Need to disable firewall to allow Nortel VPN client to connect


I looked at the logs twice and did not see anything of interest. But I will clear all of them and look again.  Any particular log to focus on?

 

Yes, I am having trouble on the client side.  I have two other computers running XP where everything works fine but on those systems I am running Symantec Client Firewall 8.7.4.97.


I am running NIS 2008 on Vista and in order to get my Nortel VPN client to connect I need to disable the NIS firewall.  Within NIS the firewall program properties for the Nortel VPN client (extranet) has an access setting of 'allow'.  Are there any other rules or settings I have to add to allow my VPN client to get through the firewall without disabling it?

 

When I log in using the VPN client it appears to login but then I get a message saying it is waiting on banner text.  If I use the wrong password it fails right away.  After it times out I get a message that says:

Unable to connect the server.  If a firewall is enabled it must be configured to allow outbound traffic on UDP Port 7500.

 

Any suggestions?

 

I cleared all of the different history sections and reproduced the problem.  The history is still empty.

 

 

How did you fix this issue? Maybe you could share so we could all learn about it.

Hi,
I have the same problem.
Right now i am evaluating the trial version of NIS 2009 and i am using the latest Nortel Contivity VPN Client to make a connection to my office.
When starting the vpn client, after resetting all firewall settings and rules, the connection seems to work at first.
At least all other connections are blocked by the vpn client… but after about 15 seconds the connection aborts with the error message “unable to connect to server”.
After that there are rules for the vpn client in the firewall which are set to “allow”.
But when i look into the history there are messages that a new network is detected (the network which the virtual vpn connection gets) and the status is “protected”.
So i tried to change some settings in the network security map.
There i can see the vpn adapter and change the trust setting from “protected” to “full trust”.
But i can only see the adapter while the vpn client is active. After that the settings are gone.
When trying to connect again the adapter re-appears and i managed to get the setting to stay on “full trust” but nevertheless the connection can not be established. There still is the message in the history that there is a new network which will be “protected”.

I assume that there is a way to configure this and allow the traffic !?

Message Edited by kultakala on 09-16-2008 02:38 PM

On the Norton Interface, Internet pane, click settings.

Can you turn off Smart firewall and reproduce the issue?

> How did you fix this issue? Maybe you could share so we could all learn about it.

 

The problem is not fixed... I still have the same error message although there are NO history/log messages.

 

I too appear to connect and there is a window that says something like "checking for banner text from <server>" and after about 15 seconds, things seem to time out and the connection fails.  Note that this same banner text message is normal and occurs on the systems where things work correctly.

Not sure if you found a solution yet, but I had the same problems, and corrected it with the following.

 

Open Norton 360

Tasks and Settings

Change Advance Settings

Firewall Protection Settings

Firewall General Rule Tab.

Created a new policy for allowing outgoing and incoming  UDP ports  7500 and 48888 

moved the new rule up to the top of the list before any of the deny rules

 

Hope this helps..

yes, i also have that banner text message.

But if it works it is there for only a second and then the connection is established.

With NIS the message stays and runs into timeout.

 

@Vineeth:

 If i disable the Smart Firewall the vpn connection works instantly!

 

I tried to disable one part after the other...  stateful protocol filter, automatic sharing config, etc.

and also switched off the automatic program control and activated advanced events monitoring.

Nothing works...  except completely disabling the smart firewall.

 

I just tried again and again and the only message in the history which stays is:

 

>Protecting your connection to a newly detected network on adapter "Nortel IPSEC..:" <

Which is the network i try to connect to.

 

 No Idea what i can do....  *sigh*

Although i don't get the error message about port 7500 i already tried a general rule which allowed all kind of protocols on all ports...

Did not help...   i guess it's the automatic block of the new network on the virtual vpn adapter.

I am sure that i tried that before but now i disabled the smart firewall, established the vpn connection and started a continuous "ping" to the other side. After turning on the smart firewall the replies were lost.

Then i turned on and off all possible settings within the firewall and suddenly...  it worked.

I broke it down to one switch in the firewall configuration...  it's the switch "hide blocked ports" within the advanced settings of the firewall.

Not sure if the correct name is "hide blocked port" because i use a german software and that would be the translated meaning.

 

I don't know if this should be this way ?

Other products (may i name f-secure here ?) are working without any problem using the vpn connection.

But i would prefer to switch to norton because of the much better performance!

 

Would it be a security risk to let the hide blocked ports off ?

Message Edited by kultakala on 09-16-2008 07:58 PM

The only other option I can think of that was changed on my end.

I Changed the Firewall Program (on Norton 360)  Rule for Nortel  from Auto  to Allow ...

Sorry.

Downloaded the Newest VPN Client from Nortel,


kultakala wrote:

> Although i don't get the error message about port 7500 i already tried a general rule which allowed all kind of protocols on all ports...
>
> Did not help...   i guess it's the automatic block of the new network on the virtual vpn adapter.


This may be a different problem.   A long long time ago I had a similar problem where the VPN client connects then gets dropped, but I did not get the UDP Port 7500 message either.  This was on XP connecting to the same server.  That problem was related to my wireless router.   I had to disable my D-Link router firewall Application Level Gateway IPSec(VPN) setting.

From my router configuration > advanced > firewall settings help...

IPSec (VPN)
Allows multiple VPN clients to connect to their corporate networks using IPSec. Some VPN clients support traversal of IPSec through NAT. This option may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try disabling this option.

Check with the system administrator of your corporate network whether your VPN client supports NAT traversal.

 

Once I changed that I had no problems on XP.   To make sure I did not have a similar problem on the Vista machine I connected directly to my cable modem bypassing the wire router and I have the same UDP port 7500 error.

 

In response to:

> Not sure if the correct name is "hide blocked port" because i use a german software and that would be the translated meaning.

 

In NIS it is Stealth Blocked Ports.  If I uncheck this the VPN can connect without disabling the firewall.  So the big questions are....

1) Is this the best way to fix this?

2) Or is there a better 'rule' that can be configured to do this only for the Nortel VPN client?

3) I am sure the Stealth Blocked Ports is there for a reason so by unselecting this what kind of attacks are we opening ourselves up to?

 

The stealth feature prevents your computer from responding to unsolicited and unexpected traffic.

It keeps you from being "discovered" from the network.

Hackers can often find and identify potential targets by sending invalid test messages and inspecting the response.

It would be nice to leave it on but it doesn't permit connections that wouldn't otherwise be allowed.

 

Rules entered into the Smart Firewall/Advanced Settings/General Rules should override both the stealth function and the adapter trust setting for the traffic specified in the rule.

 

Just as a diagnostic procedure, adding an "Allow All" rule at the top of the list should be very much like having the firewall completely off. Checking "Create an event log entry" will help identify which ports are actually needed. (They should be logged in the history view.) Once a complete list of ports needed by the VPN has been acquired, the rule can be tailored to only allow these ports.
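
The log-then-tighten procedure from the post above, as an added example that is not part of the original thread and not Norton or Nortel code: it reduces events logged under a temporary "Allow All" rule to the ports one program actually needs. The log layout, the sample entries, the addresses and the program name `extranet.exe` are assumptions constructed for illustration; it also assumes the firewall tracks state, so replies to outbound flows need no rule of their own.

```python
import re
from collections import Counter

# Constructed sample entries. The field layout is an assumption for this
# example and is not Norton's actual history format.
SAMPLE_LOG = """\
2008-09-16 14:01:02 ALLOW OUT UDP extranet.exe 192.168.1.20:51344 -> 203.0.113.10:7500
2008-09-16 14:01:02 ALLOW IN  UDP extranet.exe 203.0.113.10:7500 -> 192.168.1.20:51344
2008-09-16 14:01:03 ALLOW OUT UDP extranet.exe 192.168.1.20:51345 -> 203.0.113.10:48888
2008-09-16 14:01:03 ALLOW IN  UDP extranet.exe 203.0.113.10:48888 -> 192.168.1.20:48888
2008-09-16 14:01:05 ALLOW OUT TCP firefox.exe 192.168.1.20:51400 -> 198.51.100.7:443
2008-09-16 14:01:06 ALLOW OUT UDP svchost.exe 192.168.1.20:51401 -> 192.168.1.1:53
this line is malformed and must be skipped
"""

LINE = re.compile(
    r"^\S+ \S+ ALLOW (?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP) (?P<prog>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def tailored_rules(log_text, program):
    """Return {(direction, protocol, port): logged events} for one program."""
    rules = Counter()
    outbound_flows = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["prog"].lower() != program.lower():
            continue  # malformed entry or another program's traffic
        proto, sport, dport = m["proto"], int(m["sport"]), int(m["dport"])
        if m["dir"] == "OUT":
            # Outbound: the remote port identifies the service. The local
            # source port is ephemeral and must not end up in a rule.
            outbound_flows.add((proto, m["src"], sport, m["dst"], dport))
            rules[("OUT", proto, dport)] += 1
        elif (proto, m["dst"], dport, m["src"], sport) in outbound_flows:
            continue  # reply to a flow this host opened (state tracking assumed)
        else:
            # Unsolicited inbound: the local destination port is what to allow.
            rules[("IN", proto, dport)] += 1
    return dict(rules)

if __name__ == "__main__":
    found = tailored_rules(SAMPLE_LOG, "extranet.exe")
    for (direction, proto, port), hits in sorted(found.items()):
        print(f"allow {direction:<3} {proto} port {port} ({hits} logged events)")
```

Once the tailored rule is in place, the temporary "Allow All" rule should be removed so that only the listed ports remain open.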

 

 

There is definitely no problem with vpn pass through or something else.
Otherwise i would have the problem at any time, whether the firewall is on or off.
But with the NIS2009 firewall switched off or using my former product (f-secure) the vpn connection works flawlessly at any time.

I added an “allow all” rule at the top of the rule base.
But nevertheless the vpn connection fails. I have to disable “stealth blocked ports” then it works.

I had the same problem with Nortel VPN. I am using Norton Antivirus 2008. The Helpdesk person from Symantec created an "Allow All" rule in the "Internet Worm Protection" which I am guessing is the Firewall settings. After this Nortel VPN is working OK. Symantec rep. assured me that my computer would still be secure after these changes.

Hope this helps.

First thing to try is to look in the logs for any blocked connections or other traffic. If you see those, they should give you a hint about what rules you may need to add in order for the client to run.

 

Also, just to be sure that I understand, Norton Internet Security is running on the client machine and not on the server, correct?