Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Cisco VPN Client

Release Notes for VPN Client, Release 4.6.00 through 4.6.04

Downloads

Table Of Contents

Release Notes for VPN Client, Release 4.6.00 through 4.6.04

Contents

Introduction

System Requirements

Installation Notes

Installation Notes - Windows Platforms

Installing the VPN Client Software Using InstallShield

Installing the VPN Client Software Using the MSI Installer

VPN Client Installation Using Windows Installer (MSI) Requires Windows NT SP6

Installation Notes - Solaris Platforms

Uninstall an Older VPN Client If Present on a Solaris Platform

Disable the ipfilter Firewall Kernel Module Before Installing the VPN Client on a Solaris Platform

Using the VPN Client

New Features in Release 4.6.x

About Version Numbers

New Features in Release 4.6.03.190 (Linux)

New Feature in Release 4.6.03.160 (Mac OS X)

New Feature in Release 4.6.2.0011 for Windows

AutoInitiation Enhancement for Windows VPN Client

New Features in Release 4.6.02.0030 and 4.6.03.190 for Linux

Support for Solaris 10

Firewall Configuration for the VPN Client for Linux with Virtual Adapter

New Features in Release 4.6.00

Mutual Group Authentication

Automatic Updates

Browser Proxy Configuration

VPN Client API Support

Connect on Open

Section 508 Accessibility Compliance

Maximum Preshared Key Length is 128 Characters

Benign Connection Message Removed

Initialization Status Splash Screen Display -- Changed Requirements

New Command Line Argument Allows Minimization on Startup

API for Cisco VPN Client

Usage Notes

Potential Application Compatibility Issues

No Support for ipdptp Dialup Interface on Solaris

Windows Interoperability Issues

DNS

Network Interfaces

Network ICE BlackICE Defender Configuration

Microsoft Outlook Error Occurs on Connection or Disconnect

Adjusting the Maximum Transmission Unit (MTU) Value - Windows Only

Asante FR3004 Cable/DSL Routers Require Asante Firmware Version 2.15 or Later

Using Nexland Cable/DSL Routers for Multiple Client Connections

Cert DN Matching Cannot Match on Email Field EA

VPN Dialer Application Can Load During OS Shutdown or Restart

America Online (AOL) Interoperability Issues

Browser Interoperability Issues

Entrust Entelligence Issues

Accessing Online Glossary Requires Connection to Cisco.com

ZoneAlarm Plus Versions 3.1.274 and Earlier Are Incompatible with VPN Client

ZoneLabs Automatically Adds Loopback and VPN 3000 Concentrator Addresses to Trusted Zone for Windows NT PCs

Upgrading Zone-Alarm Pro to Version 3.7.098 Causes Error When VPN Client Is Already Installed on the PC

Harmless Warning Might Occur with Linux Kernel 2.4

DHCP Route Renewal in Windows 2000 and Windows XP

Solaris Client Using Routed RIP Might Lose Connectivity

Data Meant for Private Network Stays Local if VPN Client's Local Network Is on Same IP Subnet as Remote Private Network

DNS Server on Private Network with Split DNS Causes Problems

VPN Client Supports Sygate Personal Firewall V. 5.0, Build 1175

The 4.6 VPN Client Is Not Supported on Windows 95

VPN Client Not Supported on Windows NT Servers

No Limit to Size of Log File

Start Before Logon and Microsoft Certificate with Private Key Protect Fails

Downgrading VPN Client from Release 4.6 Causes Start Before Logon Failure

Linksys Wireless AP Cable/DSL Router Version 1.44 or Higher Firmware Requirement

VPN Client Can Require Smart Card When Using Certificates

VPN Client GUI Connection History Display Lists Certificate Used

Use Zone Labs Integrity Server 2.1.052.0 or Higher with VPN Client 4.0

Restart VPN Client Service If You Install VPN Client Before Zone Alarm

InstallShield Error Might occur during VPN Client Installation

VPN Client cTCP Connection Fails If Checkpoint Client Is Installed

Open Caveats

Resolved Caveats

Caveats Resolved in All VPN Clients

Caveats Resolved in Release 4.6.04

Caveats Resolved in Release 4.6.03

Caveats Resolved in Release 4.6.02

Caveats Resolved in Release 4.6.01

Caveats Resolved in VPN Clients for Windows,

Caveats Resolved in VPN Client for Windows, Release 4.6.04.0043

Caveats Resolved in VPN Client for Windows, Release 4.6.03.0021

Caveats Resolved in VPN Client for Windows, Release 4.6.2.0011

Caveats Resolved in VPN Client for Windows, Release 4.6.01.0019

Caveats Resolved in VPN Client for Windows, Release 4.6.00.0045

Caveats Resolved in VPN Clients for Linux

Caveats Resolved in VPN Client for Linux, Release 4.6.03.0190

Caveats Resolved in VPN Client for Linux, Release 4.6.02.0030

Caveats Resolved in VPN Clients for Solaris

Caveats Resolved in VPN Client for Solaris, Release 4.6.02.0030

Caveats Resolved in VPN Client for Solaris, Release 4.6.00.0045

Caveats Resolved in VPN Clients for Mac OS X

Caveats Resolved in VPN Client for Mac OS X, Release 4.6.04.0150

Caveats Resolved in VPN Client for Mac OS X, Release 4.6.04.0061

Caveats Resolved in VPN Client for Mac OS X, Release 4.6.03.0160

Caveats Resolved in VPN Client for Mac OS X, Release 4.6.02.0023

Documentation Updates

Related Documentation

Obtaining Documentation

Cisco.com

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

Cisco TAC Website

Cisco TAC Escalation Center

Obtaining Additional Publications and Information


Release Notes for VPN Client, Release 4.6.00 through 4.6.04

These release notes support Cisco VPN Client software Release 4.6.00 through 4.6.04 on Windows, Macintosh, Linux, and Solaris. Release 4.6.00.0045 is the first VPN Client 4.6 release. Please refer to About Version Numbers for information about the new version numbering scheme.

These release notes describe new features, limitations and restrictions, caveats, and related documentation. Please read the release notes carefully prior to installation. The section, "Usage Notes," describes interoperability considerations and other issues you should be aware of when installing and using the VPN Client.

Contents

Introduction

System Requirements

Installation Notes

New Features in Release 4.6.x

Usage Notes, page 15

Open Caveats

Resolved Caveats

Documentation Updates

Related Documentation

Obtaining Documentation

Obtaining Technical Assistance

Introduction

The VPN Client is an application that runs on a Microsoft® Windows®-based PC, a Sun ultraSPARC workstations, a Linux desktop, or a Macintosh (Mac) personal computer that meets the system requirements stated in the next section. In this document, the term "PC" applies generically to all these computers, unless specified otherwise.

The VPN Client on a remote PC, communicating with a Cisco VPN device at an enterprise or service provider, creates a secure connection over the Internet that lets you access a private network as if you were an on-site user. This secure connection is a Virtual Private Network (VPN).

System Requirements

Refer to Chapter 2, "Installing the VPN Client," in the Cisco VPN Client User Guide for Windows or Cisco VPN Client User Guide for Mac OS X, as appropriate for your platform, for a complete list of system requirements and installation instructions.

To install the VPN Client on any system, you need

CD-ROM drive (if you are installing from CD-ROM)

Administrator privileges

The following table indicates the system requirements to install the VPN Client on each of the supported platforms.

Computer
Operating System
Requirements

Computer with a Pentium®-class processor or greater

Windows 2000

Windows XP

Note Windows® 98 or Windows 98 (second edition), Windows ME, and Windows NT® 4.0 (with Service Pack 6, or higher) are supported only on VPN Client versions prior to 4.6.03.0043.

Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)

50 MB hard disk space.

RAM:

128 MB for Windows XP
(256 MB recommended)

64 MB for Windows 2000
(128 MB recommended)

32 MB for Windows 98 (See note under Operating Systems.)

64 MB for Windows NT and Windows ME (See note under Operating Systems.)

Computer with and Intel x86 processor

RedHat Version 6.2 or later Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later

Note The VPN Client does not support SMP (multiprocessor) or 64-bit processor kernels.

32 MB Ram

50 MB hard disk space

Sun UltraSPARC computer

32-bit or 64-bit Solaris kernel OS Version 2.6 or later

32 MB Ram

50 MB hard disk space

Macintosh computer

Mac OS X, Version 10.2.0 or later

50 MB hard disk space

PPC only. None of the Release 4.6.x versions supports Mac OS X on Intel processors.


The VPN Client supports the following Cisco VPN devices:

Cisco VPN 3000 Series Concentrator, Version 3.0 and later. Using IPsec over TCP requires VPN 3000 Series Concentrator version 3.6.7.a and later (CSCsq87252).

Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).

Cisco IOS Routers, Version 12.2(8)T and later

If you are using Internet Explorer, use version 5.0, Service Pack 2 or higher.

Installation Notes

The following tables list the files included in each release:

vpnclient-win-msi-4.6.00.0049-k9.zip

Windows client MSI installer

vpnclient-win-is-4.6.00.0045-k9.zip

Windows client IS installer

vpnclient-darwin-4.6.00.0045-GUI-k9.dmg

Mac OS X installer

vpnclient-linux-4.6.00.0045-k9.tar.gz

Linux package

vpnclient-solaris-4.6.00.0045-k9.tar.Z

Solaris package

vpn3000-4.1.6.bin

VPN 30xx Concentrator code

vpn3005-4.1.6.bin

VPN 3005 Concentrator code

update-4.6.00.0045.zip

VPN Client AutoUpdate package


Because of platform differences, the installation instructions for Windows and non-Windows platforms also differ.

Refer to the Cisco VPN Client User Guide for Windows, Chapter 2, for complete installation instructions for Windows users.

Refer to the Cisco VPN Client User Guide for Mac OS X, Chapter 2, for complete installation information for those platforms.

The following notes are important for users who are upgrading to Windows XP and users who want to downgrade to an earlier version of the VPN Client software.

Installation Notes - Windows Platforms

Release 4.6 includes the following installation considerations for Windows users:

Installing the VPN Client Software Using InstallShield

Installing the VPN Client software on Windows NT, Windows 2000, or Windows XP with InstallShield requires Administrator privileges. If you do not have Administrator privileges, you must have someone who has Administrator privileges install the product for you.

Note The VPN Client Installer does not allow installations from a network drive (CSCeb43490).

Installing the VPN Client Software Using the MSI Installer

Note The Windows MSI installation package was first released with version number 4.6.00.0049. No other packages were released from build number 4.6.00.0049.

If you are using the MSI installer, you must have Windows NT-based products such as Windows NT 4.0 (with SP6), Windows 2000, or Windows XP. Installing with MSI also requires Administrator privileges.

When installing the Windows MSI installation package, the user must manually uninstall the previous VPN Client if it is older than version 4.6. The version 4.6 MSI installer does not detect older versions, and the installer will attempt to install before aborting gracefully. Once a version 4.6 MSI package has been installed, future client versions will be able to detect the existing version 4.6 installation and automatically begin the uninstallation process.

Note Windows Installer 2.0 must be installed on a Windows NT or Windows 2000 PC before configuring the PC for a Restricted User with Elevated Privileges (CSCea37900).

VPN Client Installation Using Windows Installer (MSI) Requires Windows NT SP6

When you attempt to install the VPN Client using MSI install (vpnclient_en.exe) on NT SP3, SP4, or SP5, the error messages do not indicate that the VPN Client cannot be installed on those operating systems because they are unsupported. Once the errors occur, no other messages are displayed and the installation is aborted.

When you attempt to run vpnclient_en.exe on Windows NT SP3, SP4, or SP5 you see the following messages:

"Cannot find the file instmsiw.exe (or one of its components). Make sure the path and filename are correct and that all the required libraries are available."

-then-

"Cannot find the file MSIEXEC (or one of its components). Make sure the path and filename are correct and that all the required libraries are available."

The Windows Installer (MSI) can be installed only on NT SP6, so the error messages you see using earlier service packs are due to an MSI incompatibility (CSCdy05049).

Installation Notes - Solaris Platforms

The following sections describe actions you must take when installing the VPN Client on a Solaris platform.

Uninstall an Older VPN Client If Present on a Solaris Platform

If you have a previous version of the VPN Client running under Solaris, you must uninstall the older VPN Client before installing a new VPN Client. You are not required to uninstall an old VPN Client, if one is present, before installing a new VPN Client for Linux or Mac OS X.

Refer to the Cisco VPN Client User Guide for Linux, Solaris, and Mac OS X, Chapter 2, for complete uninstallation information.

Disable the ipfilter Firewall Kernel Module Before Installing the VPN Client on a Solaris Platform

If you have an IP firewall installed on your workstation, the reboot after installation of the VPN Client takes an inordinate amount of time. This is caused by a conflict between the vpnclient kernel module cipsec and the ipfilter firewall module. To work around this issue, disable the ipfilter firewall kernel module before you install the VPN Client (CSCdw27781).

Using the VPN Client

To use the VPN Client, you need

Direct network connection (cable or DSL modem and network adapter/interface card), or

Internal or external modem, and

To connect using a digital certificate for authentication, you need a digital certificate signed by one of the following Certificate Authorities (CAs) installed on your PC:

Baltimore Technologies (www.baltimoretechnologies.com)

Entrust Technologies (www.entrust.com)

Netscape (www.netscape.com)

Verisign, Inc. (www.verisign.com)

Microsoft Certificate Services — Windows 2000

A digital certificate stored on a smart card. The VPN Client supports smart cards via the MS CAPI Interface.

New Features in Release 4.6.x

These Release Notes cover several releases in the 4.6.x sequence. Some of these releases offer new features, as detailed in the following sections.

About Version Numbers

Beginning with the VPN Client 4.6 release, an all-numeric version numbering system has been adopted for VPN Client software to facilitate the automatic update function. Release numbers are represented in the format:

<major release>:<minor release>:<sustaining release>:<build>

The major and minor release numbers represent the feature level of the product. Major and minor releases implement new product capabilities. The sustaining and build release numbers represent significant or minor patch levels, respectively. For example, 4.6.00.0045 represents feature release 4.6, build 45.

All sustaining and build releases are cumulative, and not all build numbers will be released externally. These release notes specify which build numbers have been released.

These release notes refer to the VPN Client 4.6 software generically where appropriate, and more specifically where necessary to differentiate between patch releases.

New Features in Release 4.6.03.190 (Linux)

This release is a Beta for the VPN Client installed on biarch1 Linux systems for x86_64 platforms.

This release of the VPN Client is NOT compatible with pure 64-bit operating systems.

The VPN Client operates on both 32-bit i386 and biarch x86_64 operating systems.

On i386 32-bit operating systems, this release is not considered a Beta.

The VPN Client now requires GLIBC_2.2 and libstdc++.so.5. Distributions like RedHat 9 and SuSe 9 comply with these requirements.

New Feature in Release 4.6.03.160 (Mac OS X)

This is the first Cisco VPN Client version to support Mac OS X 10.4, but only with single processors. Do not use this version with dual processor platforms running Mac OS X 10.4. Dual processor platforms running Mac OS X 10.2.x through 10.3.x can use this version.

New Feature in Release 4.6.2.0011 for Windows

Release 4.6.2.0011 introduced a feature that lets the administrator configure a user's system to eliminate pop-up messages for an always-up VPN connection.

AutoInitiation Enhancement for Windows VPN Client

With this enhanced AutoInitiation feature configured, AutoInitiation with the Windows VPN Client does not prompt the user about whether to suspend the service. The result is a "transparent" Client that only has the VPN lock in the icon tray when using AutoInitiation. Eliminating the pop-up prompts means that the user does not have the option to suspend the service, because suspending might bypass their security (CSCeg75699).

New Features in Release 4.6.02.0030 and 4.6.03.190 for Linux

The VPN Client for Linux, Release 4.6.02.0030, supports the following feature.

Support for Solaris 10

The VPN Client for Linux, Release 4.6.02.0030 officially supports Solaris 10.

Firewall Configuration for the VPN Client for Linux with Virtual Adapter

Cisco has designed the following firewall configuration for the VPN Client for Linux that works with the Virtual Adapter. The Virtual Adapter was introduced with the 4.6.02.0030 Linux release. This firewall blocks all traffic on eth0, except for tunneled traffic.

# Firewall configuration written by Cisco Systems 

# Designed for the Linux VPN Client 4.6.02.0030 and 4.6.03.0190 
Virtual Adapter

# Blocks ALL traffic on eth0 except for tunneled traffic

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]


# Allow all traffic in both directions through the VA adapter

-A INPUT -i cipsec0 -j ACCEPT

-A OUTPUT -o cipsec0 -j ACCEPT


# Accept all encrypted VPN Client traffic in either direction on eth0

-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j 
ACCEPT 

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j 
ACCEPT 


-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j 
ACCEPT 

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j 
ACCEPT 


-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j 
ACCEPT 


# Block all other traffic in either direction on eth0

-A INPUT -i eth0 -j REJECT 

-A OUTPUT -o eth0 -j REJECT

COMMIT

New Features in Release 4.6.00

Release 4.6.00 of the VPN Client software includes the following new features.

Mutual Group Authentication

Auto Update (Windows 2000 and Windows XP only)

Browser Proxy Config (Internet Explorer for Windows only)

Client API support (all platforms except Solaris)

Connect on Open (Windows and Macintosh)

Section 508 Accessibility Compliance (Windows)

Mutual Group Authentication

Group Authentication is a method that uses pre-shared keys for mutual authentication. In this method, the VPN Client and the VPN central-site device use a group name and password to validate the connection. This is a symmetrical form of authentication since both sides use the same authentication method during their negotiations.

Mutual group authentication is asymmetrical in that each side uses a different method to authenticate the other while establishing a secure tunnel to form the basis for group authentication. In this method, authentication happens in two stages. During the first stage, the VPN central-site device authenticates itself using public-key techniques (digital signature) and the two sides negotiate to establish a secure channel for communication. During the second stage, the actual authentication of the VPN Client user by the central-site VPN device takes place. Since this approach does not use pre-shared keys for peer authentication, it provides greater security than group authentication alone, as it is not vulnerable to a man-in-the-middle attack.

To use mutual group authentication, the remote user's VPN Client system must have a root certificate installed. If needed, you can install a root certificate automatically by placing it on the VPN Client system during installation. The certificate must be in a file named rootcert, with no extension, and must be placed in the installation directory for the remote user's VPN Client system.

For more information on mutual group authentication, see the VPN Client Administrator Guide, Chapter 1.

You must configure both the VPN Client and the VPN Concentrator to allow mutual group authentication (Hybrid mode). Ensure that the Certificate Authority being used on both the VPN Client and the VPN Concentrator is the same. Configure the VPN Concentrator in a similar fashion to the use of User Certificates.

1. Select an IKE Proposal that allows HYBRID mode authentication such as those listed in Table 8-3 of the VPN Client Administrator's Guide. HYBRID-AES256-SHA-RSA for example.

2. Configure an IPSec SA to use the appropriate Identity Certificate to be authenticated with the CA certificate of the VPN Client. If certificates have not yet been obtained for the VPN Concentrator, please refer to the VPN 3000 Series Concentrator Reference Volume I: Configuration Release 4.1.

3. Configure a VPN Group to use the new IPSec SA from step 2. The VPN Clients under test for Mutual Group Authentication will be connecting to this group.

Automatic Updates

In an automatic update, the VPN Client downloads a new version of the software and installs all related components automatically for users. This feature also allows the administrator to distribute and update profiles automatically.

Once Windows VPN Client version 4.6.00 has been installed, only the VPN Concentrator and Web server need be configured to initiate Automatic Updates of the Client. Please refer to the VPN Client Administrator's Guide, Chapter 3, for details on the configuration options.

For the initial release, the update-4.6.00.0045.zip file provided is for use by users who participated in the Beta program so that they may use AutoUpdate to upgrade their Beta clients to the released version. Otherwise, the update file adds no value to users installing the initial version 4.6 Windows VPN Client other than reviewing its contents to become familiar with its components.

Browser Proxy Configuration

Browser proxy configuration is ONLY available using the Release 4.1.6 VPN Concentrator code.

During mode config, the VPN Client negotiates a new mode config attribute to determine whether to change the value of a user's browser proxy setting. The VPN Client administrator controls the setting of the attribute through a parameter in the PCF file. This feature is being implemented for Windows (all platforms) only and for Internet Explorer only.

You can configure the VPN Concentrator to push proxy configuration settings into Microsoft Internet Explorer when Windows clients connect to it. The settings are on the Client Config tab of Group configuration. You can configure the VPN Concentrator to not modify proxy settings ("Do not modify proxy settings"), to push settings to disable existing proxy configuration ("No Proxy Settings"), to push settings to auto-detect a proxy ("Auto-Detect Proxy settings"), and to push explicit proxy settings ("Use Proxy Server/Port listed below").

With the "Use Proxy Server/Port listed below" setting, you can push a proxy server address, a proxy exception list, and whether the browser will exclude the proxy for local addresses.

After disconnecting, proxy settings are restored to what they were before the VPN connection was established. If a workstation is improperly shut down or rebooted while a VPN connection is established, proxy settings will be restored on boot-up.

VPN Client API Support

Release 4.6.00 provides an API for performing VPN Client operations without using the command-line or GUI interfaces that Cisco provides. To obtain documentation, a sample program, or help for the use of the API please send mail to vpn-client-api-support@cisco.com.

Connect on Open

Connect on open lets a user connect to the default user profile when starting the VPN Client. This feature is implemented on all platforms except Linux and Solaris.

You can configure the Windows and Macintosh VPN clients to connect automatically to the default connection profile when the VPN Client is launched. Configure this in the "Options" dialog of the VPN Client, by checking the "Auto-connect to Default on open" check box.

Section 508 Accessibility Compliance

Release 4.6.x brings the VPN Client in compliance with all Section 508 standards for accessibility. This feature is implemented on all Windows platforms.

Maximum Preshared Key Length is 128 Characters

The maximum pre-shared key length for the VPN Client is now 128 characters. The previous limit was 32 characters. The increased key size works only with central-site devices that support 128 characters (for example, an ASA device). If the central-site device does not support 128 characters (for example, a VPN 3000 Concentrator), you would receive the same log messages as if the pre-shared key were wrong. The log messages are as follows (CSCed68659): 


386    15:39:39.010  03/30/05  Sev=Warning/3						IKE/0xE3000056

The received HASH payload cannot be verified


387    15:39:39.010  03/30/05  Sev=Warning/2						IKE/0xE300007D

Hash verification failed... may be configured with invalid group 
password.

Note These log messages might change in the future.

Benign Connection Message Removed

When the VPN Client connects to an ASA device using IPSec over TCP, the Client no longer logs the following message: 

973 10:10:00.619 03/29/05 Sev=Warning/2 IPSEC/0x6370001E Unexpected 
TCP control packet received from 10.10.10.10, src port 10000, dst port 
1495, flags 18h.

This benign but extraneous message has been removed (CSCsa79704).

Initialization Status Splash Screen Display -- Changed Requirements

Rebranded splash-screen graphics must now be at least 280 pixels wide to accommodate the box that displays the status text. There must be a full-width blank area at the bottom of the graphic at least 36 pixels in height.

New Command Line Argument Allows Minimization on Startup

The command line for the VPN Client now has a new argument that minimizes the VPN Client to the system tray on startup. Administrators can now append /minimized to the VPN Client shortcut to achieve this behavior on users' computers (CSCeg11404).

API for Cisco VPN Client

The Cisco VPN Client offers an application programming interface (API). The software, sample program, and documentation are available at http://www.cisco.com/pcgi-bin/tablebuild.pl/windows, along with the rest of the VPN Client downloads. The file name is APIExample_Rev4.zip.

If you do not have a CCO account, please visit http://tools.cisco.com/RPF/register/register.do and register for a guest account. Once you have done this forward the account ID to the vpn-client-api-support@cisco.com so that we can publish the file to you.

Note The Solaris VPN Client does not provide API support.

All API commands require that the 4.6.x and later of the VPN Client be fully installed.

If you are planning on using C, we recommend you call the vpnapi.dll directly; however, if you plan on using C++, then use the example provided in the zip file. The example is compatible with Visual Studio 2005. The documentation in the zip file will work for both C & C++.

Usage Notes

This section lists issues to consider before installing Release 4.6 of the VPN Client software.

In addition, you should be aware of the open caveats regarding this release. Refer to "Open Caveats" on page 38 of these Release Notes for the list of known problems.

Potential Application Compatibility Issues

You might encounter the following compatibility issues when using the VPN Client with specific applications. Whenever possible, this list describes the circumstances under which an issue might occur and workarounds for potential problems.

No Support for ipdptp Dialup Interface on Solaris

VPN Client Releases 3.7.2 and higher no longer support the ipdptp dialup interface on Solaris platforms.

Windows Interoperability Issues

The following known issues might occur with the indicated Microsoft Windows operating systems and applications software.

Note Do not upgrade to Release 4.6.0.3.21 if you depend on Split DNS configurations.

Windows NT Support Ends with VPN Client Release 4.6.04.0043

VPN Client for Windows, Release 4.6.04.0043 is the final version that supports Windows NT.

WINS Support

On Windows 95 and Windows 98, dynamic WINS support works with DHCP-enabled adapters (for example, PPP or NIC adapters that get their IP information dynamically). For static configurations, users must manually configure the adapters with WINS information.

Windows NT

Users running Windows NT 4.0 with Service Pack 4 require a hot fix from Microsoft for proper operation. This fix is available on the Microsoft GetHostByName API Returns Unbindable Address page: http://support.microsoft.com/support/kb/articles/Q217/0/01.ASP.

Importing a Microsoft Certificate Using Windows NT SP3

The following problem has occurred on some Windows NT SP3 systems (CSCdt11315).

When using the Client with digital certificates stored in the Microsoft certificate store, the Client may fail to connect. This is accompanied by the following Client event in the Log Viewer:

4101 13:41:48.557 01/05/01 Sev=Warning/2 CERT/0xA3600002
Could not load certificate (null) from the store.

Workaround: Two workarounds exist. Choose one of the following:

Import the certificate from the Microsoft certificate store into the Cisco certificate store using the Cisco Certificate Manager. Refer to "Importing a Certificate" in the Cisco VPN Client User Guide for Windows, Release 4.0,
Chapter 6.

Alternatively, upgrade to a Windows Service Pack later than SP3.

VPN Client Cannot Launch Microsoft Connection Manager

The VPN Client does not see a dialup connection made with Microsoft Connection Manager because of incompatibilities between the requirements of the two applications (CSCdx85663).

Windows 98 Might Hang on Shutdown

On some Windows 98 PCs with the VPN Client installed, if you restart the PC, it may stop responding (that is, "hang") on the screen that says "Windows is shutting down".

Wait a minute. If the PC is still not responding, press the reset button. When the PC reboots, it should not run through ScanDisk, indicating the shutdown was successful in closing all open files. This problem may occur on some PCs and not on others, and we are looking for a solution. Windows 98 shutdown has numerous issues, as can be seen the following Microsoft Knowledge Base Article:

"Q238096 - How to Troubleshoot Windows 98 Second Edition Shutdown Problems" (CSCdt00729).

Windows 2000 (only) Requires Adding Client for MS Networks for Dialup Connections

For the Cisco VPN Client running on a Windows 2000 system, you cannot access Microsoft resources unless you add the Client for Microsoft Networks for the Dial-up adapter.

Aladdin Runtime Environment (RTE) Issue with Windows NT and Windows 2000

Using versions of the Aladdin Runtime Environment (RTE) on Windows NT and Windows 2000 can cause the following behavior. The login prompt that is posted by the Aladdin etoken when connecting the VPN Client can get hidden in the background. If this happens, the VPN connection can timeout and fail with the following event:

"System Error: Connection Manager failed to respond."

A side effect of this is that the VPN Client's service and dialer might become out of synch, and the PC might need to be restarted (CSCdv47999). To avoid this issue, use the Aladdin Runtime Environment (RTE) version 2.65 or later.

Microsoft MSN Installation

Microsoft's MSN installation fails if you have already installed the VPN Client. Uninstall the VPN Client before you install MSN. After MSN has completed installation, you can install the VPN Client.

WINS Information Might Not Be Removed from Windows Servers If Not Disconnected Before Shutdown

If the VPN Concentrator is configured to send WINS server addresses down to the VPN Client and the PC is shut down or restarted without first disconnecting the VPN Client, the WINS servers are not removed from the network properties. This might cause local PC registration and name resolution problems while not connected with VPN.

To work around this problem, do one of the following:

Be sure to disconnect the VPN Client before shutting down. If you are having problems, check your network properties and remove the WINS entries if they are not correct for your network.

Alternatively, enable "Disconnect VPN connection when logging off". Go to Options > Windows Logon Properties, check Disconnect VPN connection when logging off (CSCdv65165).

VPN Client May Falsely Trigger Auto Initiation Connection Event though the NIC Card Has Been Removed

The 4.6 VPN Client with Auto Initiation enabled on a Windows NT system may exhibit the following behavior. After removing a NIC card, the VPN Client may continue to trigger an Auto Initiation connection event though the NIC card has been removed. To stop its connection attempts, you can place the VPN Client in Suspended mode after a failed or canceled VPN connection. You can also disable this feature from the GUI by using Options > Automatic VPN Initiation, and unchecking "Enable". If you add a new NIC, the problem goes away. (CSCdx46812).

DNS

For DNS resolution, if the DOMAIN NAME is not configured on the network interface, you need to enter the fully qualified domain name of the host that needs to be resolved.

Network Interfaces

The VPN Client does not support Point-to-Point Protocol over ATM (PPPoA).

The VPN Client cannot establish tunnels over Token Ring. However, it does not conflict with an installed Token Ring interface.

DELL Docking Station users running the VPN Client on Windows NT may experience bluescreen failures if the latest version of Softex Docking Services has not been installed. The Softex Docking Service utilities are available directly from the DELL Support Web site, http://search.dell.com/index.asp. Select the checkbox for the File Library and search for the term "Softex Docking Services".

Network ICE BlackICE Defender Configuration

Network ICE's BlackICE Defender is a traffic monitoring security product. If you properly configure it, BlackICE Defender can work with the VPN Client. You must configure BlackICE Defender for Trusting, Nervous, or Cautious mode. If you use Nervous or Cautious mode, add the public IP address of the VPN Concentrator to the list of trusted addresses. You can now configure the VPN Client to work with BlackICE Defender configured for Paranoid mode when in Tunnel-everything mode. Split Tunneling requires BlackICE to be in Trusting, Nervous, or Cautious mode.

The Cisco VPN Client firewall has the following requirements for BlackICE (BlackICE Defender 2.5 or greater or BlackICE Agent 2.5 or greater). For BlackICE Defender 2.5, copy the BICTRL.DLL file from the Cisco installation release medium to the BlackICE installation directory on the VPN Client PC. This is a mandatory step for making a connection requiring BlackICE.

BlackICE Defender version 2.9 and greater includes the BICTRL.DLL file in the Network ICE distribution medium, so that you do not need to copy it from the Cisco installation release medium.

Microsoft Outlook Error Occurs on Connection or Disconnect

The following Microsoft Outlook error might occur when the VPN Client connects or disconnects:

"Either there is no default mail client, or the current mail client cannot fulfill the messaging request. Run Microsoft Outlook and set it as the default mail client."

This message does not affect operation of the VPN Client. The issue occurs when Microsoft Outlook is installed but not configured for email, although it is the default mail client. It is caused by a Registry Key that is set when the user installs Outlook.

To eliminate this message, do one of the following:

Right-click the Outlook icon, go to Properties, and configure it to use Microsoft Exchange or Internet Mail as the default mail client.

Use Internet Explorer to configure the system to have no default mail client.

Configure Outlook as the default mail client (CSCdv67594).

Adjusting the Maximum Transmission Unit (MTU) Value - Windows Only

VPN Encapsulation adds to the overall message length. To avoid refragmentation of packets, the VPN Client must reduce the MTU settings. The default MTU adjusted value is 1300 for all adapters. If the default adjustments are not sufficient, you may experience problems sending and receiving data. To avoid fragmented packets, you can change the MTU size, usually to a lower value than the default. To change the MTU size, use the VPN Client SetMTU utility. If you are using PPPoE, you may also have to set the MTU in other locations. Refer to the following table for the specific procedures for each type of connection.

The MTU is the largest number of bytes a frame can carry, not counting the frame's header and trailer. A frame is a single unit of transportation on the Data Link Layer. It consists of header data, plus data that was passed down from the Network Layer, plus (sometimes) trailer data. An Ethernet frame has an MTU of 1500 bytes, but the actual size of the frame can be up to 1526 bytes (22-byte header, 4-byte CRC trailer).

Recognizing a Potential MTU Problem

If you can connect with the Cisco VPN Client but cannot send or receive data, this is likely an MTU problem. Common failure indications include the following:

You can receive data, such as mail, but not send it.

You can send small messages (about 10 lines), but larger ones time out.

You cannot send attachments in email.

Setting the MTU Value

If you are not experiencing a problem, do not change the MTU value. Usually, an MTU value of 1300 works. If it doesn't, the end user must decrease the value until the Cisco VPN Client passes data. Decrement the MaxFrameSize value by 50 or 100 until it works.

The following table shows how to set the MTU value for each type of connection.

Connection Type
Procedure

Physical Adapters

Use the SetMTU utility supplied with the Cisco VPN Client.

Dial-up

Use the SetMTU utility supplied with the Cisco VPN Client.

PPPoE - All Vendors

Windows XP only

Use SetMTU

PPPoE -

EnterNet

Windows 98

On the main desktop, right click on My Network Places and go to Properties. The Network window opens.

Double-click the Network TeleSystems PPPoE Adapter.

On the Network TeleSystems window, click the Advanced tab, and then click MaxFrameSize. Change the value here. The value varies from case to case. The range can be from 1200 to 1400.

Windows 2000

On the main desktop, right-click My Network Places and go to Properties. The Network and Dial-Up Connections window opens.

Right-click and go to Properties on each connection until you find the connection that has the NTS EnterNet PPPoE Adapter.

Once you find the correct connection, click Configure on the right side of the window.

On the next window, click the Advanced tab, then click MaxFrameSize. Change the value here. The value varies from case to case. The range can be from 1200 to 1400.

PPPoE - WinPoet

Windows 98: WinPoet does not provide user control over the PPPoE MTU under Windows 98.

Windows 2000

WinPoet does not provide a user interface to control the MTU size, but you can control it by explicitly setting the following registry key:

HKLM/system/currentcontrolset/control/class/<guid>/<adapternumber>

adapter(000x):
Value: MaxFrameSize
Value type: DWORD
Data: 1300 (or less)

The GUID and adapter number can vary on different systems. Browse through the registry, looking for the MaxFrameSize value (CSCdu80463).

Caution Edit the registry only if you are comfortable doing so. Incorrect registry entries can make your PC unstable or unusable.

PPPoE - RasPPPoE

Windows 98

On the main desktop, right-click My Network Places and go to Properties. The Network window opens.

Find the PPP over Ethernet Protocol that is bound to the Network card that is in your PC, then double click on it.

In the General Tab check Override Maximum Transfer Unit. Change the value here. The value varies from case to case. The range can be from 1200 to 1400.

Windows 2000

On the main desktop, right-click My Network Places and go to properties. The Network and Dial-Up Connections window opens.

Right-click the connection the PPPoE Protocol was installed to, and go to properties.

When the window opens, double-click PPP over Ethernet Protocol.

In the General Tab, check Override Maximum Transfer Unit. Change the value here. The value varies from case to case. The range can be from 1200 to 1400.


Asante FR3004 Cable/DSL Routers Require Asante Firmware Version 2.15 or Later

Versions of the Asante firmware caused a problem with rekeying and keepalives when a VPN Client had an all-or-nothing connection to a VPN Concentrator through an Asante FR3004 Cable/DSL router. Version 2.15 (or later) of the Asante firmware resolves these issues. For more information about Asante cable/DSL routers, see the following Web sites:

http://www.asante.com/products/routers/index.html

http://www.practicallynetworked.com/pg/router_guide_index.asp

Using Nexland Cable/DSL Routers for Multiple Client Connections

All Nexland Pro routers support passing multiple IPSec sessions through to Cisco VPN 3000 Series Concentrators. To enable this function, the Nexland user must select IPSec Type 2SPI-C on the Nexland options page.

The discontinued Nexland ISB2LAN product correctly handles a single connection, but problems can occur when attempting to make multiple client connections to the same Secure Gateway from behind an ISB2LAN Nexland Cable/DSL router. Nexland has fixed this problem in the Nexland Pro series of routers (CSCdt10266).

Cert DN Matching Cannot Match on Email Field EA

You cannot match on the Cert DN field (EA) when using the Peer Cert DN Verification feature because the VPN Concentrator does not assign a value to that field (CSCdx25994).

VPN Dialer Application Can Load During OS Shutdown or Restart

When using the VPN Client's Start Before Logon feature (Windows NT, Windows 2000, or Windows XP) in "fallback" mode, the VPN dialer application loads during a shutdown or restart of the operating system. This will not cause any problems and can be ignored (CSCdu02071).

America Online (AOL) Interoperability Issues

AOL Versions 5.0 and 6.0

The VPN Client supports AOL Version 5.0. AOL Version 6.0 is also supported, with one limitation: when connected, browsing in the network neighborhood is not available.

AOL Version 7.0

AOL Version 7.0 uses a proprietary heartbeat polling of connected clients. This requires the use of split tunneling to support the polling mechanism. Without split tunneling, AOL disconnects after a period of time between 5 and 30 minutes.

AOL 7 Disconnects after VPN Authentication

When making a dialup connection with AOL 7.0 Revision 4114.537 (for Windows 95, 98, ME, Windows 2000 and XP), then attempting to connect with the VPN Client, AOL might disconnect while the user is being authenticated. This is an AOL issue, not a VPN Client problem (CSCdy45351).

VPN Client Fails to Connect over Some AOL Dialup Connections

The Cisco VPN Client connecting over an AOL dialup connection fails to complete the connection, particularly when using AOL 7.0 and 8.0

The AOL dialup process uses a fallback method which, if your initial attempt to connect fails, resorts to a different connection type for the second attempt. This second attempt can sometimes cause AOL to communicate over two PPP adapters (visible in ipconfig /all output). When this happens, the VPN Client cannot connect. This is a known issue, and AOL is investigating the problem.

The workaround is to try to reconnect the dialup connection to try to avoid getting two PPP adapters (CSCea29056).

Browser Interoperability Issues

The following known issues might occur when using the VPN Client with the indicated browser software.

Issues Loading Digital Certificate from Microsoft Certificate Store on Windows NT SP5 and on IE 4.0 SP2

The following error occurs in the VPN Client log when using a Digital Certificate from the Microsoft Certificate Store. This can occur on Windows NT 4.0 with Service Pack 5 and on Internet Explorer 4.0 with SP2 and using the VPN Client v3.1 or v3.5:

"Could not load certificate cn=Joe Smith,ou=Engineering,o=MyCompany,l=Buffalo, st=new york,c=US,e=jsmith@mycompany.com from the Unsupported Store store"

Both the VPN Client and the Certificate Manager can see and validate the Certificate, but when you try to connect using that Certificate, you get a message in the Connection History dialog that says, "Failed to establish a secure connection to the security gateway".

To fix this problem, do one of the following:

Upgrade to Internet Explorer v5.0 or greater.

Upgrade the PC to Service Pack 6.0a (CSCdv70215).

Requirements for using VPN Client for Windows Using Digital Certificate With Non-exportable Keys

To use certificates with non-exportable keys, you must have the VPN Client, Release 3.6, 4.0 or 4.6, and your PC must have Internet Explorer version 5.0 SP2 or later installed to function properly. (CSCdx90228).

Entrust Entelligence Issues

The following known issues might occur when using Entrust Entelligence software with the VPN Client.

Potential Connection Delay

Using the VPN Client with Entrust Entelligence might result in a delay of approximately 30 seconds if you are trying to connect while Entrust is "online" with the CA. This delay varies, depending on your Entrust CA configuration. If the Entrust CA is on the private network, then the chance of Entrust being online are low, since the VPN connection is needed to communicate with the CA.

If you experience this delay, do one of the following:

Wait for the delay to end and proceed with the VPN connection normally.

Before initiating the VPN Client connection, log out of Entrust. The VPN Client will initiate the Entrust Login Interface with the "work offline" checkbox checked, which alleviates the problem. The easiest way to log out of Entrust is to right-click on the Entrust tray icon (gold key) and select "Log out of Entrust" (CSCdu25495).

Entrust System Tray Icon Might Erroneously Indicate Logout

When using VPN Client with Start Before Logon (Windows NT and 2000) and Entrust Entelligence, the Entrust system tray icon indicates that it is "logged out" once in Windows. It is really logged in, just not in the normal Windows desktop. The reason for this is that the context that Entrust was logged into was on the "Logon desktop". This is an Entrust issue, not a VPN Client problem.

Entrust operates normally once logged into within Windows (CSCdu29239).

Entrust Client May Appear Offline

After establishing a VPN connection with Entrust Entelligence certificates, the Entrust client may appear offline. It may appear this way even after the Entrust client has successfully communicated with the Entrust i500 directory.

To work around this issue, do one of the following:

Upgrade to Entrust Entelligence version 5.1 SP3 or later.

Once connected, right click on the Entrust tray icon (gold key) and uncheck "Work Offline". This manually puts Entrust online (CSCdu33638).

Use Entrust Entelligence 4.0 with VPN Client Release 3.5.1 or 3.1 Start Before Logon

When using the Release 3.5.1 or 3.1 VPN Client with the Entrust Entelligence 4.0 software, the Start Before Logon feature does not function properly. Upgrading to Entrust Entelligence 5.1 resolves this problem (CSCdu61926).

Some Entrust Dialogs Do Not Display Properly When Using VPN Client Start Before Logon

When using the VPN Client with Start Before Logon and Entrust Entelligence, some Entrust dialogs do not display properly on the logon desktop that displays before going into Windows NT or Windows 2000. The first time the VPN Client dialer and service access the Entrust certificates, it prompts for a security check. This prompt displays in Windows, but not at the logon screen.

To work around this problem, connect the VPN Client once, while in Windows and after installing, to register the VPN applications (ipsecdialer.exe and cvpnd.exe) with Entrust. Once you have done this you can use it at the logon desktop (CSCdu62212).

Renewing Entrust Entelligence Certificate (Key Update) Requires Entrust Version 5.1 SP 3 or Later

Entrust Entelligence certificate renewal (key update) will not work over a VPN Client connection unless Entrust Entelligence version 5.1 SP3 or later is being used. Other Entrust Entelligence operations using older versions work properly.

To work around this issue, do one of the following:

Upgrade to Entrust Entelligence version 5.1 SP3 or later.

Computers need to have Entrust digital certificates renewed by placing them directly on the network during the renewal period to get updated (CSCdu84038).

Accessing Online Glossary Requires Connection to Cisco.com

The Glossary button at the top of all Help screens tries to contact univercd at www.cisco.com (the Cisco documentation site). This connection requires connectivity to Cisco's main web site. If your PC does not have a corporate Internet connection or your firewall blocks access, the following error appears when you attempt to access the Glossary:

"The page cannot be displayed."

To access the Glossary, you must be connected to www.cisco.com (CSCdy14238).

ZoneAlarm Plus Versions 3.1.274 and Earlier Are Incompatible with VPN Client

The following known incompatibility exists between the Cisco VPN Client and Zone Labs ZoneAlarm Plus version 3.1.274 and earlier. If you are using such a version of ZoneAlarm Plus, please visit http://www.zonelabs.com or contact your Zone Labs representative for an update.

On a PC with ZoneAlarm Plus version 3.1.274 (or earlier) and the VPN Client, the following errors occur when the PC boots:

On Windows 2000:

ZAPLUS.exe has generated errors and will be closed by Windows. You will need to restart the program.

An error log is being generated.

The Application Log states:

The application, ZAPLUS.EXE, generated an application error. The error occurred on 7/23/2002... The exception was c0000005 at address 00401881 (<nosymbols>).

Similar errors occur on other Windows operating systems.

The result of this error is that the ZoneAlarm GUI does not run, and therefore a user can not change any settings in ZoneAlarm Plus or allow new programs to access the Internet.(CSCdy16607).

ZoneLabs Automatically Adds Loopback and VPN 3000 Concentrator Addresses to Trusted Zone for Windows NT PCs

The Loopback address and the VPN 3000 Concentrator's address are automatically added to the ZoneLabs "Trusted Zone" on Windows NT-based systems.

If a Windows NT based-PC has ZoneAlarm, ZoneAlarm Pro, or Zone Labs Integrity Agent, and the VPN Client Release 4.0 installed on it, the loopback address (127.0.0.1) is automatically added to Zone Labs "Trusted Zone" when the Client service is started. Additionally, the VPN 3000 Concentrator's address is automatically added to the "Trusted Zone" when a connection is made (CSCea61272).

Upgrading Zone-Alarm Pro to Version 3.7.098 Causes Error When VPN Client Is Already Installed on the PC

Upgrading ZoneAlarm Pro version 3.5.xxx to ZoneAlarm Pro version 3.7.098 when the VPN Client is installed on the PC might cause the following error to appear:

"The procedure entry point DbgProcessReset could not be located in the dynamic link library VSUTIL.dll."

Click OK, and the installation continues (CSCea25991). See ZoneLabs' bug number 10182.

Harmless Warning Might Occur with Linux Kernel 2.4

Linux users running 2.4 kernels may encounter the following warning when the VPN Client kernel module is loaded:

Warning: loading /lib/modules/2.4.18-3/CiscoVPN/cisco_ipsec will taint the kernel: no license

This message indicates that the VPN Client kernel module is not licensed under the GPL, so the Linux kernel developers will not debug any kernel problems that occur while this kernel module is loaded. This message does not affect the operation of the VPN Client in any way (CSCdy31826).

DHCP Route Renewal in Windows 2000 and Windows XP

In a Windows 2000 or Windows XP environment, if the public network matches the private network (for example, a public IP address of 192.168.1.5, with a subnet mask of 255.255.0.0, and an identical private IP address) and the public network's route metric is 1, then traffic might not be tunneled to the private network (CSCdz88896). The same problem can occur if you are using a virtual adapter and the public metric is smaller than the virtual adapter metric.

In Windows 2000 and Windows XP, you can increase the metric of the public network by doing the following steps:

Step 1 Select Start > Settings > Control Panel > Network and Dial-up Connections.

Step 2 Select the public interface and click properties for the public interface.

Step 3 Select Internet Protocol (TCP/IP) and get the properties for the Internet Protocol (TCP/IP).

Step 4 Click Advanced, and set the interface metric to 2 or greater.

Solaris Client Using Routed RIP Might Lose Connectivity

If the VPN Client running in the Solaris environment uses routed RIP to learn its default route, you might lose connectivity. This is because RIP is blocked when the VPN Client is connected in all tunneling mode (CSCdv75825).

Data Meant for Private Network Stays Local if VPN Client's Local Network Is on Same IP Subnet as Remote Private Network

This problem occurs only with the VPN Client, Release 4.6 and only with Virtual Adapter (Windows 2000 and Windows XP), when the VPN Client's local network is on the same IP subnet as the remote private network. When a VPN connection is up, data meant for the private network stays local. For example: 192.168.1.0/255.255.255.0

The VPN Client, Release 4.6, with Virtual Adapter attempts to modify local route metrics to allow data to pass over the VPN tunnel. In some cases, it is impossible for the VPN Client to make this modification (CSCdz38680).

To work around this problem, make the change manually, using the following procedure:

Step 1 Run > Control Panel > Network and Dialup Connections.

Step 2 Right-click on the adapter in question and select Properties.

Step 3 From the Adapter Properties dialog, select TCP/IP from the list and click Properties.

Step 4 Click Advanced and increase the number in the "Interface metric" box by 1 (it is usually 1, so making it 2 works).

Step 5 Click OK to exit out of all dialogs.

Step 6 The VPN connection should now work.

DNS Server on Private Network with Split DNS Causes Problems

When an ISP's DNS server is included in the Split Tunneling Network List and Split DNS Names are configured, all DNS queries to domains other than those in the Split DNS Names list are not resolved.

By definition, split DNS is used so that only certain domains get resolved by corporate DNS servers, while rest go to public (ISP-assigned) DNS servers. To enforce this feature, the VPN Client directs DNS queries that are about hosts on the Split DNS Names list to corporate DNS servers, and discards all DNS queries that are not part of the Split DNS Names list.

The problem is when the ISP-assigned DNS servers are in the range of the Split Tunneling Network List. In that case, all DNS queries for non-split-DNS domains are discarded by the VPN Client.

To avoid this problem, remove the ISP-assigned DNS server from the range of the Split Tunneling Network List, or do not configure split DNS (CSCee66180).

VPN Client Supports Sygate Personal Firewall V. 5.0, Build 1175

The supported version of Sygate Personal Firewall is version 5.0, build 1175. Earlier versions might cause the following Blue screen to occur on a Windows NT-based system that has made many connects/disconnects with the VPN Client (CSCdy62426):

Stop: 000000d1 (BAD0B0B8, 00000002, 00000000, BFF12392)

Driver_IRQL_Not_Less_Or_Equal

***Address BFF12392 base at BFF10000, Datestamp 3CCDEC2C - Teefer.sys

The 4.6 VPN Client Is Not Supported on Windows 95

The VPN Client for Windows, Release 4.0 and higher, requires the use of the Windows 98 or later operating system. We recommend updating your operating system to a newer version of Windows (CSCea06231).

VPN Client Not Supported on Windows NT Servers

The VPN Client is not supported on any Windows NT server version (including Windows 2000 and Windows XP/.NET/2003 servers). Only Windows NT 4.0 Workstation and Windows 2000 Workstation are supported platforms.

No Limit to Size of Log File

When logging is enabled on the VPN Client, all of the log files are placed in the Program Files\Cisco Systems\VPN Client\logs directory and are date and time stamped. There is no limit to the size of the log when logging is enabled. The file will continue to grow in size until logging is disabled or the VPN Client program is closed. The log is still available for viewing until the VPN Client program is re-launched, at which time the display on the log tab and log window are cleared (CSCdy87504). The log file remains on the system and a new log file is created when the VPN Client, with logging enabled, is launched.

Start Before Logon and Microsoft Certificate with Private Key Protect Fails

Trying to connect the VPN client using Start Before Logon (SBL) and Microsoft Machine-based certificates fails. This is a Microsoft issue, not a VPN Client problem.

If your certificate has private key protection enabled, every time you use the certificate keys you are either prompted for a password to access the key, or notified with a dialog and asked to click OK.

The prompt displayed when using a certificate with private key protection appears on the Windows Desktop. You do not see this message while at the "Logon" desktop, therefore the VPN Client cannot gain the access to the certificate needed to connect.

Use one of the following workarounds:

Get a certificate without private key protection (just make sure it is machine-based, otherwise it won't be accessible before logging on).

Instead of using Start Before Logon, log on to the PC using cached credentials, make the VPN connection, and— using the "stay connected at logoff" feature—logoff/logon with the VPN established to complete the domain logon (CSCea03349).

Downgrading VPN Client from Release 4.6 Causes Start Before Logon Failure

Start Before Logon fails if the VPN Client is downgraded from Release 4.6 to 3.6. The reason for this is that the file csgina.dll is upgraded when the VPN Client version 4.6 is installed. If the VPN Client is downgraded to version 3.6, the csgina.dll file for version 4.6 is not replaced, and this breaks ability in the VPN Client version 3.6 to Start Before Logon (CSCea03685).

Follow this procedure to drop back to the VPN Client version 3.6 from version 4.6.

Step 1 Uninstall the VPN Client version 4.6.

Step 2 After rebooting, search for csgina.dll. This file is found in the System32 directory.

Step 3 Rename csgina.dll to something like csgina.old.

Step 4 Install the VPN Client version 3.6.

Linksys Wireless AP Cable/DSL Router Version 1.44 or Higher Firmware Requirement

To use the VPN Client behind a Linsksys Wireless AP Cable/DSL router model BEFW11S4, the Linksys router must be running version 1.44 or higher firmware. The VPN Client cannot connect when located behind a Linsksys Wireless AP Cable/DSL router model BEFW11S4 running version 1.42.7 firmware. The VPN Client may see the prompt for username/password, then it disappears (CSCdz52156).

VPN Client Can Require Smart Card When Using Certificates

For Windows 2000 and Windows XP systems, you can configure the VPN Client to require the presence of a Smart Card when Certificates are used. If this feature is configured, the VPN Client displays an error message if a Smart Card is not present. The Certificates need not be present on the Smart Card itself. To configure this feature, add the following line to the user's client profile, specifying the appropriate vendor for your Smart Card:

SmartCardName=<Name of Smart Card Vendor>

If you are using pre-shared keys instead of Certificates, this requirement is not enforced, even if configured.

To disable the Smart Card verification function, completely delete the entry: SmartCardName=<text> from the user's client profile (CSCec82220).

VPN Client GUI Connection History Display Lists Certificate Used

Since Release 4.0.3.C, the VPN Client GUI connection history dialog box displays as the first entry the name of the certificate used for establishing the connection (CSCec79691).

Use Zone Labs Integrity Server 2.1.052.0 or Higher with VPN Client 4.0

Versions of the Zone Labs Integrity Server earlier than 2.1.052.0 exhibit the following problem. If two or more VPN Clients (running on Windows 2000 or XP) are connected to a VPN 3000 Series Concentrator and receive firewall policy from a ZoneLabs Integrity Server, the Integrity Server registers only one connection.

On the Integrity Flex (client agent), under "Policies", the "Integrity Server" column flashes "Connected" then "Disconnected" over and over. Also, the VPN Client log includes the following event: "The firewall, configured for Client/Server, returned a status of lost connection to server." Zone Labs Integrity Server version 2.1.052.0 fixes this issue (CSCea66549).

Restart VPN Client Service If You Install VPN Client Before Zone Alarm

The Firewall Enhancement, "Prevent VPN Traffic Blocking", automatically adds the Loopback address (127.0.0.1) and the address of the VPN 3000 Concentrator to the ZoneAlarm or ZoneAlarmPro trusted zone.

An exception to this, however, occurs if the VPN Client is installed before Zone Alarm. Then the VPN Client's service must be restarted by rebooting the PC or stopping and restarting the service through the Control Panel (on Windows NT-based PCs) (CSCea16012).

InstallShield Error Might occur during VPN Client Installation

The following error message might occur during VPN Client installation:

IKernel.exe - Application Error

The instruction at "0x771c741a" referenced memory at "0x00163648". The memory could not be "read".

This error is caused by an InstallShield component, possibly because of a run-once stale remnant. To recover, you must reboot.

The InstallShield Knowledge base article q108020 addresses this problem. To view this article go to the following URL (CSCea43117):

http://support.installshield.com/kb/view.asp?articleid=q108020

Microsoft has a fix for this issue. For more information and to obtain the fix, go to the following URL:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329623

VPN Client cTCP Connection Fails If Checkpoint Client Is Installed

When the Checkpoint VPN-1 Securemote client is installed with the 4.6 VPN Client, and the VPN Client attempts to connect using cTCP, the 4.6 VPN Client cannot make the connection. Connections do work with UDP, NAT-T, and non-NAT connections.

To make a connection with cTCP when the Checkpoint VPN-1 Securemote is installed, you must disable the Check Point SecuRemote driver in the Connections Properties. To do this, you must be administrator. Follow these steps (CSCea31192):

Step 1 Click Start > Settings > Control Panel >Network and Dial-up Connections.

Step 2 Select the Local Area Connection you use.

Step 3 Click on File > Properties.

Step 4 Uncheck Check Point SecuRemote, and click OK.

Open Caveats

Caveats describe unexpected behavior or defects in Cisco software releases. The following lists are sorted by identifier number.

Note If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II on CCO,