PDA

View Full Version : 11" Macbook Cisco VPN connection issue




bigslacker666
Jul 19, 2012, 10:17 AM
Hi all, hopefully someone can help me with this. I've got a new MBA I'm trying to get set up for business travel. Everything has gone well EXCEPT for my VPN connections. A little background:

MBA 11" running 10.7.4
Connecting to a Cisco VPN 3000 concentrator (stable and in use for years)
Using either the Cisco IPsec VPN client 4.9 (had to reboot in 32 bit mode) or the mac builtin client
Multiple devices on my home network can connect to this same VPN INCLUDING a 15" MBP with the builtin client (also running 10.7.4) and a windows 7 laptop.
Both devices above connect wirelessly which is how the MBA is connecting as well
The above means that we can probably isolate the issue to the MBA
I'm personally very familiar with IPsec (have a CCIE security and often work setting up corporate VPN. That doesn't mean I didn't make a stupid mistake, but I'm not shooting in the dark here at least)

Ok, so with that out of the way here is what happens. The error message is very vague, just saying "A configuration error has occured. Verify your settings and try reconnecting". A little googling led me to try connecting with the console open to see debugging. That didn't really give me much more info except the below. I can see that it resolves the DNS address for the VPN concentrator just fine. I can also see it starts Ike phase 1, however I don't know if it actually sent the initial proposal and it got rejected or if it simply "started" and didn't do anything.

7/19/12 8:00:20.223 AM configd: IPSec connecting to server x.x.x.x
7/19/12 8:00:20.223 AM configd: SCNC: start, triggered by SystemUIServer, type IPSec, status 0
7/19/12 8:00:20.278 AM configd: IPSec Phase1 starting.
7/19/12 8:00:30.280 AM configd: IPSec disconnecting from server x.x.x.x
7/19/12 8:00:30.287 AM racoon: IPSec disconnecting from server x.x.x.x

So, any help? Anywhere I can find additional logging info? I'm pretty stumped here as the settings are correct and work with another macbook running the same OS version, same client, same settings. I've already triple checked everything, deleted the connection and recreated multiple times, etc... Logging in the Cisco client gives a similar result.



bigslacker666
Jul 20, 2012, 09:33 AM
Just as an update, not that anyone replied but I still haven't solved the problem. I have narrowed it down though. I fired up wireshark and then tried to connect. I can see DNS lookup/resolution but then nothing. It's not even sending out a packet to the address of the VPN headend.

I did a little fooling around and if I type in *ANY* address within a large IP range (just short of a /8) which this address falls under there is no initial IKE packet sent. If I put in any other address outside this range, say google's 8.8.8.8 DNS server it DOES send out the initial IKE packet.

I want to be clear that this is a public IP address I'm trying to connect to, not an RFC 1918. I'm not running apple's firewall or any third party firewall.

Final odd note, I can ping or telnet to this address in terminal and I can browse to it in chrome. :eek:

I don't know enough about the underlying subsystems in macos is troubleshoot any further. I called apple support. After some initial stuff that didn't work it got escalated up and its now been sent from support to their engineering team. I'll update with a resolution of whatever sort I get.

bt22
Jul 20, 2012, 08:37 PM
I do not have anything to add here, except I am not able to get Cisco VPN client to work for me either. You have a lot more knowledge about this, but I am anxious to see if you get this resolved.

belvdr
Jul 21, 2012, 05:19 PM
The fact you have another machine running 10.7.4 that connects eliminates a bug in the OS.

I hate to say this, but have you tried wiping out your OS and trying the VPN from scratch?