
Error: Secure VPN Connection terminated locally by client


destini

IS-IT--Management
Jun 23, 2003
32
US
I am trying to connect from my Win2000 PC from home to our network and I keep getting the error "Secure VPN Connection terminated locally by client". The VPN never gets to the login and appears to be looking for the secure gateway when it bombs out. I have a Win2000 laptop with the same client on it and it connects with no problem. Cisco suggested that I may have a corrupt TCP/IP stack and that I needed to format the PC, which I did, and still I get the same error. Sure could use some help or any ideas to resolve this problem.

Thanks!!
 
Hi,
I get the same error, did you fix this problem?

Eran
erans@convergys.co.il
 
No, I haven't resolved this issue, and I installed the client without any firewall or security software on the PC. The client on this PC was installed on a laptop without making any configuration changes, so I don't think that is an issue, and they are both the same OS.
I am beginning to think the problem is my NIC, which is a Realtek NIC but had Intel Pro drivers installed. I will try the Realtek drivers first and if that doesn't work, I'm going to replace the NIC. The biggest problem I'm having at this point is that I have to reformat every time I install the Cisco client and it doesn't connect. It tries once, then won't even attempt a reconnection, even if I uninstall and reinstall the client.
 
I'm having the same problem with a Windows XP Home based laptop that I was setting up for a customer. I've removed and re-installed the VPN Client and all that important stuff, but it just won't connect. I am half suspecting the issue is with this user's dial-up service and not with the firewall or the VPN Client or the laptop.
 
I am using a cable modem, not a dial-up, on both PCs, and still the laptop works great but the desktop doesn't work at all. It still seems logical that it has something to do with the NIC at this point. I'll keep coming back and will let you know if/when I resolve this issue.
 
I don't believe this is a NIC issue, nor a firewall issue, nor a TCP/IP issue. Here is why: I installed the Cisco client, rebooted, installed a Novell NetWare client, rebooted, launched and connected to the VPN, and then logged into the network successfully. Upon restarting the machine later in the day, I get the same error message as you. I removed/reinstalled TCP/IP, the NIC has already demonstrably worked with the Cisco client, and even with my software firewall enabled (WinXP), I was able to establish the tunnel once. I have not, since the initial time I connected, been able to reproduce that result.
 
Do you have more than 1 vendor's VPN client installed?
Cisco and Nortel clients do not function well if both are installed.


Rick Harris
SC Dept of Public Safety-DMV
Network Operations
 
I do not have more than one vendor's VPN client installed, and I replaced the NIC with another brand of NIC. Still getting the same error. This is driving me crazy!
 
Are you connecting the VPN client to a PIX, router or VPN concentrator? What does the Log Viewer say on the client? How about debugs on the headend device? Try to look at debug crypto isakmp and debug crypto ipsec.
 
Hi destini

Destini, can you please tell me what version of the VPN Client you are using, and can you paste the logs you are receiving on the VPN Client? Since you said that your laptop is working fine, we might be facing an issue with the NIC card, as you have pointed out.

Saurav
 
Connecting to a PIX box. Client is 4.0.1 but I also tried two previous versions.

Log file states:
2 14:42:07.984 11/29/03 Sev=Warning/3 CM/0xA310000D
Unable to open connection profile "GHSMD"

I thought it was the NIC too but took out the 3Com NIC and replaced it with a Kingston NIC and it did not resolve the issue.
 
Destini, can you collect an msinfo32 file on your system? To collect it, type msinfo32: do Start > Run and click on System Information, then Actions, and save that as a text file. Then find the keyword "problem" in that file; that will tell you if any device is clashing with your VPN client.

If this also does not work, your last option is to reinstall the OS (bad thing).

Saurav
 
Destini, I don't think this will fix it, but it is worth a try. Make sure that the Windows IPSec client is not enabled. Look at your services that are running. If the IPSec client is running, turn it off and set it to manual so it doesn't restart when you reboot. Then try a connection.
 
All,

See my error msg as follows (VPN server: PIX 6.3.3; client: Cisco VPN client 4.0):

Client error msg:
Secure vpn connection terminated locally by the client
reason: Unable to contact the security gateway.

Server error msg:
crypto_isakmp_process_block:src:61.165.0.75, dest:61.155.20.123 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:61.165.0.75, dest:ISAKMP (0): deleting SA: src 61.165.0.75, dst 61.155.20.123
ISADB: reaper checking SA 0x3d2d1bc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 61.165.0.75/500 not found - peers:1

ISADB: reaper checking SA 0x310f34c, conn_id = 0
spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:61.165.0.75, dest:61.155.20.123 spt:500 dpt:500
ISAKMP: error, msg not encrypted

 
Have you configured DES and SHA on your ISAKMP policy? That combination is not supported on the VPN client; either configure DES and MD5 or 3DES and SHA. I experienced some weird issues a few months ago: the policy was matched but the tunnel wouldn't come up. I configured AES and SHA and the tunnel came up. It was very strange... that's my two cents.
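
The PIX debug output posted above lists each transform the client proposed and the head end's verdict on it, which is what the policy question in this reply turns on. As an added example (not part of the original posts or Cisco tooling), this Python parser turns that output into one record per transform and diffs a proposal against a head-end policy; the `policy` dictionary passed to `mismatches` is an assumption, since the PIX configuration is not shown in the thread.

```python
import re

# Abridged excerpt (transforms 1 and 9) of the PIX debug output posted above.
LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {k: re.compile(r"ISAKMP:\s+" + p) for k, p in {
    "encryption": r"encryption (\S+)", "hash": r"hash (\S+)",
    "group": r"default group (\d+)", "keylength": r"keylength of (\d+)",
    "auth": r"((?:extended )?auth \S+)"}.items()}
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")

def parse_transforms(text):
    """Return one dict per proposed transform, in the order logged."""
    out, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]), "accepted": None}
            out.append(cur)
        elif cur is not None:
            for name, rx in ATTRS.items():
                if (a := rx.search(line)):
                    cur[name] = a[1]
            if (v := LIFE.search(line)):  # VPI bytes form a big-endian integer
                cur["lifetime_s"] = int.from_bytes(bytes(int(b, 16) for b in v[1].split()), "big")
            if "atts are" in line:  # "atts are acceptable" / "atts are not acceptable"
                cur["accepted"] = "not acceptable" not in line
    return out

def mismatches(transform, policy):
    """Attributes where a proposal differs from an assumed head-end policy dict."""
    return {k: (transform.get(k), v) for k, v in policy.items() if transform.get(k) != v}
```

Running `parse_transforms` over the full debug capture and calling `mismatches` with the values from the head end's ISAKMP policy shows, per transform, which attribute the two sides disagree on.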
 
Well I have the same problem.

I share a DSL with my room-mate. He can connect (VPN to school) fine but I cannot. We both have XP Home and are connecting to the same VPN.

I am able to use Internet, SSH client for emails, but not Cisco VPN. I don't even get the "logon screen". Tried disabling the Norton Firewall ....but still no luck.

Anyone found a solution yet?

RiderJon
"I might have created ctrl+alt+del,
But Bill made it famous" - Dr. Dave
 
If IPSEC is running in Windows, and then you try to run IPSEC from Cisco, it should not cause a problem. Cisco IPSEC has a higher priority level than the Windows IPSEC. Unlike Checkpoint, where Windows IPSEC will throw a monkey wrench in the operation. Besides, I don't think XP Home has IPSEC on it.

I am thinking you need to open some ports on the router you are using. Try Cisco Client Version 4.x.
 
tek777,

How do I enable a port on the router? Thank you.

RiderJon
"I might have created ctrl+alt+del,
But Bill made it famous" - Dr. Dave
 