pbwalsh
just joined
Topic Author
Posts: 23
Joined: Mon Aug 23, 2004 8:34 pm
Location: Dallas, TX

Cisco VPN not passing through 2.9.12?

Tue Feb 14, 2006 9:48 pm

We are having an issue with the new Cisco VPN client 4.6.0 not being able to connect through an RB232 or RB532 running 2.9.12. The problem seems to be limited only to this version of the VPN client as other Cisco 4.x.x clients seem to be working just fine. No other VPN issues have been reported yet.

Is any other provider seeing this problem?

We have removed all filters to try and isolate this problem with no success. This has cost some customers, and we are worried that if this problem is not identified, there could be more as this client becomes more popular.
I have some log info from the customer if anyone has any ideas I can post them.
Thank You.
Last edited by pbwalsh on Thu Feb 23, 2006 9:35 am, edited 1 time in total.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Tue Feb 14, 2006 11:29 pm

4.6.04.0043 running fine here. MT is 2.9.12 on a Soekris Net4501.

Regards

Andrew
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sun Feb 19, 2006 10:52 pm

Spoke too soon. Tried to get it working tonight after a 2.9.13 upgrade, client connects but then no traffic through the tunnel.

Downgraded to 2.9.12 but no different. Bypassed the MT and it works fine. I need to look at this some more.

Regards

Andrew
 
pbwalsh
just joined
Topic Author
Posts: 23
Joined: Mon Aug 23, 2004 8:34 pm
Location: Dallas, TX

Thu Feb 23, 2006 9:34 am

We see much the same thing. The VPN will connect, then no key transaction and then a disconnect. Only on the 4.6 Cisco client.
Same on RB532 and 230's.
The older clients seem to work fine. They claim to be using transparent tunneling over UDP. The packet sniffer does not see port 10000 UDP traffic, but it sees all other traffic just fine. Yet the client will not connect.

Could use some Mikrotik support on this one. I have logfile data if they are interested.
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Thu Feb 23, 2006 10:02 am

I'd suggest writing directly to support@mikrotik.com with all the information you can give them (i.e. supout files, log files from VPN client etc.)...

Best regards,
Christian Meis
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Feb 23, 2006 7:29 pm

I believe that UDP encapsulation is using a source and destination port of 4500.

I think we're looking at different problems as I always get the tunnel established. I've determined that it's only the laptop that has a problem when it connects via a wireless bridge. If I wire it to the switch it works OK. MTU is the same on both interfaces though. I haven't had time to get to grips with this one yet though.

What do you see in the client IKE log?

Regards

Andrew
 
pbwalsh
just joined
Topic Author
Posts: 23
Joined: Mon Aug 23, 2004 8:34 pm
Location: Dallas, TX

Fri Feb 24, 2006 5:19 pm

Ok, here you go... there's a bunch...

Cisco Systems VPN Client Version 4.6.04.0043
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 15:23:08.765 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.21.144.14
Interface 172.21.144.14

2 15:23:08.765 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac15900e, Gateway: ac15900e.

3 15:23:08.765 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 216.192.202.255
Netmask 255.255.255.255
Gateway 172.21.144.14
Interface 172.21.144.14

4 15:23:08.765 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: d8c0caff, Netmask: ffffffff, Interface: ac15900e, Gateway: ac15900e.

5 15:26:55.264 02/10/06 Sev=Warning/3 CM/0xA3100027
Adapter address changed from 216.192.202.1. Current address(es): 172.21.144.14, 192.168.1.101.

6 15:26:55.280 02/10/06 Sev=Warning/2 CVPND/0xA340000E
Failed to get adapter index.

7 15:26:56.498 02/10/06 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

8 16:22:35.295 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.21.144.19
Interface 172.21.144.19

9 16:22:35.295 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac159013, Gateway: ac159013.

10 16:22:35.295 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 216.192.201.255
Netmask 255.255.255.255
Gateway 172.21.144.19
Interface 172.21.144.19

11 16:22:35.295 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: d8c0c9ff, Netmask: ffffffff, Interface: ac159013, Gateway: ac159013.

12 16:57:57.372 02/10/06 Sev=Warning/3 CM/0xA3100027
Adapter address changed from 216.192.201.7. Current address(es): 172.21.144.19, 192.168.1.101.

13 16:57:57.372 02/10/06 Sev=Warning/2 CVPND/0xA340000E
Failed to get adapter index.

14 16:57:58.747 02/10/06 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

15 17:00:15.747 02/10/06 Sev=Warning/2 CVPND/0xA3400011
Error -21 sending packet. Dst Addr: 0xC0A801FF, Src Addr: 0xC0A80165 (DRVIFACE:1152).

16 17:02:31.606 02/10/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: GetAdaptersInfo, error 0

17 17:02:31.715 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.21.128.18
Interface 172.21.128.18

18 17:02:31.715 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac158012, Gateway: ac158012.

19 17:02:31.715 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 216.192.196.255
Netmask 255.255.255.255
Gateway 172.21.128.18
Interface 172.21.128.18

20 17:02:31.715 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: d8c0c4ff, Netmask: ffffffff, Interface: ac158012, Gateway: ac158012.

21 17:11:22.497 02/10/06 Sev=Warning/3 CM/0xA3100027
Adapter address changed from 216.192.196.4. Current address(es): 172.21.128.18, 192.168.1.101.

22 17:11:22.512 02/10/06 Sev=Warning/2 CVPND/0xA340000E
Failed to get adapter index.

23 17:11:23.997 02/10/06 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

24 17:11:52.637 02/10/06 Sev=Warning/2 CVPND/0xA3400011
Error -21 sending packet. Dst Addr: 0xC0A801FF, Src Addr: 0xC0A80165 (DRVIFACE:1152).

25 17:14:43.872 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.21.128.29
Interface 172.21.128.29

26 17:14:43.872 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac15801d, Gateway: ac15801d.

27 17:14:43.887 02/10/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 216.192.199.255
Netmask 255.255.255.255
Gateway 172.21.128.29
Interface 172.21.128.29

28 17:14:43.887 02/10/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: d8c0c7ff, Netmask: ffffffff, Interface: ac15801d, Gateway: ac15801d.

29 17:34:07.752 02/10/06 Sev=Warning/3 CM/0xA3100027
Adapter address changed from 216.192.199.2. Current address(es): 172.21.128.29, 192.168.1.101.

30 17:34:07.752 02/10/06 Sev=Warning/2 CVPND/0xA340000E
Failed to get adapter index.

Cisco Systems VPN Client Version 4.6.04.0043
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 17:35:33.674 02/10/06 Sev=Info/4 CERT/0x63600013
Cert (cn=WA763267-WAH,ou=StandardWks,ou=Workstations,dc=OA2,dc=aeth,dc=aetna,dc=com) verification succeeded.

2 17:35:33.674 02/10/06 Sev=Info/4 CM/0x63100002
Begin connection process

3 17:35:33.674 02/10/06 Sev=Warning/2 CVPND/0xA3400011
Error -21 sending packet. Dst Addr: 0xC0A801FF, Src Addr: 0xC0A80165 (DRVIFACE:1152).

4 17:35:33.689 02/10/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

5 17:35:33.689 02/10/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "xtranet1.aetna.com"

6 17:35:33.767 02/10/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 206.213.215.16.

7 17:35:33.767 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 206.213.215.16

8 17:35:33.783 02/10/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

9 17:35:33.783 02/10/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

10 17:35:33.783 02/10/06 Sev=Info/6 IPSEC/0x6370002C
Sent 966 packets, 0 were fragmented.

11 17:35:33.783 02/10/06 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (216.192.199.2)

12 17:35:33.861 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

13 17:35:33.861 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T), VID(Frag)) from 206.213.215.16

14 17:35:33.861 02/10/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

15 17:35:33.861 02/10/06 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

16 17:35:33.861 02/10/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

17 17:35:33.861 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to 206.213.215.16

18 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

19 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

20 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

21 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

22 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x63000073
All fragments received.

23 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?), NAT-D, NAT-D) from 206.213.215.16

24 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

25 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

26 17:35:33.986 02/10/06 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text

27 17:35:34.158 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 206.213.215.16

28 17:35:39.252 02/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

29 17:35:39.252 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 206.213.215.16

30 17:35:41.970 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

31 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

32 17:35:41.970 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

33 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

34 17:35:41.970 02/10/06 Sev=Info/5 IKE/0x63000073
All fragments received.

35 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (Retransmission) from 206.213.215.16

36 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

37 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 206.213.215.16

38 17:35:47.252 02/10/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

39 17:35:47.252 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 206.213.215.16

40 17:35:49.970 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

41 17:35:49.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

42 17:35:49.970 02/10/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.213.215.16

43 17:35:49.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 206.213.215.16

44 17:35:49.970 02/10/06 Sev=Info/5 IKE/0x63000073
All fragments received.

45 17:35:49.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (Retransmission) from 206.213.215.16

46 17:35:49.970 02/10/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=87462B901B72E52E R_Cookie=F230BF4D0C7B9C10) reason = DEL_REASON_PEER_NOT_RESPONDING

47 17:35:49.970 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 206.213.215.16

48 17:35:50.752 02/10/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=87462B901B72E52E R_Cookie=F230BF4D0C7B9C10) reason = DEL_REASON_PEER_NOT_RESPONDING

49 17:35:50.752 02/10/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xtranet1.aetna.com" because of "DEL_REASON_PEER_NOT_RESPONDING"

50 17:35:50.752 02/10/06 Sev=Info/4 CM/0x6310000C
All connection attempts with backup server failed

51 17:35:50.752 02/10/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

52 17:35:50.752 02/10/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

53 17:35:50.752 02/10/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

54 17:35:50.752 02/10/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

55 17:35:50.767 02/10/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

56 17:35:50.767 02/10/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

It should be noted that this same configuration works fine on a competitor wi-fi network that does not use routing. It also works via DSL. We run exclusively Motorola Canopy and until very recently everything worked perfectly, then the problem became apparent one weekend and then stopped altogether.
We have no filters on internal routers and the external policies on the border router have not changed. Of course the customer's employer IT department claims no changes on their side at all and everyone else can work just fine.
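The IKE portion of the log above is the part worth reading mechanically: the client sends its ID/CERT/SIG main-mode message, retransmits it twice, meanwhile the peer keeps resending its own fragmented message, and the SA is finally discarded with DEL_REASON_PEER_NOT_RESPONDING. That shape means the peer is alive but never received the client's packet. The following is an added example, not code from the thread, Cisco or MikroTik: it parses the two-line record format the client writes and flags that pattern. The sample records are constructed to mirror the posted format with placeholder peer addresses (203.0.113.1, vpn.example.net) and zeroed cookies; the "suspect fragment loss" verdict is a heuristic, not a Cisco diagnostic.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Cisco VPN Client 4.x writes two lines per record:
#   <seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Level>/<n> <COMPONENT>/<0xCODE>
#   <message>
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<level>\w+)/\d\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")


@dataclass
class Entry:
    seq: int
    time: str
    level: str
    comp: str
    code: str
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    out: List[Entry] = []
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m:
            msg = lines[i + 1] if i + 1 < len(lines) else ""
            out.append(Entry(int(m["seq"]), m["time"], m["level"], m["comp"], m["code"], msg))
    return out


def diagnose_phase1(entries: List[Entry]) -> Dict[str, object]:
    """Heuristic verdict on ISAKMP main mode (IKE phase 1) from the IKE records.

    Flagged as suspect: our last fresh MM message is retransmitted while the peer
    keeps resending *its* previous (fragmented) message, and the SA is finally
    discarded with PEER_NOT_RESPONDING. The peer is alive but never saw our
    packet; when that packet carries CERT/SIG payloads (large, often fragmented),
    loss of large or fragmented UDP on the path is the first thing to check.
    """
    last_sent, outcome = "", "incomplete"
    ours = peer = frags = 0
    for e in entries:
        if e.comp != "IKE":
            continue
        m = e.msg
        if m.startswith("RECEIVING <<< ISAKMP OAK MM (FRAG)"):
            frags += 1
        elif m.startswith("RECEIVING <<< ISAKMP OAK MM (Retransmission)"):
            peer += 1
        elif m.startswith("SENDING >>> ISAKMP OAK MM *(Retransmission)"):
            ours += 1
        elif m.startswith("SENDING >>> ISAKMP OAK MM"):
            last_sent, ours = m, 0          # a fresh message resets our counter
        elif m.startswith("RECEIVING <<< ISAKMP OAK MM *("):
            outcome = "completed"           # encrypted reply to our ID/CERT/SIG
        elif "Discarding IKE SA" in m and "PEER_NOT_RESPONDING" in m:
            outcome = "failed"
    large = any(p in last_sent for p in ("CERT", "SIG"))
    return {
        "outcome": outcome,
        "our_retransmissions": ours,
        "peer_retransmissions": peer,
        "peer_fragments": frags,
        "last_sent": last_sent,
        "suspect_fragment_loss": outcome == "failed" and ours >= 2
                                 and (peer > 0 or frags > 0) and large,
    }


# Constructed sample mirroring the posted format (placeholder peer, zeroed cookies).
FAILED_LOG = """\
7 17:35:33.767 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(Nat-T), VID(Frag)) to 203.0.113.1
13 17:35:33.861 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T), VID(Frag)) from 203.0.113.1
17 17:35:33.861 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 203.0.113.1
19 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 203.0.113.1
21 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from 203.0.113.1
23 17:35:33.986 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, NAT-D, NAT-D) from 203.0.113.1
27 17:35:34.158 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 203.0.113.1
29 17:35:39.252 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 203.0.113.1
35 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (Retransmission) from 203.0.113.1
37 17:35:41.970 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 203.0.113.1
48 17:35:50.752 02/10/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0000000000000000 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
49 17:35:50.752 02/10/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "vpn.example.net" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# Constructed healthy exchange for comparison: the encrypted reply arrives.
HEALTHY_LOG = """\
7 09:00:00.000 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(Nat-T)) to 203.0.113.1
13 09:00:00.050 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T)) from 203.0.113.1
27 09:00:00.300 02/10/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, SIG) to 203.0.113.1
31 09:00:00.400 02/10/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 203.0.113.1
"""

if __name__ == "__main__":
    for name, text in (("failed", FAILED_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose_phase1(parse_log(text)))
```

Run it against a real client log file by passing the file contents to parse_log(); the verdict dictionary is what you would attach to a support ticket alongside the supout file, since it states in one line whether the peer went silent or whether the client's own large message is the one that never arrived.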
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Fri Feb 24, 2006 8:46 pm

From an initial read-through it looks like a packet fragmentation issue. Try pinging from one of the clients with -f and -l options and varying packet sizes until you find a size that can get through. Then use the Cisco MTU adjustment program on one of the clients.

Regards

Andrew
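Andrew's suggestion above (don't-fragment pings of varying size until one gets through) can be automated as a binary search over the payload size. The following is an added example, not Andrew's or Cisco's code: it builds the right ping invocation per operating system (`-f -l` on Windows, `-M do -s` on Linux iputils, `-D -s` on macOS), judges success only by an actual echo reply line, and searches for the largest payload that passes. The path MTU is then payload plus the 28 bytes of IPv4 and ICMP header (an assumption for IPv4 without options). The `simulated_path` helper is a constructed stand-in so the search can be exercised without a network; ICMP filtering on the path will make the real probe report sizes as failing, so treat "None" as "inconclusive", not as "MTU below 32".

```python
import platform
import subprocess
from typing import Callable, List, Optional

IP_HEADER = 20    # bytes, IPv4 without options (assumption)
ICMP_HEADER = 8   # bytes, ICMP echo request/reply header


def ping_command(host: str, payload: int, system: str = platform.system()) -> List[str]:
    """argv for one don't-fragment echo request carrying `payload` data bytes."""
    if system == "Windows":
        return ["ping", "-f", "-l", str(payload), "-n", "1", host]
    if system == "Darwin":
        return ["ping", "-D", "-s", str(payload), "-c", "1", host]
    # Linux iputils: -M do sets DF and refuses to fragment locally
    return ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]


def ping_probe(host: str, payload: int, timeout: float = 5.0) -> bool:
    """True only if a DF-marked echo of this size gets a real reply line.

    Windows prints "Packet needs to be fragmented but DF set." as a 'Reply from'
    line, so the exit code alone is not enough; a genuine reply contains
    'bytes=' (Windows) or 'bytes from' (Linux/macOS).
    """
    try:
        r = subprocess.run(ping_command(host, payload), capture_output=True,
                           text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return r.returncode == 0 and ("bytes=" in r.stdout or "bytes from" in r.stdout)


def largest_passing_payload(probe: Callable[[int], bool],
                            lo: int = 32, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest payload for which probe() succeeds.

    Invariant inside the loop: probe(lo) passed, probe(hi) failed. Returns None
    when even `lo` fails (typically ICMP is filtered rather than a tiny MTU).
    """
    if probe(hi):
        return hi
    if not probe(lo):
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(payload: int) -> int:
    """Largest IP datagram the path carried: payload plus IPv4 and ICMP headers."""
    return payload + IP_HEADER + ICMP_HEADER


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a link that drops DF datagrams larger than `mtu`."""
    return lambda payload: path_mtu(payload) <= mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda n: ping_probe(host, n)) if host else simulated_path(1428)
    best = largest_passing_payload(probe)
    if best is None:
        print("no DF echo got through; ICMP may be filtered (inconclusive)")
    else:
        print(f"largest DF payload {best} bytes -> path MTU {path_mtu(best)}")
```

Run it with a host argument from the affected client to probe the real path, or without one to see the search run against the simulated 1428-byte link. Once you have the path MTU, the number the Cisco MTU adjustment program needs is that value minus the encapsulation overhead the tunnel adds, which depends on the transport mode (NAT-T over UDP adds more than plain ESP), so measure rather than guess.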
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Mar 01, 2006 10:53 pm

I've just upgraded to v4.8 of the Cisco client and everything is working normally again.

Regards

Andrew
 
pbwalsh
just joined
Topic Author
Posts: 23
Joined: Mon Aug 23, 2004 8:34 pm
Location: Dallas, TX

Thu Mar 02, 2006 6:59 am

Thanks for the note.
After further investigation we found that every customer that has had VPN issues has crossed AT&T on the 12.0.0.0 network. The outgoing traffic reaches every time, but the return traffic is lossy.
We have escalated this issue to AT&T and hope to have some explanation for the packet loss.
Thanks again for your update!
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Mar 02, 2006 10:26 pm

Sounds like you're making progress. Just goes to show, sometimes the obvious is not the problem.

I've had to de-install the 4.8 client. It broke PPTP connections from the laptop. I'll try the 4.7 client tomorrow. After that, it's back to try some earlier ones (if they're still available).

Regards

Andrew
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Fri Mar 03, 2006 1:17 am

What you experienced was v2.9.12's inability to pass fragments.
I -CAN'T WAIT- for a fix! It's just terrible to deal with on a PPPoE network (which several of my customers run).
