baggio8


Zone Alarm causes conflicts with VPN clients on Windows XP machine

Hi experts.  This one has me buggers!  I have a client, who does programming for different manufacturers and has to connect through multiple VPN clients to access their networks.  Sometimes it seems hard to get this stuff to all work together.  Currently they use Cisco client primarily along with Windows VPN.  Also, one of their clients requires Aventail with Zone Alarm Integrity client, which just seems to be a proprietary client put out by Checkpoint.  I won't even get into the AT&T client, since that won't work with anything.  We have to have that set up alone on its own machine.
The Zone Alarm seems to be the problem.  Whenever the Zone Alarm is loaded at system boot it will lock up the machine.  If I disable the True Vector Service and change the preferences to prevent the program from loading on start up everything is fine to boot.  The other problem is that I can't remove Zone Alarm with the Add and remove Programs.  At this point something seems to be damaged as I can't connect through the Cisco or MS VPN.  I ran winsockfix, but that didn't work.  We have this same setup on about 10 Dell laptops and I only just ran into the issue on our two newest machines-Dell 620's.  I finally did a clean install on one to get it cleaned up, but it's still an issue on this machine.  Help experts! I've spent many hours beating myself up on this one.
redseatechnologies

Hi baggio8,

What is stopping you from just purging your network of ZoneAlarm and simply using the Windows firewall in SP2?

ZoneAlarm has never been good with VPNs; you need to add it as a trusted IP address (the VPN server) before it will get close to working.

-red
baggio8

ASKER

I'd drop it like a hot potato if I could.  The proprietary design of Aventail requires that the Zone Alarm Integrity client be loaded before it will allow the VPN client to connect.  
What a pain.

Have you tried manually reconfiguring ZA so that it considers the VPN server addresses as trusted?
Personally what I do for customer connections is have a VMWARE virtual 2000 or XP machine for each client with their own VPN client software installed and any patches and AV software they insist on.  I use it on VMWARE workstation as I have a licensed version but it could easily run on the free VMWARE player too.  This connects back through bridged network connection and gets IP from DHCP as normal and to all intents and purposes is just another machine on the network.  The virtual machines connect back to host machine to share files etc.  It also means that people that need different software versions that clash or issues like you have only affect one VM - you can also roll this one VM out to all your laptops by simply copying the directory and changing the hostname :-)

Steve
(Sorry, I don't know how to fix your current problem, just been there with client apps breaking other stuff already installed like this which is why they all go on separate VMs...)

Steve
I have several questions to narrow down your issue.

1.  Have you tried removing ZoneAlarm in safe mode?
2.  What error message do you get when trying to connect through the Cisco VPN client?
3.  Can you telnet through the VPN port that you are using?
4.  A). What transport protocol are you using in the Cisco client, UDP or TCP?  (Have you tried switching protocols?)
    B). If TCP, then what port are you trying to connect through, and have you tried using an alternate port number?
5.  What happens when you perform a trace route to the VPN host?
6.  What version of the Cisco VPN software are you using?  Have you tried another version?
7.  Assuming the new laptops have a different hardware abstraction layer, then I assume they are imaged differently.  In this case what software is installed on these laptops that is not on the old laptops (Windows updates, new software versions, different network cards or more recent network card drivers, Adobe 6.0 rather than Adobe 6.4...etc)?
8.  This is probably obvious from the above, but please verify the version of the VPN client you are using is the same on the older and newer machines.
We've solved a very similar situation by using virtual machines. Create a different virtual machine for each unique VPN client/requirement. Use Microsoft Virtual PC to create the VMs and then you can use VMWare's free player to run multiple VMs at once on most any good desktop.
lrmoore: snap :-)

ASKER

Hello experts!  Thank you for your feedback and sorry for my delay in responding.  
Since my initial post my first laptop that I did the clean install on just "done blowed up".  I have since performed new clean installs on both and they are (for now) working fine.  I can provide no explanation as to why or how I accomplished this, nor do I care to continue.  I have come to the conclusion that it is folly to further consider "why bad things happen to good software"  and to babysit misbehaving rogue applications.  
The VM ultimately sounds like the way to go, but I haven't a clue as to how to proceed.  I have multiple copies of MS VM 2004 and I see where to download the VM Player.  Do I need to have multiple licenses of the OS on each laptop? Would it make sense to set up the laptop standard config with Cisco client and then add a VM for Aventail and a VM for AT&T client?  How would I do this?

Thanks experts for your valuable information!  

ASKER

Merry Christmas experts.  I didn't get any feedback to my last post.  Please respond so I can get this info and I can close the question.

Thanks!
ASKER CERTIFIED SOLUTION
Steve Knight