CISCO RV110W VPN fail.

Similar Messages

• Cisco IPSEC VPN not working after upgrade to Mavericks

  I have been using the Cisco IPSEC VPN for almost 2 years with no issues. When I upgraded to Mavericks this week it stopped working. When i tell it to connect it prompts for password and attempts to connect for about 30 seconds then comes back with the following message...
  VPN Connection
  The negotiation with the VPN server failed. Verify the server address and try reconnecting.
  The address, group, shared secret, user and password are correct. Any help would be greatly appreiated.

  Hry, I'm not sure if this fixes the Cisco IPSec issue, but I can vouch for it fixing the L2TP issue that occurs after tha mavericks upgrade!
  I’ve got L2TP VPN working in Mavericks 10.9 and Server App 3.0.0 / 3.0.1.
  It really is quite a simple fix.
  Obviously, the standard caveats apply: This is a temporary, unsupported, workaround, and only a suggested idea at that. Again, this workaround is NOT supported by Apple.
  Proceed with this workaround on your own equipment at your own risk. And remember the golden rule: Always backup your data!
  OK so here goes… copy and paste the following into termini ONE LINE AT A TIME!
  cd /tmp
  curl -sO http://c5mart.co/mavericks-vpn-fix/racoon.tar.gz
  tar -xzvf racoon.tar.gz
  rm racoon.tar.gz
  sudo chown root:wheel racoon
  sudo chmod 555 racoon
  if [ ! -f /usr/sbin/racoon.mavericks ]; then sudo mv /usr/sbin/racoon /usr/sbin/racoon.mavericks; fi;
  sudo mv racoon /usr/sbin/racoon
  sudo killall racoon
  This works fine for me and I'm running a OSX Server for my entire office.
  …et voilà!

• Profile for Cisco IPsec VPN does not set shared secret correctly

  Hi,
  We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
  I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
  Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
  thanks

  Hi,
  Thanks for the reply but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long. I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third party mobile device management platform too.

• 881 VPN fails after 24hrs/IKE key lifetime

  Hi all,
  This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.       
  We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
  The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
  I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
  Here is a brief list of things I've done.
  - Checked configuration of central router (which is a Mikrotik RB800 btw)
  - Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
  - I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.
  - I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
  I've included the 881's config:
  Building configuration...Current configuration : 7795 bytes
  ! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname <<removed>>
  boot-start-marker
  boot system flash c880data-universalk9-mz.151-4.M4.bin
  boot-end-marker
  logging buffered 102400
  enable secret 4 <<removed>>
  no aaa new-model
  memory-size iomem 10
  clock timezone Paris 1 0
  clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
  crypto pki token default removal timeout 0
  !no ip source-route
  ip dhcp excluded-address 192.168.4.1 192.168.4.9
  ip dhcp excluded-address 192.168.4.199 192.168.4.254
  ip dhcp pool Main
  network 192.168.4.0 255.255.255.0
  dns-server 192.168.4.250 8.8.4.4
  default-router 192.168.4.250
  lease infinite
  ip cef
  ip domain lookup source-interface Dialer1
  ip domain name <<removed>>
  ip name-server 8.8.4.4
  ip name-server 192.168.58.199
  no ipv6 cef
  password encryption aes!
  object-group network SUBNET_DUITSLAND
  description Hele subnet IC Duitsland
  192.168.4.0 255.255.255.0
  object-group network SUBNET_IC_ARNHEM
  description Hele subnet IC Arnhem
  192.168.58.0 255.255.255.0
  object-group network WAN_IC_ARNHEM
  description Het WAN IP adres van IC Arnhem
  host <<removed>>
  vtp mode transparent
  username <<removed>> privilege 15 view root secret 4 <<removed>>
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 102
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
  match access-group 105
  class-map type inspect match-all ccp-cls--1
  match access-group name Outgoing
  class-map type inspect match-all ccp-cls--2
  match access-group name Incoming
  policy-map type inspect ccp-policy-ccp-cls--1
  class type inspect ccp-cls--1
    pass
  class class-default
    drop
  policy-map type inspect ccp-policy-ccp-cls--2
  class type inspect ccp-cls--2
    pass
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class class-default
    drop
  zone security Inside
  zone security Outside
  zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
  service-policy type inspect ccp-policy-ccp-cls--1
  zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
  service-policy type inspect ccp-policy-ccp-cls--2
  crypto logging ezvpn
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
  crypto isakmp key <<removed>> address <<removed>>
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to CO
  set peer <<removed>>
  set transform-set ESP-AES256-SHA
  set pfs group5
  match address 104
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface FastEthernet4
  description DeutscheTelekom$ETH-WAN$
  no ip address
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
  interface Vlan1
  description $FW_INSIDE$
  ip address 192.168.4.250 255.255.255.0
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security Inside
  ip tcp adjust-mss 1412
  interface Dialer1
  description $FW_OUTSIDE$
  mtu 1492
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  zone-member security Outside
  encapsulation ppp
  no ip route-cache
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp chap hostname <<removed>>
  ppp chap password 7 <<removed>>
  ppp pap sent-username <<removed>> password 7 <<removed>>
  ppp ipcp dns request
  ppp ipcp address accept
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  no ip http server
  ip http access-class 2
  ip http authentication local
  ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
  ip access-list extended Incoming
  remark CCP_ACL Category=128
  permit ip any object-group SUBNET_DUITSLAND
  ip access-list extended Outgoing
  remark CCP_ACL Category=128
  permit ip object-group SUBNET_DUITSLAND any
  ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=1
  permit tcp any any eq 443
  ip access-list extended SDM_SHELL
  remark CCP_ACL Category=1
  permit tcp any any eq cmd
  ip access-list extended SDM_SSH
  remark CCP_ACL Category=1
  permit tcp any any eq 22
  no logging trap
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.4.0 0.0.0.255
  access-list 2 permit <<removed>>
  access-list 2 remark Auto generated by SDM Management Access feature
  access-list 2 remark CCP_ACL Category=1
  access-list 2 permit 192.168.4.0 0.0.0.255
  access-list 2 permit 192.168.58.0 0.0.0.255
  access-list 101 remark Auto generated by SDM Management Access feature
  access-list 101 remark CCP_ACL Category=1
  access-list 101 permit ip 192.168.4.0 0.0.0.255 any
  access-list 101 permit ip host <<removed>> any
  access-list 101 permit ip 192.168.58.0 0.0.0.255 any
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
  access-list 103 remark CCP_ACL Category=2
  access-list 103 remark IPSec Rule
  access-list 103 deny   ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
  access-list 103 permit ip 192.168.4.0 0.0.0.255 any
  access-list 104 remark CCP_ACL Category=4
  access-list 104 remark IPSec Rule
  access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
  access-list 105 remark CCP_ACL Category=0
  access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address 103
  line con 0
  line aux 0
  line vty 0 4
  access-class 101 in
  privilege level 15
  password 7 <<removed>>
  login local
  transport input ssh
  ntp update-calendar
  ntp server de.pool.ntp.org prefer
  end
  Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
  .May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
  .May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
  .May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
  .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
  .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
  .May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
  .May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
  .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
  .May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
  .May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
  .May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
  .May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
  .May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  .May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
  .May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
  .May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
  .May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
  .May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
  .May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
  .May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  .May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
  .May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
  .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
  .May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  .May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
  .May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
  .May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
  .May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
  .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
  .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
  .May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
  .May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
  .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
  .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
  .May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
  .May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
  .May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
  .May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
  .May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
  .May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
  .May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  .May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
  .May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
  .May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
  .May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
  .May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
  .May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
  .May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
  .May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
  .May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
  .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
  .May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  .May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
  .May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
  .May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
  .May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
  Crypto ISAKMP debugging is off
  IC-Deutschland#
  .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
  .May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
  .May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
  .May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Can anyone shed some light as what could be going on?
  Much obliged!

  Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
  However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
  Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
  If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.

• Cisco RV042 VPN unable to connect to Netgear PS FVS318

  Hello,
  We recently replaced one of two Netgear ProSafe VPN FVS318 with a Cisco RV042 VPN. Both Netgear were configured site-site and was working fine until one of them failed. We copied as much configuration settings from the failed Netgear PS to the RV042 but were unsuccessful in establishing a connection between the two sites.
  The logs on the Cisco router shows this:
  VPN Log packet from 1.1.1.1:500: received Vendor ID payload [RFC 3947]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
  VPN Log packet from 1.1.1.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]  
  VPN Log packet from 1.1.1.1:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
  VPN Log packet from 1.1.1.1:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet  
  VPN Log packet from 1.1.1.1:500: initial Main Mode message received on 2.2.2.2:500 but no connection has been authorized with policy=PSK  
  Each time we select a tunnel test connect, that last message appears with "but no connection has been authorized with policy=PSK"
  *replaced actual IP with sample IP.
  Any ideas why this is happening?
  Thank you!

  Hello,
  It looks as RV042 receive phase 1 configuration from Netgear, but due to mismatch with it's phase 1 settings does not reply back.
  I can't be more specific as this could be anything in phase 1 - aggressive/main mode; the WAN IP addresses, encryption or SA lifetime. As well if any of the devices is behind NAT, the option NAT traversal should be checked.
  Regards,
  Kremena

• Cisco Systems VPN Client Version 5.0.03.0560 Errors

  Hello I am getting the following errors on my
  VPN Connection Attempts
  Cisco Systems VPN Client Version 5.0.03.0560
  Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
  Client Type(s): Windows, WinNT
  Running on: 5.1.2600 Service Pack 3
  Config file directory: C:\Program Files\Cisco Systems\VPN Client\
  1      19:59:14.375  09/26/10  Sev=Warning/3 CVPND/0xA340000D
  The virtual adapter was not recognized by the operating system.
  2      19:59:14.375  09/26/10  Sev=Warning/2 CM/0xE310000A
  The virtual adapter failed to enable
  3      19:59:14.531  09/26/10  Sev=Warning/2 IKE/0xE300009B
  Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
  4      19:59:14.531  09/26/10  Sev=Warning/2 IKE/0xE30000A7
  Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2238)

  Please kindly check the following readme for VPN Client version 5.0.3.560:
  http://www.cisco.com/web/software/282364316/22941/vpnclient-windows-5.0.03.0560.txt
  Advisory:
  The new client requires a kernel patch, KB952876, from Microsoft before installing first before installing the actual client.
  REF: http://support.microsoft.com/kb/952876/en-us
  Pls kindly check if you have kernel patch KB952876

• Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

  This setup is to try routing Cisco VPN to either RSA or Entrust from Cisco ACS 5.2, depending on some parameter in incoming AUTH request from Cisco IPSec VPN Client 5.x. Tried playing with pcf files and user names/identity stores, none seems working

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• Cisco AnyConnect VPN won't install, says There is a newer version of the AnyConnect client already installed

  I had an issue with my Cisco Anyconnect VPN not working, so uninstalled it. I've tried a new install and now I get the message "There is a newer version of the AnyConnect client installed" and it won't tell me install it at all. I've gone through various recommendations on the site included this :-
  Go to "Regedit" and search for "Deterministic Networks" and delete it.
  HKEY_LOCAL_MACHINE \SOFTWARE\Deterministic Networks
  Search with the following keywords in the registry, under "Uninstall" or  "Components" folders and delete any related entries.
  Vpnapi
  Vpngui
  Cisco
  CVPND
  CVPNDRA
  Ipsecdialer
  Source: https://supportforums.cisco.com/message/3728011#3728011
  But I've still got the same problem, and just cant find anything to help !

  Disable Internet Connection Sharing (ICS) and then try You can disable ICS in two ways:
  Per Adapter:
  Click the Start button.
  Click on Control Panel.
  Click on View Network Status and Tasks
  Click on Change adapter settings
  Right-click the shared connection and choose Properties
  Click the Sharing tab
  Clear the Allow other network users to connect through this computer's Internet connection checkbox
  Click OK
  System Wide:
  Click the Start button (Windows' orb)
  Type: services.msc and press ENTER
  Double-Click on Internet Connection Sharing (ICS)
  Change Startup Type to Disabled
  Reboot the computer
  You can now try reinstalling the WiscVPN client again

• Unable to unistall Cisco AnyConnect VPN - please help

  I have upgraded to Windows 8.1 preview on my Surface Pro. My Cisco AnyConnect VPN stopped working. When I uninstalled the software it left the ‘Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64’ under the network adapters in Device Manager. No matter what I do, I cannot uninstall it from there. I tried everything including uninstalling in safe mode. I says it uninstalled but still appears there. I believe because of this, my internet connection performance has decreased tremendously. It also disconnects and reconnects sometime after. My other computers work perfectly with maximum speed.
  Please Help.
  Thanks,
  Mike

  Windows Event Log detail as follows:
  Faulting application name: vpnagent.exe, version: 3.1.4066.0, time stamp: 0x52211732
  Faulting module name: Dbghelp.dll, version: 6.3.9600.16520, time stamp: 0x52e690ac
  Exception code: 0xc0000005
  Fault offset: 0x00029132
  Faulting process id: 0x1e74
  Faulting application start time: 0x01d02328f37bd890
  Faulting application path: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
  Faulting module path: C:\Windows\SYSTEM32\Dbghelp.dll
  Report Id: 31beb6d1-8f1c-11e4-8278-54271ebdf9a6
  Faulting package full name: 
  Faulting package-relative application ID: 

• Browsing Oracle application using CISCO SSL VPN forms not opening

  Hi all,
  Any idea why am not able to access my application using CISCO SSL VPN.Normal clients are able to use our application there is no problem.i have modifyed the "certdb.txt",still i am having the same problem.here am attaching the Java console output.
  java.net.ConnectException: Operation timed out: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(Unknown Source)
       at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
       at java.net.PlainSocketImpl.connect(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmwebutil.jar
  java.net.ConnectException: Operation timed out: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(Unknown Source)
       at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
       at java.net.PlainSocketImpl.connect(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at java.net.Socket.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmall_jinit.jar
  java.net.ConnectException: Operation timed out: connect

  Hi,
  From your description, my understanding is that you get invalid workflowinstanceid error when you click on workflow link like "inprogress” in the current list.
  Please check the URL of workflow “inprogress” (also URL for workflow approval instance to open task form) to see if it’s correct.
  Please use your company network directly instead of CISCO SSL VPN, then access SharePoint portal url “https://vpnssl.companyname.com/”,  see if the issue still occur.
  Also, check the ULS log on the SharePoint server based on the Correlation ID value, get more detailed information about this error message.
  And you could refer to this similar issue:
  https://social.technet.microsoft.com/Forums/en-US/08aa6b33-cef6-4b01-8af7-6c25ed7d9953/invalid-workflowinstanceid-parameter-in-url?forum=sharepointgeneralprevious.
  Best Regards
  Vincent Han
  TechNet Community Support

• Need Help Setup Cisco RV042 vpn

  good day everyone, a month ago my boss purchase 4 pcs cisco rv042 vpn to be used in our small office and to our satelite office, with expectations of simple file sharing and remote troubleshooting and for better and safe data transfer. since the task is given to me as an IT staff it is difficult to me to setup this vpn router since i have a little  idea and many question are on my mind that need to be answered, i read the manual test the vpn router but still no good answered found. i know it is dufficult but with proper guide and step by step on how to use this one i can make it work. please anyone help me i need answers to this questions.
  i am using windows 7 pro sp1 64bit for my test unit, how can i make a vpn server? a client?
  in the past i connect the internet connection in the internet connection port in the back of the router, then another cable from vpn port 1-4 i select #4 port to connect to my pc, since the vpn give the ip on my pc i can easily connect to the firmware of the vpn using the deafault username and password. when i go to the firmware i dont know where to start, and i dont even have the internet connection for my pc.
  i feel sorry for myself beacuse i have no idea in this kind of thing, CISCO people and others out there i am calling for your help.
  thank you in advance
  mel

  Dear Emilio,
  Thank you for reaching Cisco Small Business Support Community.
  If you’d like to setup a Site to Site VPN on your RV042 here is a good step by step guide;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=304
  If you are looking into a remote access VPN, QuickVPN, here is the step by step procedure;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=452
  Just in case here is also a document with Windows operating systems tips;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=2922
  Finally here is a link with the Admin Guide where starting on page 122 you can find everything related to VPN setup on this particular device model, beside info in how to setup your internal network (I suggest you to go through this admin guide so you know everything about the router);
  http://www.cisco.com/en/US/docs/routers/csbr/rv0xx/administration/guide/rv0xx_AG_78-19576.pdf
  Please let me know if there is any further assistance we may assist you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• Configurate cisco ipsec vpn client at asa 5505 version 8.4

  Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
  please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
  thank you.

  are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
  what version of vpn client ?

• Cisco AnyConnect VPN app on iPhone 4s won't connect

  I have successfully installed the Cisco AnyConnect VPN app on my iPad Air and can connect to my target VPN. But the same app on my iPhone 4s won't work. When I try to connect I get this message: "Connect using Cisco AnyConnect App at least once before using any other App." I'm not trying to use another app, in fact I closed all other apps. I'm using the same settings as the Air. I tried with wi-fi, turned wi-fi off, location services on and off, etc. I'm on Verizon.
  Has anyone got this to work on an iPhone?
  Thanks

  Although I agree that this is really a question for Cisco, finding/receiving an official answer there may take a while.
  This app worked fine for me until I upgraded today - June 19, 2014 - the date of the release of Version 3.0.09430. After upgrade, I get the same message. The update note says "Apple IOS Connect On Demand Considerations - To ensure proper establish of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the Any Connect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message 'The VPN Connection requires an application to start up' will display."
  But I too have tried various interpretations of that, and still get the error above quoted by azmilt.
  It appears that either:
  - the upgrade is faulty
  - the version itself is faulty
  - the directions for a proper upgrade need clarification
  So if anyone has upgraded to this version, and made it work, I think that providing a procedure would help the community.

• Configurar smtp en cisco RV110W for scan spiceworks

  Configurar smtp en cisco RV110W for scan spiceworks
  This topic first appeared in the Spiceworks Community

  Hi,
  Could you please try to put another DNS server on the ESA? Like ISP's DNS or a public one.
  Luis Silva

• Cisco Systems VPN Driver installed without my authorization

  I just did a system software update, installing just the Security Update 2010-004. After rebooting I looked in the syslog and noticed for the first time a report of starting a Cisco Systems VPN driver:
  Wed Jul 21 14:03:59 mhackslab kernel[0] <Debug>: yukon: Ethernet address 00:1b:63:be:3c:6e
  Wed Jul 21 14:04:01 mhackslab rpc.statd[70] <Notice>: statd.notify - no notifications needed
  Wed Jul 21 14:04:01 mhackslab bootlog[85] <Notice>: BOOT_TIME: 1279742620 0
  Wed Jul 21 14:04:02 mhackslab com.apple.launchd[1] (com.apple.distccdConfigd[81]) <Warning>: Exited with exit code: 255
  Wed Jul 21 14:04:02 mhackslab fseventsd[77] <Critical>: bumping event counter to: 0x2bdc081c (current 0x0) from log file
  Wed Jul 21 14:04:12 mhackslab kextd[17] <Notice>: writing kernel link data to /var/run/mach.sym
  Wed Jul 21 14:04:12 mhackslab /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[73] <Error>: Login
  Wed Jul 21 14:04:13 mhackslab /usr/sbin/ocspd[104] <Alert>: starting
  Wed Jul 21 14:04:13 mhackslab com.apple.SystemStarter[68] <Notice>: Starting Cisco Systems VPN Driver
  Wed Jul 21 14:04:14 mhackslab com.apple.SystemStarter[68] <Notice>: kextload: /System/Library/Extensions/CiscoVPN.kext l
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : attempting to attach to all available ethernet interfaces.
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : checking if we are already attached to interface: en0
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : no, not yet attached to interface: en0
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : interface: en0, filter attached.
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : current MTU for en0 is 1500, saving it.
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : checking if we are already attached to interface: en1
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : no, not yet attached to interface: en1
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : interface: en1, filter attached.
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : current MTU for en1 is 1500, saving it.
  Wed Jul 21 14:04:15 mhackslab kernel[0] <Debug>: CiscoVPN : loading cisco ipsec kernel module.
  Wed Jul 21 14:04:21 mhackslab kernel[0] <Debug>: display: Not usable
  My syslog goes back over a year and there is no prior report of such a driver being started. I don't think I have ever manually installed this driver. I have also listed all services by doing 'sudo launchctl list' and 'sudo launchctl bslist' and did not see any report of a Cisco service.
  I would like to know why the driver is now being started every time on bootup, what caused this to occur, and how I can prevent it.
  thanks,
  William Knight

  Hi,
    I suggest you to install the Latest Version of Cisco VPN 5.0.07.0440 : http://software.cisco.com/download/release.html?mdfid=281940730&softwareid=282364316&release=5.0.07.0440&os=Windows
  if you get the same Error try to turn off the Firewall and Connect again, if doesn't solve it you should contact with Cisco VPN Support: https://supportforums.cisco.com/community/netpro/security/vpn
  Regards,
  MCT / MCITP / MCTS / MCSA / MCSE / MCP / C|EH / CCNA