Asked by xnish

How to install & use Cisco VPN client on Cloud Server

I have been given the task to install and use a Cisco VPN client 4.8 on our Cloud Server (Rackspace, Windows 2003 Server), in order to connect to one of our customer's servers.  We normally connect to our Cloud Server via Remote Desktop, but the VPN will not "allow" us to install via RDP.  Rackspace provides a Java utility for "direct" access to the Cloud Server--and using this I was able to install the VPN.

But the dilemma is this.  The Java Utility does not allow anything to go out of the Cloud Server (no network, vpn, internet, remote access--nothing).  Rackspace says this is by design (for security).  But the VPN will not work when the user is connected by Remote Desktop (for security, I assume).  So the Java utility allows the VPN to "work", but does not allow anything to go out of the server.  While Remote Desktop allows the user to go out, the VPN will not "work" via RDP.  Sigh.

Any help I can get to solve this would be greatly appreciated.  I am completely new to this sort of thing.  I need a way to install and use the Cisco VPN client on this Cloud Server, working around these restrictions.  Thanks.
Ernie Beek

What exactly do you mean by the VPN will not "work" via RDP?
It won't start, it gives you an error, RDP disconnects?
Could you elaborate?
xnish

ASKER

Sure. I can still remote in via RDP--it works fine.  But when I try to then start the VPN Client, it will not start.  When I click on "VPN Client", after about a minute or so, there is a message, "Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again."  However, the service is listed and listed as "started".
Do you happen to have the ICS service running on that server?
xnish

ASKER

I have checked in Network Connections/Local Connection/Properties/Advanced and the Internet Connection Sharing "Allow other network users to connect...." check box is not checked.  So I am assuming that ICS is not running on the server.
To be sure, check the services.

Furthermore, did you install the client as a local admin? And when you run it, are you a local admin then?
xnish

ASKER

I do have "Windows Firewall/Internet Connection Sharing" listed in the services.  And it has a status of "started".  And, yes, I believe that installing and attempting to run are both done as local admin.
Is the service set to 'auto'? Then try and set it to manual and stop it. There seems to be some issue with ICS that way.
xnish

ASKER

This Cloud Server is used to host at least one website to the public.  With that in mind, would setting the "Windows Firewall/ICS" service to "manual" cause any problems?

But, yes, the service is set to "automatic".
xnish

ASKER

I set the service in question to manual and stopped it.  Then rebooted and tried to get the VPN to connect (connected to the Cloud Server via RDP).  But, alas, nothing had changed--the VPN would still not connect, with same error message as before.
Funny, I have a machine to which I can RDP and start the client. It's no server though.

When you connect to the server, do you set up a console version? So running: mstsc /console ?
xnish

ASKER

Running mstsc /console does nothing different.  But running mstsc /admin to connect to the server did allow the VPN client to connect, it seemed.  That was new.  However, once it connected, I was then kicked out of my Remote Desktop connection and could not get back in.  Was then forced to use the Rackspace utility (which I now realize is a VNC) to connect to the cloud server and disconnect the VPN that was connected via RDP.
/admin is with the new version, you're correct :-~

So do you have split tunneling enabled?
xnish

ASKER

I don't rightly know, actually.  I installed the VPN "as is" and did nothing special.  Guess I will need to look into that.
Split tunneling should be enabled on the remote firewall. Then there is also an option 'allow local LAN access' in the client.
xnish

ASKER

I have checked the "Allow Local LAN Access" checkbox in the Transport tab of the VPN Client Properties.  Yet the VPN Client Statistics still says "Local LAN: Disabled".  What else am I supposed to do?

The Statistics also say "Transport Tunneling: Active on UDP port 4500".  I assume that is good.
The second step is to enable split tunneling on the remote firewall, otherwise it still won't work. The rest of the settings are ok.
xnish

ASKER

How do I "enable split tunneling on the remote firewall"?
Do you have access to that firewall (it's the customer's one)? It is an ASA/PIX I assume?
xnish

ASKER

I don't have access to their firewall, no.  And I really have no information about it.
You might want to talk to their admin then. The thing is, without split tunneling when you set up the vpn, only traffic through the tunnel is allowed. That's why you lose the rdp session.
xnish

ASKER

I will look into this.  And let you know.  In the meantime, sleep is a rare but good thing.....
Sleep? I seem to remember I did that once :)

Good night, we'll be waiting.
xnish

ASKER

I have found that our customer does not allow for split tunneling due to security reasons.  So they will not change their firewall, it appears.

So it looks like the dilemma is the only access to VPN to the customer's server is a Cloud Server that is only reachable via remote, but the VPN Client does not split tunnel to allow both RDP and VPN at the same time.  Hmmmm....
That was a short night..........

So we have a challenge. I'm curious. What would happen if you rdp in, establish the vpn and go back in with the java utility?
This might be a long shot, but hey, who knows?
xnish

ASKER

I did try that, but it didn't seem to work, last night.  

Sleep is overrated, isn't it?  Although, maybe if I had more of it, I would like it. :)
ASKER CERTIFIED SOLUTION
Ernie Beek

This solution is only available to members.
xnish

ASKER

I have been in contact with the customer to see what they can do to accommodate.  You have been a help in narrowing down the problem.  Thanks.  I will "report back" tomorrow, hopefully, with a positive update.
I'll keep my fingers crossed ;)
xnish

ASKER

I am able to test with my personal pc now.  Running Windows XP.  

Some details:
    Group authentication with name and password. Certificate Authentication unchecked.
    Transport Tunneling checked; IP Sec over UDP checked; Allow Local LAN Access checked.
    No certificates.

I can connect (get status: connected).  But then email cannot send/receive, internet inaccessible, rdp does not work anywhere, no new computer shows up in workgroup computers.

I have passed this info onto the customer's representative.  No word yet.

This is not really news, but I picture you getting nothing done, due to crossed fingers--at least all typing would be greatly hindered.  So I thought I needed to comment something. :)
:-D
Lol
I can still use the two-finger system ;)

If you can test with your own pc, you might want to have a look at your routing table with and without the vpn connected. Perhaps with some creative routing you could get it to work.
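
Added example, not part of the original thread: the routing-table comparison suggested above, and the earlier explanation that without split tunneling the RDP session is lost, can be checked by parsing `route print` output captured before and after the VPN connects. The two tables and every address below are constructed, and the "after" table is an assumed full-tunnel layout, not output from the poster's machines.

```python
import ipaddress

# Constructed `route print` excerpts (not from the thread); all addresses are made up.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1       10.1.1.10      20
         10.1.1.0    255.255.255.0        10.1.1.10       10.1.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:          10.1.1.1
"""
# Assumed full-tunnel result: the default route moves to the VPN adapter, and a
# host route keeps the VPN gateway itself reachable over the physical NIC.
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.50.7     172.16.50.7       1
         10.1.1.0    255.255.255.0        10.1.1.10       10.1.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     198.51.100.9  255.255.255.255         10.1.1.1       10.1.1.10       1
Default Gateway:       172.16.50.7
"""

def parse_route_print(text):
    """Extract (network, gateway, interface, metric) rows from `route print` text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or summary line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            gateway, iface = (ipaddress.ip_address(p) for p in parts[2:4])
        except ValueError:
            continue  # five tokens, but not a route row
        routes.append((net, str(gateway), str(iface), int(parts[4])))
    return routes

def egress_for(routes, ip):
    """Interface address used to reach ip: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def session_survives(before, after, peer_ip):
    """True if replies to peer_ip leave by the same interface in both tables."""
    return (egress_for(parse_route_print(before), peer_ip)
            == egress_for(parse_route_print(after), peer_ip))

if __name__ == "__main__":
    for name, peer in [("RDP client", "203.0.113.25"), ("VPN gateway", "198.51.100.9")]:
        print(name, peer, "keeps its path:", session_survives(BEFORE, AFTER, peer))
```

A route comparison shows only where replies are sent; a VPN client may also block non-tunnel traffic on its own, which this check will not reveal.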
xnish

ASKER

Well, I now have proper vpn access to the customer's server.  In short, the problems were all on their side.  When I vpn to connect, all "avenues" out of my pc are disabled except the rdp to their server.  But, again, the problem was all on their side.

My problem was that I assumed the use of a cloud server was messing things up.  That along with my assumption that they had everything working fine on their end.

You have been quite helpful (and patient).  I have learned much.  And you did help me to narrow down the problem to get them to find their own error.  I am not sure what I do in respect to "accepting solutions", but I am satisfied with your help, sir.
First, great you solved it (always nice to hear :).
With regards to the accept: if you would like to give me all points, just pick my most appropriate answer as an accepted solution. If you would like to split points (because you yourself supplied the final solution), accept one of your comments as the solution and one of mine as an assisted solution (or the other way around :).
xnish

ASKER

For the information I gave and the problem I thought I had, the 'expert advice' was excellent.  My problem was actually a different one than what I originally thought, so a perfect solution could not be given.  But this helped me greatly to arrive at that final solution.  Many thanks.
The pleasure was all mine :)

Thanks for the points!