01-16-2009 06:09 AM - edited 02-21-2020 04:07 PM
Hi All,
We are facing an issue connecting to a remote-end Cisco VPN concentrator using the VPN client. The remote-end VPN concentrator is not managed by us. The user is using iPass 3.51 and Cisco VPN Client 4.8.02. Users are using our internet connection for this VPN and are behind a Checkpoint FW.
The remote-end VPN concentrator is configured to accept VPN connections on a customized port, TCP 9009, and the same has been opened on our firewall. The issue is that users are not able to connect using the VPN client while connected to our n/w, but at the same time users are able to telnet to the remote-end VPN concentrator IP on the mentioned port, i.e. 9009; using the VPN client they can't connect. Our firewall has been opened for the UDP IKE, IKE NAT-T, TCP IKE and TCP 9009 ports, but this connection is only using TCP 9009. The strange thing is that if they disconnect from our n/w and use their 3G connection it works fine. We have collected logs from the VPN client, attached herewith. The remote-end guys also checked logs on the concentrator and suspect an asymmetrical routing issue, but our n/w team has confirmed that this is not the case.
The user is getting an error like "Reason 412 connection terminated by vpn client locally; remote peer no longer responding".
Can anybody please help us diagnose the problem using these logs, as these are the only logs we have for troubleshooting? Your help is much appreciated.
01-22-2009 06:35 AM
The description for the error is "The remote peer is not responding to the client's request to establish the connection. Make sure you can ping the remote peer, or check remote peer logs for why it is not responding to the client." Check whether any traffic is blocked from the remote peer, or check the version of the VPN concentrator, because the Cisco VPN Client supports Cisco VPN 3000 Concentrator Software Version 3.0 and later.
01-22-2009 08:37 AM
Here are some suggestions:
1- What is the Checkpoint version on your end? "fw ver" and "uname -a" will display that.
2- If I have to guess, I would say Checkpoint SmartDefense (SDF) causes this issue. Can you disable the SDF profile, if you are running NGX R65?
3- Run "fw monitor" and capture the file. You can then use Wireshark to find out why it is not connecting.
Let me know if you need additional help.
01-28-2009 07:57 AM
Hi cisco24x7,
1. I have Checkpoint NGX R65 (SmartCenter Server) with a Nokia IP530 (enforcement module) on NG AI R55 HFA_19 Hotfix-848 Build-018 and IPSO ver 3.7.
2. I can't see any drop on the firewall via SmartDefense. Also we have only the default protections for SmartDefense, like ICMP, ping sweep etc.
3. Unfortunately I couldn't run "fw monitor" when the user was trying, but I captured a tcpdump from the Nokia box. Here is a small part of the tcpdump o/p:
12:27:13.413126 I 172.20.245.50.1425 > x.x.64.100.9009: S 16810110:16810110(0) win 65535 <1100145E85A469070101>1100145E85A469070101>
12:27:13.453848 O x.x.64.100.9009 > 172.20.245.50.1425: S 3871196192:3871196192(0) ack 16810111 win 65535 [tos 0x20]
12:27:13.459023 I 172.20.245.50.1425 > x.x.64.100.9009: . ack 1 win 32767
12:27:14.164689 I 172.20.245.50.1425 > x.x.64.100.9009: . 1:537(536) ack 1 win 32767
12:27:14.164708 I 172.20.245.50.1425 > x.x.64.100.9009: P 537:652(115) ack 1 win 32767
12:27:17.165341 I 172.20.245.50.1425 > x.x.64.100.9009: . 1:537(536) ack 1 win 32767
12:27:20.138821 I 172.20.245.50.1425 > z.z.150.97.9009: S 16810117:16810117(0) win 65535 <1100145E85A469070101>1100145E85A469070101>
12:27:20.143505 I 172.20.245.50.1425 > x.x.64.100.9009: R 652:652(0) ack 1 win 32767
12:27:20.144710 I 172.20.245.50.1425 > x.x.64.100.9009: . ack 2147483719 win 46
12:27:20.150926 I 172.20.245.50.1425 > x.x.64.100.9009: R 2147484164:2147484164(0) ack 2147483719 win 46
Sorry for pasting such a large and Checkpoint-related post in a Cisco forum....
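As an added example, not part of the original thread, here is a small Python script that reads tcpdump lines in the format pasted above and flags the pattern visible in them: a handshake that completes, followed by client data segments that are retransmitted and reset without the peer ever acknowledging them. The sample lines are constructed: the client address is the thread's own, and 192.0.2.100 stands in for the masked concentrator address x.x.64.100.

```python
import re
from collections import defaultdict

# Classic tcpdump syntax: "<ts> <I|O> <src> > <dst>: <flags> [seq:seq(len)] [ack N] win W ..."
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>[IO])\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SPRF.]+)(?:\s+(?P<s0>\d+):(?P<s1>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?")

# Constructed sample in the thread's format: the client address is the thread's own,
# 192.0.2.100 stands in for the masked concentrator address x.x.64.100.
SAMPLE = """\
12:27:13.413126 I 172.20.245.50.1425 > 192.0.2.100.9009: S 100:100(0) win 65535
12:27:13.453848 O 192.0.2.100.9009 > 172.20.245.50.1425: S 500:500(0) ack 101 win 65535
12:27:13.459023 I 172.20.245.50.1425 > 192.0.2.100.9009: . ack 1 win 32767
12:27:14.164689 I 172.20.245.50.1425 > 192.0.2.100.9009: . 1:537(536) ack 1 win 32767
12:27:14.164708 I 172.20.245.50.1425 > 192.0.2.100.9009: P 537:652(115) ack 1 win 32767
12:27:17.165341 I 172.20.245.50.1425 > 192.0.2.100.9009: . 1:537(536) ack 1 win 32767
12:27:20.143505 I 172.20.245.50.1425 > 192.0.2.100.9009: R 652:652(0) ack 1 win 32767
"""

def analyze(dump: str) -> dict:
    """Per src>dst flow: bytes sent, highest seq end, retransmitted segments, packets
    from the peer, highest post-handshake ack from the peer, and reset seen. tcpdump
    prints relative seq/ack after the SYN exchange, so SYN/SYN-ACK acks are ignored."""
    flows = defaultdict(lambda: {"bytes": 0, "max_seq": 0, "retrans": 0, "from_peer": 0,
                                 "peer_ack": 0, "reset": False, "_seen": set()})
    for m in filter(None, map(LINE.match, dump.splitlines())):
        fwd = flows[(m["src"], m["dst"])]  # flow this packet belongs to
        rev = flows[(m["dst"], m["src"])]  # opposite direction: this packet is its peer traffic
        rev["from_peer"] += 1
        if m["len"] and int(m["len"]) > 0:
            seg = (int(m["s0"]), int(m["s1"]))
            if seg in fwd["_seen"]:
                fwd["retrans"] += 1
            else:
                fwd["_seen"].add(seg)
                fwd["bytes"] += int(m["len"])
                fwd["max_seq"] = max(fwd["max_seq"], seg[1])
        if m["ack"] and "S" not in m["flags"]:
            rev["peer_ack"] = max(rev["peer_ack"], int(m["ack"]))
        if "R" in m["flags"]:
            fwd["reset"] = True
    return {f"{s}>{d}": {k: v for k, v in st.items() if k != "_seen"}
            for (s, d), st in flows.items()}

def unacked_flows(dump: str) -> list:
    """Flows that sent data the peer never acknowledged: handshake fine, data not."""
    return [name for name, st in analyze(dump).items()
            if st["bytes"] > 0 and st["peer_ack"] < st["max_seq"]]
```

Run over the lines pasted above, only the SYN-ACK appears in the O direction, so the 536-byte segment is retransmitted and the connection reset without any data ever being acknowledged on this interface.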
02-06-2009 07:58 AM
Has anybody experienced a similar kind of issue?