Cisco vpn client for windows 98
All sustaining and build releases are cumulative, and not all build numbers will be released externally. These release notes specify which build numbers have been released. These release notes refer to the VPN Client 4. Distributions like RedHat 9 and SuSe 9 comply with these requirements. Do not use this version with dual processor platforms running Mac OS X Dual processor platforms running Mac OS X Eliminating the pop-up prompts means that the user does not have the option to suspend the service, because suspending might bypass their security.
The Virtual Adapter was introduced with the 4. This firewall blocks all traffic on eth0, except for tunneled traffic. Group Authentication is a method that uses pre-shared keys for mutual authentication. This is a symmetrical form of authentication since both sides use the same authentication method during their negotiations. Mutual group authentication is asymmetrical in that each side uses a different method to authenticate the other while establishing a secure tunnel to form the basis for group authentication.
In this method, authentication happens in two stages. During the first stage, the VPN central-site device authenticates itself using public-key techniques (digital signature), and the two sides negotiate to establish a secure channel for communication. Since this approach does not use pre-shared keys for peer authentication, it provides greater security than group authentication alone, as it is not vulnerable to a man-in-the-middle attack.
To use mutual group authentication, the remote user's VPN Client system must have a root certificate installed. If needed, you can install a root certificate automatically by placing it on the VPN Client system during installation. The certificate must be in a file named rootcert, with no extension, and must be placed in the installation directory for the remote user's VPN Client system.
In an automatic update, the VPN Client downloads a new version of the software and installs all related components automatically for users.
This feature also allows the administrator to distribute and update profiles automatically. For the initial release, the update Otherwise, the update file adds no value to users installing the initial version 4. During mode config, the VPN Client negotiates a new mode config attribute to determine whether to change the value of a user's browser proxy setting. This feature is being implemented for Windows all platforms only and for Internet Explorer only. The settings are on the Client Config tab of Group configuration.
After disconnecting, proxy settings are restored to what they were before the VPN connection was established. If a workstation is improperly shut down or rebooted while a VPN connection is established, proxy settings will be restored on boot-up.
To obtain documentation, a sample program, or help for the use of the API please send mail to vpn-client-api-support cisco. Connect on open lets a user connect to the default user profile when starting the VPN Client.
This feature is implemented on all platforms except Linux and Solaris. This feature is implemented on all Windows platforms. The maximum pre-shared key length for the VPN Client is now characters. The previous limit was 32 characters. The increased key size works only with central-site devices that support characters (for example, an ASA device).
If the central-site device does not support characters (for example, a VPN Concentrator), you would receive the same log messages as if the pre-shared key were wrong.
The log messages are as follows:. Note These log messages might change in the future. Rebranded splash-screen graphics must now be at least pixels wide to accommodate the box that displays the status text.
There must be a full-width blank area at the bottom of the graphic at least 36 pixels in height. Once you have done this forward the account ID to the vpn-client-api-support cisco. All API commands require that the 4. If you are planning on using C, we recommend you call the vpnapi. The example is compatible with Visual Studio This section lists issues to consider before installing Release 4. In addition, you should be aware of the open caveats regarding this release. Refer to "Open Caveats" on page 36 of these Release Notes for the list of known problems.
You might encounter the following compatibility issues when using the VPN Client with specific applications. Whenever possible, this list describes the circumstances under which an issue might occur and workarounds for potential problems.
VPN Client Releases 3. The following known issues might occur with the indicated Microsoft Windows operating systems and applications software. Note Do not upgrade to Release 4.
For static configurations, users must manually configure the adapters with WINS information. The VPN Client does not see a dialup connection made with Microsoft Connection Manager because of incompatibilities between the requirements of the two applications.
Wait a minute. If the PC is still not responding, press the reset button. When the PC reboots, it should not run through ScanDisk, indicating the shutdown was successful in closing all open files.
This problem may occur on some PCs and not on others, and we are looking for a solution. Windows 98 shutdown has numerous issues, as can be seen in the following Microsoft Knowledge Base Article:. The login prompt that is posted by the Aladdin etoken when connecting the VPN Client can get hidden in the background. If this happens, the VPN connection can time out and fail with the following event:.
A side effect of this is that the VPN Client's service and dialer might become out of synch, and the PC might need to be restarted. To work around this problem, do one of the following:. If you are having problems, check your network properties and remove the WINS entries if they are not correct for your network. However, it does not conflict with an installed Token Ring interface. This is a mandatory step for making a connection requiring BlackICE.
BlackICE Defender version 2. Run Microsoft Outlook and set it as the default mail client. This message does not affect operation of the VPN Client. The issue occurs when Microsoft Outlook is installed but not configured for email, although it is the default mail client. It is caused by a Registry Key that is set when the user installs Outlook. VPN Encapsulation adds to the overall message length. The default MTU adjusted value is for all adapters.
If the default adjustments are not sufficient, you may experience problems sending and receiving data. To avoid fragmented packets, you can change the MTU size, usually to a lower value than the default. Refer to the following table for the specific procedures for each type of connection. The MTU is the largest number of bytes a frame can carry, not counting the frame's header and trailer.
A frame is a single unit of transportation on the Data Link Layer. It consists of header data, plus data that was passed down from the Network Layer, plus sometimes trailer data. An Ethernet frame has an MTU of bytes, but the actual size of the frame can be up to bytes byte header, 4-byte CRC trailer.
Common failure indications include the following:. If you are not experiencing a problem, do not change the MTU value. Usually, an MTU value of works. Decrement the MaxFrameSize value by 50 or until it works. The following table shows how to set the MTU value for each type of connection. The Network window opens. Change the value here. The value varies from case to case. The range can be from to The Network and Dial-Up Connections window opens.
WinPoet does not provide a user interface to control the MTU size, but you can control it by explicitly setting the following registry key:. The GUID and adapter number can vary on different systems. Browse through the registry, looking for the MaxFrameSize value. Version 2. Nexland has fixed this problem in the Nexland Pro series of routers. This will not cause any problems and can be ignored. AOL Version 6. AOL Version 7.
This requires the use of split tunneling to support the polling mechanism. Without split tunneling, AOL disconnects after a period of time between 5 and 30 minutes. When making a dialup connection with AOL 7. The AOL dialup process uses a fallback method which, if your initial attempt to connect fails, resorts to a different connection type for the second attempt. When this happens, the VPN Client cannot connect.
This is a known issue, and AOL is investigating the problem. The workaround is to try to reconnect the dialup connection to try to avoid getting two PPP adapters. The following known issues might occur when using the VPN Client with the indicated browser software. This can occur with Internet Explorer 4.
Both the VPN Client and the Certificate Manager can see and validate the Certificate, but when you try to connect using that Certificate, you get a message in the Connection History dialog that says, "Failed to establish a secure connection to the security gateway". This delay varies, depending on your Entrust CA configuration. If you experience this delay, do one of the following:. The easiest way to log out of Entrust is to right-click on the Entrust tray icon gold key and select "Log out of Entrust.
It is really logged in, just not in the normal Windows desktop. The reason for this is that the context that Entrust was logged into was on the "Logon desktop". It may appear this way even after the Entrust client has successfully communicated with the Entrust i directory. To work around this issue, do one of the following:. This manually puts Entrust online. When using the Release 3. Upgrading to Entrust Entelligence 5. The first time the VPN Client dialer and service access the Entrust certificates, it prompts for a security check.
This prompt displays in Windows, but not at the logon screen. Once you have done this you can use it at the logon desktop. Other Entrust Entelligence operations using older versions work properly. The Glossary button at the top of all Help screens tries to contact univercd at www. This connection requires connectivity to Cisco's main web site.
If your PC does not have a corporate Internet connection or your firewall blocks access, the following error appears when you attempt to access the Glossary:. You will need to restart the program. EXE, generated an application error. The result of this error is that the ZoneAlarm GUI does not run, and therefore a user cannot change any settings in ZoneAlarm Plus or allow new programs to access the Internet.
Additionally, the VPN Concentrator's address is automatically added to the "Trusted Zone" when a connection is made. Upgrading ZoneAlarm Pro version 3. Linux users running 2. This message indicates that the VPN Client kernel module is not licensed under the GPL, so the Linux kernel developers will not debug any kernel problems that occur while this kernel module is loaded. This message does not affect the operation of the VPN Client in any way.
In a Windows or Windows XP environment, if the public network matches the private network for example, a public IP address of The same problem can occur if you are using a virtual adapter and the public metric is smaller than the virtual adapter metric.
In Windows and Windows XP, you can increase the metric of the public network by doing the following steps:. Step 2 Select the public interface and click properties for the public interface. Step 4 Click Advanced, and set the interface metric to 2 or greater. When a VPN connection is up, data meant for the private network stays local. For example: In some cases, it is impossible for the VPN Client to make this modification.
To work around this problem, make the change manually, using the following procedure:. Step 2 Right-click on the adapter in question and select Properties. Step 4 Click Advanced and increase the number in the "Interface metric" box by 1 (it is usually 1, so making it 2 works). Step 5 Click OK to exit out of all dialogs. Step 6 The VPN connection should now work. The supported version of Sygate Personal Firewall is version 5. We recommend updating your operating system to a newer version of Windows.
There is no limit to the size of the log when logging is enabled. The file will continue to grow in size until logging is disabled or the VPN Client program is closed. The log is still available for viewing until the VPN Client program is re-launched, at which time the display on the log tab and log window are cleared. The log file remains on the system and a new log file is created when the VPN Client, with logging enabled, is launched.
If your certificate has private key protection enabled, every time you use the certificate keys you are either prompted for a password to access the key, or notified with a dialog and asked to click OK. The prompt displayed when using a certificate with private key protection appears on the Windows Desktop.
You do not see this message while at the "Logon" desktop, therefore the VPN Client cannot gain the access to the certificate needed to connect. The reason for this is that the file csgina. If the VPN Client is downgraded to version 3. Follow this procedure to drop back to the VPN Client version 3. Step 2 After rebooting, search for csgina. This file is found in the System32 directory.
Step 3 Rename csgina. The Certificates need not be present on the Smart Card itself. To configure this feature, add the following line to the user's client profile, specifying the appropriate vendor for your Smart Card:. If you are using pre-shared keys instead of Certificates, this requirement is not enforced, even if configured. It produces an error if it fails to do so. Since Release 4. C, the VPN Client GUI connection history dialog box displays as the first entry the name of the certificate used for establishing the connection.
Versions of the Zone Labs Integrity Server earlier than 2. On the Integrity Flex client agent , under "Policies", the "Integrity Server" column flashes "Connected" then "Disconnected" over and over. The instruction at "0xca" referenced memory at "0x". The memory could not be "read". This error is caused by an InstallShield component, possibly because of a run-once stale remnant.
To recover, you must reboot. The InstallShield Knowledge base article q addresses this problem. To view this article go to the following URL:. Microsoft has a fix for this issue. For more information and to obtain the fix, go to the following URL:. To do this, you must be administrator. Follow these steps:. Step 2 Select the Local Area Connection you use. Caveats describe unexpected behavior or defects in Cisco software releases. The following lists are sorted by identifier number. Disconnecting and reconnecting may fix the problem.
But it did locate the adapter for complete pc management NIC adapter - Deterministic Network Enhancer Miniport adapter through which your network server is reachable. Do you want to switch to this adapter?
Answer Yes every time this question appears. The installation then continues normally. But it did locate the adapter through which your network server is reachable. Do you want to switch? Yes No". This could be an issue with other legacy NIC cards as well. Troubleshooting Browsing with Client for Microsoft Networks. Default Node Type for Microsoft Clients. Double-click on the Network Neighborhood icon. Check that some or all network resources and PCs are shown.
For Windows 9x and ME clients , verify that the network client is loaded. This is not supported on XP Home. Do you see any log in failure event messages on your domain controller when you turn on audit trails?
Right-click on Network Neighborhood. Select Properties. Install these features if they are not already installed. Restart the computer if you are prompted to do so. It prompts you to log on to the domain when you boot up your machine. If you try to establish a connection from a remote site without access to the domain (in other words, you are not on the internal network), you get an error message which indicates that "No Domain Controller could be found."
Instead, you are able to continue with a secure link. Map a drive if you have not done so to log on to the domain. Double-click on the mapped drive to get the password prompt so that you can log on to the network. Check the networking properties on the machine to ensure that the PC has been configured with the correct domain name, and so on. Note: If you want to run logon scripts through the NT machine, enable the Enable start before logon feature in the client.
By default, these features are not enabled. However, they are required to run Microsoft services. Note If you disable, then re-enable Start before Logon, this entry is added again and must be removed. The only indication you have is in the log file. A message does appear if you are using the VPN Client command line - vpnclient. Additionally, the following error appears after about two minutes:. You can not connect to the remote VPN server. Step 2 Click on the "Programs" Tab.
Click under "Trusted" and select "Allow". Step 4 Reboot the PC. Step 5 When the PC boots back up, the client will launch normally. If the ipseclog is running before the GUI client starts, the application quits. If the ipseclog is running manually in a terminal window, terminate the log using ctrl-c. If the GUI client had logging enabled and it quit unexpectedly for any reason, the ipseclog might still be running.
In this case, open a terminal window and use "sudo killall -9 ipseclog" to terminate the process. The following Notification might occur if the Cisco Systems Integrated Client is required to make a connection.
Cisco Systems Integrated Client should be enabled or installed on your computer. When this occurs, the connection is not allowed. If this Notification appears, click Close and attempt to reconnect. If this second attempt to connect fails, reboot the PC. The connection should succeed at this point.
This problem has two facets. This problem might occur if the VPN Client logging has been enabled, disabled, or cleared. After the user enters the username and password, the VPN Client machine might go blank for a moment and then continue.
This behavior has not shown any negative effect on the tunnel connection or the user's ability to use the PC. Using the 4. Workaround :. The drawback of this is that if the ISP changes their DNS server addresses, the user must find out the hard way and hard code these new addresses once more. The PKCS 10 thumbprint for the certificate request is missing on 4. This command should return the state of the firewall at all times, not just when the VPN Client is connected. After connecting, a "classfull" route is installed in the routing table, due to not receiving a subnet mask.
The VPN4. Then the central-site Concentrator sends back a delete notification, which the client ignores because the SPI doesn't actually exist in the VPN Client. This does not affect any functions. I play around all the settings including "check uncheck CA chain" on the Client end, as well as the Concentrator end, "Certificate Group Matching", IKE group 1 or group2, no matter what I do, it does not work. Using VPN Client version is 4.
When installing a customized VPN Client InstallPath, a pop-up box appears during the installation with the following message:.
NetBIOS packets fail to be encrypted. Windows VPN Client version 4. The following error results:. E and higher no longer supports Mac OS X VPN Client Release 4. C is the last released client compatible with Mac OS X Terminating the cvpnd or vpnclient process causes the VPN Client to claim that it is already connected.
You should terminate the VPN Client connection only by using the vpnclient disconnect command. Terminate any residual vpnclient and cvpnd processes that might still be running. When attempting to tab through the options of a new profile, the Mutual Group Authentication button is never highlighted. It should be highlighted right after the Group Authentication button.
On a Linux multiprocessor kernel the VPN Client seems to pass traffic much slower than on a single processor kernel with the same hardware. In order to work with an SMP kernel the VPN Client was modified in such a way that the performance is lower than the same client run with a single processor kernel. VPN client fails to connect to Virtual Cluster master real address. Client Firewall is enabled. The delay is introduced, because VPN-client drops A-queries with split-dns suffix aa.
Problem after receiving a Novell log message using Internet Explorer browser proxy. Using the Windows 4. The last log message from the client is "Novell not installed.
Entrust certificates that do not expire until do not work with the VPN Client; it shows the expiry date as To fix this, the VPN Client needs to support bit time fields.
We have reproduced this in our lab using latest VPN client 4. After making a VPN Client connection with split tunneling, traffic to a local NFS server that bypasses the tunnel does not work properly. Files may be put onto the server while the tunnel is up, but getting files from the server fails with the following ipsec log message:. VPN Client version 3. Use smaller certs, don't send chain, install needed certs on both ends if possible. A VPN Client using large certs bit keys and sending the cert chain fails to connect under the following conditions: connecting into a VPN Concentrator using a bit cert and with send chain configured.
When using "start before login", the Cancel connect button does not work. When connecting a Windows VPN Client, the pushed browser proxy settings are not applied when working under the following conditions.
Avoid using Fast User Switching or stop the cvpnd service before leaving the previous user:. A chained Identity Cert is in use on the Concentrator. Only XP and dialup exhibit the issue. The following program error with dr.
Enable KeepAlives on the Concentrator with the default 30 second interval, lengthen the period of the IPSec rekey, or disable the built in XP firewall. This is the default for the VPN Concentrator. Alternatively, configure the Windows XP Firewall to allow traffic from port Running VPN-Client in a windows environment in combination with NAC, although start-before-logon is configured, logon-scripts might fail. SSH, telnet, ping, http This effectively cuts off all other communications to the DHCP server.
Use split tunnels and exclude the DHCP server's address from being tunneled. This allows all traffic to the local DHCP server to be bypassed. While using the Linux bit capable client, the following error appears when a connection attempt occurs:. This usually appears when a VPN Client has been disconnected and reconnected quickly, without enough time for the Client to properly shut down. When running Integrity Desktop v5.
In rare situations, the GUI stops responding. Wireless connectivity is lost and immediately regained. VPN service is properly disconnected before the system goes into standby mode. This happens if the VPN Client is not properly disconnected before being put to sleep or location switched. Once the MTU has dropped, it can be reset with the following command or a reboot:.
On a Mac This happens only on OS X Put in any DNS or search list to allow the pushed information to be populated. This "may" only be an ICMP issue. Apple no longer supports classic on OS X All of the profiles contain only the following after this occurs:. When trying to change from Wi-Fi connection to the Wireless connection and vice versa, the operating system crashes. The user receives the error message, "unexpected kernel mode trap" and must restart the host.
This does not happen if VPN Client is not installed. Disable the current connection type first, then enable the second one and restart the host.
Pings whose IP size is less than or equal to bytes are successful and without fragmentation; pings whose IP size is within the range bytes through bytes are successful, but the Windows system fragments all outgoing packets. Pings whose IP size is greater than or equal to bytes are unsuccessful.
This problem occurs when the machine running the VPN Client is located in a network that overlaps with the private network that the VPN client is trying to access. As an example, if the machine running the VPN client obtains the address This scenario is possible in places like hotels that offer high-speed Internet access, especially if the hotel chooses to use a big IP network for its internal network; for example, When using tunnel-default-gateway, VPN Client to Client communication does not work unless the packet is first sent from the client that connected first to the client that connected afterwards.
When an MSI installation is automated through Active Directory, the software gets installed in a system context and the virtual adapter MTU is not set. When using the Server version of OS X It is similar to an OS X Now the Server version on OS X OS X versions lower than Need to document a new feature that allows the installation of the Windows VPN Client without installing a new vsdata.
See the Documentation Changes for this documentation. When exporting certificates with the VPN Client from inside the Cisco store, the exported file isn't a pkcs 12 format but a proprietary one. This should be mentioned in documentation. Certificates are stored in the Cisco certificate store. Do not upgrade to releases 4. Enrollment requests generated by the VPN Client have an associated sha1 thumbprint. This thumbprint does not match that generated by an external authority openssl.
Split DNS works only when specific networks are tunneled, not excluded. Feature to add more than one domain to the VPN Client workstation search list during a connection. Currently, on the Client, the pushed Default Domain Name is added to the search list. Installing the VPN Client does not produce an install shield log file. When the customer tries to install another VPN Client, the installation hangs.
A VPN Client connection connects successfully and passes traffic but later dies due to a loss of connection with the gateway even when traffic was passing. If the workstation is on a network with more than one gateway, it could be receiving an ICMP redirect from the default gateway that is directing traffic for the Concentrator through a different gateway.
Unplugging the firewire resolves the issue. Create a custom web page and point the VPN Client at the online web page rather the Cisco help file using the 4.
The following keyword in the vpnclient. The value for vpnclient. The software license presented during client installation was not updated when the hardcopy software license was revised. Some terms of licensing have been changed. To enable logging, please allow IPSecLog process. Log messages do not show up till the log file is touched. This appears only when using the "vpnclient disconnect" CLI command and does properly disconnect the VPN Client without any adverse effects.
This appears only in kernel versions above 2. RedHat installs with this kernel size by default above 2. This happens under the following conditions:. If NAC was not enabled, uninstall goes smoothly. Reboot before uninstall or make sure no connection attempt was made to the VPN since last reboot. This workaround does not apply when using the AutoUpdate function, because the AutoUpdate starts the uninstall process right after disconnecting from VPN PPC platforms still work fine.
Using Mac OS X Note When enrolling online using the 4. The "chgrp" command, part of the "coreutils" package that ships with FC5 behaves in a different way from previous versions. When running chgrp to change the group ownership of a setuid file, the setuid flag is turned off during the process of setting the group ownership. The install script uses the chgrp command on this file after having first flipped on the setuid flag, turning it off again before completion.
This issue begins with the 4. The nslookup feature is not supported with Split DNS. After a vpn session is connected between 30 seconds and one hour, a blue screen of death occurs. The conditions are as follows:.
This does not occur with 4. The following sections list the caveats resolved in each release. For your convenience, resolved caveats are listed by operating system, with the most recent release first.
Within each grouping, resolved caveats are listed in ascending alphanumeric order. This occurs when Split Tunneling is in use. The Server edition does not respond to the same calls as the other Windows platforms and does not add the proper routing information for the Split Tunnels. Although the routes are not added to the routing table, they may be manually added using the "route add" syntax. Tunnel all does work properly. Unable to retrieve DNS parameters. Once the PC is in this condition, if we start the service manually using the CLI, it comes up; but if we stop it, leave the Service to start automatically, and reboot the PC, the Service never starts.
We see an event id The cvpnd service was successfully sent a stop control. Only domains matching the Split DNS list will be tunneled when the feature is properly configured. In the future, the Current Cisco VPN Client help files will be moved to an external web server and not installed on the workstation. This will cut down on the size of the installation. After completing an autoupdate which pushes a set of profiles to the VPN Client, the Client does not close, nor does it list the added profiles.
In addition, when you try to connect, nothing happens. To recover from this situation, you must close the GUI and reopen it. This then lists the added profiles, and connection works again. CLI was also devoid of these values. Searching the client log, I could not find any of the values for these fields with all log levels set to VPN Concentrator version was 4. C at first.