David Schmalzer asked:
Cisco Vpn client not working everywhere
I am experiencing a situation that I cannot figure out. I connect the latest Cisco VPN client (5.0.01.0600) to an ASA5505 firewall. It seems I can connect fine from anywhere I go except one particular office. This office has their own WatchGuard firewall and the admin insists (not very nice to work with) that everything that needs to be opened on their end is open. It was working from their location until they recently changed their IP addresses, and they tell me they change their IP addresses at regular intervals.
Anyway, when I try to connect to the ASA, I get the error VPN connection terminated locally by the Client. Reason 412 The peer is no longer responding.
Let's assume, for argument's sake, that their administrator is correct and the problem is at the target ASA5505.
Is there anything I need to "open" or check on the ASA5505 to allow the remote location's IP address in? As an FYI, I know my way around a little through the ASDM GUI and am not as familiar with console commands. Any guidance would be appreciated.
Does their internal DHCP address assignment conflict with the subnet configured in your VPN IP pool?
Hello,
I know that the Cisco VPN client uses port 500, 4500, or 10000 on UDP.
Thanks,
Kelly W.
ASKER
No, not at all.
ASKER
Kelly W.: Correct, but does that explain why I can successfully connect from other locations? Their administrator insists that the above ports are open on their firewall.
Hello,
Well, how about you change the VPN Cisco software at that site to use port 80 or port 443?
Here is the link to change it:
http://www.greghughes.net/rant/UseCiscoVPNClientOnTCP443Or80ToSolveConnectivityProblems.aspx
Thanks,
Kelly W.
ASKER
No go.
Hello,
Can you report any logs that the Cisco VPN client produces?
Thanks,
Kelly W.
ASKER
I enabled and turned the logs on, but nothing showing up oddly in the log window.
Hello,
There is a previous thread that is similar to this on here:
https://www.experts-exchange.com/questions/22629895/Problem-using-Cisco-VPN-to-connect-through-a-watchguard-firewall.html
Maybe that will fix the issue.
Thanks,
Kelly W.
ASKER
Nope.
Have you tried deleting the VPN agent's information from the DNS/WINS records? These might contain old records from the previous IPs before the change, if DNS/WINS never updated appropriately.
ASKER CERTIFIED SOLUTION
Hello,
I would also make sure that it is the UDP side of port 50, since on some firewalls you can open up either the TCP or the UDP side of things.
Thanks,
Kelly W.
Make sure you have nat-traversal enabled on the ASA. Just put this command in at the command-line tool of the ASDM:
crypto isakmp nat-traversal 25
If that still fails, you can enable TCP for the VPN and it usually fixes any local firewall issues.
ASKER
lrmoore,
I see in the ASA configuration that there already is an entry: crypto isakmp nat-traversal 20. What do those numbers mean, and should I still add the entry with 25?
Kelly W:
When you say open up the TCP or UDP side of things, what do you mean specifically as far as commands or ASDM entries? Be specific please.
Everyone,
Is there anything that anyone has stated here that is disagreeable?
Thanks everyone so far.
If the nat-traversal command is there, you can leave it alone.
The number is a timeout, with 20 being the default. Sometimes the default doesn't show up in the config, so I like to use just a slight variation using 25.
In the ASDM you should have an option to enable IPsec over TCP (look in Remote Access VPN, Network (Client) Access, Advanced, IPsec, IKE Parameters).
Check the box to enable TCP on port 10000
Then on the client profile, select [x] Enable Transparent Tunneling (*) IPSec over TCP port 10000
This helps communications through other firewalls.
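As an added example (not from the thread or from any of its participants), the following Python reads the ISAKMP lines of an ASA running config and reports which transports are enabled and which protocols/ports the remote site's firewall must therefore allow out to the ASA: UDP 500 for IKE, ESP (IP protocol 50) for native IPsec, UDP 4500 when NAT traversal is on, and TCP 10000 (or whatever is configured) when IPsec over TCP is enabled. The config text is a constructed sample whose values match the thread, not the asker's real configuration.

```python
import re

# Constructed sample of the relevant ASA config lines (not a real device's config).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
"""

def parse_isakmp(config: str) -> dict:
    """Extract the remote-access IPsec transport settings from ASA config text."""
    s = {"enabled_interfaces": [], "nat_traversal": None, "ipsec_over_tcp_ports": []}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp enable (\S+)$", line)
        if m:
            s["enabled_interfaces"].append(m.group(1))
            continue
        # The argument is the NAT-T keepalive interval in seconds; 20 is the default.
        m = re.match(r"crypto isakmp nat-traversal(?: (\d+))?$", line)
        if m:
            s["nat_traversal"] = int(m.group(1) or 20)
            continue
        # 'ipsec-over-tcp' may list several ports; with none given the ASA uses 10000.
        m = re.match(r"crypto isakmp ipsec-over-tcp(?: port ((?:\d+\s*)+))?$", line)
        if m:
            ports = m.group(1).split() if m.group(1) else ["10000"]
            s["ipsec_over_tcp_ports"].extend(int(p) for p in ports)
    return s

def required_transports(settings: dict) -> list:
    """Protocols/ports a remote site must permit outbound for a client to reach the ASA."""
    needed = [("udp", 500), ("esp", 50)]          # IKE phase 1; native ESP (IP protocol 50)
    if settings["nat_traversal"] is not None:
        needed.append(("udp", 4500))               # NAT-T: IKE and ESP encapsulated in UDP
    for port in settings["ipsec_over_tcp_ports"]:
        needed.append(("tcp", port))               # IPsec over TCP, the client's fallback
    return needed

if __name__ == "__main__":
    parsed = parse_isakmp(SAMPLE_CONFIG)
    print("ISAKMP enabled on:", parsed["enabled_interfaces"])
    for proto, value in required_transports(parsed):
        print(f"allow {proto} {value}")
```

When a client reports Reason 412 from only one site, comparing this list against what that site's firewall actually passes is the quickest way to tell an ASA-side problem from a path problem.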
ASKER
It turns out, as suspected, that the problem was on the other admin's firewall, although he won't disclose what the problem/solution was. Thanks everyone for responding.