01-14-2012 04:27 PM
VPN client 5.0.07.0410 on Windows Vista sp2
when I try to connect to my cisco 851
Secure VPN connection terminated locally by the client
Reason 412 The remote peer is no longer responding
I turned on debug crypto isakmp and debug crypto ipsec
no information displayed on the console
I was a lot further before but now do not know where to turn
Any thoughts?
Thanks
Tom
01-14-2012 08:09 PM
Caused by several different reasons:
1. The client is behind (or using) a firewall that is blocking ports TCP 4500/10000 or UDP 4500/10000 or 500 and/or ESP.
2. Your Internet connection is not stable and dropping packets.
3. The VPN client is behind a NAT device and the VPN Server doesn’t have NAT-T enabled.
Possible solutions:
1. If you are using wireless, try to connect wired, and ensure you have a stable network to your 851.
2. Turn your firewall off on your client, then test the connection to see whether the problem still occurs. If it doesn’t then you can turn your firewall back on, add exception rules for port 500, port 4500 and the ESP protocol in your firewall.
3. Turn on NAT-T/TCP in your profile (remember to unblock port 10000 in your firewall)
4. Edit your profile with your editor and change ForceKeepAlive=0 to 1
01-15-2012 07:05 AM
Thank you
My client is on the lan not using wireless
The firewall is stopped
I have some NAT entries in my config see current config below is that what you mean?
What would I need to add to the router to make this work?
In the client under transport
I have Enable transport tunneling checked
then I tried IPSEC over UDP (NAT/PAT) 412 error
then I tried IPSEC over TCP 414 error
Secure VPN connection terminated locally by the client
Reason 414 Failed to establish a TCP connection
Also have Allow local lan access checked, peer response timeout 90 seconds
I did not find the forcekeepalive option in my client
I am using the cisco vpn client to vpn and access my windows 2003 domain
I used cisco document ID 21060 as a guideline for the configuration
I think I have a configuration issue in the router here is my current config
I highlighted the vpn entries
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
User Access Verification
Username: netman
Password:
MyRouter#show config
Using 5107 out of 131072 bytes
!
! Last configuration change at 17:17:10 EST Sat Jan 14 2012 by netman
! NVRAM config last updated at 17:17:14 EST Sat Jan 14 2012 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp client configuration group TGCSVPN
key xxxxxxxx
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
!
ip access-list extended denyDHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
snmp-server community mycisco01 RO
no cdp run
radius-server host 192.168.69.15 auth-port 1812 acct-port 1812 key xxxxxxxxx
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175157
ntp server 141.165.5.137
end
MyRouter#
Any help would be great, need all I can get, have had no luck getting vpn to work at all
Thanks
Tom
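An added example, not part of any post in this thread: a small Python check that scans an IOS configuration for the pieces a crypto-map based remote-access VPN server normally needs and lists the ones that are absent. The checklist and the trimmed, re-indented sample of the posted config are assumptions made for the example.

```python
import re

# Constructed sample: VPN-related lines of the config posted above, trimmed and
# re-indented the way IOS prints interface sub-commands (key redacted as posted).
POSTED_CONFIG = """\
crypto isakmp client configuration group TGCSVPN
 key xxxxxxxx
 pool SDM_POOL_1
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
interface FastEthernet4
 ip address 72.88.223.20 255.255.255.0
 ip nat outside
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
"""

# Assumed checklist (not from the thread): building blocks of a crypto-map
# based IOS remote-access VPN server, matched on top-level config lines.
CHECKS = {
    "isakmp policy": r"^crypto isakmp policy \d+",
    "client group": r"^crypto isakmp client configuration group \S+",
    "transform set": r"^crypto ipsec transform-set \S+",
    "dynamic map": r"^crypto dynamic-map \S+ \d+",
    "crypto map entry": r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+",
    "address pool": r"^ip local pool \S+",
}

def audit(config):
    """Return {check name: bool} for each building block."""
    lines = config.splitlines()
    result = {n: any(re.match(rx, l) for l in lines) for n, rx in CHECKS.items()}
    # The map must also be attached to an interface: an indented
    # "crypto map NAME" (no sequence number) inside an interface stanza.
    current, attached = None, []
    for l in lines:
        if l.startswith("interface "):
            current = l.split()[1]
        elif not l.startswith(" "):
            current = None
        elif current and re.match(r"^\s+crypto map \S+\s*$", l):
            attached.append(current)
    result["map on interface"] = bool(attached)
    return result

def missing(config):
    return [name for name, ok in audit(config).items() if not ok]

if __name__ == "__main__":
    print("missing:", ", ".join(missing(POSTED_CONFIG)) or "nothing")
```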
01-26-2012 04:31 PM
Go to Services by issuing the command services.msc in the command prompt
Stop the Cisco Systems, Inc. VPN Service
Stop the Internet Connection Sharing (ICS) service
Right click on ICS service and choose Properties. Then change Startup type to Disabled or Manual.
Start the Cisco Systems, Inc. VPN Service