mrpierce2


Preventing connection timeout when using VPNC in place of Cisco VPN Client for Mac

Hello experts.  Had my boss previously set up to connect to our PIX 506e via the last VPN Client for Mac (4.9.01.0180) and an elegant little app managing the connections called Shimo.  All was well.  Upon purchasing a new Mac Pro (5,1) with Snow Leopard recently we started receiving "Error 51: Unable to communicate with the VPN subsystem."  Haven't had to change things for a while so when I got up to date I realized that the older Cisco client doesn't run in OS X 64-bit.  Further research revealed the newer AnyConnect client was designed to work with newer Cisco hardware and the built-in VPN client in SL that includes the ability to create an IPSec connection for Cisco is also intended for newer hardware.  We do video postproduction work so we will likely be running in 64-bit from here on.

One of Shimo's features is its ability to take a Cisco .PCF profile and convert it to vpnc.  I found that if I booted the Mac in 32-bit, reinstalled the Cisco client and made sure it was happy and then created a vpnc profile from the Cisco profile I could reboot into 64-bit and connect happily using the vpnc profile.  Shimo seemed to work just fine and the connection was solid...or so it seemed.  I then discovered the connection would time out consistently at about 5 minutes and 30 secs.  There are settings both in the vpnc profile and in Shimo to generate "Idle" or "keep-alive" packages, respectively.  Unfortunately, neither seems to impact on the problem.

When I went back into 32-bit mode, using the vpnc profile I got the same result (as expected).  I then made a connection using the Cisco profile and the connection has now been active for 45 minutes and counting with no sign of timing out.  So, I can see that the Cisco client is sending something to the PIX that the vpnc isn't.  I hadn't worked with vpnc previously and, as mentioned, Shimo created this profile for me so I'm not familiar with the underpinnings of this.  Can anyone advise me as to how to get the vpnc to perform as a full-fledged substitute for the Cisco client and maintain the connection?  Thanks.
John Meggers

So, while I don't have a solution regarding your vpnc question, I do have a few comments.  

As you point out, you can run the AnyConnect client which is available for Mac in 64-bit.  Although Cisco did produce a Windows 64-bit IPSec client, that wasn't in their plans, and it's pretty clear they're putting the majority of their development efforts into AnyConnect as opposed to IPSec.  You don't say how many users you need to provide VPN services for, but there are two SSL licenses that come with the ASA.  If you do need a solution for a larger number of users, Cisco also has AnyConnect Essentials, which is an excellent VPN approach for trusted machines that makes deployment and update of the client much easier than with IPSec, and while it's not completely free like IPSec is, it's extremely cheap compared to full SSL licenses.  My company uses AnyConnect Essentials (I'm on a Mac) and I've found it to be much more forgiving than IPSec for maintaining connectivity.

There's one slight downside to AnyConnect Essentials.  There are some SSL VPN features that require the full SSL licenses, mainly clientless portal and host checks (Cisco has to have some reason to encourage customers to buy full-price SSL licenses), and once AnyConnect Essentials is enabled on an ASA, you cannot use that ASA for full SSL license features.  So if you have a need for both kinds of SSL connections, then you would need separate ASAs for those.  But if you're looking for a replacement for IPSec, I really think it's an excellent solution.

/end of sales pitch....  ;-)
mrpierce2

ASKER

jmeggers,

Thanks for the input.  As I mentioned, we're using a PIX.  I don't see the company upgrading to ASA in the near future, especially since it's a small business with minimal VPN use and we've been spending a bunch of bucks lately on other infrastructure improvements (and I have another brand new unit purchased off eBay as a backup).  While the Cisco client has been end-of-life'd and I realize that AnyConnect is its successor, even though it's available for 64-bit OS X it was my understanding that it would not support the PIX.  My perusal of Cisco pages seemed to confirm this.  

Essentially I only have one person to provide VPN access to--my boss, who works from home--with the only exception being our graphic designer, who on rare occasions needs to connect.

Web searches indicate there are a good number of folks in the same boat who suddenly found themselves experiencing the Error 51 (Area 51?) I encountered.  The thing is, the vpnc client has proven it can establish a connection and run in SL 64-bit.  The price is certainly right and in our case it's just this damn timing out that's preventing it from being a fully usable replacement for the Cisco client.

Thanks for info on AnyConnect.  Definitely sounds like an improved system.  Glad it's working well for you.
ASKER CERTIFIED SOLUTION
mrpierce2

No helpful comments from anyone else.  Kept researching outside of EE and found a solution.  No longer have the problem.  VPNC connection does not time out.