Cisco Network Security Troubleshooting Handbook

This section discusses some common problems with the VPN 3000 Series Concentrator and their resolutions.

1

Is Outlook Web Access (OWA) 2003 or Exchange 2003 supported on SSL VPN?

Answer:

Support for Outlook Web Access (OWA) 2003 and Exchange 2003 Server is as follows:

- OWA 2003 is supported in Version 4.1.7.

- Outlook thick client connecting to an Exchange 2003 server using Exchange (MAPI) is not supported until full tunneling (Version 4.7).

- Outlook thick client e-mail is supported using the Port Forwarding client as long as the e-mail client is not Outlook 2003. Outlook 2003 will be supported with WebVPN Version 4.7 and the full tunneling feature.

- The use of OWA2003 with S/MIME has not been specifically tested with Version 4.7; however, this is not an issue with the full tunneling support in Version 4.7.

2

My VPN Client with IPSEC over TCP is not working on Windows XP SP2. What should I do?

Answer:

If your IPsec over TCP VPN is not working on Windows XP SP2, add a rule to the Windows Firewall that allows UDP/62515, the port the VPN Client uses for its own loopback communication on the PC (see question 3). You can do this through the Windows Firewall GUI by adding an Exception, or from a command prompt with the following command:

netsh fi add port UDP 62515 "Cisco VPN Service" enable all

Here fi and port are netsh abbreviations of firewall and portopening; the remaining arguments are the protocol, the port, the rule name, the mode (ENABLE), and the scope (ALL).

To verify whether the built-in firewall that comes with XP SP2 is causing the IPsec over TCP connection problem, temporarily disable the Windows Firewall.

If the VPN connection then comes up successfully, the firewall is the cause: re-enable it and add the exception above. For the loopback-address restriction that SP2 also introduces, refer to the following Microsoft article:

http://support.microsoft.com/?id=884020

Programs that connect to IP addresses that are in the loopback address range may not work as you expect in Windows XP Service Pack 2. This problem occurs if the program connects to a loopback address other than 127.0.0.1. Windows XP Service Pack 2 (SP2) prevents connections to all IP addresses that are in the loopback address range except for 127.0.0.1.
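Both conditions described above can be checked from a script. The following Python is an added example, not from the handbook or from Cisco: it parses the output of netsh firewall show portopening (the sample text is constructed, and the exact column layout of that command's output is an assumption) to report the profiles that lack an enabled UDP/62515 exception, and it probes whether a loopback address other than 127.0.0.1 can be used, which is the restriction KB 884020 describes.

```python
"""Added example: checking the XP SP2 firewall exception and loopback restriction."""
import re
import socket

# Constructed sample of `netsh firewall show portopening` output. The layout
# (per-profile tables with Port/Protocol/Mode/Name columns) is an assumption.
# The Cisco exception is present only in the Domain profile here.
SAMPLE_NETSH_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
62515  UDP       Enable   Cisco VPN Service

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
137    UDP       Enable   NetBIOS Name Service
"""

PROFILE_RE = re.compile(r"^Port configuration for (\w+) profile:")
RULE_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*?)\s*$")


def parse_portopenings(text):
    """Return {profile: [(port, proto, enabled, name), ...]} from netsh output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            port, proto, mode, name = m.groups()
            result[current].append((int(port), proto, mode == "Enable", name))
    return result


def missing_exception(text, port=62515, proto="UDP"):
    """Profiles in which no enabled exception for proto/port exists."""
    rules = parse_portopenings(text)
    return sorted(
        profile for profile, entries in rules.items()
        if not any(p == port and pr == proto and enabled
                   for p, pr, enabled, _ in entries)
    )


def loopback_reachable(addr, port=62515):
    """True if a UDP socket can be bound to addr and a datagram sent to it.

    On XP SP2 (KB 884020) this fails for any loopback address other than
    127.0.0.1; on Linux the whole 127.0.0.0/8 block is usable.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((addr, 0))
            s.sendto(b"probe", (addr, s.getsockname()[1]))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # On a real host, replace SAMPLE_NETSH_OUTPUT with the command's output.
    print("profiles missing UDP/62515 exception:",
          missing_exception(SAMPLE_NETSH_OUTPUT))
    for addr in ("127.0.0.1", "127.0.0.2"):
        print(addr, "usable" if loopback_reachable(addr) else "blocked")
```

loopback_reachable("127.0.0.2") returning False while loopback_reachable("127.0.0.1") returns True is the signature of the SP2 loopback restriction; an exception missing from the profile that is active for the current network (Standard when the PC is not on its domain) is the firewall case.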

3

What are the functions of UDP ports 625xx on VPN Client PC?

Answer:

The ports are used for the VPN Client communication between the actual shim/Deterministic NDIS Extender (DNE) and the TCP/IP stack of the PC. For example, port 62515 is used by the VPN Client for sending information to the VPN Client log.

4

How can I collect full memory dumps on Windows Operating Systems?

Answer:

Work through the following steps to collect the full memory dump on Windows XP (other Windows Operating Systems can use a similar procedure):

Step 1.

Go to the Start > Settings > Control Panel > System > Advanced Tab.

Step 2.

Then click the Settings button under the Startup and Recovery section.

Step 3.

Under Write Debugging Information, select Complete memory dump.

5

What should I do if I receive the message "VPN Sub-System Not Available" after upgrading VPN Client on some XP Machines?

Answer:

This error message indicates that some service is causing the VPN client not to respond in a timely fashion to the GUI. To work around this problem, work through the following steps:

Step 1.

Stop and start the cvpnd service. This can be done through the services control panel, or through command prompt, by typing the following two commands:

net stop cvpnd

net start cvpnd

Step 2.

If the installation never worked before, reinstall the VPN Client software, which requires a reboot. This should resolve the problem.

6

Is there a limit to the number of Cisco Secure Desktop (CSD) locations that can be defined?

Answer:

No, there is no limit.

7

Can the files that are created within the CSD vault be saved onto the guest PC, external media, or shared network folders?

Answer:

Following is a list of different media that can or cannot be used to save the files created in CSD vault:

- Guest PC: Files created within the CSD vault cannot be saved to the guest PC. One caveat is that certain e-mail applications such as Outlook, Outlook Express, Eudora, and Lotus Notes operate as they would on the client PC; these applications are not generally found on public PCs.

- External media (USB fob, floppies, and so on): Files created within the CSD vault can be saved onto external media such as a USB fob or floppy. However, the data is encrypted, is removed once the vault is uninstalled, and is not visible if the key is removed.

- Shared network folders: Files created within the CSD vault can be saved into shared network folders that exist as part of the Network Neighborhood on the client PC. They then also appear in the Secure Desktop Network Neighborhood.

8

When a file is created or amended within the Secure Desktop space, can it be saved to a Network Neighborhood if a network connection via SSL or IPSEC exists?

Answer:

Yes.

9

When is the keystroke logger initiated?

Answer:

It is initiated at the creation of the secure desktop space. Note that this requires that the user has admin privileges to operate.

10

Does the keystroke logger produce events in the VPN 3000 Concentrator logs?

Answer:

No.

11

When specifying a valid antivirus package, how does the concentrator verify the date? Does it just verify that a valid antivirus product is installed regardless of its being up-to-date?

Answer:

With Cisco Secure Desktop (SSL VPN) in Version 4.7, the verification is performed by checking when it was last updated (in terms of days). For IPsec and NAC (Version 4.7), this is done using Cisco Trust Agent and all of the regularly available functionality with NAC.

12

Even if ActiveX and Java are disabled, can I execute the CSD installation via browser?

Answer:

Yes. If neither ActiveX nor Java is detected on the client PC, a full .exe package (instful.exe) is downloaded to the PC for the user to execute to install the CSD package.

13

Is there any restriction of Sun JVM for Cisco Secure Desktop and SSL VPN Client?

Answer:

No, there are no restrictions for Cisco Secure Desktop or the SSL VPN Client. However, it is advisable to use a Sun JVM later than 1.5.x.

14

Does the Cisco Security Agent (CSA) Version 4.5 inter-operate with CSD and SVC?

Answer:

Yes it does. CSA Version 4.5 now supports and is fully compatible with both CSD and SVC. Initial implementations of CSA earlier than Version 4.5 build 550 required that CSA services were stopped using the net stop csagent command or removed completely (if earlier than Version 4.5). These issues have now been resolved in the Version 4.5 release.

15

What should I do if CSD fails with "error initializing Main application window" and "HTTP 404 Not Found (/CACHE/sdesktop/install/css/Main.css)" errors?

Answer:

Be sure that the CPU is not pinned at 100 percent; if it is, close all other foreground and background applications. Also check that the kernel driver "twingostoragedriver" is present on the PC:

Step 1.

Right-click My Computer and select Manage to open the Computer Management window.

Step 2.

Go to Computer Management (Local) > System Tools > System Information > Software Environment > Drivers and look for "twingostoragedriver".

Step 3.

If the driver is not present, re-install CSD with all other applications closed, so that sufficient resources are available for the installation.

16

If ActiveX and Java are disabled, how can I execute SVC installation via browser?

Answer:

If neither ActiveX nor Java is detected on the client PC, the user is simply directed to the WebVPN portal page, but only if the "Require Cisco SSL VPN Client" option under the WebVPN parameters for the group of interest is not checked. If that option is checked, the redirect to the WebVPN portal page does not occur. There is no option to download an install package for the SSL VPN Client.

However, the sslclient-win-1.0.0.x.zip file contains a pre-install package that installs the SVC Agent service onto a client PC (this requires admin privileges); the procedure is detailed in the release notes. Once the service is installed, the full SSL VPN Client package can be downloaded and installed by a non-admin user through the ActiveX/Java download mechanism, which therefore still needs to be enabled on the client PC.

17

What privileges are required to be present within Internet Explorer (IE) to allow for ActiveX to function for SSL VPN client installation?

Answer:

If you have a "Guest" account created on a client PC, it is important to determine which group that "Guest" account belongs to. Right-click "My Computer" and select Manage > Local Users and Groups > Users, then double-click the user to see which groups it is a member of. The list includes Administrators, Power Users, and Users. The Users group does not allow ActiveX to function, whereas the others do.

18

Is there anything that can be done to check the platform before the VPN is established or even before authentication for the SSL VPN tunnel?

Answer:

Yes, use Cisco Secure Desktop with the registry, file/hash, or digital certificate to make this determination.
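As an added illustration (not CSD's own code or policy format, and not from the handbook), the following Python evaluates a host against the three kinds of criteria named above: required registry values, the SHA-256 hash of a file on disk, and the presence of an approved machine-certificate thumbprint. The registry key, file path, file content and thumbprint values are constructed for the demo.

```python
"""Added example: a prelogin posture check of the kind CSD performs."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class HostState:
    """What the endpoint reports about itself (constructed for the demo)."""
    registry: dict = field(default_factory=dict)        # value path -> data
    cert_thumbprints: set = field(default_factory=set)  # installed machine certs


@dataclass
class Policy:
    registry: dict = field(default_factory=dict)        # value path -> required data
    file_hashes: dict = field(default_factory=dict)     # path -> expected sha256 hex
    cert_thumbprints: set = field(default_factory=set)  # any one must be present


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(host, policy):
    """Return (passed, reasons); every failed criterion is reported."""
    reasons = []
    for key, want in policy.registry.items():
        got = host.registry.get(key)
        if got != want:
            reasons.append(f"registry {key}: expected {want!r}, found {got!r}")
    for path, want in policy.file_hashes.items():
        if not os.path.isfile(path):
            reasons.append(f"file {path}: missing")
        elif sha256_file(path) != want:
            reasons.append(f"file {path}: hash mismatch")
    if policy.cert_thumbprints and not (host.cert_thumbprints & policy.cert_thumbprints):
        reasons.append("no approved machine certificate present")
    return (not reasons, reasons)


def demo():
    """Build a constructed policy, evaluate a compliant host, then a drifted one.

    Returns (compliant_result, drifted_result).
    """
    key = r"HKLM\SOFTWARE\Example\ManagedAsset"  # hypothetical registry value
    thumb = "ab" * 20                             # hypothetical SHA-1 thumbprint
    with tempfile.TemporaryDirectory() as d:
        agent = os.path.join(d, "csagent.exe")    # hypothetical file to verify
        with open(agent, "wb") as f:
            f.write(b"constructed agent binary")
        policy = Policy(registry={key: "1"},
                        file_hashes={agent: sha256_file(agent)},
                        cert_thumbprints={thumb})
        compliant = evaluate(HostState(registry={key: "1"},
                                       cert_thumbprints={thumb}), policy)
        with open(agent, "ab") as f:              # simulate a tampered binary
            f.write(b" tampered")
        drifted = evaluate(HostState(registry={key: "0"},
                                     cert_thumbprints={"cd" * 20}), policy)
    return compliant, drifted


if __name__ == "__main__":
    for label, result in zip(("compliant", "drifted"), demo()):
        print(label, result)
```

Whatever the mechanism, these checks execute on the endpoint, so a compromised or hostile host can report whatever it likes. Treat a passed posture check as a gate that keeps honest but non-conforming clients out, not as proof that the client is trustworthy, and keep the real access decision (authentication, group policy, tunnel filters) on the concentrator.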

19

Does Installation of the SVC work with Microsoft Java Virtual Machine (MS JVM)?

Answer:

Yes, but remember that Microsoft will not support this past December 31, 2007, and in fact this can no longer be downloaded from the Microsoft website. Refer to the following link for details: http://www.microsoft.com/mscorp/java/

20

On which operating systems is the SVC client supported?

Answer:

Only Windows 2000 and XP are supported because only those Windows operating systems permit the installation of a network driver without rebooting.

21

Is RADIUS with Expiry and MS IAS Supported with the SSL VPN Client?

Answer:

No. RADIUS with expiry is not supported for SSL VPN.

22

Are any FAQs maintained on CCO for VPN 3000 and Secure Desktop?

Answer:

Yes, refer to the following locations:

http://www.cisco.com/warp/customer/471/vpn_3000_faq.shtml

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csd/csd30/csdfaq.htm
