09-30-2005 07:29 PM - edited 02-21-2020 02:00 PM
Problem: Connection to my company server fails and I get the message:
"Secure VPN Connection terminated locally by the Client.
Reason 414: Failed to establish a TCP connection."
I'm using client 4.7.00(0510) on my Mac. I had the same problem with 4.6.02 and hoped the upgrade might help - no luck. I imported the profile settings from my Dell laptop (version 4.6.03) which connects successfully. I should add that I was connecting successfully from the Mac until today when changes were made to our corporate server. The corporate IP guys of course won't even talk to a Mac user.
Connection from the Mac seems to get past user authentication OK, but then instead of successfully "securing the communications channel" it goes back to "Initiating TCP to..." and then to the error message above. I've turned off my firewall, so far with no difference.
Can someone tell me what steps the connection goes through, and where this might be getting hung up?
10-01-2005 01:15 AM
Wayne,
On your VPN client - click the modify tab for your connection entry - this will bring up the properties screen for your connection entry - click onto the Transport tab and tick the 'Enable Transparent tunneling' box (IPSec over UDP (NAT/PAT)).
But if your corporate guys have configured your HQ PIX to connect on a TCP port number then you'll need to make sure that your VPN client is set up correctly with the appropriate TCP port number; again this can be found under the Transport tab on your VPN client.
Hope this helps, and if it does please rate post.
Jay
10-04-2005 08:25 AM
Well, as I said, my settings are all as imported from my Dell laptop (which connects successfully) into my Mac (which doesn't). So every setting I can check on either VPN client is identical. And in my case, we're using IPSec over TCP.
Here are more details: We authenticate by the RSA SecurID fob. This does not seem (to me, no expert) to be the problem, but maybe important?
I've set logging to "Hi" on all categories and get the following output (complete details in the attachment) where I think the connect is failing:
First, I connect successfully to the corporate server:
11 10:47:55.863 10/04/2005 Sev=Info/4 CM/0x43100029
TCP connection established on port 80 with server "corporate server.com"
Then it goes through a bunch of configurations, ending with:
58 10:48:06.131 10/04/2005 Sev=Info/4 CM/0x43100019
Mode Config data received
Then things start to go badly:
63 10:48:06.294 10/04/2005 Sev=Info/4 IKE/0x43000081
Delete Reason Code: 11 --> PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH.
72 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
Finally, it tries again to the backup corporate server. It fails to even make a TCP connection with that server:
73 10:48:06.863 10/04/2005 Sev=Info/4 CM/0x43100024
Attempt connection with server "corporate server BU.com"
81 10:48:22.363 10/04/2005 Sev=Info/6 IPSEC/0x43700020
TCP SYN sent to [IP address], src port 53894, dst port 80
82 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310002A
Unable to establish TCP connection on port 80 with server "corporate server BU.com"
83 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310000C
All connection attempts with backup server failed
If you see any clues here (Firewall Mismatch?), please let me know!
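To answer the "what steps does the connection go through" question from the log itself, here is a small parser and checker written for this thread (not from Cisco or the VPN client); it assumes the two-line entry format shown in the post above ("<seq> <time> <date> Sev=<Level>/<n> <Component>/<hexcode>" followed by the message) and runs over a constructed sample copied from those lines.

```python
import re
from dataclasses import dataclass

# Constructed sample, built from the entries quoted in the post above.
SAMPLE_LOG = """\
11 10:47:55.863 10/04/2005 Sev=Info/4 CM/0x43100029
TCP connection established on port 80 with server "corporate server.com"
58 10:48:06.131 10/04/2005 Sev=Info/4 CM/0x43100019
Mode Config data received
63 10:48:06.294 10/04/2005 Sev=Info/4 IKE/0x43000081
Delete Reason Code: 11 --> PEER_DELETE-IKE_DELETE_FIREWALL_MISMATCH.
82 10:48:27.363 10/04/2005 Sev=Info/4 CM/0x4310002A
Unable to establish TCP connection on port 80 with server "corporate server BU.com"
"""

# Assumed header layout; the message is on the following line.
HEADER = re.compile(r'^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d{4}) '
                    r'Sev=(\w+)/(\d) (\w+)/(0x[0-9A-Fa-f]+)$')

@dataclass
class Entry:
    seq: int
    time: str
    component: str   # CM, IKE, IPSEC, ...
    code: str        # hex event code
    message: str

def parse_log(text):
    """Pair each header line with the message line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m
        elif header is not None:
            entries.append(Entry(int(header.group(1)), header.group(2),
                                 header.group(6), header.group(7), line.strip()))
            header = None
    return entries

# Milestones in the order the client reaches them before a tunnel comes up.
MILESTONES = [('TCP connection established', 'tcp_connected'),
              ('Mode Config data received', 'mode_config')]

def diagnose(entries):
    """Report the furthest milestone, any IKE delete reason and TCP failures."""
    result = {'phase_reached': 'none', 'delete_reason': None, 'tcp_failures': []}
    for e in entries:
        for needle, phase in MILESTONES:
            if needle in e.message:
                result['phase_reached'] = phase
        m = re.search(r'Delete Reason Code: (\d+) --> ([A-Z_-]+)', e.message)
        if e.component == 'IKE' and m:
            result['delete_reason'] = (int(m.group(1)), m.group(2))
        m = re.search(r'Unable to establish TCP connection on port (\d+) '
                      r'with server "([^"]+)"', e.message)
        if m:
            result['tcp_failures'].append((m.group(2), int(m.group(1))))
    return result
```

Run on the sample it reports that the client got as far as Mode Config, that the peer tore down the Phase 1 SA with reason code 11 (firewall mismatch), and that the backup server never answered on port 80.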
10-09-2005 08:58 AM
Hi Wayne,
A few questions.
1 - Are you sure you're connecting to a Cisco IOS Router and not a Cisco VPN Concentrator / Cisco ASA or PIX FW?
2 - What personal FW are you running on the XP Dell vs the Mac?
During the VPN establishment it is possible on the other 3 devices to specify that a certain firewall is enabled and even apply a certain policy to that firewall. This might be your problem.
Cisco refers to these features as
AYT - Are you There
and
CPP - Centralized Protection Policy
Hope this helps.
10-17-2005 07:43 PM
1- No, I'm not sure what I'm connecting to. At one time it was a Cisco 3000 VPN, but that was before the problem started.
2 - On the Mac, nothing (it's usually on but I've turned it off while trying to solve this) and on the Dell I believe the VPN client is running the "Stateful Firewall (Always On)" as dictated by the server.
I think you've hit the nail on the head regarding my problem. The Mac client has no way to respond to the AYT or CPP push policies, so it can't connect. Seems like a pretty big flaw, which should be more prominently communicated so people like me don't waste so much time trying to make it work.
I'd like confirmation that there's no solution to this problem, or better yet a solution.