to the Cisco VPN client, too; refer to the client's release notes for more information), Zone Alarm, Symantec, and other Internet security programs for Windows, and in ipchains or iptables on Linux machines. In general, if your users open the following ports in their software, you should see a stop to the complaints:

  • UDP ports 500, 1000 and 10000
  • IP protocol 50 (ESP)
  • The TCP port configured for IPSec/TCP
  • NAT-T port 4500 (UDP)

You may also have custom-configured ports for IPSec/UDP and IPSec/TCP. Make sure the ports you configure are also open in the client software.

Home VPN users complain that they cannot access other resources on their home network when the VPN connection is established

This generally happens as a result of split tunneling being disabled. While split tunneling can pose security risks, these risks can be mitigated to a point by having strong, enforced security policies in place that are automatically pushed to the client upon connection (for example, a policy could require that current antivirus software be installed, or that a firewall be present). On a PIX, use this command to enable split tunneling:

vpngroup vpngroupname split-tunnel split_tunnel_acl

You should have a corresponding access-list command that defines what will come through the encrypted tunnel and what will be sent out in the clear. For example:

access-list split_tunnel_acl permit ip 10.0.0.0 255.255.0.0 any

or whatever your IP range is.

On a Cisco 3000 Series VPN Concentrator, you need to tell the device which networks should be included over the encrypted tunnel. Go to Configuration | User Management | Base Group and, from the Client Config tab, choose the Only Tunnel Networks In The List option, create a network list of all of the networks at your site that should be covered by the VPN, and choose this network list from the Split Tunneling Network List drop-down box.
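As an added example (not from the original article or from Cisco), the following Python script audits the PIX split-tunnel configuration described above: it resolves each vpngroup's split-tunnel ACL, lists the networks that will be sent through the tunnel, and reports an ACL that is referenced but never defined. The configuration fragment, the group names and the network ranges are constructed for the example.

```python
import ipaddress

# Constructed sample PIX configuration fragment (not from a real device);
# it uses only the vpngroup and access-list commands shown above.
PIX_CONFIG = """\
access-list split_tunnel_acl permit ip 10.0.0.0 255.255.0.0 any
access-list split_tunnel_acl permit ip 192.168.50.0 255.255.255.0 any
vpngroup remote_users split-tunnel split_tunnel_acl
vpngroup contractors split-tunnel contractors_acl
vpngroup everything split-tunnel all_acl
access-list all_acl permit ip any any
"""


def parse_pix(config):
    """Return (acls, groups): ACL name -> permitted source networks as CIDR
    strings, and vpngroup name -> ACL named in its split-tunnel option."""
    acls, groups = {}, {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src = t[4:]
            if src[0] == "any":
                net = "0.0.0.0/0"
            else:
                # PIX access-lists take a regular netmask, not a wildcard mask
                net = str(ipaddress.IPv4Network((src[0], src[1])))
            acls.setdefault(t[1], []).append(net)
        elif len(t) == 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            groups[t[1]] = t[3]
    return acls, groups


def audit_split_tunnel(config):
    """Report, per vpngroup, the networks that will go through the tunnel.
    A referenced but undefined ACL is an error; an ACL that tunnels
    0.0.0.0/0 is flagged because it sends everything through the tunnel."""
    acls, groups = parse_pix(config)
    report = {}
    for group, acl_name in groups.items():
        nets = acls.get(acl_name)
        if nets is None:
            report[group] = {"error": f"access-list {acl_name} is not defined"}
            continue
        entry = {"acl": acl_name, "tunneled": nets}
        if "0.0.0.0/0" in nets:
            entry["warning"] = "ACL tunnels all traffic; nothing is split"
        report[group] = entry
    return report
```

Running audit_split_tunnel(PIX_CONFIG) shows remote_users tunneling 10.0.0.0/16 and 192.168.50.0/24, contractors with a missing ACL, and everything flagged because its ACL tunnels all traffic.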

The user's remote network is using the same IP address range as the VPN server's local network (Client VPN release 4.6 with virtual adapter, Windows 2000/XP)

This is somewhat specific to these particular operating systems, but it can be quite frustrating to troubleshoot! Version 4.6 of the Cisco VPN client tries to handle these kinds of IP address conflicts, but it isn't always able to do so. In these cases, traffic that is supposed to be traversing the VPN tunnel stays local due to the conflict.

On the affected client, go to Start | Control Panel | Network and Dialup Connections | local adapter. Right-click the adapter and choose Properties. From the Properties page, choose TCP/IP and click the Properties button. Now click the Advanced option, find the Interface Metric option and increase the number in the box by 1. This effectively tells your computer to use the local adapter second. The VPN adapter will probably have a metric of 1 (lower than this new metric), making it the first choice as a traffic destination.

Certain router/firmware combinations introduce client VPN connection problems

The Cisco VPN client has problems with some old (and sometimes new) home routers, usually with specific firmware versions. If you have users with consistent connection problems, ask that they upgrade the firmware in their router, particularly if they have an old unit. Among the router models that are known to have problems with the Cisco client are:

  • Linksys BEFW11S4 with firmware releases lower than 1.44
  • Asante FR3004 Cable/DSL Routers with firmware releases lower than 2.15
  • Nexland Cable/DSL Routers model ISB2LAN

If all else fails, have a spare router on hand to lend to a user to help narrow down the potential problems. Ultimately, the router may need to be replaced.

Users report that the client is terminating when they try to establish a connection

In this situation, users will see an error message similar to:

VPN connection terminated locally by the Client. Reason 403: Unable to contact the security gateway.

This error can be caused by a couple of different things:

  1. The user might have entered an incorrect group password.
  2. The user may not have typed the right name or IP address for the remote VPN endpoint.
  3. The user may be having other problems with his Internet connection.

Basically, for some reason, the IKE negotiation failed. Check the client log, enabled by going to Log | Enable, and try to find errors that say Hash Verification Failed to further narrow down the problem.
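As an added example (not from the original article or from Cisco), this Python triage helper applies the log-reading advice from this section and from the preshared-key section above: it flags Hash Verification Failed and Reason 403 lines with the checks the article recommends, and attributes a key error to mismatched preshared keys only when IKE main mode had already completed. The sample log lines are constructed and only approximate the Cisco client's wording; the gateway address is a constructed value.

```python
import re

# Constructed sample lines in the spirit of the Cisco VPN client log; the
# wording is illustrative and not the client's exact log format.
SAMPLE_LOG = """\
12:00:01 IKE: starting phase 1 negotiation with 203.0.113.10
12:00:01 IKE: main mode security association established
12:00:02 IKE: Hash Verification Failed
12:00:02 IKE: preshared key processing error
12:00:03 CM: VPN connection terminated locally by the Client. Reason 403: Unable to contact the security gateway.
"""

# Each rule pairs a log pattern with the checks the article recommends.
RULES = [
    (re.compile(r"hash verification failed", re.I),
     "IKE negotiation failed: verify the group password and the gateway name/IP"),
    (re.compile(r"reason 403", re.I),
     "Client could not reach the security gateway: check the group password, "
     "the gateway name/IP and the user's Internet connection"),
]


def triage(log_text):
    """Map client log lines to the article's likely causes.

    Returns a list of (line_number, finding). A preshared-key error is
    attributed to mismatched keys only when IKE main mode had already
    completed, which is the pattern the article describes."""
    findings = []
    main_mode_done = False
    for n, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        if "main mode" in low and "established" in low:
            main_mode_done = True
        if re.search(r"pre-?shared key", low):
            if main_mode_done:
                findings.append((n, "Key error after IKE main mode: preshared "
                                    "keys likely differ between the two ends"))
            else:
                findings.append((n, "Key error before IKE main mode completed"))
        for pattern, msg in RULES:
            if pattern.search(line):
                findings.append((n, msg))
    return findings
```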

You are having trouble establishing a VPN connection from behind a NAT device or to a VPN server behind a NAT device

This problem can occur across all of Cisco's VPN hardware, since it's inherent in the way that IPSec worked before the introduction of standards that allow modification of packet headers during transmission. To correct this problem, enable NAT Traversal (NAT-T) on your hardware, and allow UDP port 4500 through your firewall.

If you're using a PIX firewall as both your firewall and VPN endpoint, make sure to open port 4500, and enable NAT traversal in your configuration with the command

isakmp nat-traversal 20

where 20 is the NAT keepalive time period. If you have a separate firewall and a Cisco VPN Concentrator, make sure to open up UDP port 4500 on your firewall with a destination of the concentrator. Then, on the concentrator, go to Configuration | Tunneling and Security | IPSec | NAT Transparency and check the "IPsec over NAT-T" option.

Further, make sure that any client that is in use on the user end also supports NAT-T.

Users successfully establish a VPN connection, but the connection periodically drops

Again, there are a number of places you can check to try to nail down this problem. First, verify that the user's computer did not go into standby mode or hibernate, and that a screen saver did not pop up. Standby and hibernation can interrupt your network connection when the VPN client expects a constant link to the VPN server. Your users may also have configured their machines to shut down a network adapter after a certain amount of time in order to save power.

If wireless is in use, your user may have wandered to a location with a low (or no) wireless signal, and the VPN might have dropped as a result. Further, your user might have a bad network cable, problems with their router or Internet connection, or any number of other physical connection problems.

There have also been some reports that a VPN endpoint (PIX or 3000 concentrator) that has exhausted its pool of IP addresses may also result in this error on the client, although I have personally never seen this.

A user reports that his machine is no longer "visible" on his local network, even when the VPN client is disabled

Other symptoms may include an inability for any other machine on the user's network to ping the VPN machine, even though that machine is perfectly capable of seeing all other machines on the network. If this is the case, the user may have enabled the VPN client's built-in firewall. If this firewall is enabled, it will stay running even when the client is not running. To change this, open the client and, from the Options page, uncheck the box next to the Stateful Firewall option.