Solution ID: NORT26199 Product Family: Enterprise Data
Title:
The client cannot connect to the Contivity.
Facts:
Enterprise Data
Contivity
Extranet Access Client
Bannersock
VPN
Symptoms:
The client cannot connect to the Contivity.
Error: launching BannerSock: The attempt to connect timed out without establishing a connection.
When attempting to run the Nortel Extranet Access Client, the error message 'launching BannerSock: The attempt to connect timed out without establishing a connection' appears.
Fix:
Perform two preliminary steps on all machines before further troubleshooting:
1) Make sure that the IPSec Policy Agent is disabled:
Start | Programs | Administrative Tools | Services | IPSec Policy Agent |
Then check the status and set it to disabled if it is enabled.
2) Disable Internet Connection Sharing:
Start | Settings | Control Panel | Dial Up and Network Connections |
Right click on the VPN connection that you set up | Properties | Sharing |
Then remove the check in the box for Internet Connection Sharing.
If these preliminary steps do not work, perform the following steps:
1) The user is logging on to the Extranet Switch as part of a group. Within that group, the WINS and DNS settings are configured. Go to Profiles/Groups/ and choose "edit the group". Under the IPsec parameters, make sure the WINS and DNS info is configured for the group the user is connecting to.
2) Make sure that the firewall (both personal and at the ISP level) passes Protocol 17 (UDP) at source port 500 and destination port 500. Protocol 50 (ESP) must also be opened inbound and outbound. Ports are not necessary for Protocol 50, but if the firewall demands them, use zeros or NA for both the source and destination ports, depending on the requirements of the router or firewall. Remember that the ISP may also have a firewall.
3) There can be some issues related to NAT. 1 to 1 works - many to 1 does not. The CES server listens on port 500 for an IPsec tunnel to come in. It then must map this tunnel back to an IP address on that port. When a second tunnel request comes in with the same IP and port (many to 1), the CES server sees that as a security threat and drops the second connection. 1 to 1 can map the port 500 request back to a routable IP address and establish the connection.
4) The customer may be using a DSL, ISDN or cable connection which all use NAT. DSL typically uses several layers of NAT, and since IPsec is port 500 specific, if that port is blocked or in use at any level, the customer is not able to connect. Firmware upgrades from the vendors are often required.
5) Remove and reinstall the TCP/IP stack. Uninstall and reinstall the EAC.
Delete the connection from the Extranet Connection Manager, then re-create a connection and try re-connecting.
6) Remove unauthorized Third-Party Virtual Private Networking (VPN) Software by right clicking on Network Neighborhood, or My Network Places (Windows 2000 Professional) and choosing Properties. A number of Adaptors are listed, some of which are virtual ones that establish Virtual Private Networks. Look for names such as: NAP PGP (Pretty Good Protection), Cisco Secure VPN, Infra-RED VPN Adaptor, PPGNet VPN Adaptor, and AOL 5.0. This is a frequent cause of the error.
7) Too many adapters on the PC can cause the problem as well. Nortel Networks' Client does not like more than four adapters. Do not remove the Dial Up Adaptor #2 (VPN Support) or the Extranet Access Client Adaptor (by Nortel Networks). The Microsoft Virtual Private Networking Adaptor for PPTP is supported, but may need to be removed if the number of adaptors listed is excessive.
8) Can you ping and/or tracert to the CES? Are filters installed? Are you using IP compression?
9) If the client is using Windows 95, update the Dial-up Networking (DUN) to at least version 1.3.
10) If the client is using Windows NT 4.0 workstation, make sure that at least service pack 5 is installed. Service pack 6a is recommended.
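The many to 1 failure described in step 3, modelled as an added Python example (not Nortel code and not part of the original solution): a gateway that tracks tunnels by the source IP and port it sees accepts both clients behind 1 to 1 NAT and drops the second one behind many to 1 NAT. The class names, user names and addresses are assumptions made for illustration.

```python
"""Model of the NAT behaviour in step 3 (constructed example, not Nortel code)."""
from dataclasses import dataclass, field

IKE_PORT = 500  # UDP port the page says the tunnel request must use


@dataclass
class OneToOneNat:
    """Each private address gets its own routable address (assumed mapping)."""
    mapping: dict

    def translate(self, private_ip):
        return self.mapping[private_ip], IKE_PORT


@dataclass
class ManyToOneNat:
    """All private addresses share one routable address; port 500 is kept."""
    public_ip: str

    def translate(self, private_ip):
        return self.public_ip, IKE_PORT


@dataclass
class Gateway:
    """Tracks tunnels by the (source IP, source port) pair, as step 3 describes."""
    tunnels: dict = field(default_factory=dict)

    def request_tunnel(self, user, src):
        owner = self.tunnels.get(src)
        if owner is not None and owner != user:
            return False  # same IP and port already mapped: second request dropped
        self.tunnels[src] = user
        return True


def connect_all(nat, clients):
    """Send one tunnel request per client through `nat`; return user -> accepted."""
    gateway = Gateway()
    return {user: gateway.request_tunnel(user, nat.translate(ip))
            for user, ip in clients.items()}


# Constructed sample data: RFC 1918 private and RFC 5737 documentation addresses.
CLIENTS = {"alice": "192.168.1.10", "bob": "192.168.1.11"}
ONE_TO_ONE = OneToOneNat({"192.168.1.10": "203.0.113.10", "192.168.1.11": "203.0.113.11"})
MANY_TO_ONE = ManyToOneNat("203.0.113.1")

if __name__ == "__main__":
    print("1 to 1   :", connect_all(ONE_TO_ONE, CLIENTS))
    print("many to 1:", connect_all(MANY_TO_ONE, CLIENTS))
```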