Terminal Services through Symantec VPN 7

indigojo

I have recently switched to an ADSL plan with a permanent NO-NAT IP address and am still having great difficulty connecting to a server using Terminal Services through a tunnel. VPN 7 shows that I have successfully connected to a tunnel but won't allow me to TS through it.

I have connected fine in the past using a dialup connection.

I did, however, notice some errors in the log file (VPN 7) and wonder if anyone can make sense of what's been happening by reading them.

I cannot ping the server either and also have just tried something called DR TCP, changing my MTU setting to 1472 after I read this in another post. Still no TS access.

Here is the VPN log
*************************************

May 16 12:47:32.387 JO-MAIN emapi[2692]: 301 Internal warning: accept fails (Socket operation on non-socket.)
May 16 12:47:37.374 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Entering EMAPI initial wait state.
May 16 12:47:37.374 JO-MAIN vpnd[2476]: 117 Daemon starting
May 16 12:47:37.354 JO-MAIN isakmpd[492]: 117 isakmpd Info: Daemon starting
May 16 12:47:37.434 JO-MAIN isakmpd[492]: 120 isakmpd Info: Not waiting for Mobile
May 16 12:47:37.444 JO-MAIN vpn: 401 Internal error: can't set interface parameters for IP address 192.168.0.101
May 16 12:47:37.444 JO-MAIN vpn: 343 Interfaces Warning: The interface 192.168.0.101 was configured, but was not found on the firewall.
May 16 12:47:38.445 JO-MAIN isakmpd[492]: 120 isakmpd Info: Reloading tunnels to vpnd with 3 sec wait.
May 16 12:47:38.445 JO-MAIN isakmpd[492]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 3 sec wait.
May 16 12:47:39.527 JO-MAIN isakmpd[492]: 120 isakmpd Info: Cannot find entrust config file C:\Program Files\Symantec\VPNClient\entrust.cf. Will use default configuration.
May 16 12:47:39.867 JO-MAIN isakmpd[492]: 120 isakmpd Info: IKMPLogin: Switched to lite mode, cannot access CA directory
May 16 12:47:39.867 JO-MAIN isakmpd[492]: 120 isakmpd Info: Try to turn off crl validation...
May 16 12:47:39.867 JO-MAIN isakmpd[492]: 120 isakmpd Info: Successfully logged into the ISAKMP engine with a default profile which has no Certificate support
May 16 12:47:39.867 JO-MAIN isakmpd[492]: 120 isakmpd Info: Reconfiguring Isakmp tunnels
May 16 12:47:39.867 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Continue operation.
May 16 12:47:39.867 JO-MAIN isakmpd[492]: 120 isakmpd Info: Reloading tunnels to RaptorMobile with 15 sec wait.
May 16 12:47:44.354 JO-MAIN emapi[1732]: 100 nsetup Trace: Session Notification enabled.
May 16 12:47:44.414 JO-MAIN isakmpd[492]: 120 isakmpd Info: Reconfiguring Isakmp tunnels
May 16 12:47:44.424 JO-MAIN emapi[1732]: 100 nsetup Trace: Connecting security gateway 193.114.XX.XX
May 16 12:47:44.424 JO-MAIN emapi[1732]: 100 nsetup Trace: Retrieving configuration for gateway 193.114.XX.XX
May 16 12:47:47.548 JO-MAIN isakmpd[492]: 120 isakmpd Info: Initiator, Established ISAKMP SA (Lsg=192.168.0.101, Rsg=193.114.XX.XX), [tunTemplate=Universal]
May 16 12:47:48.059 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Beginning authentication with remote security gateway at 193.114.XX.XX.
May 16 12:47:48.059 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Authenticating via Default authentication...
May 16 12:47:48.620 JO-MAIN emapi[1732]: 200 Symantec Enterprise VPN Client Notify: Authenticating via S/Key...
May 16 12:47:49.121 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Finished authentication with remote security gateway at 193.114.XX.XX.
May 16 12:47:49.121 JO-MAIN isakmpd[492]: 120 isakmpd Info: Authenticated
May 16 12:47:49.681 JO-MAIN emapi[1732]: 100 Symantec Enterprise VPN Client Info: Downloaded secure tunnel (XXX.XXX.114.3/255.255.255.255).
May 16 12:47:50.433 JO-MAIN emapi[1732]: 100 nsetup Trace: Connecting tunnel to XXX.XXX.114.3
May 16 12:48:27.025 JO-MAIN isakmpd[492]: 120 isakmpd Info: Initiator, Established IPSEC SA TUNNEL 0.isakmp.4 type=INSTANCE (Lnet/sg=192.168.0.101/192.168.0.101, Rnet/sg=XXX.XXX.114.3/193.114.XX.XX) Lspi=0x85d0b2ca Rspi=0xfadd6ed4 Auth Header = AH_NONE ESP Header = DES_MD5 IPComp algorithm = DEFLATE, [tunTemplate=Universal]
May 16 12:48:27.035 JO-MAIN emapi[1732]: 100 nsetup Trace: Tunnel to XXX.XXX.114.3 Connected
May 16 12:48:27.035 JO-MAIN emapi[1732]: 100 nsetup Trace: Security gateway 193.114.XX.XX Connected

***************************

IPs were changed with X's just in case you thought something funny was happening.

Anyone have any ideas as to what I could try next?
 
None of the information you posted is an actual error message. Everything there is a 300 (warning) or below message, which is typical for a system running the SEVPN client.
Note - the slightly more concerning messages:
May 16 12:47:37.444 JO-MAIN vpn: 401 Internal error: can't set interface parameters for IP address 192.168.0.101
May 16 12:47:37.444 JO-MAIN vpn: 343 Interfaces Warning: The interface 192.168.0.101 was configured, but was not found on the firewall.

Are a moot point, as the tunnel comes up fine. Using the tcpdump utility on the VPN client, you would probably see udp/500 traffic go through fine, but none of the encrypted ESP traffic would function.

Suggestions:

1. Patch the VPN client to 7.01 (patches available at Symantec's site)
2. If you are using Windows XP, make sure you turn off the built-in firewall.
3. Since this looks like a NAT'd connection, make sure you have IPSec Pass-through enabled on the device performing the NAT.
4. Check the logs on the SEVPN server. The logs have _ALL_ the answers.
5. On the SEVPN server, see if the traffic is being passed to the proxies. If it is, then you will need to allow the TS traffic in. If not, then see the above answers.
6. Pay for a support contract, and call Technical Support. They will be able to help you.

Hope it helps.
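
An added example, not part of the original thread: a short Python script that reads log lines in the format posted above, lists the entries whose numeric code is above the 300 level the reply calls a warning, and checks whether the established IPsec SA carries ESP from a private local gateway address, the combination that needs IPSec pass-through on the NAT device. Reading the three-digit code as a severity and a `NONE` suffix as "header not used" are assumptions drawn from the log itself; the function names are illustrative.

```python
import ipaddress
import re

# Lines copied from the log posted in the thread (addresses masked as posted).
SAMPLE_LOG = """\
May 16 12:47:37.444 JO-MAIN vpn: 401 Internal error: can't set interface parameters for IP address 192.168.0.101
May 16 12:47:37.444 JO-MAIN vpn: 343 Interfaces Warning: The interface 192.168.0.101 was configured, but was not found on the firewall.
May 16 12:47:47.548 JO-MAIN isakmpd[492]: 120 isakmpd Info: Initiator, Established ISAKMP SA (Lsg=192.168.0.101, Rsg=193.114.XX.XX), [tunTemplate=Universal]
May 16 12:48:27.025 JO-MAIN isakmpd[492]: 120 isakmpd Info: Initiator, Established IPSEC SA TUNNEL 0.isakmp.4 type=INSTANCE (Lnet/sg=192.168.0.101/192.168.0.101, Rnet/sg=XXX.XXX.114.3/193.114.XX.XX) Lspi=0x85d0b2ca Rspi=0xfadd6ed4 Auth Header = AH_NONE ESP Header = DES_MD5 IPComp algorithm = DEFLATE, [tunTemplate=Universal]
"""

# timestamp, host, process[pid], three-digit code, message
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+) (\S+) ([\w-]+)(?:\[\d+\])?: (\d{3}) (.*)$")
# Local security gateway plus the AH and ESP transforms of an IPsec SA.
SA_RE = re.compile(r"Established IPSEC SA .*?Lnet/sg=[^/]+/([^,]+), .*?"
                   r"Auth Header = (\S+) ESP Header = (\S+)")

def parse(log):
    """Yield (timestamp, process, code, message) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, _host, proc, code, msg = m.groups()
            yield ts, proc, int(code), msg

def above_warning(log, threshold=300):
    """Entries whose code exceeds the level the reply describes as a warning."""
    return [(proc, code) for _, proc, code, _ in parse(log) if code > threshold]

def nat_esp_findings(log):
    """For each IPsec SA, report whether ESP leaves from a private address."""
    findings = []
    for _, _, _, msg in parse(log):
        m = SA_RE.search(msg)
        if not m:
            continue
        local_gw, ah, esp = m.groups()
        behind_nat = ipaddress.ip_address(local_gw).is_private
        # Assumption: a transform ending in NONE (as in AH_NONE) means unused.
        uses_esp = not esp.upper().endswith("NONE")
        findings.append({"local_gw": local_gw, "ah": ah, "esp": esp,
                         "needs_passthrough": behind_nat and uses_esp})
    return findings

if __name__ == "__main__":
    print(above_warning(SAMPLE_LOG))
    print(nat_esp_findings(SAMPLE_LOG))
```

A private local gateway address with an ESP transform means the IKE exchange on udp/500 can succeed while the ESP packets are dropped at the NAT device, which matches the symptom of a connected tunnel that passes no traffic.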
 
Thanks mastergara,

I had finally got up and running by doing a few things, one being allowing IPSec Pass-through on my router settings and another allowing DMZ control. Wasn't sure which one got it working but suspect it's the IPSec you mention. Thanks anyway.
 