VPN Client Cert Chain Issues

I am attempting to set up a VPN connection on a new computer. This connection currently works fine on another machine. I have installed the root cert chain and my personal cert as before, and it fails to connect. I have included my log file below. The cert shows as valid, so I am unsure what I have done wrong. I have done this for other machines and it has worked fine. Any help would be appreciated!
Thank you
Karl
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
109 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
110 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
111 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
112 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
113 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
114 10:24:39.791 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
115 10:24:39.870 07/04/08 Sev=Info/4 CERT/0x63600015
Cert (cn=XXXXXXXXXXXXXX,ou=CSADMIN,dc=secure,dc=XXXXXXXXXXXX,dc=com) verification succeeded.
116 10:24:40.901 07/04/08 Sev=Info/6 CERT/0x63600025
Attempting to find a Certificate using Serial Hash.
117 10:24:40.901 07/04/08 Sev=Info/6 CERT/0x63600026
Found a Certificate using Serial Hash.
118 10:24:41.135 07/04/08 Sev=Info/4 CERT/0x6360001B
No smart card readers with cards inserted found.
119 10:24:41.432 07/04/08 Sev=Warning/2 CERT/0xE360003E
Cert chain missing or intermediate CA signature failed - Cert verification failed.
120 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE3000097
Unable to validate peer certificate, Common Name co-sec-vpn01.ou=secure.ou=XXXXXXXXXXXX.o=com., Issuer cn=CPI,dc=secure,dc=XXXXXXXXXXX,dc=com, (CertCfg:241).
121 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE300009B
Failed to process MM Msg 6 (NavigatorMM:570)
122 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2237)

VPN connection was not established because of an unrecognized reason. Please check the logs for details. A better solution is to install an Identity Cert that is not chained.
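
A log-triage script for this client's record format, added here as an example; it is not part of the original post and not Cisco's tooling. It pairs each header line with the message line that follows it, separates the local identity-cert check (record 115, which succeeded) from the peer-certificate check (records 119 and 120, which failed), and extracts the issuer DN of the gateway certificate, because that issuer's CA certificate is what the client's store must contain for the chain to build. The sample log is an excerpt of the log in the post above; the regular expressions, the finding text and the `Diagnosis` fields are this example's own. The mapping of `0x800b010a` to CryptoAPI's `CERT_E_CHAINING` is a Windows HRESULT value, included so the same script also classifies the "cert pipe" error that appears in the Vista thread further down; the post itself does not state it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# One log record is a header line (optional sequence number, time, date,
# severity/level, subsystem/event code) followed by the message on the next line.
HEADER_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<subsys>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
# "Cert (<dn>) verification succeeded." refers to the client's own identity certificate.
LOCAL_OK_RE = re.compile(r"^Cert \((?P<dn>.+)\) verification succeeded\.$")
# The IKE failure names the peer (gateway) certificate and its issuer.
PEER_RE = re.compile(r"Common Name\s+(?P<cn>.+?),\s+Issuer\s+(?P<issuer>.+?),\s+\(")
# Windows HRESULT CERT_E_CHAINING: CryptoAPI could not build a chain to a trusted root.
CERT_E_CHAINING = "0x800b010a"

# Excerpt of the log from the post above; the banner lines carry no record.
SAMPLE_LOG = """
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
115 10:24:39.870 07/04/08 Sev=Info/4 CERT/0x63600015
Cert (cn=XXXXXXXXXXXXXX,ou=CSADMIN,dc=secure,dc=XXXXXXXXXXXX,dc=com) verification succeeded.
118 10:24:41.135 07/04/08 Sev=Info/4 CERT/0x6360001B
No smart card readers with cards inserted found.
119 10:24:41.432 07/04/08 Sev=Warning/2 CERT/0xE360003E
Cert chain missing or intermediate CA signature failed - Cert verification failed.
120 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE3000097
Unable to validate peer certificate, Common Name co-sec-vpn01.ou=secure.ou=XXXXXXXXXXXX.o=com., Issuer cn=CPI,dc=secure,dc=XXXXXXXXXXX,dc=com, (CertCfg:241).
121 10:24:41.432 07/04/08 Sev=Warning/2 IKE/0xE300009B
Failed to process MM Msg 6 (NavigatorMM:570)
"""


@dataclass
class Record:
    seq: Optional[int]
    sev: str
    subsys: str
    code: str
    message: str


@dataclass
class Diagnosis:
    local_cert_dn: Optional[str] = None   # identity cert found and verified locally
    peer_cn: Optional[str] = None         # gateway cert that failed validation
    peer_issuer: Optional[str] = None     # CA whose cert the client's store must hold
    chain_error: bool = False
    smart_card_missing: bool = False
    findings: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Record]:
    """Pair each header line with the message line after it; non-record lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records: List[Record] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            seq = int(m["seq"]) if m["seq"] else None
            records.append(Record(seq, m["sev"], m["subsys"], m["code"], lines[i + 1]))
            i += 2
        else:
            i += 1
    return records


def diagnose(records: List[Record]) -> Diagnosis:
    """Separate the local identity-cert result from the peer-cert chain result."""
    d = Diagnosis()
    for r in records:
        if r.subsys == "CERT":
            m = LOCAL_OK_RE.match(r.message)
            if m:
                d.local_cert_dn = m["dn"]
            elif "Cert chain missing" in r.message or CERT_E_CHAINING in r.message.lower():
                d.chain_error = True
            elif "No smart card readers" in r.message:
                d.smart_card_missing = True
        elif r.subsys == "IKE":
            m = PEER_RE.search(r.message)
            if m:
                d.peer_cn, d.peer_issuer = m["cn"], m["issuer"]
    if d.local_cert_dn:
        d.findings.append(f"local identity cert verified: {d.local_cert_dn}")
    if d.chain_error and d.peer_issuer:
        d.findings.append(
            f"peer cert '{d.peer_cn}' could not be chained: the client's store holds no trusted "
            f"cert for issuer '{d.peer_issuer}'; import that CA cert and any CA above it"
        )
    elif d.chain_error:
        d.findings.append("a certificate chain could not be built to a trusted root")
    if d.smart_card_missing and not d.local_cert_dn:
        d.findings.append("no identity cert found and no smart card present")
    return d


if __name__ == "__main__":
    for line in diagnose(parse_log(SAMPLE_LOG)).findings:
        print(line)
```

Run against a saved client log to get the same split: the "verification succeeded" record is about the machine's own identity certificate, while the chain error and the IKE failure are about the gateway's certificate, so on the new machine it is the gateway issuer's CA certificate (and whatever sits above it) that needs to be in the trusted store, not the personal certificate.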

Similar Messages

  • Oracle HTTP Server, client certificate chain

    I use Oracle (Apache) HTTP Server, installed from the Oracle SOA Suite distribution.
    There are two types of SSL client cert chains that I use: client-issuer-root, client-root.
    My SSL works fine, unless I need to configure mod_ossl to accept only user certificates signed by the certificate issuer (not the root).
    I add SSLRequire directive:
    SSLOptions StdEnvVars ExportCertData
    SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/issue.cer"))
    but this doesn't work (the condition expression always evaluates to false), and
    SSLOptions StdEnvVars ExportCertData
    SSLRequire (%{SSL_CLIENT_CERT_CHAIN_0} == "")
    the condition always evaluates to true.
    So, SSL_CLIENT_CERT_CHAIN_0 is ALWAYS EMPTY.
    I've tried to use different versions of ApacheModuleOSSL.dll (built 09/19/2006, version 10.1.3.1; built 06/12/2007, version 10.1.3.3); the result is the same.
    I've found something about mod_ssl (not mod_ossl) in "Technologies for Information Environment Security: TIES project report" (http://edina.ac.uk/projects/ties/ties_23-9.pdf):
    "NOTE: This is the second, and more significant, problem we encountered in this area of mod_ssl: the first caused all the
    SSL_CLIENT_CERT_CHAIN_n environmental variables to be empty. We traced this bug back to a literal +17 offset into a
    character string that should have been +18, but by the time we had done so, a fixed version was available."
    Is there the same problem in mod_ossl?
    Does anybody have any ideas?

    Once again)
    http://www.mail-archive.com/[email protected]/msg11705.html
    I've got a question for the Oracle developers: is this the same problem in OHS and OHS2 mod_ossl?
    And if so, when can we expect the patch?
    Thanks!

  • IPad IPSEC Cisco client - Additional route issue

    Hi,
    I am unsure if this problem has come about in recent iOS releases, or is just something that's only become apparent now because someone has tried to use it. I've never had any complaints prior to the last month or so.
    When connecting to a VPN configuration on a Cisco router (which previously didn't work but has for about a year I guess), the iPad receives additional routes just fine, as it should, but does not seem to work with them.
    For example I have 2 networks
    192.168.200.0/24
    10.0.10.0/24
    In my ACLs on the router I add both networks, and I have confirmed with an app on my iPad that it gets both routes. They have the exact same flags, MTU, and gateway. I can get to the 192.168.200.0/24 network, but not the 10.0.10.0/24 network, even though my network tools software says the correct route is in use. It's almost as if it is not encrypted.
    If I reverse the ACL order, so I have the route to the 10.0.10.0/24 network first, then that network will work, and the 192.168.200.0/24 network will NOT, despite the route tables looking EXACTLY the same as in the first instance.
    If I connect via a PC Cisco client, it works fine. All routes work.
    I've had reports (that I have yet to confirm as I do not have a Mac) that the built-in VPN client in macOS has the same issue, but the Cisco-supplied VPN client has no issue.
    It seems like it's an issue with the Apple OS software, but I am open to suggestions - anyone got any ideas?
    Leigh

    I know you don't have an ASA, but I just want to be clear about the information you've given so no one is misled.  The ASA5500-SSL-25 license is a premium license, and with that one gets:
    Robust posture assessment capabilities protect the integrity of the corporate network by restricting VPN access based on an endpoint's security posture. Prior to establishing connectivity, a system may be validated for compliance with various antivirus, personal firewall, or antispyware products, and may undergo additional system checks. An advanced endpoint assessment option is available to automate the process of remediating out-of-compliance endpoint security applications.
    If one didn't want all that then one wouldn't it, and I didn't.  I bought an unlimited anyconnect essentials license and mobile option for my 5520 for no more than $250 USD for both, and unlimited on a 5520 means 250 users since that is the max it can handle.  On the Cisco ISR G2 routers, they're quite expensive units and I think licensing is higher.
    But as far as the main point of discussion here, the real issue is that though IPsec will be around for years to come in site-to-site and dmvpn scenarios, on clients it is another story especially mobile.  Apple collaborated with Cisco on the IPsec client for iOS because of the complexity of IPsec clients and that it had to work to drive iOS acceptance.  That it took Now that SSL VPN client software has matured, it is only a matter of time before Apple yanks IPsec VPN from iOS altogether, and I wouldn't be surprised if they aren't as speedy about fixing bugs in the iOS built-in client as they once may have been.  SSL VPNs are lighter and easier to install on mobile clients and it is not in Apple or Cisco's interest to support IPsec on the client on all platforms indefinitely (Cisco only grudgingly added Win64 support somewhat recently).  It isn't perfect, but installing the client is much easier for our users to do, doesn't require a reboot on Windows or pre-10.6 Macs, and it unifies the experience across all platforms.  I'm not even one to jump on the "latest thing" bandwagon normally, but even at the higher ISR router cost to get SSL VPN I'd have done it just from a user support perspective alone.  If you can eliminate client support costs then there is a cost savings to me and my users that I factor in.

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
    40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
    40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
    .52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
    .52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
    from a host on the internal side (LAN) (192.168.45.1)
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
    g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
    SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    here is where my VPN connection breaks
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check

    Ok..I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

  • VPN Client and Windows 7 Issue

    Using VPN Client V5.0.07.0440 on a Dell Vostro W7 Professional system, 64-bit. The client installs and runs the same way it has on at least 20 other systems without issue. When I try to remote into the network, I get a "can not connect" error attempting to connect to any system or server. I placed a known good laptop using XP on the same internet line; it connects without issue. The remote access (mstsc.exe) version is 6.1.7601.17514; there is no Admin switch in the shortcut. This is the first time anything like this has happened across numerous W7 32- and 64-bit and XP systems. Any help greatly appreciated.
    Thanks
    It's like the VPN connects to the network, but the remote access is not using the same connection. I get the same results whether the VPN Client is loaded or not.
    Sure could use some help on this.

    The system that I am trying to connect with is a Dell Vostro desktop, W7 64-bit Pro. I am attempting to connect to a Windows 2003 domain through a PIX 501 firewall. The desktop system uses an onboard Ethernet adapter connected to the Internet through Charter. I do not have ready access to the computer as it's my employer's home system. The frustrating thing is, I have installed and set this up on at least 30 other systems and all of them worked flawlessly. Of course, this one would be the problem as it belongs to my boss.
    Thanks for responding, I plan on picking up the unit so I can devote some real time to fixing it.
    Thanks again

  • SSLException : untrusted server cert chain in java client, but not getting that with weblogic.

    Hi,
    I am a bit confused about what I am seeing:
    a. I used a Java client to talk to the server and got "untrusted server cert chain";
    resolved the exception by adding the certificate to the cacerts file.
    b. Tried to connect to the server using another WebLogic server and am not getting "untrusted
    server cert chain", even when the certificates are not installed.
    I don't know why it is throwing the SSLException in (a) and not in (b).
    thanks,
    Nirmala

    A stand-alone client takes its trusted certificates from the JDK cacerts keystore
    by default.
    An SSL client running on the server uses the server's trust configuration. By default the server
    is configured to trust the CAs with certificates in the DemoTrust.jks keystore and
    the JDK cacerts keystore.
    Pavel.
    "Nirmala" <[email protected]> wrote:
    > Hi,
    > I am a bit confused about what I am seeing:
    > a. I used a Java client to talk to the server and got "untrusted server cert chain";
    > resolved the exception by adding the certificate to the cacerts file.
    > b. Tried to connect to the server using another WebLogic server and am not getting "untrusted
    > server cert chain", even when the certificates are not installed.
    > I don't know why it is throwing the SSLException in (a) and not in (b).
    > thanks,
    > Nirmala

  • Untrusted server cert chain - MI 7.1 Client PDA

    Dear Expert,
    I am implementing SSL security in SAP MI 7.1.
    The HTTPS service is already enabled (port 443) and I can access it via a browser.
    I generated a certificate and had it signed by the SAP test certificate for 8 weeks.
    I exported the certificate to the truststore file, using the command:
    keytool -import -file MID.cer  -keystore truststore -alias MID -storepass access
    I copied the truststore file (with certificate MID) to the PDA: \MI\settings.
    And also enabled the parameters (in configuration.properties):
    com.sap.tc.mobile.sync.http.port=443
    com.sap.tc.mobile.sync.protocol=https
    com.sap.tc.mobile.sync.http.sslenabled=true
    com.sap.tc.mobile.sync.https.hostnameverifying=false
    com.sap.tc.mobile.sync.https.truststore=/MI/settings/truststore
    But when trying to synchronize the PDA with the DOE I get an error: "untrusted server cert chain"
    I am using: Client MI 7.1 for PDA SP9
    I have reviewed the documents: "How To Configure SSL for SAP NetWeaver Mobile 7.1 Applicable"
    I have checked various forums, without finding a solution ...
    Any idea of the problem?
    Thanks!!

    Hi,
    Follow the below given links to configure SSL
    --> Making External Server Certificates Trusted
    http://help.sap.com/saphelp_dm40/helpdata/en/0f/8d80f68eace441b3d1ebdc4b
    2f2c81/content.htm (The link applies for PDA also)
    --> Configure the below given parameters in the default.properties
    com.sap.tc.mobile.sync.http.sslenabled
      > Default value: True
    com.sap.tc.mobile.sync.https.hostnameverifying
       > Default value: True
    com.sap.tc.mobile.sync.https.truststore
      > Location of truststore file containing SSL certificates. If the
    given location is not absolute, the system searches for the file in a
    path that is relative to the installation directory.
    For more details refer Note : 1312866
    And follow the below given link :
    http://help.sap.com/saphelp_nwmobile71/helpdata/en/06/a7d001e17b421db7e2
    dd8279853971/frameset.htm
    --> Even after following the above mentioned steps, do the following:
    Create the Truststore on a PC and then use an Addon to
    deploy these files to the PDA along with the SSL Libraries.
    Regards,
    Suma

  • Windows 8.1 pro and vpn client issue

    Dear support community,
    I am using Windows 8.1 Pro and Cisco VPN Client version 5.0.0.7.0410.
    My issue is that I am able to connect to the VPN successfully, but when connected I can't ping nodes inside the VPN,
    whereas when I do the same test with Windows 7 and XP PCs, I am able to ping and even remote desktop to nodes.
    Someone help please??

    Funniest thing is, after using my PC for two weeks and doing regular updates, I am now able to ping and RDP to nodes
    inside the VPN.. :-)

  • Cisco vpn client issue on windows 8.1 pro

    I am using a Cisco RV325-K9 router, and I have configured "Easy VPN" on this router.
    Some of our users use Windows 7 Pro and other users use Windows 8.1 Pro with Cisco VPN Client version 5.0.070290.
    The issue is that the VPN client connects but cannot access remote machines or ping on the Windows 8.1 Pro machines, while it works fine on Windows 7 Pro.
    But when I am using wifi through an MTS wifi USB device, it works fine.
    Please find the attached screenshot of VPN Client Statistics.
    Please give me a solution.
    Regards
    Sanjib

    Hi Sanjib,
    The Cisco VPN client is not supported on Windows 8.1, and it has also been announced EOL. The below-mentioned workaround might help you. Try this.
    http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.U9tCdxCrOxo
    Regards
    Karthik

  • VPN Client Issue after Vista Upgrade

    Not sure if this should be posted here, if not please let me know.
    My organization has recently implemented Vista via an Upgrade-in-Place Process that takes an imaged system (Windows XP Pro - 32bit) and upgrades the system with a network image of Windows Vista Enterprise. Applications are left installed and herein lies my problem.
    I'm using Cisco VPN Client 5.0.04, the client worked fine before the upgrade, after the upgrade, not so well.
    While troubleshooting I noted the Cisco Systems VPN Adapter was no longer listed as being installed under Network Adapters in the Windows Device Manager; there was, however, an adapter labeled 6to4 adapter with an exclamation point. I went through the uninstall process for the Cisco VPN Client, rebooted and reinstalled. When trying to connect, I can use one of two pcf files (both are a backup of one another); the first connection profile goes through the motions of connection, tries to contact the security gateway, and states "Not Connected"
    I enabled logging on the connection and tried again. Here's an excerpt from that log:
    09:37:18.278 04/21/09 Sev=Warning/2 CERT/0xA3600038
    Successfully added Key Usage fields to be matched.
    7 09:37:19.792 04/21/09 Sev=Warning/2 CERT/0xA3600038
    Successfully added Key Usage fields to be matched.
    8 09:37:20.338 04/21/09 Sev=Warning/2 CERT/0xE3600001
    Failed to launch application using cert pipe due to error: 0x800b010a.
    9 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
    Failed to generate signature: Signature generation failed (SigUtil:97)
    10 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
    Failed to build Signature payload (MsgHandlerMM:489)
    11 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE300009B
    Failed to build MM msg5 (NavigatorMM:312)
    12 09:37:20.338 04/21/09 Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)
    Has anyone seen this behavior after an upgrade from XP to Vista? Am I going to have to start with a fresh install? I appreciate any suggestions or advice.
    Thanks,
    Jimi

    I finally figured out this problem and I feel it should at least be shared for another person who runs into this problem.
    The problem was resolved by loading my personal certificates (the one that is read by the smart card reader and used to authenticate me on VPN) into the personal certificates folder in the Local Machine layer.
    I did this by opening up an MMC window --> Adding the certificates snap-in (in windows 7 it distinguishes 3 different layers, so choose the local user and the computer layer) --> and then copying the certificates in the personal folder located under Certificates - Current User into the personal folder located in Local Machine.
    The most likely reason this happened to me is that the image I was working with had security settings blocking the certificates from being read at the current user level and not at the local machine level. Therefore, it's a problem with our image and the security policies put in place at the registry level and/or group policies placed in Active Directory. This is more of a workaround than an actual fix to the problem, but at least it pinpoints where the break is happening.
    Now I can push the image back to the developers to review the security policies placed in the image.

  • WLC 5508 7.0.98.0 has vpn client connection issues

    Hi
    My guest SSID is set to L2 security none and L3 web policy with local authentication. Clients that need to connect to some VPN server (Internet) are reporting disconnection issues with the VPN session but not the wireless network. As soon as they connect via another wireless Internet connection, the VPN connection becomes stable. That makes me think it is indeed my wireless network causing the issues. Is there a known issue with the web authentication WLAN and VPN clients? No firewall in the middle.
    Exclusionlist.................................... Disabled
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ xxxxxxxxxxxxxxxx
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    --More or (q)uit current module or <ctrl-z> to abort
    Quality of Service............................... Bronze (background)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
            ACL............................................. Unconfigured
            Web Authentication server precedence:
            1............................................... local
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled

    Thanks Scott,
    We have two controllers and all the APs (50) are associated with the primary Controller,what is the best path to follow for the upgrade.
    We don't have the Field Recovery image installed on our controller; do we have to do the FSU upgrade?
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.98.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... N/A
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console                                                        1.27
    Build Type....................................... DATA + WPS
    System Name...................................... Airespace_01
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    IP Address....................................... 10.0.0.201
    Last Reset....................................... Power on reset
    System Up Time................................... 9 days 2 hrs 57 mins 21 secs
    System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
    Current Boot License Level....................... base
    Current Boot License Type........................ Permanent
    Next Boot License Level.......................... base
    Next Boot License Type........................... Permanent
    Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
    Does the below upgrade path make sense?
    1. Upgrade the primary controller and reboot; wait till all APs associate with the primary controller and download the new image.
    2. Upgrade the secondary controller and reboot.
    3. Fail over the APs to the secondary controller and test.
    Siddhartha

  • 64-bit VPN client issue / error: reason -442: failed to enable virtual adapter.

    Hi all,
    I'm using the VPN client for Windows 64-bit (file name vpnclient-winx64-msi-5.0.07.0290-k9.exe) and installing it on Windows 2003 Server.
    But while connecting via the VPN client to the firewall, the Virtual Adapter takes the IP address but does not connect. I get this error message on screen:
    reason -442: failed to enable virtual adapter.
    Is it possible that this is a configuration or image issue on the ASA? It is the first time we are trying to use a 64-bit OS; the VPN client for 32-bit OS works fine.
    Below are the logs from the VPN client when I tried to connect to the ASA5520, version 7.0(8):
    Cisco Systems VPN Client Version 5.0.07.0290
    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.2.3790 Service Pack 2
    Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
    1      15:38:03.921  01/27/11  Sev=Info/4 CM/0x63100002
    Begin connection process
    2      15:38:03.937  01/27/11  Sev=Info/4 CM/0x63100004
    Establish secure connection
    3      15:38:03.937  01/27/11  Sev=Info/4 CM/0x63100024
    Attempt connection with server "203.199.30.190"
    4      15:38:04.125  01/27/11  Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    5      15:38:04.140  01/27/11  Sev=Info/4 CM/0x63100015
    Launch xAuth application
    6      15:38:09.515  01/27/11  Sev=Info/4 CM/0x63100017
    xAuth application returned
    7      15:38:09.515  01/27/11  Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    8      15:38:10.562  01/27/11  Sev=Info/4 CM/0x63100019
    Mode Config data received
    9      15:38:10.781  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to enable the 64-bit VA after timeout
    10     15:38:10.781  01/27/11  Sev=Warning/3 CVPND/0xE3400029
    The Client failed to enable the Virtual Adapter on 64-bit Windows
    11     15:38:10.781  01/27/11  Sev=Warning/2 CM/0xE310000A
    The virtual adapter failed to enable
    12     15:38:10.781  01/27/11  Sev=Info/6 CM/0x6310003A
    Unable to restore route changes from file.
    13     15:38:10.781  01/27/11  Sev=Info/6 CM/0x63100037
    The routing table was returned to original state prior to Virtual Adapter
    14     15:38:10.859  01/27/11  Sev=Info/4 CM/0x63100035
    The Virtual Adapter was disabled
    15     15:38:10.859  01/27/11  Sev=Warning/2 IKE/0xE300009B
    Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
    16     15:38:10.859  01/27/11  Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)
    17     15:38:11.546  01/27/11  Sev=Info/4 CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "Unknown".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    18     15:38:11.546  01/27/11  Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv
    19     15:38:11.578  01/27/11  Sev=Info/6 CM/0x63100046
    Set tunnel established flag in registry to 0.
    20     15:38:40.953  01/27/11  Sev=Info/4 CM/0x63100002
    Begin connection process
    21     15:38:40.953  01/27/11  Sev=Warning/2 CVPND/0xA3400019
    Error binding socket: -21. (DRVIFACE:1234)
    22     15:38:40.968  01/27/11  Sev=Info/4 CM/0x63100004
    Establish secure connection
    23     15:38:40.968  01/27/11  Sev=Info/4 CM/0x63100024
    Attempt connection with server "203.199.30.190"
    24     15:38:41.156  01/27/11  Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    25     15:38:41.171  01/27/11  Sev=Info/4 CM/0x63100015
    Launch xAuth application
    26     15:39:08.031  01/27/11  Sev=Info/4 CM/0x63100017
    xAuth application returned
    27     15:39:08.046  01/27/11  Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
    28     15:39:09.093  01/27/11  Sev=Info/4 CM/0x63100019
    Mode Config data received
    29     15:39:09.312  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to disable the 64-bit VA after timeout
    30     15:39:09.312  01/27/11  Sev=Warning/3 CVPND/0xE340002A
    The Client failed to disable the Virtual Adapter on 64-bit Windows
    31     15:39:19.937  01/27/11  Sev=Warning/3 CVPND/0xA340000D
    The virtual adapter was not recognized by the operating system.
    32     15:39:19.937  01/27/11  Sev=Warning/2 CM/0xE310000A
    The virtual adapter failed to enable
    33     15:39:19.937  01/27/11  Sev=Info/6 CM/0x6310003A
    Unable to restore route changes from file.
    34     15:39:19.937  01/27/11  Sev=Info/6 CM/0x63100037
    The routing table was returned to original state prior to Virtual Adapter
    35     15:39:20.109  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to disable the 64-bit VA after timeout
    36     15:39:20.109  01/27/11  Sev=Warning/3 CVPND/0xE340002A
    The Client failed to disable the Virtual Adapter on 64-bit Windows
    37     15:39:20.281  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to disable the 64-bit VA after timeout
    38     15:39:20.281  01/27/11  Sev=Warning/3 CVPND/0xE340002A
    The Client failed to disable the Virtual Adapter on 64-bit Windows
    39     15:39:20.578  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to disable the 64-bit VA after timeout
    40     15:39:20.578  01/27/11  Sev=Warning/3 CVPND/0xE340002A
    The Client failed to disable the Virtual Adapter on 64-bit Windows
    41     15:39:20.953  01/27/11  Sev=Warning/2 CVPND/0xE340002C
    Unable to disable the 64-bit VA after timeout
    42     15:39:20.953  01/27/11  Sev=Warning/3 CVPND/0xE340002A
    The Client failed to disable the Virtual Adapter on 64-bit Windows
    43     15:39:21.437  01/27/11  Sev=Info/4 CM/0x63100035
    The Virtual Adapter was disabled
    44     15:39:21.437  01/27/11  Sev=Warning/2 IKE/0xE300009B
    Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)
    45     15:39:21.437  01/27/11  Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2263)
    46     15:39:22.046  01/27/11  Sev=Info/4 CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by "Unknown".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
    47     15:39:22.046  01/27/11  Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv
    48     15:39:22.062  01/27/11  Sev=Info/6 CM/0x63100046
    Set tunnel established flag in registry to 0.
    Release notes for the 64-bit VPN client:
    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp63537
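To read a trace like the one above quickly (every entry is a header line followed by a message line), here is a small parser and triage helper added for this thread; it is not Cisco's code or the poster's, and the STAGES mapping is my own reading of the CM codes that appear in the log.

```python
import re
from typing import Dict, List, Optional
# Header line of a Cisco VPN Client log entry, as seen in the log above:
#   "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Name>/<level> <Component>/0x<code>"
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\d{2}/\d{2}/\d{2}\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)

# CM codes that mark progress through the connection (assumed mapping, taken from the log above).
STAGES = {"6310000E": "phase1_sa", "63100017": "xauth_done", "63100019": "modecfg"}

def parse_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({"seq": m["seq"], "sev": m["sev"], "level": m["level"], "comp": m["comp"],
                            "code": m["code"].upper(), "msg": lines[i + 1]})
            i += 2
        else:
            i += 1  # banner lines such as "Cisco Systems VPN Client Version ..." have no header
    return entries

def first_failure(entries):
    """The first Warning is normally the root cause; later ones are cleanup noise."""
    return next((e for e in entries if e["sev"] == "Warning"), None)

def triage(text: str) -> Dict[str, Optional[str]]:
    """How far did IKE get, and what was the first thing to go wrong?"""
    entries = parse_log(text)
    reached = [STAGES[e["code"]] for e in entries if e["code"] in STAGES]
    fail = first_failure(entries)
    return {"last_stage": reached[-1] if reached else None,
            "failure": f'{fail["comp"]}/0x{fail["code"]}' if fail else None,
            "message": fail["msg"] if fail else None}

# Constructed sample: a handful of entries copied from the log in the post above.
SAMPLE_LOG = """Cisco Systems VPN Client Version 5.0.07.0290
4      15:38:04.125  01/27/11  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
6      15:38:09.515  01/27/11  Sev=Info/4 CM/0x63100017
xAuth application returned
8      15:38:10.562  01/27/11  Sev=Info/4 CM/0x63100019
Mode Config data received
9      15:38:10.781  01/27/11  Sev=Warning/2 CVPND/0xE340002C
Unable to enable the 64-bit VA after timeout
"""
```

Running `triage(SAMPLE_LOG)` on the trace above reports that Phase 1, XAUTH and Mode Config all completed and that the first warning is CVPND/0xE340002C, which places the fault in the virtual adapter rather than in authentication or the ASA policy.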

    Hi Anisha,
    The exact version of the OS is "Microsoft Windows Server 2003 x64".
    I need a supported Cisco VPN client for this OS.
    =========
    Thanks for the reply.
    Raj

  • IPhone VPN client issues

    1. Even if you key in a password for the VPN client, putting the phone to sleep will clear the password, requiring you to retype it the next time you start the client.
    2. The only place to type alphanumerics for the password is on the VPN setup screen; if you just slide the VPN switch to On, you are presented with a numbers-only dial pad.
    3. The PPTP VPN client only recognizes maximum security; setting it to either automatic or none just hops back to maximum on save.
    4. The network stack doesn't allow you to easily set up special DNS servers for the VPN connection (the equivalent under OS X is to go into System Preferences > Network, select the VPN (PPTP) adapter and enter the DNS information there).
    Since we use VPN to secure our wireless network, that means our iPhone users are unable to use WiFi at the office.

    Scott,
    You're correct (mostly). I've experienced the same issues and have tried to work around them as follows:
    1) Use a numeric password for the VPN user account. Of course, you'll have to enter it each time (did they even test this?) but at least it works.
    4) Depending on your VPN device you should be able to set the DNS addresses via that. I'm using a Cisco ASA and set the DNS via the Group Policy for the DefaultRAGroup.
    The bottom line? iPhone and VPN are not friends. Moreover, the iPhone has no EAP support for wireless authentication. I'm a huge Apple fan but that is just stupid.

  • Vista VPN Client TrueVector Device Driver Issue

    Hi,
    I have an unresolved issue with the VPN Client v.5.0.01.0600 (Vista) on a Vista Home Premium system.
    The client was successfully installed using admin privileges. But upon rebooting, the following error pops up:
    <snip>
    This driver is blocked due to compatibility issues...
    Driver: TrueVector Device Driver
    Publisher: Zone Labs, Inc.
    </snip>
    This error occurs immediately upon user logon and just pops up every minute or so.
    I haven't seen anything about this problem in the release notes. Does anyone know what could cause it or/and how it can be resolved?
    PS: Some Norton security software (don't remember which one) was installed on this system, but I removed it prior to the Cisco VPN Client installation.

    On Vista Beta 2, the first time logs are enabled, the Microsoft firewall pops up a dialog box asking to allow the IPSecLog process. To enable logging, please allow the IPSecLog process. Log messages do not show up until the log file is touched.
    In Vista Beta 2, the VPN Client cannot detect that the VPN Client is already connected after the user logs in. The workaround is to launch the VPN Client; you will notice that the lock icon appears in the taskbar.

  • Windows 8 Cisco VPN Client Issue

    I connect to several of my customers with the Cisco VPN Client Version 5.0.07.0290 and all has been working fine. In the last week, virtually every Windows 8 machine has stopped working. The client connects fine, shows it's connected, but if I go to Status -> Statistics it just shows 0 in the Bytes Received and Sent. The Bypassed and Discarded increases, but I am unable to reach any system. Does anyone know what causes this or how to resolve it? This is a HUGE problem for me as all of the work we do for our customers is via their VPNs. Every non-Windows 8 PC still works fine. And these Windows 8 PCs have been working fine until just the last week. Browsing through, I've seen posts with this same issue, but none related to Windows 8 recently. They are all Windows 7, and my Windows 7 machines are working flawlessly.
    Someone help!
    Thanks,
    Brian

    Hi Brian,
    The IPsec client is not supported on Windows 8 machines.
    Cisco VPN Client 5.0.07 supports the following Microsoft OSs:
    • Windows 7 on x64 (64-bit)
    • Windows 7 on x86 (32-bit) only
    • Windows Vista on both x86 (32-bit) and x64
    • Windows XP on x86
    VPN Client does not support the Tablet PC 2004/2005; and Windows 2000, NT, 98, and ME.
    VPN Client supports smart card authentication on Windows 7, Vista, and XP. However, VPN Client does not support the ST Microelectronics smart card Model ST23YL80, and smart cards from the same family.
    VPN Client supports up to one Ethernet adapter and one PPP adapter. It does not support the establishment of a VPN connection over a tethered link.
    VPN Client 5.0.x is incompatible with the combination of Cisco Unified Video Advantage 2.1.2 and McAfee HIPS Patch 4 Build 688. To avoid system failures, uninstall either of these two applications, upgrade McAfee to the latest version, or use VPN Client 4.6.x.
    To install the VPN Client, you need:
    • Pentium®-class processor or greater
    • Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)
    • 50 MB hard disk space
    • 128 MB RAM (256 MB recommended)
    • Administrator privileges
    The VPN Client supports the following Cisco VPN devices:
    • Cisco Series 5500 Adaptive Security Appliance, Version 7.0 or later.
    • Cisco VPN 3000 Series Concentrator, Version 3.0 or later.
    • Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).
    • Cisco IOS Routers, Version 12.2(8)T or later.
    You can get more information from the following link:
    http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp63537
    Regards,
    Naresh
