This document addresses frequently asked questions about the Cisco VPN 5000 Series Concentrator and the Cisco VPN 5000 Client.
For more information on document conventions, see the Cisco Technical Tips Conventions.
A. This error occurs anytime the VPN Client cannot be binded, or the necessary VPN services are not accessible. The VPN 5000 Client for Windows XP includes a setup program that automatically launches a program to install the network driver. If the program fails for any reason, use this procedure to manually install the network driver.
- Install the VPN Client software using the Installing the VPN Client for Windows XP section.
- Log into the system as the administrator, or as a user with administrator privileges.
- Select Start > Settings > Network and Internet Connections > Network Connections.
- Double-click the appropriate Local Area Connection.
- Click Properties.
- Click Install.
- Select Service.
- Click Add.
- Click Have Disk.
- Enter the path to the folder in which the netcs.inf, netcs_m.inf, and step.sys files reside. In most cases, this is the same folder as the VPN Client install file.
- Click OK to install the driver.
- After the driver is installed, close the Network and Dial-up Connections window.
- Reboot your computer.
A. The VPN 5000 Concentrator has not been tested with anything beyond Macintosh Operating System (OS) 10.1.5. No support can be claimed for the Panther release. It has never been looked at in the context of the VPN 5000 Concentrator, only for that of the Cisco VPN Client. If later OS support is needed, consider moving to the Cisco VPN Client. Additionally, the Native VPN Client in 10.3 is IPSec over Layer 2 Tunneling Protocol (L2TP), which is not supported in the VPN 5000 Concentrator.
A. As stated in the Release Notes for the Cisco VPN 5000 Client Version 5.2.3 for Macintosh Operating System (OS) X, the Cisco VPN 5000 Client is supported up to version 10.1.x. It is not supported on version 10.3. It is possible, however, to make the VPN Client work. Reset the permissions on two of the installed files after you run the install script. This output is an example.
Note: This configuration is not supported by Cisco.
sudo chown -R root:wheel /System/Library/Extensions/VPN5000.kext sudo chmod -R go-w /System/Library/Extensions/VPN5000.kext
A. The typical reason this happens is because of a partial, incorrect, or missing installation of the Registration, Admission, and Status Protocol (RAS) on the system. Instead of performing a reinstall on the VPN Client, try to uninstall and reinstall Windows RAS.
A. This is a Macintosh Operating System (OS) error message that occurs when the VPN 5000 Client version 10.0 is installed on the Macintosh OS 10.1, which is not yet supported. The error is indicative of a kernel mismatch. Refer to the Bug Toolkit ( registered customers only) to look up more information on Cisco bug ID CSCdv57716. This is a sample of the error:
A. This list explains their meanings:
Error 0—This error occurs when no Internet Key Exchange (IKE) Policy section has been configured for the VPN 5000 Concentrator, or if an IKE configuration has not been configured for that VPN Group configuration.
Error 4—No VPN resources are available on the VPN 5000 Concentrator. This means that the VPN 5000 Concentrator has reached the maximum connections for this group. It can also mean that the configuration contains a LocalIPNet with an improper syntax such as "LocalIPNet=204.144.171.64" (there should be a /26 or another mask defined).
Error 6—If the VPN 5000 Concentrator was configured for a user name "Bob" and the user puts in "bob" (with the correct password), then the VPN 5000 Concentrator returns a VPN Server Error 6. If the user puts in "Bob" and the wrong password, then the VPN 5000 Concentrator also returns an Error 6. If the VPN 5000 Concentrator runs DES code and tries to use a 3DES Transform, such as ESP (MD5, 3DES), then Error 6 is returned to the VPN 5000 Client. Non-export code (3DES) has a "US" after it (for example, version 5.0US), and it is able to use 3DES encryption methods. All Cisco VPN 5000 Concentrators are shipped with DES code. Delete the 3DES Transform and use another if you only use DES code.
Error 7—This error means that your VPN 5000 Concentrator is configured with an IKE Policy that is currently inactive for the code version. Currently, for version 5.x code, all 3DES and G2 policies are inactive. Remove those and set the IKE Policy to either MD5_DES_G1 or SHA_DES_G1.
Error 14—This is a RADIUS error where the VPN 5000 Concentrator does not receive the correct information from the RADIUS server to allow the VPN 5000 Client to log in.
Affected Products:
Windows 95-98 VPN Client for the Cisco VPN 5000 Concentrator Series
Windows NT 4.0 VPN Client for the Cisco VPN 5000 Concentrator Series
Macintosh Operating System (OS) VPN Client for the Cisco VPN 5000 Concentrator Series
Linux Kernel 2.2.5 VPN Client for the Cisco VPN 5000 Concentrator Series
SPARC Solaris VPN Client for the Cisco VPN 5000 Concentrator Series
Cisco VPN 5001 Concentrator
Cisco VPN 5002 Concentrator
Cisco VPN 5008 Concentrator
Affected Versions:
All 5.x versions
A. Linksys® routers support IPSec connections only on firmware versions 1.34 or later (1.39 is the latest version). The IPSec pass through should be enabled on the Linksys® router.
A. The user name and domain are case sensitive and can be between 1 and 60 alphanumeric characters combined. This includes the "at" sign (@). Refer to VPN Users for more details.
This user name is illegal (the "-" character is invalid):
[ VPN Users ] user-2 Config="test" SharedKey="cisco"
A. It is always recommended that you use RADIUS or Secure ID (SDI) authentication for large implementations. The number of internal users are subject to the size of your configuration. The maximum configuration size is 65,500 bytes. In order to see this, review the last line of the show configuration command output. For example:
Configuration size is 6732 out of 65500 bytes.
A. The VPN 5001 Concentrator can support up to 1,500 tunnels, the VPN 5002 Concentrator can support up to 10,000 tunnels, and the VPN 5008 Concentrator can support up to 40,000 tunnels per line card.
A. The modinfo command displays what and how many modules are loaded. The dmesg command displays bootup syslog messages.
A. At installation, these files are created, or placed on your system:
/etc/vpn_config—It is recommended that you keep this one because it is the VPN 5000 Client configuration.
/etc/rc.d/init.d/vpn—This is the boot-time script that loads the "vpnmod" kernel module.
/etc/rc.d/rc3.d/s85.vpn—This is a link to /etc/rc.d/init.d/vpn.
/etc/rc.d/rc5.d/s85.vpn—This is a link to /etc/rc.d/init.d/vpn.
/usr/local/bin/open_tunnel—This opens the tunnel connection.
/usr/local/bin/close_tunnel—This closes the tunnel.
/usr/local/bin/vpn_control—This is a troubleshooting tool used to turn on debug flags. It is mostly used in development.
/lib/modules/<kernelversion>/COMPvpn/vpnmod—This is the kernel module. Execute the uname -r command to determine the <kernelversion>.
If you delete these files, then reboot, you effectively uninstall your client. Alternatively, you can run /usr/local/bin/close_tunnel and /etc/rc.d/init.d/vpnstop, and then delete the above files.
The /etc/vpn_config file is the client configuration. It contains the server, user name, and password information. If you plan to reinstall the VPN Client, it is recommended that you keep a copy of this file.
A. Cisco VPN Client version 4.0 and later can coexist. Refer to the Coexistence with Third-Party VPN Vendors section of the Release Notes for VPN Client, Release 4.0.
A. No, but there is a 3DES version available.
A. If the Over Temp LED on an Extended Services Processor (ESP) card in the VPN 5002 Concentrator is lit, or if there are other temperature problems with the unit, it can be that the built-in air filter is clogged with dirt and impeding air flow. In order to replace the air filter, consult Replacing the Air Filter for further instructions.
A. No, they cannot be supported because the IP address is embedded in the data portion of the packet. The VPN 5000 Client cannot access or modify this address.
A. This problem is usually solved by setting "keymanage=reliable"" on the VPN 5000 Concentrator configuration. However, it does not work when the Cisco IOS device has a dynamic IP address.
A. The fake TCP (fTCP) message appears when the VPN Concentrator receives a packet with port 80, and after removing the headers, has not found an ESP packet. The VPN Concentrator only takes IPSec (ESP) packets and anything else is dropped. When the Code Red worm was released on the Internet, this warning filled up the syslog buffer on many customer machines. This error message can indicate that your machine is infected and is trying to access the VPN 5000 Concentrator, via port fTCP.