How to install & use Cisco VPN client on Cloud Server

I have been given the task to install and use a Cisco VPN client 4.8 on our Cloud Server (Rackspace, Windows 2003 Server), in order to connect to one of our customer's server.  We normally connect to our Cloud Server via Remote Desktop, but the VPN will not "allow" us to install via RDP.  Rackspace provides a Java utility for "direct" access to the Cloud Server--and using this I was able to install the VPN.

But the dilemma is this.  The Java Utility does not allow anything to go out of the Cloud Server (no network, vpn, internet, remote access--nothing).  Rackspace says this is by design (for security).  But the VPN will not work when the user is connected by Remote Desktop (for security, I assume).  So the Java utility allows the VPN to "work", but does not allow anything to go out of the server.  While Remote Desktop allows the user to go out, the VPN will not "work" via RDP.  Sigh.

Any help I can get to solve this would be greatly appreciated.  I am completely new to this sort of thing.  I need a way to install and use the Cisco VPN client on this Cloud Server, working around these restrictions.  Thanks.
Asked by xnish

Ernie Beek commented:
What exactly do you mean by the VPN will not "work" via RDP?
It won't start, it gives you an error, RDP disconnects?
Could you elaborate?

xnish (Author) commented:
Sure. I can still remote in via RDP--it works fine.  But when I try to then start the VPN Client, it will not start.  When I click on "VPN Client", after about a minute or so, there is a message, "Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again."  However, the service is listed and listed as "started".

Ernie Beek commented:
Do you happen to have the ICS service running on that server?

xnish (Author) commented:
I have checked in Network Connections/Local Connection/Properties/Advanced and the Internet Connection Sharing "Allow other network users to connect...." check box is not checked.  So I am assuming that ICS is not running on the server.

Ernie Beek commented:
To be sure, check the services.

Furthermore, did you install the client as a local admin? And when you run it, are you a local admin then?

xnish (Author) commented:
I do have "Windows Firewall/Internet Connection Sharing" listed in the services.  And it has a status of "started".  And, yes, I believe that installing and attempting to run are both done as local admin.

Ernie Beek commented:
Is the service set to 'auto'? Then try and set it to manual and stop it. There seems to be some issue with ICS that way.

xnish (Author) commented:
This Cloud Server is used to host at least one website to the public.  With that in mind, would setting the "Windows Firewall/ICS" service to "manual" cause any problems?

But, yes, the service is set to "automatic".

xnish (Author) commented:
I set the service in question to manual and stopped it.  Then rebooted and tried to get the VPN to connect (connected to the Cloud Server via RDP).  But, alas, nothing had changed--the VPN would still not connect, with same error message as before.

Ernie Beek commented:
Funny, I have a machine to which I can RDP and start the client. It's no server though.

When you connect to the server, do you set up a console version? So running: mstsc /console ?

xnish (Author) commented:
Running mstsc /console does nothing different.  But running mstsc /admin to connect to the server did allow the VPN client to connect, it seemed.  That was new.  However, once it connected, I was then kicked out of my Remote Desktop connection and could not get back in.  Was then forced to use the Rackspace utility (which I now realize is a VNC) to connect to the cloud server and disconnect the VPN that was connected via RDP.

Ernie Beek commented:
/admin is with the new version, you're correct :-~

So do you have split tunneling enabled?

xnish (Author) commented:
I don't rightly know, actually.  I installed the VPN "as is" and did nothing special.  Guess I will need to look into that.

Ernie Beek commented:
Split tunneling should be enabled on the remote firewall. Then there is also an option 'allow local LAN access' in the client.

xnish (Author) commented:
I have checked the "Allow Local LAN Access" checkbox in the Transport tab of the VPN Client Properties.  Yet the VPN Client Statistics still says "Local LAN: Disabled".  What else am I supposed to do?

The Statistics also say "Transport Tunneling: Active on UDP port 4500".  I assume that is good.

Ernie Beek commented:
The second step is to enable split tunneling on the remote firewall, otherwise it still won't work. The rest of the settings are ok.

xnish (Author) commented:
How do I "enable split tunneling on the remote firewall"?

Ernie Beek commented:
Do you have access to that firewall (it's the customer's one)? It is an ASA/PIX, I assume?

xnish (Author) commented:
I don't have access to their firewall, no.  And I really have no information about it.

Ernie Beek commented:
You might want to talk to their admin then. The thing is, without split tunneling when you set up the vpn, only traffic through the tunnel is allowed. That's why you lose the rdp session.

xnish (Author) commented:
I will look into this.  And let you know.  In the meantime, sleep is a rare but good thing.....

Ernie Beek commented:
Sleep? I seem to remember I did that once :)

Good night, we'll be waiting.

xnish (Author) commented:
I have found that our customer does not allow for split tunneling due to security reasons.  So they will not change their firewall, it appears.

So it looks like the dilemma is that the only access to VPN to the customer's server is a Cloud Server that is only reachable via remote, but the VPN Client does not split tunnel to allow both RDP and VPN at the same time.  Hmmmm....

Ernie Beek commented:
That was a short night..........

So we have a challenge. I'm curious. What would happen if you rdp in, establish the vpn and go back in with the java utility?
This might be a long shot, but hey, who knows?

xnish (Author) commented:
I did try that, but it didn't seem to work, last night.  

Sleep is overrated, isn't it?  Although, maybe if I had more of it, I would like it. :)

Ernie Beek commented:
It seems to be addictive, they say ;)

So what are the options.....

-talk to the customer again. You need them, they need you. So perhaps it is an option to create a separate vpn profile for you so you're the only ones with split tunneling enabled.
-see if there is another way to set this up. Are there multiple users going to use this vpn? Can't they connect from another machine (their laptops or whatever)?

Just tossing ideas.

xnish (Author) commented:
I have been in contact with the customer to see what they can do to accommodate.  You have been a help in narrowing down the problem.  Thanks.  I will "report back" tomorrow, hopefully, with a positive update.

Ernie Beek commented:
I'll keep my fingers crossed ;)

xnish (Author) commented:
I am able to test with my personal pc now.  Running Windows XP.  

Some details:
    Group authentication with name and password. Certificate Authentication unchecked.
    Transport Tunneling checked; IP Sec over UDP checked; Allow Local LAN Access checked.
    No certificates.

I can connect (get status: connected).  But then email cannot send/receive, internet inaccessible, rdp does not work anywhere, no new computer shows up in workgroup computers.

I have passed this info onto the customer's representative.  No word yet.

This is not really news, but I picture you getting nothing done, due to crossed fingers--at least all typing would be greatly hindered.  So I thought I needed to comment something. :)

Ernie Beek commented:
:-D
Lol
I can still use the two-finger system ;)

If you can test with your own pc, you might want to have a look at your routing table with and without the vpn connected. Perhaps with some creative routing you could get it to work.
 
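An added example (not from the thread, nor from Cisco) of the routing-table check Ernie suggests: model the table before and after the client connects and work out which interface replies to the RDP client would leave from. The route lines, the tunnel adapter address 192.168.50.10, the customer prefix 172.16.0.0/16 and the RDP client address are all constructed.

```python
# Added example: compare routing tables with and without the VPN up and find
# which interface return traffic to the RDP client would use. Route lines are
# constructed samples in the column order of Windows "route print".
import ipaddress

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' lines into tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, ip):
    """Longest-prefix match; on equal prefix length the lowest metric wins."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]   # interface address the packet leaves from

# Constructed sample: server LAN 10.0.0.0/24, server address 10.0.0.5.
BEFORE_VPN = """
0.0.0.0      0.0.0.0        10.0.0.1   10.0.0.5    20
10.0.0.0     255.255.255.0  10.0.0.5   10.0.0.5    20
"""
# No split tunneling: the client adds a second default route through the
# (constructed) tunnel adapter 192.168.50.10 with a lower metric than the LAN one.
FULL_TUNNEL = BEFORE_VPN + """
0.0.0.0      0.0.0.0        192.168.50.1  192.168.50.10   1
172.16.0.0   255.255.0.0    192.168.50.1  192.168.50.10   1
"""
# Split tunneling: only the customer's 172.16.0.0/16 goes through the tunnel.
SPLIT_TUNNEL = BEFORE_VPN + """
172.16.0.0   255.255.0.0    192.168.50.1  192.168.50.10   1
"""

def rdp_survives(route_text, rdp_client_ip, lan_iface="10.0.0.5"):
    """True if replies to the RDP client still leave via the LAN interface."""
    return lookup(parse_routes(route_text), rdp_client_ip) == lan_iface

if __name__ == "__main__":
    client = "203.0.113.7"   # constructed address of the machine running mstsc
    for name, table in [("no vpn", BEFORE_VPN), ("full tunnel", FULL_TUNNEL),
                        ("split tunnel", SPLIT_TUNNEL)]:
        print(f"{name:13s}: RDP session kept = {rdp_survives(table, client)}")
```

With the full-tunnel table the lower-metric default route pulls the RDP client's return path into the tunnel, which is the session drop described in the thread; with split tunneling only the customer prefix is routed through the VPN.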
xnish (Author) commented:
Well, I now have proper vpn access to the customer's server.  In short, the problems were all on their side.  When I vpn to connect, all "avenues" out of my pc are disabled except the rdp to their server.  But, again, the problem was all on their side.

My problem was that I assumed the use of a cloud server was messing things up.  That along with my assumption that they had everything working fine on their end.

You have been quite helpful (and patient).  I have learned much.  And you did help me to narrow down the problem to get them to find their own error.  I am not sure what I do in respect to "accepting solutions", but I am satisfied with your help, sir.

Ernie Beek commented:
First, great you solved it (always nice to hear :).
With regards to the accept: if you would like to give me all points, just pick my most appropriate answer as an accepted solution. If you would like to split points (because you yourself supplied the final solution), accept one of your comments as the solution and one of mine as an assisted solution (or the other way around :).

xnish (Author) commented:
For the information I gave and the problem I thought I had, the 'expert advice' was excellent.  My problem was actually a different one than what I originally thought, so a perfect solution could not be given.  But this helped me greatly to arrive at that final solution.  Many thanks.

Ernie Beek commented:
The pleasure was all mine :)

Thanks for the points!