Cisco Systems VPN Client and Linksys router

[jfokas]

I am trying to enable a VPN connection using the Cisco VPN cient version 3.5.1, but get the following error in the log each time I attempt a connection:

14:42:53.208 09/10/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_CTCP_FAIL" (1Dh).

I'm assuming the problem may a conflict with or a setting on my Linksys BEFSR11 cable/dsl router. I've tried changing various settings to no avail.

Does anyone have any ideas or suggestions that might help?

Thanks,

John

 

[blackk]

John,

Did you ever find a solution for this? I am getting the same exact message. I have a windows 2000 laptop, hooked up to cable with a usb cable. I am using cisco client 3.6.

Please let me know.

Thanks.

KJB

 

[garcila]

I was also getting the following error message from the IPSEC log viewer on XP machine.

1 12:51:34.233 01/12/03 Sev=Warning/ DIALER/0xE3300008
GI VPNStart callback failed "CM_CTCP_FAIL" (1Dh).

Apparently, XP has a built-in firewall ICF (Internet Connection Firewall) that must be turned off in order for the VPN client to connect correctly. To turn off the firewall;

1. Go to Network Connections
Start -> Control Panel -> Network Connections

2. Highlight your connection type
Under 'Network Tasks' select change settings

3. Select the 'Advanced' tab and make sure Internet Connection Firewall is turned off.

If your connection type doesn't show an 'Advanced' tab with the ICF option to select/deselect you may not have your connection type of 'Local Area Connection' set up correctly. You may need to recreate your connection using 'Create a new connection'

 

[postup]

Cisco VPN client has an open issue that may apply:
CSCdu86399


If you use the VPN Client with a Digital Certificate and your Client sits behind a Cable/DSL router or some other NAT device, you might not be able to connect to your VPN Gateway device (that is, the VPN 3000 Concentrator). The problem is not with the VPN Client or the Gateway; it is with the Cable/DSL router. When the VPN Client uses a Digital Certificate, it sends the Certificate to the VPN Gateway. Most of the time, the packet with the Certificate is too big for a standard Ethernet frame (1500), so it is fragmented. Many Cable/DSL routers do not transmit fragmented packets, so the connection negotiation fails (IKE negotiation).


This problem might not occur if the Digital Certificate you are using is small enough, but this is only in rare cases. This fragmentation problem happens with the D-Link DI-704 and many other Cable/DSL routers on the market. We have been in contact with a few of these vendors to try to resolve the issue.


Testing with the VPN Client Release 3.1 indicates that VPN Client connections using Digital Certificates can be made using the following Cable/DSL routers with the following firmware:


Linksys BEFSRxx v1.39 or v1.40.1


SMC 7004BR Barricade R1.93e


Nexland Pro400 V1 Rel 3M


NetGear RT314 V3.24(CA.0)


Asante FR3004 V2.15 or later


Others like 3COM 3C510, and D-Link DI-704 either had updated firmware that was tested and failed, or had Beta firmware that was NOT tested because the firmware notes did not indicate a fix specifically for fragmentation.