Solved

Cisco PIX VPN - not all clients connect

Posted on 2004-09-09
Last Modified: 2013-11-16
Ok, I searched for an answer before asking. I found related issues, but nothing that is helping me.

I have a Cisco PIX 501. It's working.

I have two remote clients that can connect via VPN. They work great.

I tried to set up two new clients, but they refuse to connect, giving the "Unable to contact the remote gateway" error. (That's 403, as I recall.) These clients are in a remote location. In the office, I set up those same two clients outside the firewall (behind another firewall) and I still cannot connect via VPN.

Both "new" systems have functional Internet access. So, I did a telnet xx.xx.xx.xx 25 from both clients to verify that I could *reach* the gateway. I was able to connect to the mail server.

I briefly looked at the Cisco log, but the system I had to use was very slow, and I couldn't wait for the log to update, but the only real errors I saw were something about an "spi" problem on an incoming connection. I didn't have the time to verify that it was the address I was coming from for my testing.

So I am stuck. I'm planning on calling Cisco for help, because I have to get these working, but if someone here has a suggestion, I am all ears!!

Thanks.

-- Rob --
0
Question by:iistech
16 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 12023796
Suggestion: get the logs and post them here, that way we have something to go on. If you open a call with Cisco, they will ask for the same thing (you could guess endlessly otherwise).

Are they WinXP? Do they have SP2 installed?

Is there anything different between the clients that connect and those that don't?
0
 

Author Comment

by:iistech
ID: 12025355
I always forget to add info...

The clients are all Windows 98. My system is XP. The two new clients are Windows 98.

I can't post log info now because the PIX has such a severe limit on the size of the log; all the entries related to the VPN connection attempts are gone now.

I just need to understand why, out of five similarly configured clients, two of the clients cannot connect, while three others can. I could use some guidance in what to look for.

Cisco hardware is non-intuitive and convoluted. Since I am getting the "Unable to contact the security gateway" error, I would assume that either the network connection is bad or there is an authentication problem. I've proven that there's a connection to the Internet. I have triple-checked the VPN credentials. I just connected from the system I am currently working on. I don't know what would cause those two other systems to not connect.

-- Rob --
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12027716
Which version of PIX did you get? It comes in 10, 50 and unlimited user variants.
You may just be exceeding the license count.
0
 

Author Comment

by:iistech
ID: 12032113
Since there's only 5 users connecting, that wouldn't be the problem.

In this case, I found that he had entered the password for the VPN client incorrectly. (Part of that fault was mine because I had a one and a lowercase "L" next to each other, so the "1l" looked like two ones when printed.)

The way this was determined for sure was that the Cisco support person had him copy the profile from a working system to one of the new systems. (I wasn't aware you could do this because it's not documented.)

So, once the password was entered correctly, everything was fine.

Thanks to those who responded!!

-- Rob --
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12039261
Hmmm... the right password always helps! ;)
0
 
LVL 13

Expert Comment

by:td_miles
ID: 12039825
Good to see you got your problem sorted out, now you just need to close the question. If you need help, or are wondering about your options, have a look here:

http://www.experts-exchange.com/help.jsp#hs5


Thanks.
0
 

Author Comment

by:iistech
ID: 12040902
Since my result seems to fall into the "I answered my own question", I guess I need to close this now and get a refund. (At least that's what the FAQ file says to do.)

Had I known I could copy a profile for a VPN client, I would never have needed to post. Now I just have to figure out how to set up those profiles for future users!!

Thanks, again, to everyone who responded.

-- Rob --
0
 
LVL 13

Expert Comment

by:td_miles
ID: 12041046
Yes, that would probably be the most appropriate response. You need to give notification that you intend to request a refund (which you have) so that anyone who wishes to object can (which they shouldn't in this case). Give it a couple of days, then submit your request to have the question refunded.

In relation to copying the user profiles, it is a little-documented function. You can find some more info on using profiles at:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12042134
You need to 'PAQ - Refund' this question, so post up this request in community support, and you'll get your points back within the week.  ;)
0
 
LVL 13

Expert Comment

by:td_miles
ID: 15896895
I think he should lose the points, just because I am feeling vindictive this morning  }:)

After all, both Tim & I tried to point him in the direction of what to do to request a refund, with no response at all from the poster...
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15897041
Well... Not everyone can get this kind of instructions...
Posted solution -> PAQ - refund... :)
0
 
LVL 13

Expert Comment

by:td_miles
ID: 15897148
I guess I'll have to go and club a baby seal now instead...
0
 

Author Comment

by:iistech
ID: 15900186
I'm still paying nine bucks per month for this forum and I'm still working multiple jobs; I already gave thanks. Feel free to take the points. As long as I still get help when I need it.

-- Rob --
0
 
LVL 13

Expert Comment

by:td_miles
ID: 15900904
Rob, sorry to have antagonised you, I was just messing around a bit. Of course you will still get help, in the words of Kevin Costner:

If you ask a question, they will come...
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 15934960
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
