Cisco PIX VPN - not all clients connect

Ok, I searched for an answer before asking. I found related issues, but nothing that is helping me.

I have a Cisco PIX 501. It's working.

I have two remote clients that can connect via VPN. They work great.

I tried to set up two new clients, but they refuse to connect, giving the "Unable to contact the remote gateway" error. (That's 403, as I recall.) These clients are in a remote location. In the office, I set up those same two clients outside the firewall (behind another firewall) and I still cannot connect via VPN.

Both "new" systems have functional Internet access. So, I did a telnet xx.xx.xx.xx 25 from both clients to verify that I could *reach* the gateway. I was able to connect to the mail server.

I briefly looked at the Cisco log, but the system I had to use was very slow, and I couldn't wait for the log to update, but the only real errors I saw were something about an "spi" problem on an incoming connection. I didn't have the time to verify that it was the address I was coming from for my testing.

So I am stuck. I'm planning on calling Cisco for help, because I have to get these working, but if someone here has a suggestion, I am all ears!!

Thanks.

-- Rob --

td_miles Commented:
suggestion: get the logs and post them here, that way we have something to go on. If you open a call with Cisco, they will ask for the same thing (you could guess endlessly otherwise).

Are they WinXP? Do they have SP2 installed?

Is there anything different between the clients that connect and those that don't?

iistech (Author) Commented:
I always forget to add info...

The clients are all Windows 98. My system is XP. The two new clients are Windows 98.

I can't post log info now because the PIX has such a severe limit on the size of the log; all the entries related to the VPN connection attempts are gone now.

I just need to understand why, out of five similarly configured clients, two of the clients cannot connect, while three others can. I could use some guidance in what to look for.

Cisco hardware is non-intuitive and convoluted. Since I am getting the "Unable to contact the security gateway" error, I would assume that either the network connection is bad or there is an authentication problem. I've proven that there's a connection to the Internet. I have triple-checked the VPN credentials. I just connected from the system I am currently working on. I don't know what would cause those two other systems to not connect.

-- Rob --

Tim Holman Commented:
Which version of PIX did you get? It comes in 10, 50 and unlimited user variants.
You may just be exceeding the license count.

iistech (Author) Commented:
Since there's only 5 users connecting, that wouldn't be the problem.

In this case, I found that he had entered the password for the VPN client incorrectly. (Part of that fault was mine because I had a one and a lowercase "L" next to each other, so the "1l" looked like two ones when printed.)

The way this was determined for sure was that the Cisco support person had him copy the profile from a working system to one of the new systems. (I wasn't aware you could do this because it's not documented.)

So, once the password was entered correctly, everything was fine.

Thanks to those who responded!!

-- Rob --

Tim Holman Commented:
Hmmm... the right password always helps! ;)

td_miles Commented:
good to see you got your problem sorted out, now you just need to close the question. If you need help, or are wondering about your options, have a look here:

http://www.experts-exchange.com/help.jsp#hs5


Thanks.

iistech (Author) Commented:
Since my result seems to fall into the "I answered my own question", I guess I need to close this now and get a refund. (At least that's what the FAQ file says to do.)

Had I known I could copy a profile for a VPN client, I would never have needed to post. Now I just have to figure out how to set up those profiles for future users!!

Thanks, again, to everyone who responded.

-- Rob --

td_miles Commented:
yes, that would probably be the most appropriate response. You need to give notification that you intend to request a refund (which you have) so that anyone who wishes to object can (which they shouldn't in this case). Give it a couple of days, then submit your request to have the question refunded.

In relation to copying the user profiles, it is a little documented function. You can find some more info on using profiles at:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html

Tim Holman Commented:
You need to 'PAQ - Refund' this question, so post up this request in community support, and you'll get your points back within the week. ;)

td_miles Commented:
I think he should lose the points, just because I am feeling vindictive this morning  }:)

After all, both Tim & I tried to point him in the direction of what to do to request a refund, with no response at all from the poster...

Venabili Commented:
Well... Not everyone can get this kind of instructions...
Posted solution -> PAQ - refund... :)

td_miles Commented:
I guess I'll have to go and club a baby seal now instead...

iistech (Author) Commented:
I'm still paying nine bucks per month for this forum and I'm still working multiple jobs; I already gave thanks. Feel free to take the points. As long as I still get help when I need it.

-- Rob --

td_miles Commented:
Rob, sorry to have antagonised you, I was just messing around a bit. Of course you will still get help, in the words of Kevin Costner:

If you ask a question, they will come...

CetusMOD Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator