
FAQ and Troubleshooting for VPN

FAQ Cisco VPN-Client (IPSec-VPN)

VPN Troubleshooting Checklist

  1. Ensure that you are using the latest available version of the Cisco VPN Client software (see VPN software download) and that previously installed versions are completely uninstalled.
  2. Does the Internet connection function correctly without VPN using the same PC?
  3. Are you in a foreign network? Is a firewall used in this network? Ensure that the firewall allows your data to pass.
  4. Is a firewall installed on your PC? Deactivate the firewall for a VPN connection test and remember that Windows XP has its own integral firewall.
  5. Is anti-virus software installed on your PC? Deactivate the software for a VPN connection test.
  6. If you are using WiFi and you cannot connect to VPN, try to establish a connection using a network cable.
  7. Ensure that the network cable you are using is properly functional. Carry out a test using a second network cable that you know to be properly functional.
  8. Check that there are no question marks or exclamation marks visible in the device manager.
  9. Check whether the manufacturer of the network board you are using (Ethernet and/or WiFi) has newer driver software than that you are using.
  10. Is your network board configured such that it uses DHCP?
  11. Does your login to BONNET (e.g. e-mail) function correctly otherwise?
  12. Is a network bridge installed on your PC?
  13. What log entries are displayed when you open the log window before establishing the connection?

 

Error message 1609

During the installation of the latest version of the Cisco VPN client (vpnclient-win-msi-5.0.01.0600-k9.exe) under Windows XP and VISTA German versions the error message 1609 appears and the setup cannot be continued. The error message 1609 is displayed because the installation program is designed only for English-language operating systems and in a German Windows version the necessary user groups have different names.

  • Remedy:
    In order to be able to nevertheless install the program, create two empty user groups with the English-language names that the program requires.
    This can be done under Windows XP and Vista as follows:
    • Log on with administrator rights
    • Call up the command line (cmd) of Windows (DOS window / Windows input prompt) and enter the commands:
      • net localgroup Users /add
      • net localgroup Interactive /add
    • Then start the installation program again.

An installation guide with pictures can be found at:
Information on error 1609 (in German)

 

Browsing: I can connect to the VPN but cannot browse the Internet

Check in the properties of My Network Places (Windows XP) whether there is a local area connection for the Cisco Systems VPN adapter.
If you are using a personal firewall (Windows XP / Vista), deactivate this firewall and use the Windows firewall.
Check in the device manager and on the manufacturer's website whether you are using the latest driver for your network board.

 

Error: CM_CTCP_FAIL

Below is an example of a log that can be displayed when a firewall on the client computer prevents the VPN connection from being established using IPSec over TCP:

1 09:24:56.320 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000

2 09:25:01.327 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000

3 09:25:06.334 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000

4 09:25:11.341 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000

5 09:25:15.998 06/02/04 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_CTCP_FAIL" (1Dh).

6 09:25:17.040 06/02/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

7 09:25:17.040 06/02/04 Sev=Info/6 IPSEC/0x63700022
TCP RST sent to 10.2.3.45, src port 3249, dst port 10000

 

Error: CM_PEER_NOT_RESPONDING

Below is an example of a log that can be displayed when a firewall on the client computer prevents the VPN connection from being established using IPSec over UDP:

1 08:36:38.699 06/01/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

2 08:36:58.577 06/01/04 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

3 08:36:58.627 06/01/04 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

4 08:36:59.679 06/01/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
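
The two failure logs above can be told apart automatically. The following is an added example, not part of the original FAQ or of Cisco's software: it parses the two-line log records shown on this page and reports the failure reason, together with the number of TCP SYNs sent before it. The function names and the hint texts are assumptions made for this example.

```python
import re
from collections import Counter

# Header line of a record: "<n> <time> <date> Sev=<name>/<level> <MODULE>/<code>"
HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
                    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")
SYN = re.compile(r"TCP SYN sent to (?P<peer>\S+), src port \d+, dst port (?P<port>\d+)")
CALLBACK = re.compile(r'callback failed "(?P<reason>CM_\w+)"')

# Cause this FAQ gives for each failure reason (hint wording is this example's own).
HINTS = {"CM_CTCP_FAIL": "IPSec over TCP failed; FAQ cause: firewall on the client",
         "CM_PEER_NOT_RESPONDING": "IPSec over UDP failed; FAQ cause: firewall on the client"}

def parse_events(text):
    """Turn two-line log records (header line, message line) into dicts."""
    events, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": ""}
            events.append(current)
        elif line and current is not None:
            current["msg"] = (current["msg"] + " " + line).strip()
    return events

def diagnose(text):
    """Summarise the first logged connection failure, or return None."""
    syns = Counter()
    for e in parse_events(text):
        s = SYN.search(e["msg"])
        if s:  # count SYNs per (peer, port) seen before the failure
            syns[(s["peer"], int(s["port"]))] += 1
        c = CALLBACK.search(e["msg"])
        if c:
            return {"reason": c["reason"], "at": e["time"], "syn_attempts": dict(syns),
                    "hint": HINTS.get(c["reason"], "not covered by this FAQ")}
    return None

# Sample input: records 3 to 5 of the CM_CTCP_FAIL log shown on this page.
SAMPLE = """\
3 09:25:06.334 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000
4 09:25:11.341 06/02/04 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to 10.2.3.45, src port 3249, dst port 10000
5 09:25:15.998 06/02/04 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_CTCP_FAIL" (1Dh).
"""
if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Repeated SYNs to the same peer and port with no other traffic before the failure match the IPSec over TCP case; a log with IKE retransmit warnings and no SYNs matches the IPSec over UDP case.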

 

Error: Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again

This error message appears if the VPN service is not active at the time of the VPN connection. The status of the service should be set to "Automatic" after installation of the Cisco VPN client software. The status of the "Cisco Systems, Inc. VPN Service" can be checked in the Windows Control Panel under "Services". To open the control panel, click "Start" and then "Control Panel". The service can also be started manually there if it has not started automatically.

Under Windows 98 this error can occur if the Cisco VPN Software 4.6 is being used. For Windows 98, use version 3.6.6.A.

 

Error: IPC socket allocation failed with error fffffff8h

The Cisco VPN software was incorrectly or incompletely installed. It has to be uninstalled using the menu command "Uninstall VPN Service" and then installed again. Often the program cannot be completely uninstalled; this is then reflected in the fact that a further new installation also fails or is aborted. The program components then have to be uninstalled manually. The instructions for this: How to Manually Uninstall the Cisco VPN Client 3.5 and Later for Windows 2000. The procedure described has also proved to be effective on Windows XP computers, even if not all the files listed can be found.

After several unsuccessful attempts to install the program, we recommend that you try it with an older version of the software.

 

Interpreting error messages - How do I find out what the error message displayed by my Cisco VPN client means?

Use the VPN Client GUI Error Lookup Tool.

 

Log file: How can I have a VPN log file created?

  1. If you have already established a VPN connection, you should disconnect before calling up the Log Viewer. The Log Viewer has to be opened first, before the connection is established.
  2. The Log Viewer is locked as standard; it can be unlocked using the command "Enable" in the log menu.
  3. The log window can be displayed using the command "Log Window" in the log menu. The amount of information collected can be checked via the log settings.

Further information on the filtering, saving and searching of log files and on understanding these files can be found here:

  • Cisco VPN Client for Windows Online Help that is installed on your system ("Viewing and Managing the VPN Client Event Log")
  • Instructions from Cisco: Troubleshooting with View Log

The Log Viewer configuration possibilities and menus can differ, depending on which version of the VPN Client software you have installed.

 

NAT: I cannot establish a VPN connection and my computer is in a network in which NAT is used

A VPN tunnel can generally be created without problems using a NAT device. This is made possible by the standard setting IPSec over UDP (NAT/PAT) that allows the VPN servers and your client to agree on the port number. Alternatively you can select IPSec over TCP (NAT/PAT/Firewall). The port number provided for this on the VPN servers then has to be entered. As standard this is port 10000.

Network Address Translation (NAT): The number of IP addresses available worldwide is not unlimited. NAT allows a larger number of computers to be connected to the Internet using the existing number of addresses. For this, individual addresses from the "private address ranges" (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.255) are assigned to "public addresses", when necessary, via tables stored in the router. In this way the computers in question are able not only to establish a connection to the Internet, but can also be reached via the Internet. The structure of the network remains hidden to the outside, however, and computers which communicate with one another only within the network do not use a public address. In the MS-DOS prompt you can check with the command "ipconfig" whether your computer has been assigned a private or public IP address.

Port and Address Translation (PAT): All addresses of a private network are linked to a single public (dynamic) IP address and their port numbers are exchanged. A private network therefore needs only one public IP address. The private computers cannot, however, be dialed up from the Internet.

IPSec over UDP vs IPSec over TCP: The protocols UDP and TCP are both assigned to the transport layer of the IP protocol stack. TCP exhibits a lower data loss, the respective packet size is known and all bytes are numbered consecutively. Sequence numbers make corruption more difficult. The transmission is slowed down, however, by the establishing and breaking of the connection and by acknowledgments. Transmission with UDP, on the other hand, is unreliable but fast: UDP is susceptible to data loss and data corruption. IPSec is nevertheless a good way of securing a UDP transmission.

 

VPN Client uninstall: Error "The VPNClient application is running"

When you try to uninstall the Cisco VPN software, the error message "The VPNclient application is running. Please terminate all Cisco Systems VPN Client applications and restart uninstall." may be displayed. The tasks "vpngui.exe", "cisvc.exe" and "ipseclog.exe" then have to be terminated so that the software can be successfully uninstalled.

 

Windows Internet Connection Firewall (ICF): IPSec over TCP connection fails

If the Windows Internet Connection Firewall (ICF) is active and you try to establish an IPSec over TCP connection, the error message "Secure VPN Connection terminated locally by the Client. Reason 414: Failed to establish a TCP connection" is displayed. This problem has been remedied since Version 4.6 of the Cisco VPN software.

The Internet Connection Firewall feature implemented in Windows XP and Windows Server 2003 is a "status-sensitive" (stateful) firewall, i.e. it implicitly takes the status of connections into consideration. The opening of specific ports is therefore not necessary when using the ICF.

 

Blue screen when establishing the connection

Some firewalls (e.g. F-Secure) in conjunction with the VPN client cause an error which leads to the computer crashing. In order to prevent this, the "vsdatant" device can be deactivated:

  • First open the Windows device manager (Start -> Execute -> "devmgmt.msc")
  • Under menu item View, select "Show hidden devices".
  • Under "Non-PNP drivers", select the entry "vsdatant" and call up the context menu with a right mouse click.
  • Here click "Deactivate" and then boot the computer again.

 

FAQ Cisco AnyConnect (SSL-VPN) 

Blue screen after booting under Windows XP

A firewall (e.g. ZoneAlarm) in conjunction with the Cisco AnyConnect client can cause a blue screen during the boot routine. In order to prevent this, uninstall the firewall before installing Cisco AnyConnect. After successful installation of Cisco AnyConnect, the firewall must be installed again after booting the system again.

If this problem does occur, it can be remedied as follows:

  • Boot the system with "F8"
  • Start Windows with the last bootable configuration
  • Uninstall Cisco AnyConnect again under "Software"
  • Uninstall the firewall
  • Boot the computer and install Cisco AnyConnect again
  • Finally the firewall can also be installed again.

It should now be possible to boot the system without blue screen and both the firewall and Cisco AnyConnect should function normally.


 
