System information
Release Notes for Cisco VPN 3000 Series Concentrator, Release 3.6 Through 3.6.8.B
OL-5637-02
Open Caveats for VPN 3000 Series Concentrator
• CSCea08995
A VPN 3000 Concentrator fails rekey with Microsoft's L2TP/IPSec client for Windows 95 or Windows 98 (OEM'd from SafeNet).
Note: This does not apply to the “native” MS L2TP/IPSec client, which is included with Win2000, XP, etc.
This was determined to be a bug in the Microsoft client. The Concentrator always initiates rekeys. When phase 1 rekeys, we send the first main mode packet to the MS client. The Microsoft client responds with a malformed main mode packet.
The final payload of the packet that Microsoft sends has its Next Payload field set to “vendor-id”, but no further payload is actually present in the packet. We reject the packet and therefore fail the rekey. This caveat is a placeholder to track the issue.
Workaround:
The only workaround currently is to increase the phase 1 rekey time(s) to a value that will not be reached. Because IKE negotiates the lower of the proposed rekey times, this requires a registry change on the client PC(s) as well as a change on the Concentrator.
The registry key is:
HKLM\Software\IRE\Safenet\Soft-PK\ACL\1\PH1PROPOSAL_xx, where “xx” is the number of the proposal. The default value of these keys is 28800 (seconds), or 8 hours. Change this value to one high enough that users will not reach it.
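The failure described above (a final payload whose Next Payload field claims a Vendor ID payload follows, with no bytes after it) is the kind of defect a strict payload-chain walk catches before any further IKE processing. The following is an added illustration, not Cisco code or the Concentrator's IKE implementation; the header and generic payload layouts follow RFC 2408, and the sample messages are constructed.

```python
import struct

ISAKMP_HDR_LEN = 28                   # RFC 2408 fixed header size
NP_NONE, NP_SA, NP_VID = 0, 1, 13     # Next Payload codes: none, SA, Vendor ID


def walk_payloads(msg):
    """Follow the ISAKMP Next Payload chain and return (payload_types, error).
    error is None only when the chain ends with Next Payload = 0 exactly at the
    end of the message; a payload announcing a successor that is not there (the
    caveat's dangling vendor-id case) is reported instead of being accepted."""
    if len(msg) < ISAKMP_HDR_LEN:
        return [], "truncated ISAKMP header"
    next_np = msg[16]                                  # header Next Payload
    total_len = struct.unpack("!I", msg[24:28])[0]     # header Length
    if total_len != len(msg):
        return [], "header length %d != %d bytes received" % (total_len, len(msg))
    seen, off = [], ISAKMP_HDR_LEN
    while next_np != NP_NONE:
        if off + 4 > len(msg):
            return seen, "Next Payload=%d announced but no payload follows" % next_np
        np_next, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            return seen, "payload length %d overruns message" % plen
        seen.append(next_np)
        next_np, off = np_next, off + plen
    if off != len(msg):
        return seen, "%d trailing bytes after final payload" % (len(msg) - off)
    return seen, None


def build_msg(payloads, last_np=NP_NONE):
    """Constructed main-mode message from (type, body) tuples; last_np is
    written into the final payload's Next Payload field (0 when well-formed)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        np = payloads[i + 1][0] if i + 1 < len(payloads) else last_np
        body += struct.pack("!BBH", np, 0, 4 + len(data)) + data
    first_np = payloads[0][0] if payloads else NP_NONE
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first_np,
                      0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))   # v1.0, main mode
    return hdr + body


# Constructed samples: a well-formed SA + Vendor ID chain, and the caveat's
# shape, where the last payload says "Vendor ID follows" but nothing does.
GOOD_MSG = build_msg([(NP_SA, b"\x00" * 8), (NP_VID, b"constructed-vid")])
BAD_MSG = build_msg([(NP_SA, b"\x00" * 8)], last_np=NP_VID)
```

`walk_payloads(GOOD_MSG)` returns `([1, 13], None)`, while `walk_payloads(BAD_MSG)` stops after the SA payload and reports the dangling Next Payload value of 13.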
• CSCea11658
After running for 2 weeks, the following message can appear on the Concentrator:
Concentrator memory resources are critical
It might fail, or you might have to reload the Concentrator manually to free the memory.
• CSCea21796
The VPN 3000 Concentrator transmits data beyond the negotiated maximum window size. If the session passes through a PIX edge firewall, the PIX shuts down the session when the window size is exceeded. This occurs only when the returning ACKs are delayed in transit.
The default window size for cTCP is 64K. The VPN Client and VPN 3002 Hardware Client both generate ACKs at 8K intervals to avoid window issues. In this case the delays in ACK transport are significant enough that the window size is exceeded.
• CSCea41370
When split tunneling is configured, Windows XP machines with the firewall enabled cannot pass VPN traffic to the central-site Concentrator, even though Internet traffic passes through.
The Internet Connection Firewall is incompatible because it blocks IPC communication from the VPN Client to the VPN Device Driver. The firewall log consistently shows UDP 62515 being blocked; this is the port used to establish the IPSec SA.
• CSCea48242
With a Release 3.6.3.C VPN Client connected to a Release 3.6.7.B VPN 3000 Concentrator, a static route pointing to the exit interface (Ethernet) does not route IPSec traffic to the connected VPN Clients, although it routes cleartext traffic without problems. The route has to point to an exit interface instead of a next-hop router.