cc/td/doc/product/vpn/client/3_6
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table Of Contents

Troubleshooting and Programmer Notes

Troubleshooting the VPN Client

Gathering Information for Customer Support

Solving Common Problems

Changing the MTU Size

Start Before Logon and GINAs

Programmer Notes

Testing the Connection

Command Line Switches for ipsecdialer Command

IKE Proposals


Troubleshooting and Programmer Notes

This chapter contains information to help you resolve problems installing or running the VPN Client. It also contains notes helpful to writing programs for special needs.

This chapter includes the following main topics:

Troubleshooting the VPN Client

Start Before Logon and GINAs

Programmer Notes

Troubleshooting the VPN Client

This section describes how to perform the following tasks:

Gathering Information for Customer Support

Solving Common Problems

Changing the MTU Size

Gathering Information for Customer Support

If you are having problems running the VPN Client on your PC, you can gather system information that is helpful to a customer support representative and e-mail it to us. We recommend that you do the following before you contact us.

If Your Operating System is Windows 98, 98 SE, ME, 2000, or XP

Go to the Start menu and select Programs > Accessories > System Tools > System Information.

Windows displays the Microsoft System Information screen, such as the one in Figure 6-1.

Figure 6-1 System Information Screen on Windows 98

Select a category and the screen displays details for that category. You can then execute the Export command and choose a name and destination. Windows creates a text file, which you can attach to an e-mail message and send to the support center.

If Your Operating System is Windows NT or Windows 2000

On the Windows NT or Windows 2000 operating system, you can run a utility named WINMSD from a command-line prompt. WINMSD generates a file containing information about your system configuration, and the software and drivers installed.

To use this utility, perform the following steps:

Step 1 Go to the Start menu and select Programs > Command Prompt.

This action displays a window with a DOS prompt, such as c:\.

Step 2 Type the following command at the DOS prompt:

C:\>winmsd /a /f

where /a = all and /f = write to file.

This command generates a text (.txt) file with the name of your computer and places the file in the directory from which you run the command. For example, if the name of your machine is SILVER and you execute the command from the c: drive (as shown above), the text file name is silver.txt.

If you open the file with a text editor, such as Notepad, you see a file such as the one shown in
Figure 6-2, which was from a Windows NT system.

Figure 6-2 System Text File

You can attach this file to an e-mail message and send it to the support center.

Solving Common Problems

This section describes some common problems and what to do about them.

Shutting Down on Windows 98

You may experience a problem with your Windows 98 system shutting down when the VPN Client software is installed. If so, you need to disable the fast shutdown feature, as follows:

Step 1 At the Microsoft System Information screen (shown in Figure 6-1), select Tools> System Configuration.

Microsoft displays a Properties page.

Step 2 From the General page, select the Advanced button.

Step 3 Choose the Disable Fast Shutdown option.

Booting Automatically Starts up Dial-up Networking on Windows 95

Some versions of Internet Explorer silently control startup options in Windows 95 so that every time you start your system, Dial-Up Networking launches. If this occurs, as it does in Internet Explorer 3.0, go to View > Options > Connections and uncheck the option Connect to the Internet as needed.

Changing the MTU Size

The Set MTU option is used primarily for troubleshooting connectivity problems.

Note The VPN Client automatically adjusts the MTU size to suit your environment, so running this application should not be necessary.

The maximum transmission unit (MTU) parameter determines the largest packet size in bytes that the client application can transmit through the network. If the MTU size is too large, the packets may not reach their destination. Adjusting the size of the MTU affects all applications that use the network adapter. Therefore the MTU setting you use can affect your PC's performance on the network.

MTU sizing affects fragmentation of IPSec and IPSec through NAT mode packets to your connection destination. A large size (for example, over 1300) can increase fragmentation. Using 1300 or smaller usually prevents fragmentation. Fragmentation and reassembly of packets at the destination causes slower tunnel performance. Also, many firewalls do not let fragments through.

To change the size of the MTU, use the following procedure:

Step 1 Select Start > Programs > Cisco Systems VPN Client > SetMTU.

The Set MTU window appears.

Figure 6-3 Setting MTU Size on Windows NT

Step 2 Click a network adapter on the list of network adapters.

Step 3 Click one of the following choices under MTU Options:

Default
The factory setting for this adapter type.

576 (in bytes)

The standard size for dial-up adapters.

1300 (in bytes)

The choice recommended for both straight IPSec and IPSec through NAT. Using this value guarantees that the client does not fragment packets under normal circumstances.

Custom

Enter a value in the box. The minimum value for MTU size is 68 bytes.


Step 4 Click OK.

You must restart your system for your change to take effect

Start Before Logon and GINAs

The VPN Client can load prior to logging in to a Windows NT platform (Windows NT 4.0, Windows 2000, and Windows XP). This feature lets remote users establish a VPN connection to a private network where they can successfully log in to a domain. When start before logon (SBL) is enabled on a Windows NT platform, the VPN Client tries to replace the standard Microsoft logon dialog box (the same one that appears after you press Ctrl+Alt+Del when booting your PC, called a GINA). The name of the Microsoft GINA is msgina.dll and you can find it in the registry at the location:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
GinaDLL = msgina.dll

The VPN Client replaces the msgina.dll with the VPN Client's GINA (csgina.dll), and then points to it so that you can still see and use the MS GINA. When you start your PC and press Ctrl+Alt+Del, you are launching the VPN Client Dialer application and the MS logon dialog box. The VPN Client detects whether the necessary Windows services are running and if not, displays a message asking you to wait. If you look in the VPN Client registry, you see the following parameters and values:

HKLM\Software\Cisco Systems\VPN Client\
GinaInstalled = 1
PreviousGinaPath = msgina.dll

Note When you enable start before logon for the first time, you must reboot for the system to load csgina.

Fallback Mode

In some cases a third-party program replaces the MS GINA, and in some of these cases the VPN Client works with the third-party program, while in other cases, it does not. The VPN Client maintains a list of incompatible GINAs that it does not work with, and does not replace the GINA file in use. This is called fallback mode. The list of incompatible GINAs resides in the vpnclient.ini file, and the VPN Client refers to the list only during installation. The following entry is an example.

IncompatibleGinas=PALgina.dll,nwgina.dll,logonrem.dll,ngina.dll

In fallback mode, the VPN Client performs differently when start before logon is in use. Instead of loading when you press Ctrl+Alt+Del, the VPN Dialer loads as soon as the VPN service starts. When operating in fallback mode, the VPN Client does not check to see if the necessary Windows services have started. As a result, the VPN connection could fail if initiated too quickly. In fallback mode, when the VPN connection succeeds, you then press Ctrl+Alt+Del to get to the Microsoft logon dialog box. In this mode, you see the following VPN Client registry parameters and values:

HKLM\Software\Cisco Systems\VPN Client\
GinaInstalled = 0
PreviousGinaPath = msgina.dll

Incompatible GINAs

If a new problem GINA is discovered after the VPN Client is released, you can add the GINA to the incompatible GINA list in the vpnclient.ini file. Adding the GINA to this list places it in the IncompatibleGinas list in the registry when you install the VPN Client and puts the VPN Client into fallback mode, thus avoiding possible conflicts (see section " oem.ini File Keywords and Values").

Programmer Notes

This section contains information to aid a programmer in writing programs that perform routine tasks.

Testing the Connection

As part of a program, you might want to test a connection to see if it is active before performing the tasks that are the purpose of the program. To test the connection, you can poll the TunnelEstablished entry in the HKEY_LOCAL_MACHINE registry. To see this entry, bring up the Registry Editor and go to SOFTWARE > Cisco Systems > VPN Client. (See Figure 6-4.) In the list of entries, you see TunnelEstablished. This entry can have only two values: 1 or 0. If the connection is working, the value is 1; if not, the value is 0.

Figure 6-4 Cisco Systems VPN Client Registry Entries

Command Line Switches for ipsecdialer Command

The ipsecdialer command starts a connect from the command line by bringing up the VPN Client GUI application. You can use switches to specify parameters with this command. Table 6-1 lists the switches you can include in the ipsecdialer command and describes the task that each switch performs.

Table 6-1 Command Line Switches

Switch
Parameter
Description

/c

Auto-connect

Starts the VPN Dialer application for the specified connection entry and displays the authentication dialog.

Example: ipesedialer /c towork

/eraseuserpwd

Erase User Password

Erases the user password saved on the Client PC thereby forcing the VPN Client to prompt for a password.

Example:ipsecdialer /c /eraseuserpwd towork

/user

Username

Specifies a username for authentication. Suppresses the username prompt in authentication dialog. Updates the username in the .pcf file. You can use this parameter only with the /c switch.

Example: ipsecdialer /c /user robron /pwd siltango towork

/pwd

Password

Specifies a password for authentication. Suppresses the password prompt in authentication dialog. Updates the password in the .pcf file during authentication and then clears the password from the pcf file.

Example: ipsecdialer /c /user robron /pwd siltango towork

/sd

Silent disconnect

Suppresses connection terminating messages, such as "Your IPSec connection has been terminated." You can use this parameter to improve the automatic connection process.

Example: ipsecdialer /sd towork


IKE Proposals

Table 6-2 lists the IKE proposals that the VPN Client supports.

Table 6-2 Valid VPN Client IKE Proposals

Proposal Name
Authentication
Mode
Authentication Algorithm
Encryption Algorithm
Diffie- Hellman
Group

CiscoVPNClient-3DES-MD5

Preshared Keys (XAUTH)

MD5/HMAC-128

3DES-168

Group 2
(1024 bits)

CiscoVPNClient-3DES-SHA

Preshared Keys (XAUTH)

SHA/HMAC-160

3DES-168

Group 2
(1024 bits)

CiscoVPNClient-DES-MD5

Preshared Keys (XAUTH)

MD5/HMAC-128

DES-56

Group 2
(1024 bits)

CiscoVPNClient-AES128-MD5

Preshared Keys (XAUTH)

MD5/HMAC-128

AES-128

Group 2
(1024 bits)

CiscoVPNClient-AES128-SHA

Preshared Keys (XAUTH)

SHA/HMAC-160

AES-128

Group 2
(1024 bits)

CiscoVPNClient-AES192-MD5

Preshared Keys (XAUTH)

MD5/HMAC-128

AES-192

Group 2
(1024 bits)

CiscoVPNClient-AES192-SHA

Preshared Keys (XAUTH)

SHA/HMAC-160

AES-192

Group 2
(1024 bits)

CiscoVPNClient-AES256-MD5

Preshared Keys (XAUTH)

MD5/HMAC-128

AES-256

Group 2
(1024 bits)

CiscoVPNClient-AES256-SHA

Preshared Keys (XAUTH)

SHA/HMAC-160

AES-256

Group 2
(1024 bits)

IKE-3DES-MD5

Preshared Keys

MD5/HMAC-128

3DES-168

Group 2
(1024 bits)

IKE-3DES-SHA

Preshared Keys

SHA/HMAC-160

3DES-168

Group 2
(1024 bits)

IKE-DES-MD5

Preshared Keys

MD5/HMAC-128

DES-56

Group 2
(1024 bits)

IKE-AES128-MD5

Preshared Keys

MD5/HMAC-128

AES-128

Group 2
(1024 bits)

IKE-AES128-SHA

Preshared Keys

SHA/HMAC-160

AES-128

Group 2
(1024 bits)

IKE-AES192-MD5

Preshared Keys

MD5/HMAC-128

AES-192

Group 2
(1024 bits)

IKE-AES192-SHA

Preshared Keys

SHA/HMAC-160

AES-192

Group 2
(1024 bits)

IKE-AES256-MD5

Preshared Keys

MD5/HMAC-128

AES-256

Group 2
(1024 bits)

IKE-AES256-SHA

Preshared Keys

SHA/HMAC-160

AES-256

Group 2
(1024 bits)

CiscoVPNClient-3DES-MD5-RSA

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

3DES-168

Group 2
(1024 bits)

CiscoVPNClient-3DES-SHA-RSA

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

3DES-168

Group 2
(1024 bits)

CiscoVPNClient-DES-MD5-RSA-DH1

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

DES-56

Group 1
(768 bits)

CiscoVPNClient-AES128-MD5-RSA

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

AES-128

Group 2
(1024 bits)

CiscoVPNClient-AES128-SHA-RSA

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

AES-128

Group 2
(1024 bits)

CiscoVPNClient-AES256-MD5-RSA

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

AES-256

Group 2
(1024 bits)

CiscoVPNClient-AES256-SHA-RSA

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

AES-256

Group 2
(1024 bits)

CiscoVPNClient-3DES-MD5-RSA-DH5

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

3DES-168

Group 5
(1536 bits)

CiscoVPNClient-3DES-SHA-RSA-DH5

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

3DES-168

Group 5
(1536 bits)

CiscoVPNClient-AES128-MD5-RSA-DH5

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

AES-128

Group 5
(1536 bits)

CiscoVPNClient-AES128-SHA-RSA-DH5

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

AES-128

Group 5
(1536 bits)

CiscoVPNClient-AES192-MD5-RSA-DH5

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

AES-192

Group 5
(1536 bits)

CiscoVPNClient-AES192-SHA-RSA-DH5

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

AES-192

Group 5
(1536 bits)

CiscoVPNClient-AES256-MD5-RSA-DH5

RSA Digital Certificate (XAUTH)

MD5/HMAC-128

AES-256

Group 5
(1536 bits)

CiscoVPNClient-AES256-SHA-RSA-DH5

RSA Digital Certificate (XAUTH)

SHA/HMAC-160

AES-256

Group 5
(1536 bits)

IKE-3DES-MD5-RSA

RSA Digital Certificate

MD5/HMAC-128

3DES-168

Group 2
(1024 bits)

IKE-3DES-SHA-RSA

RSA Digital Certificate

SHA/HMAC-160

3DES-168

Group 2
(1024 bits)

IKE-AES128-MD5-RSA

RSA Digital Certificate

MD5/HMAC-128

AES-128

Group 2
(1024 bits)

IKE-AES128-SHA-RSA

RSA Digital Certificate

SHA/HMAC-160

AES-128

Group 2
(1024 bits)

IKE-AES256-MD5-RSA

RSA Digital Certificate

MD5/HMAC-128

AES-256

Group 2
(1024 bits)

IKE-AES256-SHA-RSA

RSA Digital Certificate

SHA/HMAC-160

AES-256

Group 2
(1024 bits)

IKE-DES-MD5-RSA-DH1

RSA Digital Certificate

MD5/HMAC-128

DES-56

Group 1
(768 bits)

IKE-3DES-MD5-RSA-DH5

RSA Digital Certificate

MD5/HMAC-128

3DES-168

Group 5
(1536 bits)

IKE-3DES-SHA-RSA-DH5

RSA Digital Certificate

SHA/HMAC-160

3DES-168

Group 5
(1536 bits)

IKE-AES128-MD5-RSA-DH5

RSA Digital Certificate

MD5/HMAC-128

AES-128

Group 5
(1536 bits)

IKE-AES128-SHA-RSA-DH5

RSA Digital Certificate

SHA/HMAC-160

AES-128

Group 5
(1536 bits)

IKE-AES192-MD5-RSA-DH5

RSA Digital Certificate

MD5/HMAC-128

AES-192

Group 5
(1536 bits)

IKE-AES192-SHA-RSA-DH5

RSA Digital Certificate

SHA/HMAC-160

AES-192

Group 5
(1536 bits)

IKE-AES256-MD5-RSA-DH5

RSA Digital Certificate

MD5/HMAC-128

AES-256

Group 5
(1536 bits)

IKE-AES256-SHA-RSA-DH5

RSA Digital Certificate

SHA/HMAC-160

AES-256

Group 5
(1536 bits)


Table 6-3 lists phase 2 proposals that the VPN Client sends.

Table 6-3 Phase 2 Proposals

AES256

MD5

IPCOMPRESSION

AES256

SHA

IPCOMPRESSION

AES128

MD5

IPCOMPRESSION

AES128

SHA

IPCOMPRESSION

AES256

MD5

 

AES256

SHA

 

AES128

MD5

 

AES128

SHA

 

3DES

MD5

IPCOMPRESSION

3DES

SHA

IPCOMPRESSION

3DES

MD5

 

3DES

SHA

 

DES

MD5

IPCOMPRESSION

DES

MD5

 

NULL

MD5

 

NULL

SHA

 

hometocprevnextglossaryfeedbacksearchhelp

Posted: Mon Apr 18 08:25:10 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.