VPN TROUBLESHOOTING

INTRODUCTION

This document is designed for VPN users who are having issues connecting
to the VPN service. If the VPN Service is up and running, users should follow
these troubleshooting steps before contacting C&IT Services.

Problems connecting
to VPN service

Successfully N See Section A – ISP

connected to Connection
ISP?

Does ISP allow N See Section B – ISP

VPN? Blocking

Home
router/firewall N See Section C –
set up for VPN? Home Network

Tried See Section D –

reinstalling N
Reinstall VPN Client
VPN client?

Y
See Section E –
Capture Client Log

C&IT Services Page 1 24/02/2009

VPN Troubleshooting
SECTION A – ISP CONNECTION
To connect to the VPN Service you must first have a working internet
connection. To test if you have a connection, start a browser and check that
you can access the web. If you don’t have an internet connection:

 Try rebooting your broadband modem/router.

 Contact your ISP

SECTION B – ISP BLOCKING

Most ISPs allow VPN traffic although some do not. TalkTalk started blocking
UDP ports 500 and 10000 in late 2007. These ports are required for VPN and
if they are blocked VPN will not work. Contact your ISP to check if they are
blocking any ports.

SECTION C – HOME NETWORK

Most broadband routers support VPN pass-through which allows VPN traffic
through the router firewall without any user input. In some cases you may
have to configure the router firewall to allow the following traffic:

Port number: 500

Protocol type: UDP
Direction: Send Receive

Port number: 4500

Protocol type: UDP
Direction: Send Receive

Port number: 10000

Protocol type: UDP
Direction: Send Receive

Many users will have personal firewalls installed on their home computers.
When using the Cisco VPN client you may be prompted to allow the client
through your firewall on these ports. Check that the firewall allows the 3 ports
through – if not, statically add the 3 ports listed above into your personal
firewall.

C&IT Services Page 2 24/02/2009

VPN Troubleshooting
Some firewalls have issues with the Cisco VPN client. C&IT Services have
found problems with the following firewalls:

F-Secure Firewall

 F-Secure 2007 does not work with Cisco VPN client – see F-Secure
technical note below:

Firewall in Cisco VPN Client does not work with Client Security [52211]
Cisco VPN Client has a built-in stateful firewall, which is not compatible with
F-Secure Internet Shield. If Cisco VPN is installed before F-Secure Client
Security, the side-grade component disables the firewall in Cisco VPN Client.
However, in some cases it might be that the side-grade cannot identify a new
version of VPN Client. In that case you can disable the integrated firewall
manually.

Bullguard 7.0 Firewall

Bullguard 7.0 currently causes a blue screen when using the VPN client. The
resolution is to downgrade Bullguard:

 Download BullGuard 6.1 from

http://download.bullguard.com/6/BullGuard.exe
 Close BullGuard from your computer manually by right-clicking on the
BullGuard icon in the system tray and choosing Close.
 Uninstall BullGuard by following the quick guide at
http://www.bullguard.com/support/tip_uninstall.aspx - choose not to
keep your settings.
 Restart the computer (important for the changes to take effect).
 Reinstall by following the guide at
http://www.bullguard.com/support/tip_install.aspx.
 Restart the computer again and login with BullGuard.

Broadband Router Issues

If your home network is setup correctly and your ISP isn’t blocking any ports,
there may be an issue with your broadband router. Try the following:

 If connecting to the router via a wireless connection, try connecting via

a network cable instead.
 Check if there is a known VPN issue with your router. E.g. the BT
Voyager 2091 has a known problem with the Cisco VPN client which is
resolved by a firmware update. Check with your ISP or router
manufacturer on how to upgrade your router.

C&IT Services Page 3 24/02/2009

VPN Troubleshooting
 SECTION D – REINSTALL VPN CLIENT
Some issues may be resolved by reinstalling the VPN client or checking for a
later version on the C&IT Services download page.

http://applications2.napier.ac.uk/software/default.aspx?option=VPN

SECTION E – CAPTURE CLIENT LOG

If you still have problems connecting to the VPN service, send a copy of the
log from the VPN client to the C&IT Support Desk. To do this:

Click Enable

Log window

 Click the Log tab on the VPN client

 Click Enable to start Logging. Go back to Connection Entries tab and
attempt to connect.
 Click on Log Settings and change the levels from 1-Low to 3-High for
all the settings e.g.

 After the connection attempt fails, go back to the Log tab and click Log
Window. Click Save to save the log.
 Email the file to c&it.support@napier.ac.uk

C&IT Services Page 4 24/02/2009

VPN Troubleshooting
SECTION F – Cisco VPN Error – Reason 412
The Cisco VPN error 412 on Microsoft Vista can be resolved by:

1. Navigate to the folder C:\Program Files\Cisco Systems\VPN

Client\Profiles on your home PC
2. This folder contains a file called Napier University VPN.pcf
3. Open this file in Notepad
4. Add the line UseLegacyIKEPort=1 to the bottom of the file – save and
close the file
5. Start the VPN client and connect.

SECTION G – Cisco VPN Error – Reason 422 Failed to enable

Virtual Adapter

The following error ―Reason 442: failed to enable virtual adapter‖ appears
after Vista reports a duplicate IP address detected. Subsequent connections
fail with same message, but Vista doesn't report a duplicate IP address
detected
To work around error 442, do the following steps:

Step 1 Open ―Network and Sharing Center‖.

Step 2 Select ―Manage Network Connections‖.
Step 3 Enable the Virtual Adapter (―VA‖—Cisco VPN Adapter).
Step 4 Right-click on Cisco VPN Adapter and select ―Diagnose‖ from the
context menu.
Step 5 Select ―Reset the network adapter Local Area Connection X‖.

If this procedure does not work, run the following command from cmd:
reg add HKLM\System\CurrentControlSet\Services\Tcpip\Parameters /v
ArpRetryCount /t REG_DWORD /d 0 /f
Then reboot.
This resolves the issue until Vista reports a duplicate IP address again. Follow
the preceding steps to resolve it again. If that doesn't work, you might have
UAC enabled. If so, you must run cmd as administrator and repeat the
previous registry workaround.

SECTION H – Cisco VPN Error – Reason 435 Firewall Policy

Mismatch
There is a fix for this for Vista users on the VPN download page. XP
users who get this error should contact the Support Desk.

C&IT Services Page 5 24/02/2009

VPN Troubleshooting