Category Archives: VPN

Site to site VPN between Azure and Cisco ASA

Azure, wow, isn’t it amazing? IaaS has arrived, and you can do some pretty cool stuff with Azure without worrying about licensing or hardware, beyond the size and spec of your virtual machines in their data centres. But that’s just the bloody problem, isn’t it? It’s in their network, not yours! So you need to set up a site-to-site link between Azure and your local supported device.

Click here to view a list of supported devices and their configuration instructions. This will tell you which type of VPN your equipment supports, and which gateway type you should deploy in the Azure portal.

My local supported device is a Cisco ASA, which you will notice is only supported for policy-based, not route-based, VPN, so you need to start out right or you’re going to waste a lot of time deploying VPN gateways in Azure, which takes about 45 minutes. The instructions on GitHub are easy to follow and available here [.docx].

If you follow these instructions you will get going fairly quickly, but if you have multiple subnets that you want to allow to communicate with Azure you will have to make some modifications. For example, my protected wireless network should have access to Azure, because I’m going to put a domain controller on a virtual machine there to handle DHCP (not supported!), DNS and 802.1x authentication in a disaster recovery scenario.

You will need to modify your NAT like this.

First, create network objects for the local subnets that should reach your Azure networks:

config t
object network mgmtnet
 subnet 10.87.0.0 255.255.255.0
object network wirelessnet
 subnet 10.87.20.0 255.255.255.0

Then create the corresponding NAT exemption (identity NAT) rules, one per source interface:

nat (inside,outside) source static mgmtnet mgmtnet destination static AzureNetworks AzureNetworks
nat (Wireless,outside) source static wirelessnet wirelessnet destination static AzureNetworks AzureNetworks

Hope this saves you a little bit of time getting multiple subnets to work on your ASA-to-Azure VPN if you’re in a rush and follow the instructions a little blindly, but who does that? Not you!

Cisco VPN Client on Windows 10

OK, so I thought I was pretty lucky to install Windows 10 and have the only thing it broke be itself. It turns out I was not so lucky, and it has broken my Cisco VPN Client as well. I am now greeted with the pretty serious-looking message shown below, after what looks like the client trying to install itself again when I try to run it:

[Image: Cisco VPN Client install error dialog]

Error 27850. Unable to manage networking component. Operating system corruption may be preventing installation.

So Windows 10 is a corrupted operating system? Nice one – I just installed it and now it’s corrupt. Really??! No, but it was fun to procrastinate.

So, my first reaction was that something in the Windows 10 upgrade had changed the networking configuration, so we should let the client try to repair the install through the Programs and Features control panel. This (sort of expectedly) failed with the same error. But at least we tried it, right?

So let’s properly remove the client and do a full reinstall. Uninstalling the client was unnerving, which is not something I have ever felt when uninstalling an application! The Windows Installer progress bar loaded and exited without any prompts, and the client was removed from the list of installed applications. You can see an example of the Windows Installer progress bar above.

The software then failed to install with the same error message we’ve now seen twice. Frustrating? Just a little.

Let’s try DNE! OK, so some rebooting is involved here, unfortunately. It was also an enlightening experience thinking about my Windows 10 issues. When installing the client after performing the DNE update as per my earlier post, I got some installation problems relating to folder redirection, so I had to install the client using a local admin account. This sort of confirms my suspicion that folder redirection is causing issues with my machine; more investigation required on that one, I think. I’ll let you know.

Now, rather alarmingly, it seems that the client is on an official Windows 10 unsupported list, in that if you try to run the .exe to install the VPN client, you get directed to a Windows 10 incompatible-app page. Run the .msi instead and everything will be OK.

Back on track, and having now installed the software using the .msi and a local admin account (you will not need to do this if your machine is not domain joined), I have logged back on using my domain account and, hey presto, the client seems to be working. It loads without warning, anyway; it won’t connect though. The log reads “Failed to download keys. Error 433”. Bitch.

So, apparently installing another VPN client, the SonicWall 32-bit or 64-bit client, first and then installing the Cisco client prevents the problem from occurring. So here we go… again… uninstall the Cisco VPN client… and reboot… then uninstall the DNE Update. Then reboot and run winfix again. Reboot, then install SonicWall, then the Cisco VPN client; make sure you apply the registry fix if you get the “cannot enable virtual adapter” error, and away you go. In business… 2 hours later…

So, in summary:

1. Uninstall the Cisco VPN Client
2. Reboot
3. Uninstall the DNE Update
4. Reboot and run winfix again
5. Reboot
6. Install the SonicWall client (32-bit or 64-bit, to match your OS)
7. Install the Cisco VPN Client from the .msi (using a local admin account if your machine is domain joined)
8. Apply the registry fix if you get the “cannot enable virtual adapter” error

There you go, eight simple steps to get it working again. Simple when you know how.

And the cause? Well, Microsoft will update their operating systems from time to time, and Cisco want you to use AnyConnect now, so they haven’t supported this client for some time. This will get you running for now, but maybe it’s time to start thinking about a new platform?

The Cisco VPN Client used was vpnclient-winx64-msi-5.0.07.0440-k9

Let me know if this works for you, or if it doesn’t!

Cisco VPN won’t connect, error 442

Welcome to August. Let’s kick things off with a classic: this one’s really common, and it’s really super simple to fix. I’ve only seen it on 64-bit installations of the Cisco VPN client.

  • Open regedit
  • Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
  • There is a string value called DisplayName; right-click it and choose Modify
  • Remove @oemX.inf,%CVirtA_Desc%; from the start of the value. The value data should only contain Cisco Systems VPN Adapter for 64-bit Windows.
  • Reopen the VPN Client

Boom!

Hope this helps


UPDATE 20/7/16:

Also seen on Windows 10 32-bit, only the string is @oem25.inf,%CVirtA_Desc%;
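The registry edit above (and the same “cannot enable virtual adapter” fix referred to in the Windows 10 post) can be checked and applied without hand-editing in regedit. The script below is an added example, not part of the original post or of Cisco’s software: it reads the CVirtA DisplayName value, strips the @oem‹number›.inf,%CVirtA_Desc%; prefix whichever oem number is present (so it handles both the 64-bit case and the 32-bit @oem25 case), and only writes the change when run with -Fix from an elevated prompt, after exporting a .reg backup. The key path and prefix format are taken from the post; the function name, script name and backup location are my own choices.

```powershell
# Added example, not from the original post. Reports and optionally repairs the
# CVirtA service DisplayName prefix that causes Cisco VPN Client error 442 /
# "cannot enable virtual adapter". Run from an elevated PowerShell prompt with -Fix
# to apply; without -Fix it only reports what it would change.
[CmdletBinding()]
param(
    [switch]$Fix
)

# Registry path from the post (the Services key is not WOW64-redirected, so the
# same path applies on 32-bit and 64-bit Windows).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'

# Matches "@oem25.inf,%CVirtA_Desc%;" (32-bit) and any other oem number (64-bit).
$PrefixPattern = '^@oem\d+\.inf,%CVirtA_Desc%;'

function Get-CleanDisplayName {
    # Pure helper: returns the DisplayName with the offending prefix stripped,
    # or the input unchanged when no prefix is present.
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -replace $PrefixPattern, '')
}

$item    = Get-ItemProperty -Path $KeyPath -Name DisplayName -ErrorAction Stop
$current = $item.DisplayName
$clean   = Get-CleanDisplayName -Value $current

if ($current -eq $clean) {
    Write-Output "DisplayName is already clean: '$current'"
    return
}

Write-Output "Found prefixed DisplayName: '$current'"
Write-Output "Expected value:             '$clean'"

if (-not $Fix) {
    Write-Output 'Re-run with -Fix to apply the change.'
    return
}

# Refuse to touch HKLM unless elevated, and keep a .reg backup so the change is reversible.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Editing HKLM requires an elevated (Run as administrator) PowerShell session.'
}

$backup = Join-Path $env:TEMP ('CVirtA-DisplayName-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CVirtA' $backup /y | Out-Null
Write-Output "Backup written to $backup"

Set-ItemProperty -Path $KeyPath -Name DisplayName -Value $clean
Write-Output 'DisplayName updated. Reopen the VPN Client.'
```

Save it as, say, Repair-CVirtA.ps1 (hypothetical name), run it once with no arguments to see the current and expected values, then run `.\Repair-CVirtA.ps1 -Fix` from an elevated prompt. If anything goes wrong, the exported .reg file in %TEMP% restores the original key.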

VPN connects but no traffic passes

OK, let’s start this off with a fairly uncommon problem that allows a VPN to connect but does not pass any traffic. The VPN profile and account are tested on another machine and found to be working, so the problem is (gasp!)… the client machine!

You can verify this problem by noticing an ‘error with call to iphlpapi.dll’ in the Cisco client logs (you may need to enable them on the Log tab of the client).

The rather irritating resolution to this is:

1. Remove the Cisco VPN Client
2. Reboot
3. Download ftp://files.citrix.com/winfix.exe and run it
4. Reboot again!
5. Download ftp://files.citrix.com/dneupdate.msi for 32-bit or ftp://files.citrix.com/dneupdate64.msi for 64-bit, and run the relevant file
6. Reboot
7. Reinstall the VPN Client
8. Reboot
9. The Cisco VPN client should now connect and allow traffic to pass

This seems to be a problem with DNE (Citrix’s Deterministic Network Enhancer), which appears to do some pretty important things with VPN traffic; more information on it is available here: https://www.citrix.com/go/lp/dne.html

I hope this saves you time, and stress, in the future.


Update:

I have seen this resolve problems in similar circumstances with WatchGuard as well as Cisco ASA (5505 or 5510) VPNs, only they actually don’t seem to connect at all. I haven’t seen the error message, but if I find it I’ll put it here. Thanks to “The other Martin” for the tip.