Reason 414, No TCP, but only over one router

MikeRubin
Level 1

I am an end user and this question has baffled my company's IT department, my ISP (formerly Qwest, now CenturyLink), and my router manufacturer (Actiontec).  I apologize if this question's been answered somewhere on the forum; my searches on the reason number resulted in answers that were not relevant or were too complex for me.  (Sorry.)

I presently am at a vacation home that has a DSL wired/wireless connection through an Actiontec GT704-WRG, which was Qwest's only supported router/modem at the time I began service here a number of years ago.  I am using a Dell Latitude E64001 with Intel network and wireless cards. There are no conflicts or device issues shown in Device Manager.

In years past, I've been able to reach my office network using the Cisco VPN client (currently at version 5.0.03.0560), but this trip I can't connect from here and get the Reason 414 error message.  There have been ZERO changes to the router since I last used it.  The notebook is newish, but I have used it here before, and, more to the point, it connected just fine yesterday at Starbucks.  I've used the same computer for VPN access at relatives' homes, airports, and my own permanent residence.  There is no problem with internet access (so thank heaven that I can access office email from outside the firewall).  It's literally only here at this one location that I am having this trouble, and I get the same 414, no TCP connection, message whether trying to access using ethernet or wirelessly.

While talking to my IT department, the ISP, and Actiontec, I've tried the following:  (1) reinstalling the VPN client and log-in information, (2) starting and restarting the modem/router several times, and (3) resetting the DHCP range so that it assigned beginning with 192.168.0.10 rather than 192.168.0.2.  The Actiontec guy wanted me to undertake some port forwarding, but needed the port references from my corporate IT department; when I contacted the latter, I was told that port forwarding is only necessary if I want VPN access to my device, but not outbound, so I did not mess with that.

At this point, if I can't figure this out, I may need to change ISPs and/or purchase new equipment. Any ideas for me?  I really do need to get this resolved, because I have office work that needs to be completed.  Thank you for any help you can provide.

4 Replies

Marcin Latosiewicz
Cisco Employee

Mike,

Reason 414:  Failed to establish a TCP connection.

Please note that by default IPsec is using:

- UDP port 500

- UDP port 4500 for NAT transparency (as from aggressive mode message 3 or main mode message 5)

- ESP

- TCP (read on)

In case you do not have a public IP address you will have to use NAT transparency method - which is to use either UDP/4500 or TCP/X.

Now the thing with TCP is that (to the best of my knowledge) all the solutions are proprietary and just waiting to break, especially if there is something on the way that understands TCP.

I would suggest talking to your IT guys and making sure that a UDP-based NAT transparency method is allowed.

In your client there is a setting like this:

I would HIGHLY suggest switching from "IPsec over TCP" to "IPsec over UDP"; this is the setting I have, and I almost never face any problems.

M.

Marcin, thank you for your response.  My IT department did walk me through a UDP connection setup and it did not work, either.  We tried some port forwarding within the modem/router, to enable most of the ports you mentioned (all but ESP), and that did not work, either.  In the end, my IT department said that my ISP is closing ports for reasons of its own, and the ISP said my modem/router is "too old."  (Funny that it was not "too old" three months ago when it was working fine, but CenturyLink had not yet finished its acquisition of Qwest.)

I will look for a new modem/router combination over the weekend and will cross my fingers in the hope that it's only a hardware issue.  I appreciate your comments.  

Mike,

I agree with your IT: there is no need to forward any ports for a client connection; in fact, most of this can be harmful.

I do agree that the modem might be part of the problem; even my basic Linksys here at home has some basic IPsec/PPTP filtering possibilities, features I made sure were off.

Quite frankly, I would start with a sniffer trace, but I do know it might be hard to obtain at the same time on the router/modem and your gateway.

I.e., it's very interesting whether the router/modem is passing this traffic towards the ISP network.

Marcin
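As an added illustration of Marcin's port list and his sniffer-trace suggestion (example code written for this page, not from the thread, Cisco, or any of the vendors mentioned): a small Python classifier that reads tcpdump-style summary lines from the client side and reports which IPsec transports (IKE on UDP/500, NAT-T on UDP/4500, ESP, IPsec over TCP) were sent but never answered. The capture lines are constructed, and the 10000/tcp port is an assumption about the client's IPsec-over-TCP default.

```python
import re
from collections import Counter
# Transports from Marcin's list; 10000 is assumed to be the Cisco VPN client's
# default "IPsec over TCP" port (confirm on the client's Transport tab).
IKE_PORT, NAT_T_PORT, IPSEC_TCP_PORT = 500, 4500, 10000

# Constructed tcpdump-style summary lines, not a real capture: IKE on UDP/500
# is answered, NAT-T on UDP/4500 and the IPsec-over-TCP SYNs are not.
SAMPLE_TRACE = """\
IP 192.168.0.10.61000 > 203.0.113.5.500: isakmp: phase 1 I agg
IP 203.0.113.5.500 > 192.168.0.10.61000: isakmp: phase 1 R agg
IP 192.168.0.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg
IP 192.168.0.10.52001 > 203.0.113.5.10000: Flags [S], seq 1, win 64240
IP 192.168.0.10.52001 > 203.0.113.5.10000: Flags [S], seq 1, win 64240
"""

PORT_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(")

def classify(line, client_ip):
    # Map one summary line to (transport, "out"/"in"); None if unrelated.
    m = ESP_RE.match(line)
    if m:
        return "esp", "out" if m.group(1) == client_ip else "in"
    m = PORT_RE.match(line)
    if not m:
        return None
    src, sport, _dst, dport, rest = m.groups()
    direction = "out" if src == client_ip else "in"
    peer_port = int(dport if direction == "out" else sport)
    if peer_port == IKE_PORT and "isakmp" in rest:
        return "ike_udp500", direction
    if peer_port == NAT_T_PORT:
        return "nat_t_udp4500", direction
    if peer_port == IPSEC_TCP_PORT and rest.startswith("Flags [S"):
        return "ipsec_tcp_syn", direction          # SYN out, SYN/ACK back
    return None

def diagnose(trace, client_ip):
    # Count per (transport, direction); report transports sent with no reply.
    seen = Counter(h for h in (classify(l, client_ip) for l in trace.splitlines()) if h)
    checks = [
        ("ipsec_tcp_syn", "IPsec over TCP: SYNs unanswered, the Reason 414 pattern"),
        ("nat_t_udp4500", "NAT-T: UDP/4500 sent but never answered"),
        ("ike_udp500", "IKE: UDP/500 sent but never answered"),
    ]
    findings = [msg for key, msg in checks
                if seen[(key, "out")] and not seen[(key, "in")]]
    return seen, findings
```

Run against a real trace, an unanswered 10000/tcp SYN alongside an answered UDP/500 exchange is the picture behind a 414 and points at switching the client to IPsec over UDP, as Marcin suggests.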

Thanks, Marcin, for your comments.  I've ended up buying a new modem/router combination device and that seems to have done the trick, for the most part.  I have VPN access to the workplace and my iPhone is sending AOL email, but the Android device seems still to be having email issues.  In any event, I now am able to manage as much work as my very, very slow ADSL connection will permit me to accomplish.