This document answers frequently asked questions (FAQs) about the Cisco VPN 3000 Series Concentrator.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
A. If there is no traffic sent between the VPN Concentrator and the VPN Client for a period of time, a Dead Peer Detection (DPD) packet is sent from the VPN Concentrator to the VPN Client to ensure its peer is still there. If there is a connectivity issue between the two peers where the VPN Client does not respond to the VPN Concentrator, the VPN Concentrator continues to send DPD packets over a period of time. This terminates the tunnel and generates the error if it does not receive a response during that time. Refer to Cisco bug ID CSCdz45586 ( registered customers only) .
The error should look like this:SEV=4 AUTH/28 RPT=381 XXX.XXX.XXX.XX User [SomeUser] disconnected: Duration: HH:MM:SS Bytes xmt: 19560 Bytes rcv: 17704 Reason: Lost Service YYYY/MM/DD HH:MM:SS XXX.XXX.XXX.XXX syslog notice 45549 MM/DD/YYYY HH:MM:SS SEV=4 IKE/123 RPT=XXX.XXX.XXX.XXX Group [SomeDefault] User [SomeUser] IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Cause: The remote IKE peer did not respond to keepalives within the expected window of time, so the connection to the IKE peer was deleted. The message includes the keep-alive mechanism used. This issue is only reproducible if the public interface is disconnected during an active tunnel session. The customer needs to monitor their network connectivity as these events are generated to pinpoint the root cause of their potential network connectivity issue(s).
Disable IKE keepalive by going to %System Root%\Program Files\Cisco Systems\VPN Client\Profiles on the Client PC that experiences the issue, and edit the PCF file (where applicable) for the connection.
Change the 'ForceKeepAlives=0' (default) to 'ForceKeepAlives=1'.
If the problem persists, open a Service Request with Cisco Technical Support and provide the Client "Log Viewer" and the VPN Concentrator logs as the problem occurs.
A. This error message occurs when there are too many debug events / information in the buffer. It has no negative impact other than possibly losing a few event messages. Try to reduce the events to the minimum number needed to prevent the message.
A. Copy the configuration into a text editor (such as Notepad) and manually edit or delete the affected group information denoted by [ipaddrgrouppool #.0]. Save the configuration and upload it to the VPN Concentrator. An example is shown here.!--- Change to 14.1 or any other number that is not in use !--- any number other than 0). [ipaddrgrouppool 14.0] rowstatus=1 rangename= startaddr=172.18.124.1 endaddr=172.18.124.2
A. The VPN 3000 Concentrators are only able to download one node secret file at a time. In SDI Version pre-5.0, you can add multiple SDI servers, but they must all share the same node secret file (think of it as the primary and backup servers). In SDI Version 5.0, you are only able to enter the one primary SDI server (the backup servers are listed in the node secret file) and replica servers.
A. The message indicates that your Secure Socket Layer (SSL) certificate will expire in 28 days. This certificate is used to browse into the web management via HTTPS. You can leave the certificate with the default settings, or you can configure different options before you generate the new certificate. Select Configuration > System > Management Protocols > SSL to do this. Select Administration > Certificate Management and click Generate to renew the certificate.
If you are concerned about security on your VPN Concentrator and would like to prevent unauthorized access, disable HTTP and / or HTTPS on the public interface by going to Configuration > Policy Management > Traffic Management > Filters. If you need to get to your VPN Concentrator over the Internet via HTTP or HTTPS, then you can specify access based on source address by going to Administration > Access Rights > Access Control List. You can use the help menu on the top right corner of the window to get more information.
Q. How can I view the user information in the internal user database? It is not visible when I look in the config file.
A. Select Administration > Access Rights > Access Settings, choose Config File Encryption=None, and save the config to view users and passwords. You should be able to search for the specific user.
A. The number of users is version-dependent and specified in the Configuration > User Management section of the User Guide for your VPN 3000 Concentrator release. A total of 100 users or groups (the sum of users and groups must equal 100 or less) is possible in VPN 3000 Releases 2.2 through 2.5.2. In VPN 3000 Releases 3.0 and later, the number for the 3005 and 3015 Concentrators remains at 100. For the VPN 3030 and 3020 Concentrator, the number is 500, for the VPN 3060 or 3080 Concentrators, the number is 1000. Also, using an external authentication server improves scalability and manageability.
A. The VPN 3000 Concentrator uses the tunnel default gateway to route the tunneled users within the private network (usually the inside router). The VPN Concentrator uses the default gateway to route packets to the Internet (usually the outside router).
Q. If I place my VPN 3000 Concentrator behind a firewall or router running access control lists, which ports and protocols do I need to allow through?
A. This chart lists ports and protocols.
Service Protocol Number Source Port Destination Port PPTP Control Connection 6 (TCP) 1023 1723 PPTP Tunnel Encapsulation 47 (GRE) N/A N/A ISAKMP/IPSec Key Management 17 (UDP) 500 500 IPSec Tunnel Encapsulation 50 (ESP) N/A N/A IPSec NAT Transparency 17 (UDP) 10000 (default) 10000 (default)
Note: The Network Address Translation (NAT) Transparency port is configurable to any value in the 4001 through 49151 range. In versions 3.5 or later, you can configure IPsec over TCP by going to Configuration > System > Tunneling Protocols > IPSec > IPSec over TCP. You can enter up to 10 comma-separated TCP ports (1 - 65535). If this option is configured, make sure that these ports are allowed in your firewall or router running access-control lists.
A. From the File Management screen, delete the "config" file and reboot. If this file is deleted accidentally, a backup copy, "config.bak" is kept.
A. Yes, starting in VPN 3000 Concentrator Release 3.0, you can use a TACACS+ for Administrative authentication. After you configure TACACS+, make sure you test authentication before you log out. Improper configuration of TACACS+ can lock you out. This requires a console port login in order to disable TACACS+ and rectify the problem.
A. In versions 2.5.1 and later, connect a PC to the console port of the VPN Concentrator using a straight-through RS-232 serial cable with the PC set for:
9600 bits per second
8 data bits
1 stop bit
hardware flow control on
Reboot the VPN Concentrator. After the diagnostic check is complete, a line of three dots (...) appears on the console. Press CTRL-C within three seconds after these dots appear. A menu displays that lets you reset the system passwords to their defaults.
A. The group name and group password are used to create a hash which is then used to create a security association.
A. The VPN 3000 Concentrator can be placed in front of, behind, parallel to, or in the demilitarized zone (DMZ) of a firewall. It is not advisable to have the public and private interfaces in the same virtual LAN (VLAN).
A. Proxy Address Resolution Protocol (ARP) cannot be disabled on the Cisco VPN 3000 Concentrator.
A. You can go to Configuration > System > Events > Classes and configure the specific events (such as IPsec or PPTP) to get better debugs. Debugging should only be turned on for the duration of the troubleshooting exercise because it can cause performance degradation. For IPsec debug, turn on IKE, IKEDBG, IPSEC, IPSECDBG, AUTH, and AUTHDBG. If using certificates, then add the CERT class to the list.
A. The HTML interface that comes with the VPN 3000 Concentrator allows you to have basic monitoring functionality if you look under Monitoring > Sessions. The VPN 3000 Concentrator can also be monitored through Simple Network Management Protocol (SNMP) using an SNMP manager of your choice. Alternatively, you can purchase the Cisco VPN / Security Management Solution (VMS). The Cisco VMS provides key functionality to assist you if you deploy the VPN 3000 Concentrator Series and require in-depth monitoring of remote access and site-to-site VPNs, based upon IPsec, L2TP, and PPTP. Refer to the VPN Security Management Solution for more details about VMS.
Q. Does the Cisco VPN 3000 Concentrator Series have an integrated firewall? If so, what features are supported?
A. While the series has integrated stateless port / filtering capabilities and NAT, Cisco suggests you use a device like the Cisco Secure PIX Firewall for the corporate firewall.
A. The series supports these routing options:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Virtual Router Redundancy Protocol (VRRP)
Supported VPN protocols include Point-to-Point Tunneling Protocol (PPTP), L2TP, L2TP / IPsec, and IPsec with or without a NAT device between the VPN 3000 and the end client. IPsec through NAT is known as NAT Transparency.
Q. What authentication mechanisms / systems does the Cisco VPN 3000 Concentrator Series support for client PCs?
A. NT Domain, RADIUS or RADIUS proxy, RSA Security SecurID (SDI), Digital Certificates, and internal authentication are supported.
Q. Can I do static Network Address Translation (NAT) for users going out through the VPN 3000 Concentrator?
A. You can only do Port Address Translation (PAT) for the users going out. You cannot do static NAT on the VPN 3000 Concentrator.
Q. How can I assign a static IP address to a specific Point-to-Point Tunneling Protocol (PPTP) or IPsec user through the VPN 3000 Concentrator?
A. This list explains how to assign static IP addresses:
In the IP Address Management section, in addition to choosing your pool or Dynamic Host Configuration Protocol (DHCP) options, check the Use Client Address option. Then, define the user and the IP address in the VPN 3000 Concentrator. This user always get the IP address configured in the VPN Concentrator when connecting.
In the IP Address Management section, in addition to choosing to your pool or DHCP options, check the Use Address from Authentication Server option. Then, define the user and the IP address in the VPN 3000 Concentrator. This user always gets the IP address configured in the VPN Concentrator when connecting. All others that belong to the same group or to other groups gets an IP address from the global pool or DHCP.
With the Cisco VPN 3000 Concentrator software version 3.0 and later, you have the option to configure an address pool on a group basis. This feature can help you to assign a static IP address to a specific user as well. If you configure a pool for a group, the user with static IP gets the IP address assigned to them, and other members of the same group get IP addresses from the group pool. This only applies when you use the VPN Concentrator as an authentication server.
Note: If you use an external authentication server, then you need to use the external server to assign the addresses correctly.
Q. What are some known compatibility issues with Microsoft's PPTP products and the VPN 3000 Concentrator?
A. This information is based on VPN 3000 Series Concentrator Software Release 3.5 and later; VPN 3000 Series Concentrators, Models 3005, 3015, 3020, 3030, 3060, 3080; and Microsoft Operating Systems Windows 95 and later.
Windows 95 Dial-Up Networking (DUN) 1.2
Microsoft Point-to-Point Encryption (MPPE) is not supported under DUN 1.2. To connect using MPPE, install Windows 95 DUN 1.3. You can download the Microsoft DUN 1.3 upgrade from the Microsoft web site.
Windows NT 4.0
Windows NT is fully supported for Point-to-Point Tunneling Protocol (PPTP) connections to the VPN Concentrator. Service Pack 3 (SP3) or later is required. If you are running SP3, you should install the PPTP Performance and Security patches. Refer to the Microsoft web site for information about the Microsoft PPTP Performance and Security Upgrade for WinNT 4.0 .
Note that the 128-bit Service Pack 5 does not handle MPPE keys correctly, and PPTP can fail to pass data. When this occurs, the event log shows this message:103 12/09/1999 09:08:01.550 SEV=6 PPP/4 RPT=3 126.96.36.199 User [ testuser ] disconnected. Experiencing excessive packet decrypt failure.
To solve this problem, download the upgrade for How to obtain the latest Windows NT Service Pack 6a and Windows NT 4.0 Service Pack 6a Available. Refer to the Microsoft article MPPE Keys Not Handled Correctly for a 128-Bit MS-CHAP Request for more information.
A. The maximum number of filters that you can add on a VPN 30xx unit (even a 3030 or 3060) is fixed at 100. Users can find additional information about this issue by viewing Cisco bug ID CSCdw86558 ( registered customers only) .
A. The maximum number of routes are:
The VPN 3030 Concentrator has been tested up to 10,000 routes.
The routing table limit on the VPN 3030, 3060, and 3080 Concentrators is proportional to the available resources / memory in each device.
The VPN 3015 Concentrator has no predefined maximum limit. This holds true for Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) protocol.
The VPN 3020 Concentrator - Due to a Microsoft limitation, Windows XP PCs are not capable of receiving a large number of Classless Static Routes (CSR). The VPN 3000 Concentrator limits the number of CSRs that are inserted into a DHCP INFORM message response when configured to do so. The VPN 3000 Concentrator limits the number of routes to 28-42, depending on the class.
A. Select Monitoring > Statistics > MIB-II > Ethernet and reset the statistics to clear statistics for the current session. Remember that this does not totally clear the statistics. You need to reboot to actually reset the statistics (versus resetting for monitoring purposes).
A. Allow TCP and UDP port 123.
A. The ports are used for the VPN Client communication between the actual shim / Deterministic NDIS Extender (DNE) and the TCP / IP stack of the PC, and are for internal developmental use only. For example, port 62515 is used by the VPN Client for sending information to the VPN Client log. Other port functions are shown here.
62514 - Cisco Systems, Inc. VPN Service to Cisco Systems IPsec Driver
62515 - Cisco Systems IPsec Driver to Cisco Systems, Inc. VPN Service
62516 - Cisco Systems, Inc. VPN Service to XAUTH
62517 - XAUTH to Cisco Systems, Inc. VPN Service
62518 - Cisco Systems, Inc. VPN Service to CLI
62519 - CLI to Cisco Systems, Inc VPN Service
62520 - Cisco Systems, Inc. VPN Service to UI
62521 - UI to Cisco Systems, Inc. VPN Service
62522 - Log Messages
62523 - Connection Manager to Cisco Systems, Inc. VPN Service
62524 - PPPTool to Cisco Systems, Inc. VPN Service
A. You cannot remove the floating tool bar nor avoid loading the floating toolbar while you establish the WebVPN session. This is because when you close this window the session is terminated immediately and when you try to login again the window is loaded again. This is the way the WebVPN sessions were designed originally. You can close the main window but it is not possible to close the floating window.
Refer to the Cisco VPN 3000 Series Concentrator documentation page for the latest documentation on the VPN 3000 Concentrator.
Q. Do I need a TFTP server to upgrade the VPN 3000 Concentrator? Is there an alternative way to upgrade the box?
A. In addition to using TFTP, you can upgrade the VPN Concentrator by downloading the latest software onto your hard drive. Then, from a browser on the system where the software is located, go to Administration > Software Update and find the downloaded software on your hard drive (just like opening a file). When you find it, select the Upload tab.
A. The "k9" designation for the image name has replaced the originally used 3DES designation (for example, vpn3000-2.5.2.F-3des.bin). Thus, the "k9" now signifies that this is a 3DES image.
A. Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the VPN Concentrator. For this reason, Cisco recommends that you enable data compression only if every member of the group is a remote user that connects with a modem. If any member of the group connects through broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.
A. Load balancing is effective only on remote sessions initiated with the Cisco VPN Software Client (Release 3.0 and later). All other clients (PPTP, L2TP) and LAN-to-LAN connections can connect to a VPN Concentrator on which load balancing is enabled, but they cannot participate in load balancing.
A. Go to Configuration > System > Management Protocols > XML and then to administration | file management select XML format. Use the same name, or different, and open the file in order to view the passwords.
A. You cannot use load balancing with VRRP. In a VRRP configuration, the backup device remains idle unless the active VPN Concentrator fails. In a load balancing configuration, there are no idle devices.
Q. Does all remote access client VPN traffic have to go through an encrypted tunnel to the VPN Concentrator at the enterprise or service provider? For example, can plain web access to other sites go in the open, directly through the ISP's Internet connection?
A. Yes. This concept is known as "split tunneling." Split tunneling allows for secure access to corporate resources through an encrypted tunnel while it allows Internet access directly through the ISP's resources (this eliminates the corporate network from the path for web access). The Cisco VPN 3000 Concentrator Series to both the Cisco VPN Client and the VPN 3002 Hardware Client can support split tunneling. For additional security, this feature is controllable by the administrator of the VPN Concentrator and not the user.
A. Split tunneling allows you to have the convenience of browsing the Internet while connected through the VPN tunnel. However, it does pose us some risk if the VPN user connected to the corporate network is vulnerable to attacks. It is recommended that the users use a personal firewall in that case. The release notes for any given VPN Client version discuss interoperability with personal firewalls.
A. Load is calculated as a percentage derived from the active connections divided by the maximum configured connections. The master always tries to have the least load because it is burdened with the additional (inherent) load of maintaining all of the administrative LAN-to-LAN sessions, calculating all other cluster member loading, and it is responsible for all client redirects.
For a newly configured functional cluster, the master has about a 1 percent load before any connections have been established. Therefore, the master redirects connections to the backup concentrator until the percentage of load on the backup is higher than the percentage of load on the master. For example, given two VPN 3030 Concentrators in "idle" states, the master has a 1 percent load. The secondary is given 30 connections (2 percent load) before the master accepts connections.
In order to verify that the master accepts connections, go to Configuration > System > General > Sessions and lower the maximum number of connections to an artificially low number to quickly increase the load placed on the backup VPN Concentrator.
A. The VPN Monitor can track 20 headend devices. In a hub-and-spoke scenario, connections from remote sites are monitored at the headend. There is no need to monitor all the remote sites and users since that information can be traced on the hub router. These headend devices can support up to 20,000 remote users or 2,500 remote sites. A dual-homed VPN device that goes out to the spoke sites counts as two of the 20 maximum devices that can be monitored.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.