Problem with Cisco Quick VPN, Win7, and NIS 2010

I have a Cisco WRVS4400 router.  When I had NIS 2010 and XP on my laptop, I was able to connect to my home PC via the router using Quick VPN without a problem.  I recently upgraded my laptop to Win7 and now I am unable to connect successfully.  Quick VPN makes the connection (I can see it if I am home looking at the interface on the router while trying to connect remotely via another connection), but Quick VPN hangs on "verifying network" and returns a message that "Remote Gateway is not responding, do you want to wait"; waiting does nothing and not waiting drops the connection.  Cisco says that this is because the message it needs to confirm the connection is blocked by the firewall.

 

Cisco finally issued a patch to support Win7, but it doesn't work any differently.  Now they say that with either Vista or Win7, one MUST run Windows Firewall to allow the connection.  (Some change to the settings related to VPNs and IPsec apparently in Vista and Win7.)  Obviously, NIS takes over and doesn't allow running both firewalls, so that doesn't work.

 

NIS has a rule for Quick VPN under Program Control that allows In/Out, any computer, any communications and all protocols, so I am not sure what is blocking Quick VPN.  Even if I disable the firewall, Quick VPN can't connect.

 

Cisco has told me the following, but I am not sure where/how to make these settings.  Can someone please give me some guidance on this?

 

From protocol perspective, QuickVPN makes use of SSL (TCP port 443 and 60443), IKE (UDP port 500 and 4500), ESP, and ICMP. You need to make sure the third-party firewall is not blocking any of the above.

 

Thanks,

 ...Rich

 

 

Hi rdeyoungaia:

 

Have you checked in History under Network and Connections and also under Firewall Activities to see if there are any actual blocks being logged?  If something shows as blocked, you can find the rule and add the ports to it.  I will leave a note for dbrisendine to have a look when he comes online.  He is extremely knowledgeable about VPN issues.

rdeyoungaia,

 

The ICMP blocking in NIS2010 is most likely what is preventing the connection from completing.  You can help overcome this by making a manual rule in the General Rules settings under Smart Firewall settings.  Click on Add and set the rule to Allow, To and From, Only computers listed below (here you will need the exact IP address or name for your Cisco router; this would have to be a static address, which it should be anyway if you are trying to point to your router from any place outside your home network), select ICMP for the protocol, mark whether you want this recorded in the History log or not (you can change this later if you like), name the rule Cisco VPN ICMP and click FINISH.  Highlight the new rule, which by default will be at the end of the filter list, and click on Move Up until the rule is at the top of the list; this will make sure that the rule is applied to all the network traffic first before any other rule / filter.

 

Let us know if this solves the problem before we go into any further changes.  Thanks.
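A small model of the rule-ordering step described in the post above, checked against the protocol list Cisco gave (an added example, not part of the original posts and not NIS's own logic). It assumes first-match-wins evaluation and that unmatched traffic is blocked; the rule list and the gateway address are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Flows from the Cisco note quoted in the thread: (protocol, port or None).
REQUIRED = [("tcp", 443), ("tcp", 60443), ("udp", 500), ("udp", 4500),
            ("esp", None), ("icmp", None)]

GATEWAY = "203.0.113.10"  # constructed: documentation address standing in for the router

def rule(name, action, proto, ports=None, remote="0.0.0.0/0"):
    return {"name": name, "action": action, "proto": proto,
            "ports": ports, "remote": ip_network(remote)}

# Constructed rule list, not an export from NIS. Order matters.
RULES = [
    rule("Default Block ICMP", "block", "icmp"),
    rule("Allow HTTPS", "allow", "tcp", {443}),
    rule("Allow IKE", "allow", "udp", {500, 4500}),
    rule("Cisco VPN ICMP", "allow", "icmp", remote=GATEWAY + "/32"),
]

def matches(r, proto, port, peer):
    if r["proto"] not in ("any", proto):
        return False
    if r["ports"] is not None and port not in r["ports"]:
        return False
    return ip_address(peer) in r["remote"]

def audit(rules, peer):
    """Map each required flow to (action, deciding rule); first match wins."""
    verdicts = {}
    for proto, port in REQUIRED:
        hit = next((r for r in rules if matches(r, proto, port, peer)), None)
        key = f"{proto}/{port}" if port else proto
        # Assumption: traffic that matches no rule is blocked.
        verdicts[key] = (hit["action"], hit["name"]) if hit else ("block", "<no rule>")
    return verdicts

def blocked(rules, peer):
    return [k for k, (action, _) in audit(rules, peer).items() if action == "block"]

def move_to_top(rules, name):
    """Reorder as the 'Move Up' step in the post does."""
    return [r for r in rules if r["name"] == name] + [r for r in rules if r["name"] != name]

if __name__ == "__main__":
    for label, rs in (("rule at end", RULES), ("rule at top", move_to_top(RULES, "Cisco VPN ICMP"))):
        print(label, "->", blocked(rs, GATEWAY))
```

In this constructed rule set, moving the ICMP rule to the top clears ICMP, while TCP 60443 and ESP remain uncovered because no rule names them.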

I tested the rule you suggested; actually had to set it up for all computers, not the specific IP, but it didn't work and did not report any errors in the log.

Quite a few users are having problems with this particular router and Win 7.  If you are unable to connect with the Norton firewall disabled, it would appear to be the Win 7 and Cisco issues that are causing the problem.  Some users have been able to make it work by uninstalling the Cisco software and reinstalling it in compatibility mode for Vista SP2.

 

There are further options and instructions here on how to install Cisco successfully in Win 7.

 

http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

 

 

I am unable to connect with NIS 2010 disabled.  I agree that it appears to really be a Cisco/Win7 issue, but the troubleshooting from Cisco suggested it could be a problem with NIS because some are working who don't have NIS and are using the Win7 firewall.

 

The links you have pointed to don't appear to apply to the problem I am having.  They are referencing the Cisco VPN Client Version 5.0.01.0600, but I am trying to use the updated QuickVPN QVPN v1.4.0.5 that Cisco just released a couple of weeks ago specifically to address the issues with Win 7.  In the release notes, they clearly say that you MUST use the Win7 firewall for it to work, but NIS will not allow both to run at the same time.  For this reason, Cisco has sent me to Symantec to troubleshoot this end too.

 

Some people on the Cisco small business forum have tried uninstalling NIS completely, activating the Win7 firewall, and then installing QVPN, but this hasn't worked either.

 

The recommendations to run QVPN in Vista SP2 mode don't work either.  Several of us have tested this and it has failed to work.

 

The only way I have been able to connect successfully is to run Virtual PC in XP mode with the Windows firewall on and NIS not installed.  (I haven't tested it with NIS installed in the Virtual PC session yet.)

 

 ...Rich

When the Norton firewall is disabled, it can't block anything.  If it had been Norton, the rule that you built specifically allowing the connection should have worked.

 

Some people on the Cisco small business forum have tried uninstalling NIS completely, activating the Win7 firewall, and then installing QVPN, but this hasn't worked either.

 

This clearly indicates a problem with Win 7, rather than Norton.  It can't interfere when it is uninstalled. 

 

There are some other suggestions and information from another QVPN but it may change from system to system.

 

THE BUGS - SUMMARY:

1. QVPN doesn't handle long hostnames - MUST USE IP address.

2. Client doesn't give ANY errors from that part of the execution, but only later when the ping doesn't work.

3. Client doesn't give specific errors (example. It should say if the problem was the password, or the gateway, etc.)

4. Client doesn't run on Windows 7 without compatibility mode (in the compatibility mode it works as well as in Vista)

4.b Error message is flawed "This only works in Windos 2000 / XP" - So where's Vista?

 

Posted by pekka ahota in the Cisco Support Community.

 

https://supportforums.cisco.com/thread/184868