Cisco VPN Client connection issue

15 07 2008

Recently I was troubleshooting a Cisco VPN Client issue. The Cisco VPN Client version is 4.0.5, installed on a Windows XP SP2 client with all recent Windows security updates. After you have installed and configured the client, you may experience the same problem I did when a GPO is configured to enable the Windows Firewall while the machine is not connected to the Active Directory domain.


VPN Client: Secure VPN Connection terminated locally by the Client. Reason 414: Failed to establish a TCP connection.

Transparent tunneling was enabled with IPSec over TCP port 10000 to the Cisco VPN concentrator. I changed it to IPSec over UDP and even disabled transparent tunneling, but the result was the same when connecting. I googled and found one KB article from Microsoft.

http://support.microsoft.com/kb/838207

Update to permit the Cisco VPN Client program to work in TCP transport mode in Windows XP SP2

After you install a pre-release version of Windows XP SP2, if you configure Cisco VPN Client version 4.0.3.D to use Internet Protocol security (IPSec) over TCP, you receive the following error message when you try to connect to a Cisco VPN concentrator:

Secure VPN Connection terminated locally by the Client. Reason 414: Failed to establish a TCP connection.

This problem occurs because the TCP/IP protocol is changed to drop any packets that are directed to the loopback IP address, but that arrive on an interface other than the loopback interface. Because the Cisco VPN client sends packets to the loopback IP address, but the packet comes from a physical interface, the packets are dropped.

I reviewed my Windows Firewall and it was enabled.


I stopped the Windows Firewall with “cmd /k sc stop sharedaccess” and then tried to reconnect. The connection worked without any message and I had connectivity to my office network. After reading the KB article and stopping the firewall, I realized we had forgotten to add the Cisco VPN Client exception in the Active Directory GPO.



Cisco Switch 2940 with MT-RJ fiber

23 04 2008


If you are managing local area networks that extend beyond what UTP cabling can reach, then most likely some kind of fiber optic equipment has been installed. Recently I evaluated a couple of different Cisco switch models and ordered one Cisco Switch 2940-8TF to test with the equipment I am currently managing. Please make sure to read the product details and order the right fiber cable. Most of the equipment I have uses an ST connector; the Cisco 2940 has an integrated 100BASE-FX port with an MT-RJ connector. Check Wikipedia for more information on optical fiber connectors.

Cisco product details:

The Cisco Catalyst 2940-8TF is a member of the Catalyst 2940 Series Switches, small, standalone, managed switches with 8 Fast Ethernet ports and a single integrated Fast Ethernet or Gigabit Ethernet uplink. The switches are designed to be used outside the wiring closet in the end-user workspace, such as classrooms or conference rooms, and feature a durable metal shell, no fan for silent operation, easy wall or under-the-desk mounting, a security lock slot to prevent theft, and an available cable guard to lock down cables and help prevent theft.

Complete with a simple web-based Express Setup, a free Java-enabled web-based monitoring and configuration tool, and the rich functionality of Cisco IOS, this switch provides comprehensive functionality and manageability for classrooms, conference rooms, or other small workgroup environments. Easy to install and manage, periodic software updates for life, and built to last, these switches provide outstanding investment protection and the lowest total cost of ownership in its product class.

  • 8 Ethernet 10/100 ports + 1 Ethernet 100BASE-FX + 1 1000BASE-X SFP port (one uplink active at a time)
  • Wall-mountable, standalone, managed switch
  • Catalyst 2940 Standard Image (SI) software
  • Available with optional Cable Guard


During the installation I collected some screenshots. Take a couple of seconds and check out the web and Telnet interface of the Cisco 2940 switch here.



Cisco Interface Range Specification assign multiple ports as trunk

7 04 2008

Cisco IOS introduced support for the range command in Release 12.0(7)XE, Release 12.1 E, and Release 12.1(5)T and later to select multiple ports within the Cisco switch interface configuration. I am using the range function to assign my first twenty gigabit ports as trunk interfaces for my VMWare ESX environment.

The Interface Range Specification feature allows specification of a range of interfaces to which subsequent commands are applied and supports definition of macros that contain an interface range. The Interface Range Specification feature is implemented with the range keyword, which is used with the interface command. In the interface configuration mode with the range keyword, all entered commands are applied to all interfaces within the range until you exit interface configuration mode.

The Interface Range Specification feature makes configuration easier because:

  • Identical commands can be entered once for a range of interfaces, rather than being entered separately for each interface.
  • Interface ranges can be saved as macros.

Switch1#enable
Switch1#configure terminal
Switch1(config)#interface range gigabitEthernet 0/1 - 20
Switch1(config-if-range)#spanning-tree portfast
Switch1(config-if-range)#switchport mode trunk
Switch1(config-if-range)#^Z
Switch1#copy running-config startup-config
Switch1#show running-config

It can save some time when configuring a new Cisco switch, instead of applying the configuration manually to each Ethernet interface.


If you are installing different VMWare ESX servers, then the CDP support in the networking area can help you find the right port on your Cisco switch; for details check my previous post. After I identified the port, I went back to the switch configuration and added the interface description!
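An added check, not part of the post: a small Python audit that expands the same `interface range gigabitEthernet 0/1 - 20` expression, reads a constructed `show running-config` sample, and reports ports in the range that are not trunking, trunks outside the range, and trunks still missing the description mentioned above. The sample config and interface names are constructed for illustration.

```python
import re

# Constructed sample of `show running-config` output; not the switch from the post.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description ESX01 vmnic0
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

def expand_range(spec):
    """Expand an IOS range such as 'gigabitEthernet 0/1 - 20' into lower-cased interface names."""
    m = re.fullmatch(r"\s*(\S+?)\s*(\d+)/(\d+)\s*-\s*(\d+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    kind, slot, first, last = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
    return [f"{kind}{slot}/{n}".lower() for n in range(first, last + 1)]

def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip().lower()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces

def audit_trunks(config_text, intended_range):
    """Compare the trunk ports actually in the config with the range the admin intended."""
    wanted = set(expand_range(intended_range))
    ifaces = parse_interfaces(config_text)
    trunks = {n for n, lines in ifaces.items() if "switchport mode trunk" in lines}
    return {
        "missing_trunk": sorted(wanted - trunks),      # in the range but not trunking
        "unexpected_trunk": sorted(trunks - wanted),   # trunking outside the range
        "no_description": sorted(n for n in trunks     # trunks still without a label
                                 if not any(l.startswith("description") for l in ifaces[n])),
    }
```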



Cisco PIX 501 and PPTP VPN server port forwarding

19 03 2008

In the following example I am configuring port forwarding to a Windows Server 2003 Standard Edition PPTP VPN server. My setup is shown in the diagram. I have a /28 network registered on the Internet and 14 public IP addresses are available through the SDSL ISP modem. The SDSL modem hands out these IP addresses via its internal DHCP server. For the Cisco PIX 501 firewall I am using a manually assigned public IP address.


In the CLI commands below I am configuring static NAT on a public IP address for TCP port 1723 (PPTP) and assigning the private IP address/hostname VPN-02, which has been defined with the “name” command.

fixup protocol pptp 1723
name 192.168.5.35 VPN-02
access-list outside_access_in permit tcp any host 194.0.0.2
access-list outside_access_in permit gre any host 194.0.0.2
pdm location VPN-02 255.255.255.255 inside
static (inside,outside) tcp 194.0.0.2 pptp VPN-02 pptp netmask 255.255.255.255 0 0

What did I achieve with this configuration? After I applied it I was able to connect from my Windows XP and Windows Vista clients with the built-in VPN client using the PPTP protocol. I used static port forwarding on TCP port 1723 and enabled the GRE IP protocol fixup with the “fixup protocol pptp 1723” command. Without the fixup for the PPTP protocol I was forced to translate the complete internal host (VPN-02), exposing all TCP ports. If you don’t apply the fixup, then you will probably get an event log message like the one below.

Event Type:    Warning
Event Source:    Rasman
Event Category:    None
Event ID:    20209
Date:        3/18/2008
Time:        9:22:43 PM
User:        N/A
Computer:    VPN-02
Description:
A connection between the VPN server and the VPN client 87.0.0.1 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user’s network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.



Windows 2003 PPTP VPN Server and Cisco PIX 501 v6.3

18 01 2008

I am setting up a Windows 2003 PPTP/L2TP VPN server and after the configuration I started the testing phase. The first error I got was 721 on my Windows XP SP2 client. Windows XP is running as a VMWare virtual guest and the host is sitting behind a Cisco PIX 501 firewall.


I then went back to the lab server and saw the error message below. I verified the NAT configuration: a static NAT rule was configured for a private-to-public IP address translation, an ACL was there for ‘any’ TCP communication, and I added a second ACL for IP protocol 47 (GRE).

Event Type:    Warning
Event Source:    Rasman
Event Category:    None
Event ID:    20209
Date:        1/18/2008
Time:        4:59:22 PM
User:        N/A
Computer:    VPN-01
Description:
A connection between the VPN server and the VPN client 0.0.0.0 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user’s network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I started troubleshooting from my Windows Vista Enterprise client and recreated the VPN connection. I tried to connect and, yes, I was prompted for my domain password. The Vista client was connected to my ADSL modem with an 11G connection. The host with Windows XP was sitting behind the Cisco PIX, while the Vista client was directly connected to my ISP.

A Google search directed me to this link, which fixed my problem.

pixfirewall# conf t
pixfirewall(config)# fixup protocol pptp 1723
pixfirewall(config)# exit
pixfirewall# wr mem


Adding “fixup protocol pptp 1723” to my configuration lets the Cisco PIX firewall know how to successfully set up a PPTP connection.




Enable ICMP packets Cisco PIX 501

11 01 2008

pixfirewall# conf t
pixfirewall(config)# access-list ping_acl permit icmp any any
pixfirewall(config)# access-group ping_acl in interface outside
pixfirewall(config)# wr mem

That’s all. I was not able to configure this through PDM. Ping and tracert to Google work fine now.
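An added check, not from these posts, written in Python against a constructed PIX 6.3 fragment modelled on the two PPTP posts above and this ICMP post (the public address 194.0.0.2 and host VPN-02 are reused from the posts; the “eq 1723” on the TCP ACE and the access-group line are assumptions). It verifies the pieces the PPTP posts describe, TCP 1723 and GRE permitted to the public address, a port-level static, fixup protocol pptp and the ACL bound inbound on outside, and flags any ACL with “permit icmp any any”, which admits every ICMP type from anywhere instead of only the replies that ping and tracert need.

```python
import re

# Constructed PIX 6.3 fragment modelled on the posts above; not a real device config.
PIX_CONFIG = """\
fixup protocol pptp 1723
name 192.168.5.35 VPN-02
access-list outside_access_in permit tcp any host 194.0.0.2 eq 1723
access-list outside_access_in permit gre any host 194.0.0.2
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
static (inside,outside) tcp 194.0.0.2 pptp VPN-02 pptp netmask 255.255.255.255 0 0
"""

def _lines(config_text):
    return [l.strip() for l in config_text.splitlines() if l.strip()]

def check_pptp_passthrough(config_text, public_ip):
    """Verify what a PPTP server behind a PIX 6.3 needs; a missing piece shows up as Rasman event 20209."""
    lines, ip = _lines(config_text), re.escape(public_ip)
    found = {
        # control channel: TCP 1723 to the public address (optionally restricted with 'eq')
        "tcp_1723_permitted": any(re.fullmatch(rf"access-list \S+ permit tcp any host {ip}( eq (1723|pptp))?", l) for l in lines),
        # data channel: GRE (IP protocol 47) has no port and needs its own ACE
        "gre_permitted": any(re.fullmatch(rf"access-list \S+ permit gre any host {ip}", l) for l in lines),
        # port-level static so only 1723 is translated to the inside host, not every TCP port
        "static_pptp": any(re.fullmatch(rf"static \(inside,outside\) tcp {ip} (pptp|1723) \S+ (pptp|1723) netmask 255\.255\.255\.255( 0 0)?", l) for l in lines),
        # PPTP inspection so the PIX associates the GRE stream with the TCP control session
        "fixup_pptp": "fixup protocol pptp 1723" in lines,
    }
    # The ACL only takes effect once it is applied inbound on the outside interface.
    names = {m.group(1) for l in lines if (m := re.match(rf"access-list (\S+) permit (tcp|gre) any host {ip}", l))}
    pattern = "|".join(map(re.escape, names)) or "NONE"
    found["acl_bound_outside"] = any(re.fullmatch(rf"access-group ({pattern}) in interface outside", l) for l in lines)
    found["ok"] = all(found.values())
    return found

def broad_icmp_acls(config_text):
    """ACLs that admit every ICMP type from anywhere; ping and tracert replies only need
    echo-reply, time-exceeded and unreachable."""
    return sorted({m.group(1) for l in _lines(config_text)
                   if (m := re.fullmatch(r"access-list (\S+) permit icmp any any", l))})
```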
