VPN client fails reason 412

Thomas Grassi
Level 1

VPN client 5.0.07.0410 on Windows Vista SP2

When I try to connect to my Cisco 851:

Secure VPN connection terminated locally by the client

Reason 412 The remote peer is no longer responding

I turned on debug crypto isakmp and debug crypto ipsec

no information displayed on the console

I was a lot further before but now do not know where to turn

Any thoughts?

Thanks

Tom

Thomas R Grassi Jr
3 Replies

cflory
Level 1

Caused by several different reasons:

1. The client is behind (or using) a firewall that is blocking ports TCP 4500/10000 or UDP 4500/10000 or 500 and/or ESP.

2. Your Internet connection is not stable and dropping packets.

3. The VPN client is behind a NAT device and the VPN Server doesn’t have NAT-T enabled.

Possible solutions:

1. If you are using wireless, try to connect wired, and ensure you have a stable network to your 851.

2. Turn your firewall off on your client, then test the connection to see whether the problem still occurs. If it doesn’t, then you can turn your firewall back on and add exception rules for port 500, port 4500 and the ESP protocol in your firewall.

3. Turn on NAT-T/TCP in your profile (remember to unblock port 10000 in your firewall)

4. Edit your profile with your editor and change ForceKeepAlive=0 to 1

Thank you

My client is on the LAN, not using wireless

The firewall is stopped

I have some NAT entries in my config (see current config below). Is that what you mean?

What would I need to add to the router to make this work?

In the client under transport

I have Enable transport tunneling checked

then I tried IPSEC over UDP (NAT/PAT): 412 error

then I tried IPSEC over TCP: 414 error

Secure VPN connection terminated locally by the client

Reason 414 Failed to establish a TCP connection

Also have Allow local LAN access checked; peer response timeout 90 seconds

I did not find the ForceKeepAlive option in my client

I am using the Cisco VPN client to VPN and access my Windows 2003 domain

I used Cisco document ID 21060 as a guideline for the configuration

I think I have a configuration issue in the router here is my current config

I highlighted the vpn entries

-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: netman
Password:

MyRouter#show config
Using 5107 out of 131072 bytes
!
! Last configuration change at 17:17:10 EST Sat Jan 14 2012 by netman
! NVRAM config last updated at 17:17:14 EST Sat Jan 14 2012 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp client configuration group TGCSVPN
key xxxxxxxx
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
snmp-server community mycisco01 RO
no cdp run
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key xxxxxxxxx

!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175157
ntp server 141.165.5.137
end

MyRouter#

Any help would be great; I need all I can get. I have had no luck getting VPN to work at all

Thanks

Tom

Thomas R Grassi Jr
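
Added example, not part of the original thread: a small Python check that scans an IOS configuration like the one posted above for the statements a crypto-map based remote-access VPN server normally needs. The list of required statements and the function names `audit_easy_vpn` and `interfaces_with_crypto_map` are assumptions of this example; the sample input is a constructed excerpt of the posted config.

```python
import re

# Constructed sample: trimmed excerpt of the configuration posted above.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group TGCSVPN
pool SDM_POOL_1
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
!
interface FastEthernet4
ip nat outside
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
"""

# Global statements a crypto-map based remote-access server needs (assumed list).
REQUIRED = [
    ("isakmp policy", r"^\s*crypto isakmp policy \d+"),
    ("ipsec transform-set", r"^\s*crypto ipsec transform-set \S+"),
    ("dynamic-map", r"^\s*crypto dynamic-map \S+ \d+"),
    ("crypto map sequence entry", r"^\s*crypto map \S+ \d+ ipsec-isakmp dynamic \S+"),
]

def interfaces_with_crypto_map(config):
    """Names of interfaces whose block (ended by '!' or next interface) binds a crypto map."""
    bound, current = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif line.startswith("!") or not line:
            current = None
        elif current and re.match(r"crypto map \S+$", line):
            bound.append(current)
    return bound

def audit_easy_vpn(config):
    """Return the remote-access VPN pieces that are absent from config."""
    missing = [name for name, pat in REQUIRED if not re.search(pat, config, re.M)]
    if not interfaces_with_crypto_map(config):
        missing.append("crypto map on an interface")
    for pool in re.findall(r"^\s*pool (\S+)", config, re.M):
        if not re.search(rf"^\s*ip local pool {re.escape(pool)} ", config, re.M):
            missing.append(f"ip local pool {pool}")
    return missing

if __name__ == "__main__":
    print(audit_easy_vpn(SAMPLE_CONFIG))
```

Run against the excerpt, it reports the ISAKMP policy, transform set, dynamic map, crypto map sequence entry and interface binding as absent, while the address pool referenced by the group is defined.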

Go to Services by issuing the command services.msc in a command prompt.

Stop the Cisco Systems, Inc. VPN service

Stop the Internet Connection Sharing (ICS) service

Right click on ICS service and choose Properties. Then change Startup type to Disabled or Manual.

Start the Cisco Systems, Inc. VPN service