This chapter contains information to help you resolve problems installing or running the VPN Client. It also contains notes helpful to writing programs for special needs.
This chapter includes the following main topics:
This section describes how to perform the following tasks:
If you are having problems running the VPN Client on your PC, you can gather system information that is helpful to a customer support representative and e-mail it to us. We recommend that you do the following before you contact us.
Go to the Start menu and select Programs > Accessories > System Tools > System Information.
Windows displays the Microsoft System Information screen, such as the one in Figure 6-1.
Select a category and the screen displays details for that category. You can then execute the Export command and choose a name and destination. Windows creates a text file, which you can attach to an e-mail message and send to the support center.
On the Windows NT or Windows 2000 operating system, you can run a utility named WINMSD from a command-line prompt. WINMSD generates a file containing information about your system configuration, and the software and drivers installed.
To use this utility, perform the following steps:
This action displays a window with a DOS prompt, such as c:\.
Step 2 Type the following command at the DOS prompt:
where /a = all and /f = write to file.
This command generates a text (.txt) file with the name of your computer and places the file in the directory from which you run the command. For example, if the name of your machine is SILVER and you execute the command from the c: drive (as shown above), the text file name is silver.txt.
If you open the file with a text editor, such as Notepad, you see a file such as the one shown in Figure 6-2, which was from a Windows NT system.
You can attach this file to an e-mail message and send it to the support center.
This section describes some common problems and what to do about them.
You may experience a problem with your Windows 98 system shutting down when the VPN Client software is installed. If so, you need to disable the fast shutdown feature, as follows:
Microsoft displays a Properties page.
Step 2 From the General page, select the Advanced button.
Step 3 Choose the Disable Fast Shutdown option.
Some versions of Internet Explorer silently control startup options in Windows 95 so that every time you start your system, Dial-Up Networking launches. If this occurs, as it does in Internet Explorer 3.0, go to View > Options > Connections and uncheck the option Connect to the Internet as needed.
The Set MTU option is used primarily for troubleshooting connectivity problems.
Note: The VPN Client automatically adjusts the MTU size to suit your environment, so running this application should not be necessary.
The maximum transmission unit (MTU) parameter determines the largest packet size in bytes that the client application can transmit through the network. If the MTU size is too large, the packets may not reach their destination. Adjusting the size of the MTU affects all applications that use the network adapter. Therefore the MTU setting you use can affect your PC's performance on the network.
MTU sizing affects fragmentation of IPSec and IPSec through NAT mode packets to your connection destination. A large size (for example, over 1300) can increase fragmentation. Using 1300 or smaller usually prevents fragmentation. Fragmentation and reassembly of packets at the destination causes slower tunnel performance. Also, many firewalls do not let fragments through.
To change the size of the MTU for Windows, use the following procedure:
Step 2 Click a network adapter on the list of network adapters.
Step 3 Click one of the following choices under MTU Options:
Step 4 Click OK.
You must restart your system for your change to take effect.
Step 2 Type the following command:
(Replace en0 with the appropriate interface, and replace 1200 with the desired MTU.)
Step 3 The changes take effect immediately.
When a disconnect occurs, the VPN Client displays a reason code or reason text. The VPN Client supports the delete with reason function for client-initiated disconnects, concentrator-initiated disconnects, and IPSec deletes.
Note: The VPN Concentrator you are connecting to must be running software version 4.0 or later to support delete with reason functionality.
Table 6-1 describes the reason codes and the corresponding messages.
All text messages for client-initiated disconnects begin with "Secure VPN Connection terminated locally by the client".
All text messages for concentrator-initiated disconnects begin with "Secure VPN Connection terminated by Peer X.X.X.X", where X.X.X.X is the IP address of the concentrator.
The translated reason code or the reason text follows.
To receive disconnect information from a 4.0 or greater VPN Concentrator, you must configure the feature as follows:
Step 2 Check Alert when disconnecting.
Step 3 Click Apply.
Step 4 Save the configuration.
The VPN Client can load prior to logging in to a Windows NT platform (Windows NT 4.0, Windows 2000, and Windows XP). This feature lets remote users establish a VPN connection to a private network where they can successfully log in to a domain. When start before logon (SBL) is enabled on a Windows NT platform, the VPN Client tries to replace the standard Microsoft logon dialog box (the same one that appears after you press Ctrl+Alt+Del when booting your PC, called a GINA). The name of the Microsoft GINA is msgina.dll and you can find it in the registry at the location:
The VPN Client replaces the msgina.dll with the VPN Client's GINA (csgina.dll), and then points to it so that you can still see and use the MS GINA. When you start your PC and press Ctrl+Alt+Del, you are launching the VPN Client Dialer application and the MS logon dialog box. The VPN Client detects whether the necessary Windows services are running and if not, displays a message asking you to wait.
If you look in the VPN Client registry, you see the following parameters and values:
Note: When you enable start before logon for the first time, you must reboot for the system to load csgina.
In some cases a third-party program replaces the MS GINA, and in some of these cases the VPN Client works with the third-party program, while in other cases, it does not. The VPN Client maintains a list of incompatible GINAs that it does not work with, and does not replace the GINA file in use. This is called fallback mode. The list of incompatible GINAs resides in the vpnclient.ini file, and the VPN Client refers to the list only during installation. The following entry is an example.
In fallback mode, the VPN Client performs differently when start before logon is in use. Instead of loading when you press Ctrl+Alt+Del, the VPN Dialer loads as soon as the VPN service starts. When operating in fallback mode, the VPN Client does not check to see if the necessary Windows services have started. As a result, the VPN connection could fail if initiated too quickly. In fallback mode, when the VPN connection succeeds, you then press Ctrl+Alt+Del to get to the Microsoft logon dialog box. In this mode, you see the following VPN Client registry parameters and values:
If a new problem GINA is discovered after the VPN Client is released, you can add the GINA to the incompatible GINA list in the vpnclient.ini file. Adding the GINA to this list places it in the IncompatibleGinas list in the registry when you install the VPN Client and puts the VPN Client into fallback mode, thus avoiding possible conflicts (see section "oem.ini File Keywords and Values").
This section contains information to aid a programmer in writing programs that perform routine tasks.
As part of a program, you might want to test a connection to see if it is active before performing the tasks that are the purpose of the program. To test the connection, you can poll the TunnelEstablished entry in the HKEY_LOCAL_MACHINE registry. To see this entry, bring up the Registry Editor and go to SOFTWARE > Cisco Systems > VPN Client. (See Figure 6-4.) In the list of entries, you see TunnelEstablished. This entry can have only two values: 1 or 0. If the connection is working, the value is 1; if not, the value is 0.
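The polling described above, as an added Python example that is not part of the original guide: it reads TunnelEstablished, waits with a timeout, and fails closed so that a missing key, an unreadable value, or anything other than 1 counts as "no tunnel". The function names and the injectable `reader`, `sleep`, and `clock` parameters are assumptions of this example, and because the page does not state the value's registry type, both the integer 1 and the string "1" are accepted.

```python
import time

# Registry location and value name as given in the text above.
KEY_PATH = r"SOFTWARE\Cisco Systems\VPN Client"
VALUE_NAME = "TunnelEstablished"


def read_tunnel_flag():
    """Read TunnelEstablished from HKEY_LOCAL_MACHINE (Windows only)."""
    import winreg  # lazy import so the module also loads off Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        value, _type = winreg.QueryValueEx(key, VALUE_NAME)
    return value


def tunnel_is_up(reader=read_tunnel_flag):
    """True only when the entry reads 1; every other outcome fails closed."""
    try:
        raw = reader()
    except (OSError, ImportError):
        # Key or value missing, access denied, or not on Windows.
        return False
    # Assumption: the registry type is not stated, so accept 1 or "1".
    return str(raw).strip() == "1"


def wait_for_tunnel(timeout=30.0, interval=1.0, reader=read_tunnel_flag,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll until the tunnel is reported up or the timeout expires."""
    deadline = clock() + timeout
    while not tunnel_is_up(reader):
        if clock() >= deadline:
            return False
        sleep(interval)
    return True


def run_over_tunnel(task, **wait_kwargs):
    """Run task() only once the tunnel is up; otherwise refuse to run it."""
    if not wait_for_tunnel(**wait_kwargs):
        raise RuntimeError("VPN tunnel not established; task not run")
    return task()
```

A task that moves sensitive data should call `tunnel_is_up()` again between long-running steps, since the entry can return to 0 after the initial wait succeeds.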
The ipsecdialer command starts a connect from the command line by bringing up the VPN Client GUI application. You can use switches to specify parameters with this command. Table 6-2 lists the switches you can include in the ipsecdialer command and describes the task that each switch performs.
Table 6-2 Command Line Switches
Table 6-3 lists the IKE proposals that the VPN Client supports.
Table 6-3 Valid VPN Client IKE Proposals
Proposal Name | Authentication Mode | Authentication Algorithm | Encryption Algorithm | Diffie-Hellman Group |
---|---|---|---|---|
Table 6-4 lists phase 2 proposals that the VPN Client sends.
Posted: Mon Jun 30 14:16:45 PDT 2003
All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights reserved.