Bill Evjen's Blog

What Vista build are you using? I'm using build 6000 and I installed the vpnclient-win-msi-4.8.01.0590-k9.exe client. It installed fine, however when I try to connect I get error 412 "The remote peer is no longer responding". I haven't been able to resolve this.

I'm using the final release - not any beta version whatsoever.

Can you send the software or provide URL for downloading the final version?

Has anybody been able to successfully use 4.8.01.0590 to connect to their respective VPN? As Bill mentioned above, I to am receiving the 412 (The remote peer is no longer connected). I originally thought that perhaps a firewall was the culprit, but I am disabled both my router and the Windows firewall and still get the same message.

hey guys... i just install the beta vpn client and it works... I'm using Vista Business version (i have a Microsoft subscription). The vpn client download has two installs... a windows installer package and an application install. when i used the windows installer package i got error 422(the virtual client could not start... i think that's what it was... i didn't write it down) anyway... i installed the application install package on top of the windows installer package and it worked

using the link package, i get an error installing stating that the package could not start a program needed for the instalation to finish. Check the instalation package.

Anyone else seen this? for the meantime i have a vm of xp that i can use for vpn on here.. other than that vista is working out ok.

I was able to install VPN (4.8.01.0590) without any problem. It worked for a while, but now when I try to connect it hangs on the Securing Communications Channel and then prompts for another login. Anyone getting this error?

I have been able to execute cisco VPN using the clearchannel link reference above, but it I download the application from CISCO TAC, I'm able to duplicate the same errors referenced above.
I hope this helps

When I go to install it on Vista Ultimate, after the installation progress bar finishes I get three errors, two of them say that the software failed to install, and then the third says that there was an error loading "WINDOWS\SYSTEM32\CSGINA.DLL"
SPECIFIC MODULE COULD NOT BE FOUND

Then when I go to connect I get another error about my driver not being able to execute properly

Any ideas??

Yes I am getting the same error as Jason. No Ides still, whatsoever.

I get the exact same error with Home Premium. I wish something would be released to fix this...

I'm getting the same WINDOWS\SYSTEM32\CSGINA.DLL" SPECIFIC MODULE COULD NOT BE FOUND" error on install as well.

This really stinks. I REALLY need this to work ... soon.

Any help would be appreciated.

forgot to mention. using Vista Business

Here is the solution after working with CISCO VPN Team. A solution will be published shortly, but here is the answer.

Go to network connections, if you don't see the Cisco systems VPN adaptor you will have to start it manually. If you do go to Step 2

To start manually in dos (command line)
cd c:\program files\cisco systems\vpn client\

Type "vainstaller.exe i "c:\program files\cisco systems\vpn client\setup\netcvirta.ini" Press Enter

Step 2

Open

Network and Internet > network connections

Your Cisco VPN adapter will be disabled.

Open properties on the Cisco VPN Adaptor

Select Sharing Tab

Check the box "Allow other network users to connect through this computer's Internet connection"

Close

Launch your VPN Client and GOOD LUCK

Out of coffee after this problem

Many thanks to Cisco VPN team.

This should be posted Soon.

Paul

The solution contains to work with one drawback.
Before you launch the VPN app, you must go to \network and Internet\ Network connections and enable Shared Cisco System VPN Adaptor.

Paul

Running Production Release of Vista Ultimate with a fresh install No upgrade.

So far every version of Cisco VPN client
I tried to install comes up with the following error and rolls back. (Yes, I right click the exe and say run as Administrator).

Using the software link provided at the top of this page:
http://vpnclient.clearchannel.com/versions/vpnclient-win-msi-4.8.01.0590-k9.exe

Here is the error:
Error 1721. There is a problem with this Windows installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor.

Looked elsewhere and solution mentions running MSI cleanup prg which I did, but was no help.

Anybody else had this error and managed to get past it?

Thanks,
Todd

I've tried Paul's solution with no luck. If I watch the network connection in the background it goes from enabled to disabled. Still same issue, hangs on Securing Communications Channel then prompts for login again.

I had version 4.8.01.0590 working successfully on Windows Ultimate, attempted to upgrade to version 4.8.02.0010 hoping to resolve some intermittent connectivity issues. It completely TRASHED my VPN and now I am stuck. When I launch the client it errors saying the Cisco VPN service is not running – I looked, it’s not there (but I do have the VPNInstallService). I attempted Paul’s method to manually install the virtual adapter, but I do not have the netcvirta.ini file in my setup directory (I do have the .cat, .sys and .inf). I figured I would uninstall and try again, but the uninstaller does not appear to work – it gives me “Error loading C;\Windows\system32\csgina.dll The specified module could not be found”, then appears to continue the removal process and prompts to reboot. After reboot the VPN files are still in place and the VPN Client is still showing as an installed package. If I attempt to reinstall (any version) it prompts and says that the old version must be removed first, and the cycle repeats. Any ideas?

I had the same problem as Jason, my client (4.8.01.0590) would hang on securing communications channel. I upgraded to 4.8.02.0010 and still had the same problem. I finally got it working by rolling back my ethernet driver to the one orginally installed with Vista. I don't know if this will work for everyone, but it worked for me. Hope it helps.

Ok looks like my problem is back. After I tried reconnecting with my VPN, I again got hung up on the securing communciations channel step. Oh well. I wonder if something about rolling back the driver, reset my adapter and allowed it to connect? Back to the drawing board.

I tried the suggestion above, to enable internet connection sharing on the Cisco VPN adapter, however that breaks my LAN connection - I lose my DHCP address and can't connect to anything so obviously the VPN won't work.

Has anyone else found a way to resolve this? I'm still getting the 412 error, now with version 4.8.02.0010.

I’ve manually uninstalled the VPN client and am now back at the point I can run the Cisco installation. Now it gives me an error -2146500092 when attempting to install Deterministic Network Extender (DNE) and automatically rolls back. Anyone have experience with this?

Thanks,

J.

Well I got in with version 4.8.01.0590.

Read this entirley before trying.

Here is what I did.

1. Restored my version of vista back to the point before all this started happening.

2. I then installed the 4.8.01.0590, I right clicked on the setup file and installed as the administrator.

3. When the software asks where you would like to install the program I added an additonal folder at the end of the string.
ex. (notice the A)
c:\program files\cisco systems\vpn client\A

I think you can also do this if you are unable to restore your machine.

4. Reboot the machine

5. enable the VPN adapter.

6. Import your *.pcf file for you profile.
For some reason this is very critical. I tryed recreating my company profile and it didn't work.

So you want to save a previous profile from a diffrent version

You should be able to connect.

Sorry if the instructions are a little choppy but I am in a hurry

Let me know if you need any help

I am having the same problem. Everything installs, but I don't have a Cisco adapter installed. I tried the above mentioned solution with no luck. Any other ideas?

Yeah,
you do need the Cisco Adapter or it won't work.
but when I reinstalled the adapter showed up

Why would you be unable to restore your machine?? That makes no sense.

Do not do the above fix. IT DOES NOT work and now the uninstall does not work. Your Vista install will be trashed. I'm wiping and reinstalling.

I downloaded a traffic monitor plug-in from Deterministic Networks (because it has the full DNE installation), it gives the exact same error return code as when I run the MSI installer for the VPN (-2156500093). The problem is DEFINITELY with DNE. I’ve put a good 20 hours into this so far and have not figured it out. Looks like it’s time to re-install Vista….

I have Vista Ultimate. I loaded from the link at the top of the page 4.8.01.0590. When I run the VPN it attemps to connect and I receive the following message: The client did not match the firewall policy configured on the central site VPN device. Cisco Systems Integrated Client Firewall should be enabled or installed on your computer.

Problem fixed.... after reloading Vista. The Cisco VPN MSI file ran flawlessly, and I was able to directly connect to the concentrator. If your DNE is fried time to start looking for those installation CDs...

Was anyone able to get the 4.8.02.0010 running sucessful?

I received the Error: 1721 during installation.
"Error 1721. There is a problem with this Windows installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor."

I ran the cmd line
"vainstaller.exe i "c:\program files\cisco systems\vpn client\setup\netcvirta.ini"
but there is no VPN adaptor.

I was able to import my profiles, but when I start them I receive the Error Reason 442: Failed to enable Virtual Adapter.

Any and All help welcome!!

Everything you need to know for troubleshooting Vista Cisco Client is on this link! For me it was a good mine.

Sorry link didn't post from above:
https://kb.berkeley.edu/jivekb/servlet/KbServlet/download/1095-102-8/vista-vpn-troubleshooting.txt

Installed the Vista version of the client. When connecting i am getting Reason 435 Firewall Polciy Mismatch error. Can someone please help me out

Installed the Vista version of the client. When connecting i am getting Reason 435 Firewall Polciy Mismatch error. Can someone please help me out

Tonight I uninstalled my VPN client (not for the first time), and as suggested above reinstalled to a different directory ("C:\Program Files\Cisco Systems\VPN Client 2\") and imported an existing profile from a working Windows XP install (vs. creating it anew). Still getting the 412 error on connect. Note I have also tried reinstalling Vista from scratch (still got the error). I have also followed the troubleshooting steps in the vista-vpn-troubleshooting.txt file and sent the requested information to Cisco for assistance, the troubleshooting did not solve the issue and Cisco never replied to my email.

With version 4.08.02.0100 I am getting error 412 "The remote peer is no longer responding" - anyone know how to fix this? Thx

This is ridiculous. Has anyone heard a response from Cisco regarding this. All I want to do is get my work done, and now I can't.

I am really upset with Cisco. First rate company up until now. Very dissapointing.

I'm having the same 412 error on both 2.0100 and 1.0590 and like most of you spent a long time on it yesterday.

I thought for a while that perhaps it had to do with the tunneling settings on my pcf import (which would explain why some of us have been successful); however, I just talked to my boss and he has it working with the exact same import.

Has anyone had to change any firewall/router settings?

As J. Freeman says:
" ...run the MSI installer for the VPN (-2156500093). The problem is DEFINITELY with DNE. I’ve put a good 20 hours into this so far and have not figured it out. Looks like it’s time to re-install Vista….

Ah yes! Same problem I have (three clean install attempts plus attempts after driver updates) on 32-bit Vista Enterprise, with an HP Nx6325 Laptop (AMD Turion64 x2 2.0GHz).

Anyone with progress on getting that DNE installed after having this error??

J. Freeman,

Which client version did you have success with? Did you use any other tricks suggested here to effect the succesfull VPN install after the clean Vista install?

TIA

Has anyone had any luck in getting support from Cisco? I've had this problem since Christmas and if I soon don't fix it I'm going to have to give in and go back to Windows XP, my job requires me to have vpn access from home.

I've emailed their vista-support email address with no response, anyone have any better luck?

Run the vpnclient_setup.exe file after extracting files to temp folder! This worked for me on a clean 32-bit Vista OS. And the VPN client works!

The self-extracting executable (which must run the .msi file instead of the .exe setup file) will NOT work on my Laptop.

Note: The self-extracter DID work on my home desktop (Asus A8N Deluxe)....go figure??

Good Luck All
Ed

I am also having the 412 issue. I have tried disabling Firewall, Defender, Anti-Virus, etc. But still no luck. I watched the VPN Concentrator when I was doing this and it stated that it saw my connectiong but then said I had duplicate packets coming across so it terminated the session. Anyone know what this possibly may be?

Thanks

Hi Guys,

I was having issues with the Cisco VPN on Vista Business as well. I followed the instructions that P Mick mentions with the link to troubleshooting Cisco VPNs on Vista.

I first tried to install the .msi file, when that did not work I installed the VPN client via the .exe. It worked perfectly and I am currently up and running.

BTW...I am running a clean install of Vista Business.

Thanks for all the info - Luckily, I found your comments BEFORE attempting the install, and was able to get 4.8.02.0010 working on an OEM-installed Vista Business machine without too much hassle.

Cisco's document titled Vista-VPN-Troubleshooting.txt, dated Feb 5, 2007 was a helpful read. Basically, all I did was download vpnclient-win-msi-4.8.02.0010-k9.exe, run it to extract, cancel the setup (to be certain it was running vpnclient_setup.exe rather than vpnclient_setup.msi), run vpnclient_setup.exe manually, follow the prompts, reboot (which took much longer than expected), and imported my profile. Worked like a charm on two different remote networks (one using a PIX 501, the other using a VPN 3005 concentrator)

Good luck with yours,

Shane

Works now. Unzip to the temp folder. Kill the install and go to temp folder. Run the exe install from there.

Thanks.

I have followed all that, it installs just fine and imports my settings fine but when I try to connect I still get the 412 error. Anyone know how to fix this specific issue?

Thanks

Jones, what error specifically did this fix? I have done that several times and it has not resolved the 412 error I have.

For those interested, I emailed Cisco support today to ask why my support requests were not being answered (having already emailed twice requesting assistance with no response). They responded this time, here is their response:

---------
Hi Jamie,

Currently the support is provided on a best effort basis and try get to around to everyone.

We are aware of a bug with the client when it comes to the connection dropping. We hope to have a new beta candidate out to resolve this.
--------

I'm not certain whether the issue referred to is the 412 error or not, but at least now we know they are working on a better client.

Jones, what error specifically did this fix? I have done that several times and it has not resolved the 412 error I have.

For those interested, I emailed Cisco support today to ask why my support requests were not being answered (having already emailed twice requesting assistance with no response). They responded this time, here is their response:

---------
Hi Jamie,

Currently the support is provided on a best effort basis and try get to around to everyone.

We are aware of a bug with the client when it comes to the connection dropping. We hope to have a new beta candidate out to resolve this.
--------

I'm not certain whether the issue referred to is the 412 error or not, but at least now we know they are working on a better client.

I wasn't get an error. It would just not connect.

Interesting note...I did upgrade from Vista Business to Vista Ultimate. I don't know if that made any difference, but it now works fine on Ultimate.

I am on an OEM Vista Business. I followed instruction of Shane to install vpnclient-win-msi-4.8.02.0010-k9.exe. It works fine on one of my two profiles. One failed to throw a Reason 435 error "Firewall Policy Mismatch". I assume this is due to the integrated firewall not implemented in this version. Hopefully cisco will come out a version to support integrated firewall soon.

For those who get the DNE installer error...
Regedit from CISCO...
HKLM\Software\Microsoft\Windows\CurrentVersion\

You will see the key "DevicePath=
There will be several path statments.
The first is the only one to be concerned with.
Change "C:\inf" to "C:\Windows\inf"

Then your Cisco install will go through.
No Need to re-install Vista...

Hello again,

Well after a clean install of Vista and days of countless attempts, I am *still* getting this 412 error. I also talked to my co-workers who got it to work with the same version and import and did everything exactly how they said. (We are all software engineers too, although I know little about networking...)

At this point I think I have to quit and go back to XP...it's a shame since otherwise I really like Vista.

Since I did everything *exactly* like others, I wonder if it is a hardware issue. Do any of you who had a problem use a Linksys router? I am trying to think what could possibly be different for me from a hardware standpoint..

Mikey, I have the 412 error. I do use a Linksys router, however I too thought that was the issue and plugged directly into my cable modem (bypassing the router) - I had the same problem.

FWIW I'm using a Dell laptop, I've had the issue on both wired (Broadcom NetXtreme 57xx Gigabit Controller) and wireless (Intel PRO/Wireless 2915ABG) connections. I'm using Windows Vista Ultimate Version 6.0 Build 6000.

Interesting Jamie (and thanks for the information, that's exactly what I'm looking for.) ...I thought it was strange if a Cisco product was causing the trouble (but I know from my own company that it's very posssible.)

I'm also running a Dell (Dimension 3000 with the onboard "Intel PRO/100 VE Network" connection...)

I think it's hardware; I'm a software engineer and it seems I have exhausted any software differences....but just in case, I'm running Vista Ultimate 32-bit RTM downloaded on 2/3/2007 from their site with my MSDN license (en_windows_vista_x86_dvd_X12-34293.iso) on a clean install (well, multiple now...)

Good point. I'm running the 32-bit RTM as well, also downloaded as a dvd iso from MSDN.

Cisco has posted version Beta 5.0.00.0090 posted 7 Feb 07, that seems to work.

Make sure that you de-install and delete the CISCO SYSTEM directory under /program files.

Reboot
Install .0090
Reboot
Hope it works.
Paul

Anyone have a link to the Beta 5.0.00.0090? I get the 412 errors on 4.8.01.0590 and 4.8.02.0000.

Anyone have a link to download 5.0.00.0090? Anyone using it that knows for sure it works?

Well, after downloading the new version I still get the 412 error. I think this problem is an issue on the VPN Concentrator. The thing is I can connect to other "Internal" VPN profiles I have just fine. But I can not connect to the "External" VPN from home. But this also may be related to another issue I am having with Vista. On my laptop when I am at home I can access the internet just fine. But when I am work I can not. I can ping everything just fine. Like I can ping www.google.com and I get a reply. But when I try to browse to it. IE states I am not connected to the internet. I have disabled Firewall, Anti-Virus, etc. But I still have that issue. Frome reading in other groups other people who have had this IE issue stated that if the company's firewall had statefull inspections on it may be causing this. I am still trouble shooting this. But if I find anything out I will let everyone know. If anyone has any information on this problem please let me know.

Thanks

I can't seem to find this anywhere! (Although our company has a valid volumne license, it's a big company with a lot of red tape; in fact, I don't think they would allow me to grab anything in "beta" without needless heckling etc...)

Anyway, I swear I can legally use it, so please let me know if anyone finds a link to this new beta.

Heck, this should show you how important this is to me: this is my e-mail addy: myurkus at gmail

thanks again!

OK ... What I understood from Cisco is that the 412 is an authentication issue, not necessarily a software issue. I went back and verified authentication settings on my connection. I no longer get the 412 errors! Now I get a 435 (Policy mismatch). Apparently my Cisco 3000 is insisting that I use the Cisco Integrated Firewall (which is a stateful firewall). All I've read suggests that this is built in to the VPN client, but I have no options to verify or change settings in the client (4.8.02.0010). Is 5.0.0.0090 different? And does anyone have a link? I am also a legit user; just don't have the info on hand for my Cisco update.

I haven't had a chance to try this since Im at work, but I have a hunch. I was using 4.8.02.0010 and it worked fine, but then it stopped. I was going over the changes I have made, and then it hit me. Before it stopped working, I re-enabled UAC (User Access Control) in Vista. Since then, I get the 412 error every time.

If you are having the 412 error, check if UAC is enabled. Let me know what you find.

William/Josh, thanks both for the ideas/suggestions, unfortunately neither has solved the 412 error for me. It's not a credential issue - I have entered the same username/password on both VPN client 4.7.x on Windows XP and 4.8.02.0010 on Vista, the XP box connects fine but on Vista I get the 412 error.

Josh I had high hopes for the UAC idea, but after disabling it I still get a 412 error.

Cheers

Yeah, after a fresh install of Vista I always immediatly disable the UAC. Thanks for the idea though but I'm still stuck with the 412 error, but I really think this has to do with a firewall issue. Not at home, but at the office.

Well folks, this may have something to do with it. I uninstalled the client, disabled UAC, rebooted, installed the client, rebooted, enabled the VPN adapter... and ta-da... it connected just fine.

Make sure you are manually enabling the VPN adapter BEFORE opening the client.

Hope things work out for all of you. Hopefully Cisco releases a version of the VPN Client that will exist happily with UAC. I know its annoying, but it could prove useful in some situations.

Anyone Solve the 435 Firewall issue?

Well, I tried exactly that but I still get the 412 error. Thanks though. Any other ideas on this?

I've got the same problem with the policy mismatch because of the lack of the cisco integrated firewall. Does anyone know if the mythical 5.0.00.0090 version includes the firewall that the previous betas lacked?

I'm using Windows Vista Business with the 5.0.00.090 Version and here is what i get.

Secure VPN Connection terminated by Peer.
Reason 435: Firewall Policy Mismatch.

The client did not match the firewall policy configured on the central site VPN device. Cisco Systems Integrated Client Firewall should be enabled or installed on your computer.

Well, I guess that answers that.

I got the same problem:
Secure VPN Connection terminated by Peer.
Reason 435: Firewall Policy Mismatch.

Anyone know how to fix it?
how to get an integrated firewall?

Thanks

Sam.

I got the same 435 problem. Anyone have the solution for it?

Can you install XP over VISTA?

Not that i am aware of as i am typing this from my reinstalled version of XP. I have Home Ultimate on my laptop and will continue to test the Cisco Client from..Hopefully Cisco gets it together soon.

I cannot believe this! I just tried registering with Cisco in order to get the new beta and I cannot even get by the registration screen...I keep getting the following error:

"User Name contains invalid characters. Valid characters include "A-z, 0-9, @, -, _ , and ." with a length between 9 and 50 characters.

Enter the required information- Language Preference below."

I've made sure multiple times that I have the language set and my user-name is valid.

What is wrong with this company? I thought Cisco was supposed to be fairly reliable; but I have NEVER had such a bad week with any company ever.

Sorry for the rant without any new information; I'm just fed up and exceptionally upst right now!

Oh, and I tried disabling UAC...of course, I still get the 412 error. I'm beginning to loose hope of this ever working...

Make sure you use 9 characters + for a username. Weird requirement but that's what got me.

For the 412 error - try opening UDP ports 500, 62514, and 62515 on your router in your office/house. This worked for me.

THANKYOU SOOO Much Bill, this worked for me also. Note I also disabled UAC earlier with no effect.

I did notice however that I cannot seem to disconnect once I am connected.

i used my cell modem so i could trouble shoot if it was my home router and i connect fine with it.
now i will open the ports needed.

Now the question is about the 435 error. Assuming that we all had clients that were working beforehand, what's different about either Vista or the new client that makes us fail the policy test?

From my understanding, the firewall is supposed to be integrated in the client software. Is this not the case with the Vista version? Or is the policy testing for something that Vista blocks?

Update: Between yesterday and today I tried a few more install/uninstall options. I opened up those ports like Bill said, I tried it with and without UAC turned on, I tried manually messing with the network adapter (it always gives me the "limited or no connectivity), I turned off MTU on my Router, I tried with both a local static and local dynamic address, I even turned Windows Firewall completely off. ...Still no luck.

I was able to finally log onto the Cisco site, but since I only have a "guest" account, I still cannot download the new client.

I simply do not understand why I am having so many problems while other people appear to be successful.

Mikey, you're not alone - I've tried every suggestion here (plus some ideas of my own) and I still have been unable to resolve my 412 error. I've even tried reinstalling Vista from scratch and connecting from multiple different networks. I'm soon going to be forced to give up on Vista, which is unfortunate since other than the Cisco vpn client I have no issues at all (software & hardware).

Thanks Jamie; I'm sorry that you are having the same issues though.

I spent another few hours on this today; I must have clocked in over 30 hours working on this. At this point I am giving up and just going to stick with XP. I have everything (including about 100 apps) already working on it anyway. Thank you Cisco and Microsoft :(

Oh and thank you guys for all the tips. I wish all of you luck.

Bill Evjen's opening ports on my SOHO router worked for me as well. Not sure why this made a difference, when I didn't have to do it with XP...but it did.

435 error - My understanding is that for some reason Cisco made the decision to remove the integrated firewall from these beta versions. Whether it will return to the client when the production version is released I do not know. I have a feeling that Vista is giving Cisco fits by playing havoc with any sort of third party firewalls.

I get a 402 error. Anyone else getting this error? Not 412, 402. Doesn't even appear to try to connect. Also, where can I get 5.0? scott.rocke at gmail dot com.

Question to those that fixed this by opening UDP ports on the firewall - did you open ports on your personal (ie your home/home-office) firewall or did you have the ports opened on your corporate firewall (probably by your IT admin)? I've tried opening them on my personal firewall and it didn't work.

Thanks

I opened the ports on my local machine only. Hope that helps.

I haven't tried this - but it worked on some other programs I had. Go to START --> Help and type in Program Compatibility Wizard. From this wizard - you can install it using XP SP2 settings. Give it a try.

There is an option in vista, some user access control that you need to modify to allow the client to work. I will get the details and post up...some of you may have figured this out already.

When I install Cisco VPN Client 4.08.2.0010 on my computer with Windows Vista, I have an error message : "Setup failed to properly install Cisco Systems service software".
Is someone have this message or the solution?
Thanks

Cisco is not planning on supporting the stateful firewall on Vista.

See <a href=http://magnetsandmiracles.blogspot.com/2007/02/cisco-vpn-client-on-vista-ii.html>here</a>.

Gaah ! That link got mangled. Here is it again.

http://magnetsandmiracles.blogspot.com/2007/02/cisco-vpn-client-on-vista-ii.html

Crud....well this does not bode well. I wonder how hard it will be to get the entire State of Florida to change their VPN policy.

any help with 442 message on .0090

I have the lastest Cisco VPN Client beta for Vista (5.0.00.0090) and can successfully connect to my VPN; however, something bizarre is happening. After I have been connected for 30 minutes (and I mean precisely 30:00, not 29:59, not 30:01) the network just dies. The client doesn't say it has disconnected, but everything quits responding. At that point, I have to disconnect and reconnect. You can imagine how frustrating it is to do this every 30 minutes all day long. Does anyone have a clue what this could be about?

Can someone please post a link to BETA 5?

here's the exact error

Initializing the connection...
Secure VPN Connection terminated locally by the Client.
Reason 402: The Connection Manager was unable to read the connection entry, or the connection entry has missing or incorrect information.

Connection terminated on: Feb 14, 2007 12:04:43 Duration: 0 day(s), 00:00.00
Not connected.

I have gone through multiple problems with Vista Ultimate and Cisco VPN client. I have had Reason 442 errors, IP Conflicts, and the program hanging in the "securing connections" mode. I was running into dead-end solutions, until I stumbled upon this fix:

open your saved profile in an editor like notebook and inject the following line into the [main] section of the script

UseLegacyIKEPort=0


This change has taken me from spinning my wheels, to being able to actually get some work done for a change.

I am running Vista Ultimate and a a VPN install of 5.0.00.0090.

When I try to connect I instantly get the error msg "Reason 403: Unable to contact the security gateway."

I had it working fine on XP, but Vista is driving me crazy with this problem alone.

Anybody have any Ideas?
Thanks in advance!
Matthew.

Oh PS,

Here is a link to Beta 5.0:

http://vpnclient.clearchannel

Well I try run the Cisco VPN software got install ok then went I try to connect the blue screen of death.

Any ideas towards this?

The link above does not work. Please post again.

Come on guys. The first post in this thread has a link straight to every recent version of Cisco VPN. SCROLL UP!

Add .com to the link and it works fine.

Dear Frank, where can I find my profile.

Seems to work (after a long long delay) with version 5 but then again 4.8 sometimes worked too. Will have to test a couple times more to confirm.

Anyway Microsoft's own VPN client works fine and I will be recommending to my banking client that they switch from Cisco. We shouldn't have to waste time on something like this.

Does anyone know of a workaround of anykind to get past the "statefull firewall" on the Vista 5.0 client until Cisco can get it working?

Using the suggestion from Frank to edit the profile and enter UseLegacyIKEPort=0 worked for me. VPN connected right away, nice and solid. Vista Home Premium

Forgot to mention the error code I was getting was 402: The connection manager was unable to read the connection entry, or the connection entry has missing or incorrect information. Used Cisco VPN beta 5.0.00.0090. Make sure your profile is in the vpn client file so you can edit it.

Please, I get error 1721 "There is a ploblem with this windows installer package...."

I have Vista basic home edition 64 bit.

Taking Properties on the setup file, choosing the Compatibility and the administrator option have been utilized.

Thanks a lot for a hint.
Thorkild Houe Andersen
Denmark

Still stuck on this 402 from the beta 5, where is the profile that needs editing, the clean install of the client does not create a profile directory

I've posted the solution to the 402 error on my blogg http://programdotnet.spaces.live.com/

Here an internesting one, run the cisco v5 software on my vista box, connect to vpn at work, connects no problems, try to mstsc to a machine its like the client is on mogodon, do the exact same thing on an xp virtual machine from the same computer bingo its like its on speed no idea why but vista cisco vpn client is not doing something, anyone any ideas ? This is not just on my computer either confirmed on both of the test machines we have done this on.

Hi,
I am running vista ultimate, and this new vpn client worked a treat...many thanks

I tried to install the version 5 into my pre-installed Vista. When trying exe file with "Right click and Install as administrator", I got "transform path" error. So I had to run msi file, but I got error 1721. My solution was (1) Activate administrator user, (2) login as administraor and (3) install the exe file. This worked and I can connect to VPN now.

I had all the problems, and tried it all. After installing 4.8 ... and telling it to run in xp-mode it worked!

Ref: 402 error, Profile folder goes in this path: Program Files/Cisco Systems/VPN Client. Fortunately I was able to copy my profile folder from my archived XP files and pasted it into the Vista Cisco VPN, then edited it per Frank's suggestion. Good Luck and thanks to all for their suggestions.

I ha having what Cisco has come to call the DHCP bug. When my VPN client refreshes its IP address (for my server, that is every 30 minutes), the route table gets screwed up and my connection stops working. I have found a solution, so if anyone is having a similar problem where your connection randomly stops working (but doesn't disconnect), this solution might work for you. Connect and wait for your connection to stop working. Then do a route print in command prompt. See if there are two 0.0.0.0 destinations. The first one should have your VPN gateway and the second will have your local gateway. Delete the second one ("route delete 0.0.0.0 MASK 0.0.0.0 [localgateway]") and voila!

If you don't know what you're doing, you can really screw up your route table. I'm not responsible for what you do with this. :)

I'm using Vista Enterprise and I've just installed the most recent VPN Client (5.0.00.0090). I can successfully connect to my school's VPN (I'm a college student), however when I go to connect to the VPN at the software company where I work, the client says its connecting, then immediately says its not connected. It dosen't throw any error messages at all. I had the same error using the previous Vista Beta VPN Client. When I change the last number of my office VPN's IP, the client obviously can't connect, but at least it gives me an error message saying that the remote target wasn't responding.

Any help would be greatly appreciated...

Thanks.

I installed the latest VPN client (5.0.00.0090) on my Windows Vista Ultimate and I am consistently getting an Error 435 - Firewall Policy mismatch error. Looks like from other posts, that Cisco removed the integrated firewall from this client as it is incompatible with Vista! Unless this changes, my company will NOT be upgrading to Vista...period.

Just glad I have a virtual PC image running WinXP and a 3.x version of VPN client so I can still connect to our work VPN concentrator.

Does anyone have a reponse / solution to this prior post ?:

Please, I get error 1721 "There is a ploblem with this windows installer package...."

I have Vista basic home edition 64 bit.

I have the same problem. Thanks.

Installed the Beta version and everthing works with one exception. I only get the error "412" when trying to connect to one site??. I have about 15 other sites that all work fine. Can connect fine with an XP box.

hey Rob,
if you read the file "vpnclient-windows-5_0_00_0090-readme" you will notice the following notation from Cisco...

"The IPsec VPN client does not presently support 64-bit (x64) Windows. This support is under investigation."

its the 4th line up from the bottom of the file.
Hope this helps you solve your 1721 error.

Frank, what version of VPN are you using, I am using 4.8.02.0590.

I have put in UseLegacyIKEPort=0 in the pcf file, but still get 442 error, any help?

Same I'm still getting the 442 error after adding the UseLegacyIKEPort=0 script in the PCF File also

Well, decided to try once again with 5...still stuck on the 412 error! I wonder if this will ever work.

I just noticed that comments fall off this page; is there an archive available? I'd like to double-check those ports that Bill posted.

Thanks much!

I've installed version 5.0.00.0090
it was working great and solve all my problems but than again I got stuck after installing a bluetooth network adapter, so I've re-installed the VPN clien and it's working.

Having same 442 errors as many of you...I see a reference to some ports needed open on a router but those ports aren't listed here, does anyone have them?

Connect just fine but can't ping or connect to anything. Get DNS resolution (it might be cached) but still get no response. Turned off firewall. Remote Desktop does not work either.
Running 5.0.00.0090 K9 Beta. No errors in install (local admin account) connects right away. Any hints, I have not seen the list of port numbers that people have been trying either. Thanks

same problem as Eric, can connect but can't ping/get to any machines. all firewalls are off, nothing works on the remote network, disconnects after about 10-15 minutes.

I've got Vista 64 bit on a new system, but I won't switch over until I can VPN connect to work. I think it is irresponsible of Cisco to not have at least a beta VPN client for 64 bit Vista by now. They've had enough time to get one in the works.

here is a URL from Microsoft on their Vista third-party-VPN connect schedule

http://support.microsoft.com/kb/929490

take note that Cisco states to use their Cisco AnyConnect VPN Client for Vista 64-bit. doesnt say if there is a beta available or not.

Can anyone, Frank, Gary assist me on the steps for the fix on reason 403: unable to contact security gateway. It works fine on my home computer version Windows XP but not on my new laptop which has Windows Vista. How do I get to editing my profile to UseLegacyIKEPort=0 and steps thereafter?

I installed the suggested beta verion and am still getting the error message reason 403...How do I know if it installed correctly? Help!....

I'm running 5.0.00.0090 on a Windows XP machine. Works fine. I can connect, authenticate, and get to local resources over the VPN. The one thing I cannot do is connect via Remote Desktop Connection to a machine running VISTA. Inside the network we can Remote Desktop connect to the Vista system, and the remote computer can Remote Desktop connect to any NON-VISTA machine via the VPN... just not to the VISTA machine.

I've tried disabling the Vista firewall, but that didn't help.

Any suggestions as to why the Vista machine doesn't like the incoming VPN connection? The VPN terminates on a Cisco 1801 router, so the VPN client software is not involved directly with the Vista machine - only on the remote machine.

Thanks!

Run in the problem 402, and was deparate to solve it.
I found the solution on this page. http://www.bu.edu/nsg/vpn/ms/testmsvpn.htm

in the *.txt file you will find the text below and it worked for me.

Received error: Reason 402 The Connection Manager was unable to read the connection entry or the connection entry has missing or incorrect information.
Manually copy the files that where imported or created via the GUI from C:\users\<username>\appdata\local\virtualstore\program files\cisco systems\vpnclient\profiles to c:\program files\cisco systems\vpn client\profiles\

Anyone know where to find the Cisco AnyConnect VPN Client for Vista 64-bit?

If your work requires the integrated firewall like mine does, then you are still out of luck. It's truly amazing that Cisco is still unable to get their software Vista Compatible after all the Beta1 and Beta2 testing. It's just shameful.

Still suffering with the 412 error here :(

I finally got version 5 to install on Vista and it was working. Than i restarted the computer and it was gone. I looked back at System restore and it said that it was uninstalled twice. Which is impossible. I keep trying to reinstall it and it keeps getting uninstalled. This is so frustrating
Does anyone have any idea what could be doing this?

Thanks so much
Terry

Possible workaround for Vista-64: Use VMXBuilder to create a VMWare virtual disk (32 bit). Install VMWare Player. Install a Linux distro in VMWare. Install Cisco VPN Client within Linux. Turn IP forwarding on in Linux (so requests from Vista get forwarded through VPN). Create a route in Vista for your private network range (work, school wherever) to forward to the VMWare adapter's IP address, usually 192.168.x.x. Then, set your DNS in Vista to use your work's (school's) DNS servers (whichever would be used if Cisco VPN worked directly from Vista 64). I'm testing this out now, but in theory it should work.

Or, the other thing which will solve the Vista / Cisco problem completely is to dump Vista and install Linux. ;)

A note about my above suggestion: You have to run VMXBuilder on another non-Vista machine and copy the files over manually. Vista apparently doesn't ship with ALL the VB6 runtime files. Imagine that: yet another problem I'm having with Vista.

I was having the same type of problem with the v5.0 version so I uninstalled it and got the v4.8.01.0590 client from the top link in this thread. That was a quick install and I was back up and running with no problem.

Hope that helps.

This worked for me, in device manager and enabled the virtual adapter under networking.

http://www.bu.edu/nsg/vpn/ms/v.5.0.00.0090-k9-BETA/Vista-VPN-Troubleshooting.txt


If you are getting an error message saying that the client is unable to enable the virtual adapter do the following:

1. Check to see if the Virtual Adapter is installed. Open Device Manager and look under Networking to verify if the Virtual Adapter is installed.
If not run the following command in the VPN Client directory: vainstaller.exe i "C:\Program Files\Cisco Systems\VPN Client\setup\netcvirta.inf" CS_VirtA
If this doesn't show the Virtual Adapter, uninstall the client and reinstall the client with MSI logging enabled. See below for info. Then email the MSI log and the DNE log to vista-vpn@cisco.com.

2. Manually enable the Virtual Adapter and attempt to connect. If the adapter will not enable do the following:
If this doesn't show the Virtual Adapter, uninstall the client and reinstall the client with MSI logging enabled. See below for info. Then email the MSI log and the DNE log to vista-vpn@cisco.com.

3. Vista will attempt to a categorize the Virtual Adapter when it is enabled. We have found that if you set the physical adapter location to "Public" it minimizes the issue. This has been resolved but not yet made available.

Regarding Joshua's post, step #3. Where exactly does one set the adapter's location to public. I've been unable to find the correct screen. Thanks!

Still getting 412 error.
cisco suck, im gonna install an open source vpn server in the office.

I did the copy/paste profile folder and it worked like a charm!! Just copy your profile folder from the user section into the program files section.

Ok, been following a long for a while now and after doing a lot of searching around I finaaly got it working. Here is what I did:
- Installed 5.00.090K9 version.
-Added these 2 lines to the "vpnclient.ini" under
[main]
UseLegacyIKEPort=0
VAEnableAlt=0

Added Trigger port UDP/500 Input 49260-49290 to firewall. This is the Router/Firewall not Windows firewall. That is still enabled and it works fine.


Everything is working fine. Do not need to enable VPN adapter manually or anything. My firewall seem to be what was giving me the most problems. I did not have to do anything to me FW in XP but Vista you do!

I was struggling with the 412 error, and have tried all the tips on this site without any luck. I did a firmware upgrade on my Linksys wireless router (WRT54GX-v2)and now it works without any problems :o)

Please help with making the adaptor Public. I can't find it anywhere in Vista.

I still got 435 error, what can i do?

re: Cisco VPN error 442 in VISTA
This is an administrator problem in VISTA.
You need to change the adm. rights on ispecdialer.exe (VPN program).
1. Click Start
2. Type CMD (not enter). The cmd icon will be shown at the top of the list.
3. Right click on the icon(on the top).
4. Check mark the box Run as adminisrator.
5. Browse to the VPN program.
6. Execute the ispecdialer.exe
7. Right click on the VPN and ceck the Run as adminstartor box.

Missing info after 4. Check mark ....
After changing to Run as administrator, execute the CMD.

To have the Cisco VPN working properly, you need to manualy copy all your "old" VPN profiles into the VPN directory for profiles.
Not doing this will give you error 402!
(Importing the profiles will not place profiels in the Profiles dir).

error 1721 "There is a ploblem with this windows installer package...

I have vista ultimate 64. i cant get pass this error to install it.

what do i do?

Hi Harv.
Which version of the VPN are you trying to install?
I have 5.0.00.0090 on Vista Ultimate 32.
Cisco has an older version(4.8.01.0590), which you might want to try to install.

Take note on my previous post on 2/24 with the link to MS site for the schedule of Third-Party VPN clients:

32-bit - Final release date of 3/28/2007
64-bit - upgrade to Cisco AnyConnect Client

Lets hope the final release has a fix of some kind for the Stateful Firewall that some of us are still having.

can any please give me a link to dl a vpn client for windows vista x64?

thanks

Hi

I thought i had a problem with vista but now realise that it is started with version 4.8.02.0010 and happens on XP as well as Vista.

I get the 412 error and it never prompts for user/pass.

On my XP machine if I install version 4.8.01.0300 it works perfectly. Unfortunately this version wont work on Vista hence my problem. I am thinking maybe the PIX needs upgrading?

Can someone also post a link to Frank's suggestions as I cant seem to find them.

Cheers

Hi,
Im trying to connect to a VPN in my home using the Cisco Vpn. I have a wireless n/w in my home. So my laptop is behind a router. I cannot connect to VPN both in XP and Vista. Im using the 4.8.01.03 version in XP. Can any one help me what configuration should be changed to use VPN behind a router.

Thanks..

Hey, your post came at the top of my search! Thanks Bill!! :-)

re: Cisco VPN error 442 in VISTA

I had the same problem using both 4.8 and 5.0 versions. What is weird though is that it works during every first use for that day - if you restart your computer on that same day, then you will not be able to connect unless you will go through the entire uninstall/reinstall process again.

Does anyone has a fix for this? I tried all the suggestions posted in this thread but no luck - still getting Error 442 everytime I restart my computer.

Anyone able to figure out how to get around the 412 error on 32 bit vista? I've turned off my firewalls and plugged directly into my cable modem (instead of linksys router). Nothing seems to help.

Any ideas?

I too am getting the 442 error. Tried the fixes listed here, but the only way I can resolve it is to uninstall and reinstall the client. It will work fine for a day or so, then stop working again. Using Vista 32-bit Business version, and VPN Client 5.0.00.0090

Can anyone help. I cannot get past 412 error on cisco 5.0 software. I am running vista basic. Is there a solution. I have tried many of posted solutions. Nothing has worked...

I receive the 412 error as well.

running vista home premium
tried both 4.8.x & 5.0.X
added UseLegacyIKEPort=0 & VAEnableAlt=0 to .ini file

When I install v. 5.0.00.0090 and reboot, looks like it automatically gets uninstalled!..any idea what's going on?

An easier way than unistalling and reinstalling for Error 442 is to do the following:

1) open device manager
2) go to network adapters and uninstall the cisco adapter (right click-->uninstall)
3) go to start-->run-->cmd
4) cd to the cisco install directory (usually in c:\program files\cisco systems\vpn client\)
5) run ... vainstaller.exe i "C:\Program Files\Cisco Systems\VPN Client\setup\netcvirta.inf" CS_VirtA

That'll reinstall the virtual adapter and it should work again.

If anyone has a permanent fix, it is much appreciated.

Hi,
The existing IPsec VPN client will not be made available for 64-bit Vista. 64-bit support will be available only through Cisco&#8217;s next generation VPN Client for the ASA 5500 platform (Cisco AnyConnect VPN Client). 64-bit XP will be available in March (and is available in Beta now), and 64-bit Vista is presently in the plans for ~CY3Q/CY4Q07.
Best Regards,

hey thanks i was able to solve the 402 error from the post above.

AnyConnect is the SSL / DTLS VPN Client. It supports x64 x86 Vista XP, etc.

Hi,

Ran across this and would like to give everyone feedback which might be useful.

First issue, VA not enabling. This is a bad one for us and we think we have it licked. The issue we are having is that Vista has drastically changed the way adapter information is stored, XP it's stored in the registry, vista everything is done with NetSH and registry support is provided as a legacy application support but it's not reliable. Unfortunately NetSH doesn't have an API so we are having to do "shell executes" to work around this problem which is bad programming practice but we have to make do with what MS gives us. In the background this is what is happening, when you create a tunnel the agent negotiates with the headend, gets all the information, then goes into the registry to assign the IP, DNS, etc. Once this is done we then need to enable the adapter, so what we do is we query the network adapters looking for the adapter that has the IP which matches what we got from the headend and then we enable that adapter. This works great in XP however in Vista this isn't the case, Vista has this new fangled feature called persistent store and active store. We have found that previous session IPs are being added to the persistent store in Vista. What happens in subsequent reboots is that when you make a connection and the client has negotiated with the headend gotten the settings assigned it to the registry for the VA and now trying to enable it, Vista isn't returning the right IP instead the one in the persistent store so the client when trying to find the VA to enable it can't and thus you get the unable to enable VA because we can't find it. This just means we have had to add more checking and cleanup and so far it looks good. No need to set IKEPortLegacy or anything is this just something that is a pain and has been resolved in later builds.

Next is the integrated firewall, this is a 3rd party firewall we use, to be specific it's the ZoneLab's Integrity firewall libraries that we are using. Unfortunately Zone has turned around and said we have EOL'd "End of Life'd" that product and have no plans on making it Vista compatible, this is a big problem and it's not a simple replace firewall libraries and you are set. So for now we can't provide a working integrated firewall. People might ask well Cisco is big and I'm sure Zonelabs will be nice to you guys but realize Zone got bought out by Checkpoint so it's a competitor of ours etc etc etc. Anyway I'm sure you all understand this problem.

Profiles, please manually copy them to the Profiles directory for the time being, there is another wonderful Vista feature called Data Redirection, basically any application that doesn't have a manifest that tries to write to the Program Files directory will have the cwrite call redirected to virtual program files directory located under the users profile. We have resolved this in the future clients and don't have this problem, the current beta build still has this problem. Since the VPN GUI is running in User Space and the Service as System, the GUI is being redirected to the virtual folder but the Service which reads the profile is System and has all the rights in the world so it can read the real place and doesn't find the profiles, hence the problem you are seeing.

64bit support, will only be provided in our new VPN client, AnyConnect. All I can say on this right now. There are a few links floating around about this I believe one of them is already posted above so just refer to that.

The client uninstalls every time I install the client is another problem we have resolved. Basically this is caused when you try to upgrade the client from previous version on Vista. The problem we are running into is that services no longer have access to interact with the desktop, this is called Session 0 and another excellent feature from Microsoft. This causes problems so for now please uninstall the client first reboot and then install the new version.

I haven't added this to the troubleshooting guide yet, but go ahead and disable autotuning in Vista:

Netsh interface tcp set global autotuninglevel=disable

This should fix a few problems especially with Outlook and network performance.

Ok so everyone is complaining but to be honest I'm not seeing a lot of complaints coming in on the beta list. This is very important that if you like to contribute to the overall stability of the client they everyone should please email vista-vpn(at)cisco.com with the information so that we can take a look at it and if necessary add it to the bug list. I'm seeing very little issues in the lab, I do run this on my Vista laptop and don't see many issues so if we don't hear about it we can't fix it.

Ensure you have set the logging level in the vpnclient.ini to 15 for IPSec, cvpnd and IKE. You can set the rest to 0. Include the logs with your email and a brief description of the problem.

Our goal is to get something out that is stable might miss a few features but at least it works well. Subsequent releases we will then work on getting the rest of the issues resolved, it will take time.

My last comment is that everyone is complaining that Vista has been out forever why hasn't Cisco gotten a working version out yet. I hear this a lot and would agree but here is our problem, the first version of Vista that we received that we could use to develop the client on was RTM which we received at the end of October, I know, hard to believe. There has been a bug in Vista throughout its beta life that has prevented us from having a working beta version that our developers could use to actually work on. Throw in all the changes, like Session 0, no more registry settings for adapters, autotuning, etc and this all means fun and excitement for our developers.

Anyway hopefully this gives you guys some insight into the client world and maybe help with the problems you are having.

Finally, you all know now where to find me, I look forward to the email. :)

Again the email is: vista-vpn(at)cisco.com

Hmm... no mention of the IP refresh bug where every 30 minutes the client screws up the route table requiring a disconnect/reconnect or deletion of the redundant route table entry. Does anyone have any information about this? I've created a task to take care of it for me, but I'm getting tired of seeing the cmd window pop up every 30 minutes.

Hi Hank,

Ok so I guess this will become unofficial support place :D.

The IP refresh but is related to DHCP. You will probably notice that DHCP is set to 1 hour. This is another feature added to Vista which is driving us nuts. Vista is the only OS, out of previous Windows, Mac and Linux that does this. When a DHCP renewal is performed Vista readds the default route. You will notice the tunnel will still be up but no traffic flows. This has been fixed. We basically monitor the route table and soon as we see Vista readd the route we delete it. Anyway the work around for now is to manually remove the route entry that is added or just disconnect and reconnect.

Is there a resolution to the 412 error? I tried manually moving my .pfc to the profiles directory. I still get the same results. I'm guessing this is a client side error, but can't seem to get a proper configuration that allows me to connect.

Using Vista Home Premium

No solution for 412 error yet that I've found. Been trying to make it work since December with no luck. There have been lots of things suggested here, but none fixed the issue. I've sent several emails to the vista-vpn mailing list, hopefully that will help identify the issue (eventually), though I haven't received any technical response thus far.

BTW I've plugged directly into the cable modem (no firewall) and had the same issues. Recently I installed (by mistake) the 4.8X "Vista-capable" beta client on a Windows XP machine and discovered it didn't work their either - same 412 error. This suggests to me that the problem isn't with Vista compatibility, rather it might be compatibility with my company's Cisco hardward (and this beta client). 4.8.01.0590 works fine, whereas 4.8.02.0100 doesn't..

Cisco Support,

Many thanks for the post. I assumed this is what was happening and that a work around would involve checking the route table and deleting the entry as soon as it appears. That is basically what I have done. I wrote a batch that the Cisco client automatically executes as soon as it connects which prints the route table, prompts me to enter the gateway address (as it chances depending on from where on the wireless network I am connecting) and then creates a scheduled task to delete the 0.0.0.0 entry to that gateway every 30 minutes (which is how often my IP lease expires). Like I said, this works fine; it is just irritating to have the cmd window pop up every 30 minutes to delete the route. It will be nice to see a fix built in to the client. Thanks for the hard work!

-Hank

Ok lemme try this again. Sorry the last post didn't go through and I lost my text... My luck it will show up and this will be a dup. Lets see how close I can get the text.

Ok so I'm able to reproduct the 412 in the lab but only if I use the Apple Extreme Base Station wireless product. If you guys can let me know what mediums you are using to connect over that would help. We do have an open bug with Apple regarding their wireless product but I don't think it's related, the other bug is regarding the Mac client.

For now the workaround is to use TCP for tunnel instead of UDP, IPSec or NAT-T, if you can create a test group and give it a try, if you don't have access bug your IT guy.

/Copy text before submitting/

Regarding the VPN client uninstalling after reboots.

I had this same problem running Vista Ultimate 32bit. After some frsutrating mornings of finding it uninstalled, I got determined and tested for hours. What I found is the built in Windows Defender sets its Spynet membership to Basic. Basic is the new, "I won't bother you" version of Defender which is good and bad. Good meaning less OS bugging me, bad meaning when it needs to know what the DNE driver is, the VPN service, etc., it doesn't ask. I modified my Spynet membership to advanced, rebooted and installed the 5.0 client clean. After having to answer several questions from Defender, the client installs completely and does not ever uninstall again. I have been running the 5.0 client ever since with no uninstalls.

Someone else give this a try to see if my case is isolated. I hope it helps someone.

I still battle with the 442 error. I've been recreating the VA periodically to solve. When can we expect the next rev. of the client that you have already solved a large number of these issues in? Are you waiting to just release the final rev towards the eom?

Hi Chris,

See my most above regarding the 442 error, first para regarding the VA not enabling.

Good to know about the windows defender. Will give this a try.

I reread the post. Am I missing something or is the fix only in the later builds of the client that have yet to be posted? I understand the process of what's happening, just still don't see another method around it. Removing the adapter must purse the persistent store for the VA.

Am I missing something?

Hi Chris,

Give this a try and see if that works:

C:\netsh int ip reset resetlog.txt

Cisco support, so happy to see you reading and responding here.

Regarding the 412 error, I'm using a Dell Latitude D810. I experience the problem both on a wired (Broadcom NetXtreme 57xx Gigabit Controller) and wireless (Intel PRO/Wireless 2915ABG) connections, both behind my NAT router (Linksys model) and when directly connected to the cable modem. I am attempting to connect over UDP/IPSec (sysadmin hasn't enabled TCP).

If there's there's more info I can provide I'd be glad to debug/test/help.

Thanks

Hi, I have been trying to connect cisco vpn client in Vista home edition. I followed few steps to avoid er 412, 403 using the above comments. But now it doesnt give the error, but it remains in NOT CONNECTED state.
Can any one figure out what is this abt. Im using the Cisco vpn 5.X beta version.

May be the cisco guy can take a shot at his ;)

Cheers

Hi,

I have a Windows Vista Business Edition and I have a problem with Cisco VPN Client (5.0.00.0090).

The error messages are:
Reason 435: Firewall Policy Mismatch
1. The client did not match the firewall policy configured on the central site VPN device. Cisco Systems Integrated Client Firewall should be enabled or installed on your computer.
2. Initializing the connection...
Contacting the security gateway at xxx.xxx.xxx.xxx...
Authenticating user...
Contacting the security gateway at xxx.xxx.xxx.xxx...
Negotiating security policies...
Securing communications channel...
Secure VPN Connection terminated by Peer.
Reason 435: Firewall Policy Mismatch.

How can I solve this problem?

Thanks!

Arpado

Just to make sure we're helping everyone and not just ourselves, let's make sure we are sending our bug reports through the proper channels before we post. I understand us having issues we need resolved but if we don't report them into the dev team, everyone will suffer. For those who already are doing so, great.

If you're not reporting the issues to Cisco before posting please do the following as posted previously:
set the logging level in the vpnclient.ini to 15 for IPSec, cvpnd and IKE. You can set the rest to 0. Include the logs with your email and a brief description of the problem and send it to vista-vpn(at)cisco.com

Doing so before you post will assure the dev team has all the information they need to create the fixes for everyone.

If anyone disagrees with this post, rather than littering the one resource that has been invaluable to most of us with argurmentative comments, feel free to email me directly.

hodgy55 at gmail dot com

Is there any solution to 412???

I've tried change the ini, close firewall, reinstall, manually restart the VPN adapter... and nothing.

still not connecting.

in use with 5.0.00.0090 and 32bits Vista final version.

thks

have you tried using TCP rather than UDP for the transport?

i try to install Cisco vpn 5.0 but the are a (Error 1721. There is a problem with this Windows installer package.A program required for this install to complete could not be run.
Contact your support personnel or package vendor)Who can help me with that

Hi dosguru,

I'm assuming you are installing this on 64bit? If so we don't support 64bit, 64bit support is slated for AnyConnect client. If not make sure you are installing the MSI version of the product, but not by double clicking on the MSI since MSI our MSI package doesn't support Vista when UAC is enabled. So run the vpnclient_setup.exe or just let the self extractor launch the install.

Hi All,

I have a new cvpnd.exe if anyone wants it. It has a few fixes in it. The main issue I would like to get tested and see if it resolves anything is the "Unable to enable the Virtual Adapter".

Symptom is that it will just sit at "Securing communication protocol" and finally pop-up with an error.

If you want the new cvpnd.exe email me at vista-vpn(at)cisco.com.

Hi Chris

I want to connect a public network in the university. in his configuration i must disable the Transparent tunneling. So i can't change the TCP to UDP.

any help?

Cisco IPSec VPN, Is this fix for 412???

thanks

Hi Roque,

Disabling the tunneling means your are doing straight IPSec connection. The only work around currently available is to use TCP for the tunnel. This is for the 412 error.

THIS IS A PAIN IN THE ASS! DIE VISTA DIE!

Now that that is out of my system. As stated above, someone fixed the 412 errors by upgrading the firmware on their router. I'm in that club! I've got a Linksys BEFSR41v4. Firmware is available on linksys.com!

Hello.

Is anybody having this problem?

I installed the VPN Client (5.00.090K9 version) on a Vista Business 32-bit machine with no trouble. When the VPN Client is run, the error message "Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again." I start the VPN service manually and it disables my VPN Adapter immediately. The VPN service stops immediately as well. I can re-enable but the same thing happens every time.

I have disabled the Windows Firewall to test this. I have tried everything I can think of but have had no luck. Have any of you had this problem?

Thanks.

Hi wsbrook,

Please do a clean uninstall, reboot, then install the client again, reboot.

Virtual adapter is meant to be disabled. It will be enabled when the connection is made.

Service should always be running.

Did you upgrade from XP by any chance?

Lastely please review the troubleshooting guide for the client. If you need a copy email vista-vpn(at)cisco.com.

Thanks for the response.

This is not an upgrade. I bought a HP laptop with Vista Business preinstalled.

I did the uninstall and reinstall with reboots and that did not do anything different. The CVPND service is set to Automatic but will not stay in a start status. It will start for about 3 seconds and then stop again. I only receive the "Error 56" when I attempt to start the VPN Client.

I will e-mail for the troubleshooting guide to make sure I do not have something configured incorrectly.

Thank you again for your help.

Hello Cisco IPSec VPN

Thanks for the quick answer. If i undestood you, this means that i don't have any solution for this 412 in this network?

thanks again

I too fixed the 412 problem by just upgrading the firmware on my Linksys Router. Thanks for the tip!

Can anyone tell me where to get the Cisco AnyConnect client? I have the Ultimate x64, and I cannot find it anywhere. I have an ASA, but Cisco's documentation on this leaves much to be desired. Any help would be appreciated.

Thanks,
Vinnie

Hi Vinnie,

The AnyConnect client is currently in Beta to a select few customers, if you wish to participate in the beta please email the vista-vpn(at)cisco.com and I will forward on your request.

The release date is around the beginning of April but again this is subject to change.

RE:Reason 435: Firewall Policy Mismatch

Since Cisco VPN use(d) zonelabs firewall technology in previous versions, the available clients still look for certain files.

If you are getting this error, you probably don't have zonealarm installed......

1-install "ZONEALARM" recent version to create the dll files for CISCO VPN
2-create a temporary directory c:\vpntempo

and save in this directory the files from C:\windows\system32

vsinit.dll
vsdata.dll
vspubapi.dll
vsutil.dll
vsutil_loc040.dll

save also the file c:\windows\system32\zonelabs : dbghelp.dll

3-uninstall ZONEALARM

4-copy the files from c:\vpntempo
vsinit.dll
vsdata.dll
vspubapi.dll
vsutil.dll
vsutil_loc040.dll

to the directory c:\windows\system32
and copy file
dbghelp.dll to the directory c:\windows\system32\zonelabs

5-install a recent version of Cisco VPN

6-delete the directory c:\vpntempo

Hi All,

Please note that the VPN Client uses the Integrity libraries and not the ZoneLab libraries. Also doing the above steps will cause system problems as ZoneAlarm is currently not compatible with Vista. If you place these libraries in the System32 directory the client will try to load these and may cause BSoD.

This is unsupported by TAC and the beta list, basically you are on your own if you try this.

I'm not even lucky enough to get 412 errors.

I have Vista Ultimate 32bit - upgraded from a clean XP install, but I cannot install either 4.8 or 5.0 and get the same InstallDNE error returncode 2146500093 from each insaller. I have a CCO account but there is nothing in support there about this.

I've tried with UAC on and off. There is nothing being installed in devices, networking or program files and the installation rolls back each time (registry only leaves two DNE folders that are empty).

I am missing something basic?

Hi Diavosh,

This is covered in the troubleshooting guide:

When installing the client you are getting a DNE error message?
Verify the following regkey:

HKLM\Software\Microsoft\Windows\CurrentVersion\

DevicePath = %SystemRoot%\inf

And the type is set to type REG_EXPAND_SZ

Either add it to the list already there or replace the entire entry with just that one.

More info regarding this registry key: http://support.microsoft.com/kb/279112

I have Windows Vista, and the Cisco's VPN client, the beta version. When I connect the VPN it does connect without any errors. But after it connects my internet explorer donest work, it wont connect even if you click any links. After i disconnect the VPN client it starts working again! Any solutions to this problem, are there any settings that can be tweaked?

Please check your browser proxy settings, sounds like this is set, when you make a connection the connection will still try to reach the local proxy which won't be possible.

If this isn't the case please contact the vista-beta list:

vista-vpn(at)cisco.com

Please include connection logs, see above posts regarding enabling logging.

Cisco Support,
Thanks. I tried the temporary fix for VA issue (Error 442) that you indicated above and it works. Right now, I can connect/reconnect anytime even if I rebooted my system several times in a day. Hope this helps those who are getting the same error.

----
Give this a try and see if that works:

C:\netsh int ip reset resetlog.txt
----

Cisco Support,

My network connection speed has also improved significantly after using the setting Vista's autotuninglevel below to "disable". Download speed used to be 16KB/sec only and now it went up to 200+KB/sec when VPN is enabled. Thanks.

----------
C:\Netsh interface tcp set global autotuninglevel=disable
----------

I'm also getting the "Secure VPN Connection terminated by Peer. Reason 435: Firewall Policy Mismatch."

I'm assuming this is due to the fact that my companies security policy requires the Cisco VPN firewall be enabled on the client. And since it doesn't exist in the Vista beta client yet, I'm unable to connect. Is this a safe assumption? If so, when will a VPN client that includes a client firewall be released?

Note to everyone. Don't blame Vista for your Vista/Cisco VPN related issues as Vista was in public beta for a very long time before it was released. Cisco's had plenty of time to release a production version of the VPN client. Just as Apple had plenty of time to test their iTunes software to make it compatible.

Hi Chris,

The vista version will not be released with firewall support. ZoneLabs Integrity has been EOL'd and these are the libraries we use. Since Zone has said this product will not made available for Vista we have removed this functionality. There are a few firewalls that are supported by the client, ZoneAlarm and BlackICE etc however none of these vendors have Vista compatible version out yet. When they do you are more then welcome to install those which will resolve the issue.

As for public betas please see my post above regarding this. It's a very ignorant statement you have made, we have been working hard with Microsoft and have had access to weekly builds since beginning of 06. However there was a pretty major flaw in Vista which affected the client and only got resolved in RTM version. This means that we have had only 4 months so pretty much rewrite the client that is about 6 years old based on a version of Vista that works with the client to begin with.

Vista does not support XP style GINA, thus requiring rewrite of the Start Before Login code. Vista doesn't allow session 0 "services" to interactive with users, again rewriting the agent and a number of things to ensure certificates work.

There are even a few things in the new network stack that is what is causing the 442 problems. The documented workarounds from MS don't work so we are left hacking this to make it work. We don't have access to some API's requiring us to come up with Shell Execute solutions to make it work which is just bad programming.

I'm sorry for the ranting but people need to understand that we are hamstrung and when people make statements about Vista beta's being out for 2 years why don't you have something yet is just sad.

Please remember the VPN client is a free product, if you don't like it there are alternatives, Certicom "Paid For" being one of them, Movian "Paid For" another, cvpn "opensource" being another that people are more then welcome to use.

As for iTunes, I wouldn't be surprised if they are running into similar issues, no documentation, help, etc. Same goes for Juniper, Checkpoint, Aventail etc. These guys are also probably having a tough time.

Be patient, if vista is causing business issues for your company don't go upgrading to it just because you need the latest and greatest, this is foolish, there is nothing in Vista that you can't do with XP and forced migration without first testing and ensuring business continuity is even more foolish.

Vendors will release products that support Vista and life will be good.

Please note this post does not reflect the views and beliefs of Cisco, this is me personally posting my personal view so don't go saying, look see what Cisco is saying.

Well this client is inconsistent on Vista. Can't reconnect half the time.

John,

Are you getting the 442 error? If so email vista-vpn(at)cisco.com and I will send you a new cvpnd.exe which fixes that.

Cisco IPSec VPN,

I apologize for making such a bold statement regarding Vista. At the same time, I'm glad I did as I see it has fueled your fire enough to provide a very detailed explanation as to what is going on with the client. I appreciate your detailed feedback! I've been looking for an answer to this issue and most of the posts I've seen on the web have a number of scattered VPN issues making it more difficult to find the answers I've been looking for. I have a company laptop which I, nor my company, would consider putting Vista on. VPN works fine here. However, like many, I also have a couple of home PCs which are more convenient to use than pulling out the company laptop. Regarding the cost of the client. It is not free. Perhaps it is for some in some way or another, but my company pays for Cisco hardware specifically for VPN connectivity (Pix/Concentrator...etc) as well as for support and maintenance. What good is a VPN hardware appliance without a client to connect to it? Also, having the latest and greatest is a part of being in IT....at least for me. For better or for worse.

Ultimately, I was suprised that Cisco was unable to provide a fully functional VPN client for the release of Vista or at least shortly thereafter. Again, I do apologize for making the bold statement earlier as I have no clue the challenges Cisco has experienced updating code for MS Vista compatability.

Chris

All,

Will be posting an RC version on Monday sometime on cisco.com. If you have time please go ahead and use this version. If you have any problems email vista-vpn(at)cisco.com with details, please include connection logs as outlined in my original posting above.

I will try and keep up with posting here but if you don't hear from me just email the support list and will handle the questions from there.

No worries Chris,

I just had to vent since I get this thrown at us everyday. As for cost of client it's debatable :) but hopefully you get what I mean by free*.

Cisco IPSec VPN, is there any hope of the RC client (Monday) fixing the 412 error? I can't use TCP - have to use UDP :(

Jamie,

Not that I can tell from the code check-ins. Send me your connection logs though so that we can take a look.

vista-vpn(at)cisco.com

Hi folks,
Some information regarding reason 412, for what it's worth. I'm running a new Gateway FX, factory installed Vista Ultimate. I loaded 4.8.01.0590. I have 8 different sites that I connect to, of those, 7 work fine, and 1 returns the reason 412. I upgraded the firmware of my Linksys to the latest release, this did not help. I have not been able to contact the IS guy (Sunday) to add another group using TCP for tunnel, hopefully I can do that Monday. I will also ask him for the model Pix, and software rev it is running. Those of you who are getting reason 412, are you able to connect to any other sites? Hope this may help in some small way. Looking forward to the RC version posted Monday.
Thanks!

Hi All,

My VPN Client (5.0.00.0090) works rather reliably with Vista Enterprise (6.0.6000), but I have got some starnge issues. First of all the "Securing communications channel..." stage takes about 20-30 seconds instad of 1-2 in Windows XP. And the second thing is that the client does not minimized to the system try, it just stays in the task bar. That is not critical but a bit inconvenient.

Will you kindly explain is it by design behaviour or something can be done to improve the issue.

Best regards, Roman

Hi ZheIR,

Vista will take longer to connect then XP, there are more sleeps in the code to account for the new way Vista deals with adapters that enabled and the checks it goes through.

I have checked the minimize and it works when you have the option set to minimize when connected.

Help with the 412, anyone that gets the 412 can you test the 5.0 client on an XP machine to see if the 412 error occurs on XP as well.

We have found that Vista is causing some src/dst port problems that we don't see on XP however this is just a hunch and trying to get more info.

To All,

As of today I will no longer be checking this blog. If you have questions or need help please email vista-vpn(at)cisco.com.

Release Candidate will be made available on cisco.com around 5pm MST today for download. Please use this version for testing.

Also this version fixes the 442 error so I will not be sending out the cvpnd.exe anymore.

Please do not contact the support email for a copy of the client. I am unable to provide the install via email and you will need to download this from cisco.com.

This blog was nice, I am sorry to see Cisco is no longer involved. By staying in the blog, I could see everyone else's issues as well and what others have tried... does cisco have an online support forum that does not require a user/pass ? Our tech department doesn't give the Cisco passwords out and so I can get the new clients with out a week of waiting for someone at a higher pay grade than I to download it.

Tim

I too can't download the latest beta client, I have to jump through a bunch of hoops at my office and it could take days or weeks, is there a working opensource version for vista or can someone post the new beta for just 24hrs?

has anyone got the beta version working over a sprint evdo card yet? doesn't work for me.

I'm assuming the beta will show up on the Clearchannel site. They always have in the past. Let's wait and see, shall we?

Delays delays delays...

Quick update, won't be posting the Release Candidate tonight, found the 412 bug and it's being worked on. Should be fixed tomorrow AM, then we go through through some sanity testing and will post this.

For those interested, some people where asking for Microsoft IPSec co-existence so we had to change the client to not bind to port 500. However we have a keyword entry for the profile to tell the client to go back to binding to port 500 if the admin wants this.

Anyway even with the flag set in the profile the client will still not bind to port 500, instead sticks to the dynamic port assignment. Unfortunately some network devices don't like this, Apple Airport Exreme being one of them so some users run into this and others don't.

Hi, quick question. Is the link in the original post dead? Just get a 404.

a few ago it was ok .. now i get a 404 too

We have been using the 5.0.00.0090 client and it works a treat on my test system. However our field people are having problems that I can't replicate.

I can only assume that the laptop manafacturer has applied some security policy that it's enabled by default.

When they try to connect to the gateway it will go through the "Contacting Security Gateway" until it times out. No error.

Does anyone know if there's a way to see the logs for the firewall or the vpn client to see if it's being actively blocked?

For what it is worth, I am not able to connect on a known working XP machine with beta 5.0...090. Once I removed 5 and went back to 4.8....0440 it worked again.

Where do I get the software 5.0..090? Any Idea?

Clearchannel caught on, their VPN client site is blank now.

When the client is released, if someone could grab it, and upload it to a newsgroup, maybe to news://alt.binaries.certification.cisco/ , there's only crap in there anyway. That would be great!

Cisco, please allow any registered user to download the client. We're loyal users, and we need this!

My guess is that Cisco contacted them to take it down. I couldn't imagine Cisco to allow anyone to redistribute their client, even if it's free. Lets hope the new version soon shows up on http://www.cisco.com/cgi-bin/tablebuild.pl/windows?sort=date
Is that where the rest of you expect it? (I'm new to the cisco site)

The problem, is that you need a Cisco service contract to get to that page.

Come on Cisco, many of us took time out of our precious schedules to help you debug this. Put the release candidate on an open web page!

Ok Release Candidate is posted on cisco.com. I have sent out invites to everyone that has been emailing "helping" me on the Cisco Vista list to get the new client.

Due to US Export regulations regarding encrypted products, we are unable to post this on an open website. No way to control access by country. :(

If you have a CCO account with any smartnet contract, hell even a smartnet for a cisco phone "$72", gets you access to the vpn client software. If you do have the client and want to make it available to everyone else the only guideline we require is that you have some form of ACL and it's not open to everyone. Then it becomes your responsibility to ensure the person that is downloading the file is allowed to per US Export Regulations.

ClearChannel was asked to put access control on their site, simply having an US Export notification isn't enough for the US Government. Go figure.

If you do download the client from Cisco you are bound by the End User License which does make you liable. Blah blah blah. Ok I have said the company tag line.

I don't make the rules but I do have to follow them. And some rules aren't made by Cisco, this being one of them.

The new client is posted on cisco. Use the link above. 1st install I received a 429 error. Rebooting now to see if it reoccurs.

Matt

Good news for all those folks who, like me have been struggling with 412 errors for the past few months. I just installed v5.0.00.0320 and can finally connect to the VPN :)

Works great, thanks to all the folks at Cisco!

Is there any solutions for us who don't have Cisco CCO account?

Can other's who donot have Cisco account get the latest version for Visata ???
kindly let me know !

What's a CCO ID? the username when we register to cisco.com????

Thanks

Anyone get this or know of an alternative download location?

HELP!! Somebody please make v5.0.00.0320 available for download from somewhere (other than cisco.com, unless they decide to make it available without a CCO ID)!

Thanks!

Tell me a place I can post it.

Some friendly soul put it on usenet already.

When i go to that cisco link above there are no files listed.

Hans, how about a link to that download? I could certainly use it. Thanks in advance!

Someone please put it up on Rapidshare.com or something.

Here you go guys, enjoy!

Try number 2

http://rapidshare.com/files/22151147/vpnclient-rc-5.0.00.0320.zip.html

Thanks so much Matt! My university has been so slow in releasing the vista capable version, your help is much appreciated!

Anyone with the 442 error??? i have it again..

how can i solve it?

I am also still getting the 442 error.

v5.0.00.0320 is working for me too. No more 412 error. Yay!! Thanks to everyone on this list for all the suggestions and ideas!

Has anyone had any install problems? I did on one of our Vista laptops near the end of the install process.

I am getting a 402 message. client will not allow connection.

I was getting the 442 error for a while, then I tried the fix that I thought was in this blog (removing the virtual adapter and then running a command prompt line to re-add it) and that worked - no need to reboot. Well now I checked this blog again and the entry I thought was here is missing! Maybe I'm going crazy or something.
Anyway, my problem now is it hangs on "securing communications channel". I had the 5.00.090 version. I just downloaded the 5.0.00.0320 version (THANKS MATT) and it still hangs there. Any ideas? I'm running Vista and the Windows Firewall is off.
Thanks in advance,

-Matt

How long are you letting it run? One instance took 30 minutes and I had to agree to continue what seemed a dead process. I still have one machine it will not work on but I am gonna mess with it tomorrow. Trying to bring up our Philippes site right now.

LOL, I mean the Philippines.

Like a first, thanks for a solution for alternate download location

With this version I still have the same problem 412 error (stuck on "establishing security gateway"). Can you, please tell me what port VPN Client is use, to establish connection to secutity gateway?

hi, i'm using vista 64bit, is there any alternative for the cisco client? it seems its not supported http://support.microsoft.com/kb/929490/en
it tells me about anyconnect, but i can't find a download site.

Sweet ... finally no more 442 error with the RC release .. Thank matt for posting it! My university doesnt support it at the present.

Help! Haven't loaded VPN on new Vista computer. Have heard it doesn't work. Is there fixes to the program that definitely do work? Thanks in advance.

On 32bit Vista systems it defenetly works

Has anyone got a reliable work-around for the "Reason 435: Firewall ..." situation on Vista? I installed BitDefender for Vista, but apparently this did not satisy Cisco. Can I incoporate a rule into the Vista firewall that will satisfy the VPN requirement? I'm running the latest Cisco client v5.0.0.0320 and I'm having no luck ...

Hi,

I have a same problem:
Reason 435: Firewall policy Mismatch
:(


Vista Business 32 Bit
Cisco Client 5.0.00.0320

I am having 418 error "Unable to configure Firewall Software"
The Log says "Invalid concentrator firewall configuration."

I am using Cisco client v5.0.0.0320 on Vista.

For you with the policy mismatch - the problem probably is that your vpn policy is set to require the client firewall to be active, since its not supported on Vista, there is no firewall in the vpn client. You will have to adjust this on the concentrator-side of things.
At least this is what happened at our place.

hth
Hans

After installing new version I'm still getting 442 error. Cisco folks sent me the following, but it has not solved the problem for me...anyone have any luck?

Looks like your network stack is in a bad state, please uninstall the
client, reboot, then run the following command:
netsh int ip reset c:\resetlog.txt
Reboot.
Then install the new client, 5.0.00.0320.
Reboot
Should be good to go.

Also, what should I see when I run the netsh command? I don't get any output to the specified txt file...this is what I see (I am running from an administrator prompt):

Reseting Echo Request, failed.
Access is denied.

and some other OK! messages that I can't recall...

Ran 5.0.00.0090 and it worked with noted issues (needed to reenable virtual adapter and run route -f on occassion). Installed 5.0.00.0320 and now I cannot ping anything on the other side of the VPN. Traffic going out, none coming back in. The VPN does not seem to stay connected anymore. Tried reinstalling 5.0.00.0090 and now I have the same issue. Went back to 5.0.00.0320. Anyone seen this? Is there an email address at Cisco for the beta to note problems?

If you have questions or need help please email vista-vpn(at)cisco.com.

Include brief description and connections logs.

Please ensure the logging level is set to 15 "debug". This is done by closing the GUI after enabling logging, opening the vpnclient.ini file and change the loglevel=1 to 15 for IPSec, IKE and CVPND.

Thank you for that client Matt. I need to login remotely to my university campus in order to send e-mails using my school e-mail address off campus using a pop3 client. I can do it with the client you posted. I'm running Vista Business.

Is anyone having any problems using the VPN with the 32-bit Vista or are the majority of the problems on the 64-bit.

Kim

Kim - the readme states "This client only support 32bit operating systems."

Still getting 442 error? Do the following, manually enable Virtual Adapter, right-click on it, and select "Diagnose", then select "Reset the network adapter "Local Area Connection X"".

Should solve the problem.

Please report success or failure to vista-vpn(at)cisco.com.

hey all, i'm facing the same problem here, my vpn doesnt work with my Vista. can anyone tell me where can i find an'update for Cisco VPN or at least a donwload site for their latest version!

Please contact vista-vpn(at)cisco.com for help.

twice connected, but not more. Now always error 442 (failed to enable Virtual Adapter) SOS. stop by now, my head is burning, :)

Sorry, I'm using 5.0.00.0320 version on Vista Home Premiun.

Still getting 442 error? Do the following, manually enable Virtual Adapter, right-click on it, and select "Diagnose", then select "Reset the network adapter "Local Area Connection X"".

Should solve the problem.

Please report success or failure to vista-vpn(at)cisco.com.

Cisco you guys suck, Vista has been final for a while now, get your slack asses in gear.

Whilst you are at it sort out your list of supported hardware devices since you clearly don't have a clue about USB wireless support either.

I also got the 442 error after having the client run successfully for 1 day. I worked around this problem by running the repair function for the VPN client program.

Any free link to vpn client for vista 64 bits?

You're a f*&king moron. Read the G*d d@mn forum! There IS NO 64-BIT CLIENT!

There IS a 64-bit client. Its the AnyConnect client that user is looking for.

I believe he/she is searching for a link outside of Cisco to obtain this client. I have not seen one posted here nor have I heard of one anywhere else as of today.

Oy vey, you couldn't have said it better. ;)

I have a few free cycles so I'm answering some questions.

Cisco IPSec client in it's current form does not, will not ever support 64bit. No reason to spent the effort on it when the new client "AnyConnect" will work and is the future.

Now before every asks for the client, AnyConnect requires the ASA appliance with the 8.0 code on it. This will be released next month. It will not work on PIX or VPN 3000 units. IOS device support is slated for the near future.

Again before everyone gets up in arms about having to upgrade hardware, PIX and VPN 3000's just don't have the CPU power to handle SSL VPN connections. Think back to 7 years ago, what was the fast Pentium, now think, what was the fasted embedded CPU? We have tried, since we complained internally about no support for PIX and VPN 3k's but it's just bad, if it's bad in the lab it's gonna be worse in the field.

Both the PIX and VPN 3k's have hardware encryption engines for IPSec only, these devices handle this very well, the ASA has both SSL and IPSec hardware accelerators allowing it to deal with SSL VPN tunnels a lot better.

The AnyConnect client is tied to the ASA appliance, there is an admin installation "msi" and web based deployment, you browse to say: https://vpn.companyx.com sign-in, client gets auto deployed to your Windows, Linux or Mac machine and establishes a tunnel. Proxy/NAT device friendly, doesn't have the issues surround IPSec, well not until IPv6 is out then IPSec will do a lot better again. Doesn't require the Sun, Moon and Mars to be aligned for it to work.

As for Firewall issues, blame Zonelabs, we use the Zonelabs Integrity library for the Firewall feature which is EOL'd and no plans to make it Vista compatible.

Soon as ZoneAlarm is vista ready, if it ever will be, install that and you are golden, or have your VPN administrator configure the VPN appliance to check for Vista firewall enabled, there is an option in the VPN appliance to do a custom check and not rely on integrated firewall. There are solutions but this is directed to the VPN administrators and not the endusers to solve.

Fest, not sure what you are talking about, you can use any wireless device you like, but if you really want a "tested" list we have tested, Intel, IBM, Linksys, 3com, Sierra Wireless, Novatel, Dell, Aironet, etc

The only requirement at install is that you have a network adapter or RAS connection, IE Modem. Other then that we don't care.

Since your above post offers up zero information, I CAN'T HELP YOU.

Please email a description of the problem to vista-vpn(at)cisco.com and the friendly support guys will answer your question, help you troubleshoot it, and god forbid, open up a bug for it to be fixed.

Other then that I'm heading back to my soft comfy couch here in the lab and enjoy the world cup cricket.

OK - this is just wonderful. I installed the BETA of ZoneLabs product for Vista.

Hooray - no more "435: Firewall Policy Mismatch" errors!

However - its gotten worse instead of better.

Now my entire system hangs during some point in the securing communications phase of establishing the VPN connection. And when I say hangs, I mean HANGS - as in permanently.

The only way to get things back is to hard boot the system (holding power button for 10 secs, etc, etc, etc).


Anyone else experiencing this sort of error?

I cannot believe a company with the resources Cisco has does not have a properly working version of the VPN Client out yet.

Chris, for some reason earlier posts are cleared, I didn't spend the time to find out how to get them back but if you find out a way you should read my original post regarding the development of the client in regards to Vista.

Sorry to hear the zonealarm problem...

Zonelab's was purchased by Checkpoint, Cisco competitor, so you can understand it's a sticky situation.

Again, got questions or need help, EMAIL: vista-vpn(at)cisco.com, it's free no registration, all done via email, painless, let us know and we can help!

Thanks for the response CIV - I appreciate it.

I did actually see yoru earlier repost with regards to the difficulty in developing for Windows. As a developer, on the one hand I understand working with MS is a pain - but on the other hand - this has gone on far too long.


I'm now looking at a hardware resolution to the issue. So let me ask you an off-beat question: if my clients are using a mix of group authentication and certificate authorization - is there a piece of hardware out there that will allow me to connect to both? I was looking at the Linksys VPN Router - but not sure it can handle certificates ...


In the meantime - I have sent an e-mail to the address you've supplied. Hopefully I'll be able to get this thing resolved - as having to revert this installation back to XP Pro is not going to be a fun undertaking.

Thanks again!

Hey Chris,

Just responded to your email... :)

If you install ZoneAlarm with the client installed it actually detects the Cisco VPN client, nice of them. :D

Anyway back to your original question, hardware wise there is the vpn 3002 but that is dead, next is the ASA 5505 which is the replacement for the vpn 3002 and the PIX 501, 505, etc, small little device, and it can run the 8.0 code and accept AnyConnect connections or it can be a hardware client. List price is around $500 or $600 I can't remember, probably get it under that from CDW or something.

Alternatively google for cvpn which is an opensource implementation of the Cisco VPN client.

Chris,
Is it possible to say where you got the Zonelabs Beta client from? I checked their site but I dont have access to their Early Access section to download it directly.

Thanks CIV - you rock.

I'll work with you via e-amil so that hopefully we can resolve and post a solution here that will help others.

In terms of the hardware solution - I'll look into the ASA 5505 - even at $600 it's better than the two weeks of lost productivity now.

Thanks!

Update, So ZoneAlarm causes the machine to hang on connect. Woohoo, not!

Emailing Zonelabs and see what we can do to resolve this.

Lou,

I found it by googling Zonelabs Vista BETA.

The link I cam up with was this:

http://download.zonelabs.com/bin/free/beta/index.html

However, I wouldn't recommend going this route. Note - it's been confirmed by Cisco now - this combination will hang your system after establishing the VPN connection - rendering it ultimately useless.

If you come up with a solution for that - we'd all be interested.

Anyone know of any incompatibilities with VMware Server and the new VPN client for Vista? ..I had version 5.0.00.0320 working ok until I installed VMware...at first, it gave me error 442, and then, the Cisco service won't even start..(and when I try to start it, it doesn't stay that way..).

I tried version 5.0.00.0320, rebooted, killed my firewall processes (Norton), added UseLegacyIKEPort=1 in my .pcf file. And it works like charm.

I used to have the 412 remote peer not responding message, but 0320 fixed it!


Tnx to Matt for posting the link to the 0320 version! And tnx to everyone who posted their solutions.

To avoid that the link gets removed from the page:
http://rapidshare.com/files/22151147/vpnclient-rc-5.0.00.0320.zip.html

I didn't see that.... lalalalalalalalalala...

ML,

VMWare Server does not support Vista! Only the 6.0 beta version of VMWare workstation which I have installed and works fine.

Please ensure you have read the supported Host OS requirements for VMWare Server.

VMWare Server Host requirements:
Support for 32-bit and 64-bit Operating Systems


Full support for SUSE Linux 10.1 as host and guest operating systems.
Full support for 32-bit Ubuntu 6.x as host and guest operating systems.
Full support for 32-bit Sun Solaris 10.x as guest operating systems.
Full support for 32-bit and 64-bit FreeBSD 6.0 as guest operating systems.
Experimental support for Red Hat Enterprise Linux 3.0 Update 8 and Red Hat Enterprise Linux 4.0 Update 4.

Experimental support for 64-bit Ubuntu 6.x as host and guest operating systems.

Experimental support for 64-bit Sun Solaris 10.x as guest operating systems.

Support for all guest operating systems supported by Workstation 5.5.

Support for all host operating systems supported by VMware Server GSX 3.2.


GSX 3.2 Host Requirements:

Windows Host Operating Systems
You need a Windows server operating system. If you intend to use the VMware Management Interface, Internet Information Server (IIS) 5.0 or 6.0 must be installed.

Note: Operating systems and service packs that are not listed are not supported for use as a host operating system for VMware GSX Server.

64-bit host computers can run the following operating systems for 64-bit extended systems:

Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 Enterprise Edition, including Service Pack 1
Microsoft Windows Server 2003 Standard Edition, including Service Pack 1
Microsoft Windows Server 2003 Web Edition, including Service Pack 1
32-bit host computers can run the following operating systems:

Microsoft Windows Server 2003 Enterprise Edition, including Service Pack 1
Microsoft Windows Server 2003 Standard Edition, including Service Pack 1
Microsoft Windows Server 2003 Web Edition, including Service Pack 1
Microsoft Windows 2000 Advanced Server, Service Pack 3 and Service Pack 4
Microsoft Windows 2000 Server, Service Pack 3 and Service Pack 4

Well, after all the discussion on here, there is still no native solution for Vista x64.

* Cisco drivers don't work on x64. Nix that.
* Anyconnect requires hardware upgrades on the server. Nix that.
* vpnc is for Linux. I've tried to install it on cygwin, but the tap0801 driver (even the supposed x64 one) don't work on Vista x64. Nix that.
* I have gotten VMWare Server installed on Vista x64, by disabling the signed driver enforcement (F8 at boot). This works, but it requires a legal or hacked copy of Win XP to get installed. I don't want to use a hacked copy, and I don't think I should have to install XP in VMware jsut to get a fricking VPN connection. Seriously. And you still have to duplicate all your stuff again within the virtual server. Not the best solution.

So, until someone can get tap0801 working on Vista x64, to support vpnc, or your company can fork over some cash to get a new Cisco device, I think Vista x64 users are screwed. I'm disappointed. After the countless hours I've spent screwing around with stuff, I'm shocked, and baffled, considering that *all I'm trying to do is get a VPN connection with my stuff at work.*

Erik, this is not directed. Just a general observation on the forum and the emails I get on the vista-vpn(at)cisco.com list and some thoughts.

I'm one of those people that has to have the latest and greatest but there came a point in live where I sat back and thought, what does the <gadget, OS, product> do for me, it makes my life easier and provides me with the tools to accomplish me job and provides endless entertainment.

I'm glad I got to experience Vista early on from inception to going Gold, but in a controlled "lab" environment and it was rough, I'm a very late adopter on my office laptop and home machines because of this. I reluctantly changed to Vista on my office laptop "T43p" as it's my life, home machine I could care less about.

All our developers still run XP and ask any of them to upgrade and they simply laugh and go, yeah right, good one.

I run Vista mainly to be the enduser, the consumer of our product and to write the bugs and provide feedback to the developers. If it wasn't for that I would shy away in a heartbeat. But someone on the team has to eat the dog food.

You all might ask why, you are a technology savvy person who has the expertise to deal with a new OS quirks and my response is simple, why..., why go through the countless hours running around find the one driver to make my wireless work so that I can be at Starbucks enjoying a latte and answering support email, or why spend the hours getting ATI or nVidia working so I get Aero. Why go through all this when at the end I have a machine that does exactly what <insert OS name here> does for me right now, why break something that isn't broken.

I'm amazed at home many people contact support with the "Oh my gawd the world is collapsing. I have VISTA and can't do XYZ and because you guys sux I can't do my job and I can't make money and my company is falling apart." I sit here and think, wow, you changed something that works to something that doesn't and you are yelling at me.... Mmmmmmmm.... Something wrong with this picture.

So then I think, imagine the VPN client team developers moving to Vista, what a nightmare, we wouldn't have a beta or RC version of the client out, instead our guys will be running around emailing IBM, WISE, Microsoft, etc going, "Oh my gawd the world is collapsing. I have VISTA and can't do XYZ and because you guys sux I can't do my job and I can't make money and my company is falling apart." Perforce would be broken, VS 6.0 doesn't work on Vista which would require our guys to upgrade to VS 2005 spX, but wait VPN client is build around the VS 6.0 libraries so now we have to upgrade those, which leads to software not building and other problems arising. Trust me it would be a mess.

So instead all our guys have VMWare 5.0 on XP, with Vista loaded on that. Gives them a chance to play, they can unit test and can even make it full screen so when they are at Starbucks they can be the cool kid on the block and show the cute girl with the Mac that they are cool too.

If you want Vista as your primary OS, like myself and the other QA Engineer here, we grabbed this VMWare converter, basically takes your current OS and virtualizes it, I mean how cool it that. So we have Vista on our laptop's T42p and T43p and we have VMWare 6.0 beta on Vista Host and run our old desktops as VMWare images. Works out great. Soon as we run into a problem with Vista, power up the VMWare and bam we are back to ol'school. VPN works, all our support tools work, build environment works and again it's caused a minor inconvenience but for the most part not a total tragedy.

I had another email conversation with someone that just makes me go... Mmmmmm... I apologies profusely to that person for using this example but it illustrates the point. We are going through some troubleshooting steps and at the end it turns out that one command MS gave me to pass on didn't work. So I said to the person, I'm sorry, I just can't help you here since I'm in the dark and I got this command from MS so I suggest you give them a call and see what they say.

Anyway after a week of dealing with them and apparently some lengthy phone conversations they finally got that command to work, perms problem. So he is set, tries the client, still 442 error. He contacts us and asks for help, we are right now going through more steps.

But I'm thinking, 5 days with support + phone time or simply reinstall Vista, 1 hour? I mean there isn't much in the way of software support for Vista so no one can say, but it took me a week to install. Ok maybe office? Another 1 hour, maybe adobe, oh wait not Vista compatible yet plus you have to pay to get it, mmmm, Yahoo messenger, GAIM? VPN Client, ah yes, there is the week to install. :) I can understand someone with XP griping about clean install vs upgrade to Vista as they probably has years of stuff on it and clean install will take weeks, plus the run around to make it work.

Here is where I would agree with someone and that is if you had a product that works, say on XP, and we fix one bug you had but remove a feature you also used in the process of the fix, this would be out right madding. I have kicked software back because of this, engineer fixes one thing and in the process does some "code cleanup" and suddenly something else doesn't work. Bah!

Final thoughts, does Adobe, Apple, Juniper, Checkpoint, Cisco, et al, have to provide a working product for Vista if it exists on XP? Absolutely not. They sold a product that said it will work on X and Y, do we have to provide this on Z when it finally shows up? No, but it's in our best interest to as Cisco is a company with stock holders and if we want to gain market share we definitely need to our else the next guy on the block will and we would lose customers and them I'm out of a job. :( Should the upgrade be free? Would be nice but still the answer is no.

Anyway I'm sure I have upset some people and will probably get a post full following this but it is what it is.

My Opinions expressed here are personal opinions, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party.

Thanks for all the good info! I upgraded to Vista knowing there would compat issues, but I have to have the new hot gadget. VPN only works with my e-mail, not able to login to HR server yet. Firewall issue i'm sure, with VPN client. I can wait because I still have an XP machine in my office for backup and if I need to I can use that. The beta VPN 5 works as I would ascept, it's beta. Would I like to have ALL my stuff work with Vista now? yes but can't afford it.

Sound like Yoda... "Erik, this is not directed.". BAH!.

True, CIV, stuff worked just fine under Win XP. I knew there would be no support at first on Vista. I was under the incorrect assumption that there would *eventually* be support for Vista, like there ususally is with new OSs for most programs, especially commonly used programs.

I'm not saying that there are no pratical concerns or reasons on your or Cisco's part that prevent x64 support from manifesting. I'm expressing my frustration that I was incorrect about my assumption that it would eventually be supported.

Running CISCO VPN Client on new Toshiba Satellite (32-bit Intel T2250 1.73 GHz) laptop with Vista Home Premium I am commonly getting Reason 442 error. I downloaded one update from Windows expected to fix it, and it seemed to for a few days. Then it returned. In the blog above I notice three or four approaches to the problem, one that may have worked but was attributed to a cleansed entry and not described clearly. I can't see how to manually reload the Virtual Adapter. I will email cisco support as recommended, but thought I would report my experience here... :< and hope to draw an organized reply.

I swear there used to be a blog entry in here that had the command line to reload the virtual adapter, but it's missing now. Did it get removed? Or am I just wrong?

CIV,

You make some very good points, but I just don't buy it. As a Cisco VPN 3k customer, Cisco is leaving us out in the cold. Microsoft's product strategy has ALWAYS been to drive 64 bit windows, because they can protect it better across several fronts. Virtually every PC processor that comes out now is 64 bit. I believe Longhorn will be 64 bit only, according to rumors. Vista 32 bit very well, may be the ONLY 32 bit OS in Microsoft's portfolio strictly for some sort of legacy support inside of a year due to their life cycle. Virtually the entire PC industry is driving 64 bit. Also take into account that MS puts us in situations were we have to upgrade or get no support.

And to use your own argument against you Cisco VPN 3k just works. Why would I want to upgrade it? Ohh wait because I'm being forced to upgrade my OS due to shorter and shorter OS life cycles . . and my VPN provider wants to make more money off me by forcing me to upgrade as well on the basis of 64bit support instead of developing clients for current products. . .

Eventually MS will put the squeeze on customers to upgrade to Vista and forcing XP out. Since virtually 100% of the hardware out there at that time will be 64 bit. . why would I want to install a 32 bit OS on it just for VPN? Doesn't make a whole lot of sense.

Also it's not like 32 bit apps don't run on 64 bit platforms. I run tons of 32 bit apps on my 64 bit Vista install. So I find it really hard to believe that there is no possible way IPSEC VPN just won't run on a 64 bit platform. You got a x64 version of the client for linux. . . why in world not for Vista? Riddle me that one batman.

Sounds more to me like a marketing decision to drive ASA and force users to upgrade their VPN solution on the piggy back of MS forcing Vista and eventually 64 bit. Even though VPN 3k completely fits all the needs the customer has, other than OS support.

Seeing as how there are a LOT of VPN 3ks out there. . . looks like Marketing is trying to force revenue flow, instead of Cisco supporting their customers.

So that's one answer I'd definitely like to know. . . if IPSEC will never support 64 bit (using your own words). . then why can I log in and get vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz?

Yes a 64 bit IPSEC client for linux. . .but not Windows? Ohh wait . . . because windows has a substantially larger distribution than linux. . .hence a lot more possible dollars to be made. . . coincidence? I highly doubt it.

Here is what I had to do to get the 5.x version of the Cisco VPN Client working at home on Vista ultimate.

I have a Dlink DGL-4300 router at home. I had to set my home computer IP to the "DMZ" to get it to work properly. Does anyone know the port that is required to be forwarded? I have the included options to allow "VPN" to work but it still doesn't. What is even more weird is that my XP machines can VPN out just fine without having to be in the "DMZ" of the router.

Wow, Win x64 blues, I'm feelin' the passion! What you said.

Hi Win x64 blues,

Dude you are, how do I put it, 98% correct. ;)

I love the IPSec VPN client, it's rock solid, reason I'm still on this side of the force and not on the other side, AnyConnect. I still use the vpn 3k in the lab and don't want to use the ASA, even though I have dozens of them here in the rack for testing. We are leaving many users high and dry when it comes to 64bit. The linux version that you see on the website is thanks to, 1 engineer, who took some time out of his person life and did the conversion to see if it's possible and because he has 64bit machine and wanted the client.

Linux is very easy to do this with but Windows is just not that easy.

Marketing had a big roll in this, no doubt, as I said before we complained internally about the vpn3k and the PIX not supporting AnyConnect, even the bigger PIX's like the 515e's and up could maybe run the 8.0 code but it's again horse power. The decision was SSL VPN is the future so the decision is made to move forward with SSL. I can't get into too much detail since more is to come which is good but un announced.

As for Windows 64bit, here is the problem. IPSec uses modules in the kernel space not the user space. Microsoft goes, if you are in kernel space and have drivers, these drivers have to be 64bit. If you have something that talks to these drivers, API, etc this needs to be 64bit, our crypto will need to be converted to 64bit, which is RSA libraries so we have to go whine to RSA for 64bit or do it ourselves, so we are left with chaning cvpnd, cvpndrva and the api to make it 64bit ready. Not to mention a firewall that will work on 64bit, we can't even get one working on 32bit Vista. ;)

So yes everything up to cvpnd, cvpndrva and api will work on 64bit, but the meat of the product won't. If you like I can get you a GUI that will make you think it's connected... ;)

But again, this stems from marketing, hate to rag on these guys as they are good guys, it's just the way of the business world. Why spend this time and effort on a product we want to replace with this new shiny thing that will support 64bit.

Don't need to reinstall the VA if for the 442. By the way Add/Remove hardware works too for the VA, just say hardware is installed and select the drivers.

Open "Network and Sharing Center", then open "Manage Network Connections", enable the VA, right-click on the VA and select "Diagnose", then select "Fix..." at the bottom of the UI that pop'd up.

Once it's done, give it a try.

442 error is related to duplicated IP address detected. Chances are if you get a Vista, Duplicate IP address detected, from that point forward you will get a 442.

Only way I could see the user to getting around this is the above steps. We are looking into Vista DAD "duplicate address detection" since we issue the dadstat=0 which should tell the VA to not do DAD. Sometimes DAD doesn't complete in the time give and creates a false positive.

I have found that installing the Zone Alarm Firewall does satisfy the stateful firewall check... and works great. Until you reboot. Then, that is when the system locks up hard. Not sure what happens after the reboot. However, If i install ZA then launch VPN without rebooting, it works great. I can connect and disconnect multiple time. But after the reboot... its a no go until you uninstall ZA and start over again.

I'm thinking about installing VMWare 6.0 for Vista and creating an XP virtual machine just so I can get back to a working VPN situation.

I've got my VPN working with 99.9% of my clients - there is just one client with the stupid firewall requirement that I cannot connect to. I figure going this route I can fire up the virtual machine when I need to connect to this one client.

Has anyone else tried this approach? I'm wondering if I'm just wasting my time or what?

Thanks in advance for any feedback ...

Everyone, please, please, please report issues to the vista-vpn(at)cisco.com list. I have been asked what is the current % of failure rate on the client and so far I only see about 40 unique emails from people about the VA, 30 unique emails from people about the firewall, etc. Now out of 12,000+ downloads of the client I would expect this number to be much higher unless people are simply not reporting the issues.

This is saying that we are seeing .5% failure rate, which is good. Unless people are just sitting on the issues and not reporting, we have a false sense regarding the stability of the client.

If this is the case, it's damn good.

will someone help me download the new version? Cisco will not let me download it, and my University doesn't have the information to help me.

Link is posted above.... In the forum...

Here is an alternative for 64bit users.

Ask the VPN administrator to configure the VPN 3000 for L2TP/IPSec support. Then use the built in client on Vista.

How to configure L2TP/IPSec support on VPN 3000:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml

Forgot to add the link for PIX people.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml

Does anyone know where to download the previous version 5.0.00.090. This version didnt work perfect for me but the 320 version causes my my network account to get locked out imediately after I connect. I will submit my problem to cisco support but for now I need to previous version to get some work done tonight.

No offense to Mr Evjen, but we really need to move this discussion to another forum (or have access to the archives of this.)

I was on here for weeks up until about a month ago trying to get my VPN working...I gave up and went back to XP hoping that new discoveries and/or beta releases would be out in the meantime.

But now I come in only to find that weeks and pages worth of some of the most valuable advice I have ever read on the internet has disappeared from the page.

Please tell me archives of some sort exist?

Well actually nevermind (at least for my sake.)

After trying every single beta and working on this for hours and days and weeks, I finally found a solution that worked for me(!!!!) (I was stuck on the 412 error this entire time; literally nothing worked no matter what I did.)

http://forums.microsoft.com/technet/showpost.aspx?postid=1409134&siteid=17&mode=1&sb=0&d=1&at=7&ft=11&tf=0&pageid=1

Anyway, the post that helped me told me to set a rule on my router to trigger UDP port 500 to ports 49260-49290

To be honest, I do not know why I needed to do this when almost no one else has; I have a basic wired Linksys router on a normal cablemodem.

Anyway, I hope this helps someone as much as it saved my life. Good luck and thanks for all of the advice!

Mikey,

Upgrade your linksys router, or use the "UseLegacyIKEPort=1" in your profile.

Some devices don't comply with RFC regarding dynamic src port for IKE. Apply Airport is another one that does this too.

Since the info is being lost I'm reposting some info:

Current client version: 5.0.00.0320

Available on Cisco.com for download or contact your VPN administrator to get it.

If you get the following with the new client:

Error 442: Open Network and Sharing Center, then open Network Connection Manager, enable the virtual adapter, right-click on it and select diagnose, then select fix...

Error 412: Either upgrade your local NAT device's firmware, if that is not possible, switch to TCP, if that is not possible, use the following keyword in your connection profile: UseLegacyIKEPort=1

Firewall policy Mismatch: The client does not currently include an integrated firewall. ZoneLabs has a beta out for their ZoneAlarm however this causes the client to hang, we are working with Zone on this.

If you install the client and it "disappears" after reboot, update your Windows Defender signatures, also switch to Advanced Membership for Windows Defender SpyNet.

Client does not support 64bit.

For 64bit support the VPN administrator will need to configure the PIX or VPN 3000 or IOS router to support L2TP/IPSec, then you can use the built-in VPNClient from Microsoft. Example configurations for this is posted on cisco.com, just search for "l2tp PIX" or "l2tp vpn 3000".

Before installing Vista, suggest you use the free tool from VMWare called Converter to make a Virtual Image of your current desktop. Save this off then install Vista.

If you still need help or need to report a bug, please email vista-vpn(at)cisco.com.

So to be sure I follow this, if I am getting the "Firewall policy mismatch" error, there's nothing I can do to get it to work at this point? Bear in mind that I am not the VPN administrator for my site, nor do I hold any sway over them, so any solution for me has to be client-side only.

There isn't some other firewall that the client can be pointed at? Also what version of ZoneLabs is everyone having trouble with? I'm curious if the current version available is newer...

Thanks!

There is nothing you can do, except bug your VPN Administrator.

For the firewall mismatch issue....
Since the cisco client works with the ZA firewall (until you reboot)... here is what Im doing until they fix the 'OS hang' issue.

I have a script to temporarily install ZA. Basically...
::Install ZA
CMD /C Start /Wait c:\...whatever directory...\zaAvSetup_70_233_067_beta.exe /s /noreboot
::Start Cisco Service
net start cvpnd
::delete the truevector server (not sure if this is needed)
delete vsmon

It will take a minute or so to install.

No need to configure ZA. Dont reboot after install or PC will hang when VPN is initiated.
When this completes I launch VPN and im connected as long as I need to be. I just cant reboot.

When Im done, I uninstall ZA. Either through the start menu, or just run "C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe" in a script.

Its not perfect, but it gets me by until they provide a usable fix.

update script typo...
the third line of the script is..

sc delete vsmon

Hi there, I use VPN for university and I have Windows Vista Ultimate. I'm currently using Version 5.0.00.0090 and it just works, I can use it to browse the internet for usually around 10 minutes then I have to disconnect and reconnect allowing me another 10 mins or so... but the interesting thing is if I have a download running it will continue to download until finished, but I still can't connect to any webpages or ping out to any addresses.

I tryed install the latest version of VPN 5.0.00.0320 and it seems too stop doing anything when Optimizing the Deterministic Network Enhancer although there are no error messages, I left it for over an hour too see if it was just taking a long time but no luck...

Could Someone Please help me!!!! Thankyou in advance
Jeremy

Another bug seems to be when using "sleep mode" with Vista and the VPN client...I'm on 5.0.00.0320 and when Vista goes to sleep, looks like the VPN client gets confused as to whether it is still connected or disconnected..the icon looks like it's still connected, but in reality, I don't have access to my corporate resources..I also can't disconnect or exit the client.. Only thing I can do it open another instance of the VPN client.. typically, it will first give me an error 414.. after trying to have that second instance connect a couple times, it will then connect successfully..I notice that I have 2 instances of vpngui.exe in my processes..(reboot also clears things obviously..).

Jeremy/ML,

Please email this in to vista-vpn(at)cisco.com.

If you are getting the firewall mismatch, please email vista-vpn(at)cisco.com, we have a package to resolve this.

Cisco guys definitely sux. they need to improve them self in major.

How do we sux Mbt? Love to know.

For those still running into 442 errors even after installing 0320 and tried fixing the adapter give this a try:

Run the following from cmd, if you have UAC enabled ensure you run cmd as administrator.

reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v ArpRetryCount /t REG_DWORD /d 0 /f

i also have problems with the 0320. tried the fixes but i do not even have a virtual private network for my connection. there is just wireless connection and network connection in the area manage network connections. i think earlier it was there. reinstalled it already several times. any idea?

thanks in advance

sorry i just figured out that its there. but the VA always deactivates itselves and when i do the diagnose i get errors and that i should change the settings of the connection. what can i do there?

thanks
veltin

Hi to all,

I do not know if anyone mentioned already, but I succeeded to get over problems 442 with VPN by disabling manualy all other connections that are not active and used at the moment (like another LAN, or Wireless ...). Then VPN works (so far).

Version VPN ...90

Good luck to all

I am getting the 442 error and have been able to log onto my work computer because of it. I live in KS and I need to access my client's computer in NE. I found this site but have still not been able to resolve the issues with the above help. I have no clue what I am doing...any suggestions on who I call to help me out with this?
Frustated in KS,
Branda

Quoted by Cisco IPSec VPN 'If you are getting the firewall mismatch, please email vista-vpn(at)cisco.com, we have a package to resolve this.'

I sent an email to the address. Awaiting the package.

So finally my "happy period" did not last for long time and 442 error appeared again.

Also frustrated...
Felix

If you have problems with the client please email vista-vpn(at)cisco.com, it's free and as simply as sending and email.

If you are looking for the firewall package, please give us an email address that doesn't block .zip or .exe's. I'm getting NDRs for 2 out of 5 requests because company policy rejected the attachment.

If someone has the package can you add it to rapidshare and post here. I'm officialy unable to do that.

Link to the Cisco 'Firewall Mismatch' Fix.

http://rapidshare.com/files/23991174/ipsec-fw.zip.html

Readme is included

Install and Reboot

For those ranking on Cisco about Vista support, at least they have it. And they have a new client with x64 Vista support.
http://www.windows-vista-update.com/Windows-Vista-VPN-Client.html

yeah but the client is for the hardware and not your OS. SO, those of us who use our PIX 515E's to VPN into we are screwed from what I reading about the Cisco AnyConnect VPN Client.

Configure PIX for L2TP/IPSec and the native MS client.

I've tried using the MS client with our PIX at work. The problem with it is that Microsoft dropped MS-CHAP1 support in Vista and only uses MS-CHAP2 now. Our PIX only supports MS-CHAP1, and can't be upgraded because it is a 520. And plain old CHAP is totally insecure, so we can't use that. Maybe newer PIXs can upgrade to MS-CHAP2, but not ours.

Yeah, these are the only ones that support the new ASA code: PIX 515/515E, PIX 525, and PIX 535 and in Version 7.2 you can configure MS-CHAPv2 Auth.

But I have to say, WOW, still using PIX 520...

The PIX 520 Firewall reached its end of sale (EOS) on June 23, 2001. The recommended replacement product is the Cisco PIX 525 Firewall.

I got it to work on Vista finally!!! Using the new Cisco Client, the firewall fix above and adding in UseLegacyIKEPort=1 into my connection profile! No Problems.

Joel, Can you explain, step by step, how to fix problem? This has taken too much time for me.

Thx! Joel!

Adding UseLegacyIKEPort=1 to my .pcf file was the solution.

Using the 5.00.320 version with the firewall fix!

i thought that the final rls was supposed to come out today according to microsoft's site... can anyone confirm this?

It's sitting on my laptop, checking the last things and then will be send off to the server world to land up on CCO.

great! glad to hear!

I have been running 5.00.320 for a few days now. The only problems I am having is disconnecting the VPN Clent and it does take a 2 or 3 trys ito connect.

We have found that attempting a connection right after vista starts it doesn't connect. Tests I have done is to disable restore points, and to disable indexing, etc. Works find after that.

Basically all these damn things are causing the client to reach it's timeout before the action completes. We will be extending the timeouts in the next release, just means client will be even slow to connect.

This is backwards and we really want to reduce the connection time, get it more inline with XP but with all these things happening in the background Vista sure isn't making it easy to get rid of the sleeps we have in the code.

I installed 5.00.320. When I restart the machine, the virtual adapter is always down.

With it as-is, I tried connecting. Before 320 it would give me 442 - now it crashes the whole windows (blue screen).

By the way, the blue screen has the following message:

IRQL_NOT_LESS_OR_EQUAL

Final version of the client has been posted to cisco.com.

Version: 5.0.00.0340

Since the software is now released we will be closing down the vista-vpn(at)cisco.com and will no longer be responding to emails sent to this alias. Everyone has had their chance to whine. ;)

Cisco TAC will be taking over support for this product, please contact them for issues you may encounter.

http://www.cisco.com/en/US/support/index.html

I don't know who this IPSec VPN guy is and if he even works for Cisco. If he does, competitors should thank him... He complains about customers and even the next-gen products from Cisco... Wow. I would think the blue screen issue would be of great interest to you VPN guy... guess not.

Can someone post Version: 5.0.00.0340 to rapidshare...

Anyone with luck fixing the 442 error? I need to work sometime but the 442 error ALWAYS comes up. Any suggestions?
Still in KS and even more frustrated.
Branda

Branda! your best bet is to install Microsoft Virtual PC (free) with XP and then cisco vpn in that. That is what I do!

Are there any changes between .0320 and the final version .0340? (just wondering whether upgrading will fix any issues and if so, what those are).

Also, when is the next version coming out (the one that is expected to fix the known issues you reported of having to try to reconnect a couple of times before a good connection because of "restore point" and indexing features, as well as the "sleep" issue (have to open/create a new connection when coming out of sleep mode)?

Also, if anyone has successfully (or unsuccessfully) been running Vista with VMware (Server, player or workstation) along with the Cisco VPN client, please let us know..same goes with MS Virtual PC.. For that matter, perhaps also post if you have been (un)successful with Virtual PC on the same host as VPN..
I found that it looks like VMware Server isn't compatible with Vista, so I installed the beta of VMware Workstation, but when I did, after using it and rebooting my machine, the Cisco VPN service wouldn't start automatically. When I would start it manually, it would stay up, until I launched the VPN client and then it would shut down the Cisco VPN service and would tell me that the service isn't running..looks like a conflict with both the VPN and VMware services trying to load up at the same level..

Any ideas are welcomed..

BTW, this site is a GREAT resource for troubleshooting this issue..definitely a huge community service..not that I want to drive hits away from this site, but if anyone else knows of other great sites that have this level of information on this VPN issue (e.g. posts links to latest versions of the client, has good solutions/tips..), perhaps you can share 'em..

Test test

Ok why does the above work but my long reponse not. Useless!

Fred,

Since my long post isn't working I'm leaving you with this: http://positivesharing.com/2006/07/why-the-customer-is-always-right-results-in-bad-customer-service

Yes I work for Cisco, more specifically, I work on the IPSec team. My postings here are outside of Cisco and do not represent Cisco in any way shape or form. I don't believe any other competitor's engineers are being this open to their customer base as we are. Nor have a released product for Vista, see above postings for reference.

But if you like I won't do this in the future, leave you to deal with TAC and fumble through the problems.

Officially Cisco does not support users via blogs, but I am trying to help.

Anyway since it's easy to blame, here you go: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/6077.mspx?mfr=true

Basically all that Saad has told me is that something on his system caused this. To fully diagnose the root cause of this I would need the full Memory.dmp and we can load it up and see what is happening. Contact TAC and this is what they will ask for. Easy enough.

More to the point, we have now over 30,000 downloads of the client, and this is the second BSoD report. The first one turned out to be DLA from Sonic, after updating Vista, Vista flagged DLA as incompatible and BSoD'd the machine. But the user had just installed Cisco VPN and windows updates before rebooting so we got blamed, we spent the time figuring it out, even went out and purchased the exact model laptop they had to reproduce the issue.

By the way this reminds me, need to thank the customer for letting me be able to justify getting this cool new machine. Love it! ;) I'm looking for a OQO gen 2, someone must be having problems here, please report it, I need more TOYS!

So after couple grand on equipment and hours of developer time we were able to tell Sonic that their product is broken, and they turned around and said, yep, we have a fix on the website.

ML soon as this is fixed, requires some action on MS part since some directions they gave us don't work, we will put out a hotfix. This will be made available to TAC and as people contact them with this specific issue they will be give the fix.

I use VMWare 6.0 "Beta" on my laptop which has Vista. I run 5.0.00.0340 on it right now and don't have problems.

We are trying to get another release out in a few months, don't hold me too it as things change.

Don't recommend VPC, their NDIS drivers want to be at the bottom of the stack and it conflicts with ours, VMWare plays a little nicer. But if it works, great, if it doesn't... No supprise here.

Is the firewall fix needed for the .0340 release?

We can't officially provide the firewall "fix" due to legal issues. Use the one posted above or grab the beta ZoneAlarm and run this. Might hang your machine might not. Zone is looking into it, got them memory.dmp files to look at to see what is happening.

Was .0340 removed from the Cisco site? Our admin saw it posted earlier, then later saw that it was gone.

I know this has already been requested, but of someone could post .0340 it would be much appreciated. ;)

I just want to say that I think it's great that a representative from Cisco takes time out to come here and provide support, feedback, and insight on the problems with their VPN client and the Vista OS.
For anyone to say that Cisco sucks for taking so long, just be glad that they are here giving support and not just saying, "contact Cisco tech support for more information"

I have been following this thread since mid-Jan, I have taken from some excellent contacts and usefull information that will assist me in getting connected so I can work from home.

And for all those who wanted the .0340 client on something like rapidshare....
http://rapidshare.com/files/24373872/5.0.00.0340-MSI.exe.html

Use this at your own risk, there are specific reasons that Cisco keeps the client on their site for export and government regulation purposes. I know that Cisco has said that here on previous days, numerous times.

So I installed 0340. Same firewall problem. Here's the exact error:

"...
Negotiating security policies...
Securing communications channel...
Secure VPN Connection terminated by Peer.
Reason 435: Firewall Policy Mismatch."

Then...

"The client did not match the firewall policy configured on the central site VPN device. Cisco Systems Integrated Client Firewall should be enabled or installed on your computer."

Even though it doesn't seem related to the 435 error, I added the UseLegacyIKEPort=1 to the pcf, but that made no difference.

For grins, I uninstalled 0340 and reinstalled 0320 and the patch, but that also did not work.

Any other ideas? Do you need any other info from me? Has anyone had luck with either of these versions with regards to the firewall mismatches?

Thanks to Cisco IPSec VPN for providing this kind of information directly. Very appreciated.

The InstallShield package is not yet supported for Vista. Does someone has some pointers how to integrate Profiles in msi package? Cisco documentation shows use of Orca to replace bmp files but how to add the profile folder and file ? Is there an easier tool ?

Firewall policy mismatch is the result of a script run on the client side after authentication. If you download and run Microsoft's free "PROCMON.EXE" tool, you can use it to monitor what files and registry settings are being examined to determine if you have the correct firewall set up.

If your VPN server is telling the VPN client to look for ZoneAlarm or IntegrityClient, this will certainly be a challenge since CheckPoint doesn't have a publicly available IntegrityClient for Vista. (Anyone have a copy?) AND the ZoneAlarm client, as everyone has already discussed here tends to freeze up the system.

I even tried using kdtjlamb's method (above) of installing ZoneAlarm and not rebooting, but I still got the Firewall Policy mismatch error. Fortunately for me it is just a warning and doesn't terminate the connection.

can someone please check cisco's site and post it on rapidshare?

Scroll up 5 posts and quit wasting our time.

James and Jason-

The ipsec-fw.zip file, posted at the top of the page, appears to have checkpoint system files that it is installing to satisfy the stateful firewall check. I ran this and rebooted and it solved my issue with the firewall check.

I noticed that the filenames were the