Troubleshooting Cisco VPN

This is a DRAFT document and may contain errors.  It is provided as a short-term troubleshooting resource for DSL customers who are having difficulty using the Cisco VPN client.

These suggestions are in no particular order, and are numbered only for easier reference.

1.   SciFinder users: use a “VPN – Library” certificate.
The instructions at http://www.cmu.edu/computing/documentation/VPN/vpn_client.html#step2 describe two different networks that a certificate can be registered under: “VPN – General Users” and “VPN – Library”.  The choice determines how much of your traffic the VPN carries.

A VPN connection made with a General Users certificate is split-tunneled: only traffic to CMU addresses goes through the VPN, and everything else goes out through your ISP as usual.  This is ideal if you only use the VPN to reach CMU IP-restricted web pages or to access Chemserv via file sharing rather than SFTP.  SciFinder is different: the SciFinder software talks to a non-CMU server, and that server grants access only if your source address is a CMU address.  With a General Users certificate the SciFinder traffic never enters the VPN (its destination is not a CMU address), so it arrives with your ISP’s address as the source and is refused.

A VPN connection made with a Library certificate is full-tunnel: all traffic goes through the VPN, so requests to the SciFinder servers leave from a CMU address and are accepted.  Note that this applies to everything you do while connected, not only to SciFinder; all of your traffic then passes through CMU’s network.

If you’ve already configured VPN with the General Users certificate, you can register, issue, download and import a new Library certificate, then modify the existing TCP and UDP connection entries to use that certificate instead.

2.   Install the latest version.
Version 4.8 for Windows and 4.9 for OS X were released to http://www.cmu.edu/myandrew/ on 4/18/2006.  The Mac version requires OS X 10.4.

3.   Mac OS X clients – manually set the MTU value.
The Cisco 4.9 VPN client for OS X has a known bug that causes it to ignore the MTU (Maximum Transmission Unit) value sent by Verizon’s network, preventing the VPN connection from being established.  Until Cisco releases a newer version of the client which fixes the problem, the workaround is to manually set the MTU value for your computer to 1400 by following the steps at http://docs.info.apple.com/article.html?artnum=303192.  (DSL links using PPPoE usually have an MTU of 1492 rather than the Ethernet default of 1500, and the VPN adds its own encapsulation headers on top; 1400 leaves room for both, so VPN packets are not silently dropped for being too large.)  Be sure to change the setting for the adapter that you’re actually using (Ethernet or wireless).  MTU changes to a wired Ethernet connection persist across reboots, but changes to wireless do not and need to be re-made after every reboot, before making a VPN connection.
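
Because the wireless setting is lost at every reboot, it is convenient to script the change instead of repeating the Apple steps by hand.  The script below is an added example for this page, not Apple’s, Cisco’s or CMU’s own instructions.  It assumes the adapter is en0 (wired) or en1 (wireless), as on OS X of this period, and that changing the MTU is done as root; the interface name is a parameter if yours differs.

```shell
#!/bin/sh
# Added example, not from the CMU page, Apple or Cisco: check the MTU of the
# adapter the VPN will use and set it to 1400 before connecting.  Assumptions
# (mine): the adapter is en0 (wired) or en1 (wireless) as on OS X of this
# period; changing the MTU needs root.  Usage:
#   sh vpnmtu.sh check en1          # show the current MTU
#   sudo sh vpnmtu.sh apply en1     # set it to 1400 if it differs
#   sh vpnmtu.sh probe host 1372    # does a 1400-byte packet fit the path?

TARGET_MTU=1400

# mtu_from_ifconfig: print the number after the word "mtu" in ifconfig output read from stdin
mtu_from_ifconfig() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# current_mtu IFACE: the live MTU of an interface
current_mtu() {
    ifconfig "$1" | mtu_from_ifconfig
}

# mtu_needs_change MTU: succeed when MTU is not already the target value
mtu_needs_change() {
    [ "$1" -ne "$TARGET_MTU" ]
}

# apply_mtu IFACE: set the MTU only when it differs.  Idempotent, so it can be
# run from a login script; wireless settings do not survive a reboot.
apply_mtu() {
    now=$(current_mtu "$1")
    if mtu_needs_change "$now"; then
        ifconfig "$1" mtu "$TARGET_MTU"
        echo "$1: MTU changed $now -> $TARGET_MTU"
    else
        echo "$1: MTU already $TARGET_MTU"
    fi
}

# probe_mtu HOST SIZE: one don't-fragment ping with SIZE payload bytes (OS X/BSD
# ping -D; Linux ping uses -M do instead).  Failure means a packet of SIZE+28
# bytes (payload + IP and ICMP headers) does not fit the path unfragmented.
probe_mtu() {
    ping -c 1 -D -s "$2" "$1" >/dev/null 2>&1
}

# Constructed sample of OS X ifconfig output, used only to exercise the parser offline
SAMPLE_IFCONFIG='en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255'

case "${1:-}" in
    check) current_mtu "${2:-en0}" ;;
    apply) apply_mtu "${2:-en0}" ;;
    probe) probe_mtu "$2" "${3:-1372}" && echo "fits" || echo "too large" ;;
esac
```

To confirm that 1400 is really large enough for your line, probe with a 1372-byte payload (1372 + 28 header bytes = 1400) against a host outside your ISP; if that fails, lower the target further.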

4.   Default to ‘Connect with TCP’.
The instructions at http://www.cmu.edu/computing/documentation/VPN/vpn_client.html default to connecting with UDP, but in many cases connecting with UDP does not work through DSL routers, whose NAT often does not pass the UDP-encapsulated IPSec traffic correctly.  Connecting with TCP carries the same traffic inside a TCP connection (TCP port 10000, one of the ports listed in item 11).  This introduces a small amount of network overhead, which can make it slower than UDP, but it is much more likely to work from home.

5.   Temporarily disable any 3rd-party firewall software, such as ZoneAlarm or Norton Security Suite.
If the VPN connects with the firewall off, turn the firewall back on and add a rule allowing the Cisco VPN client (and the ports listed in item 11) rather than leaving the firewall disabled.

6.   Temporarily disable the Windows Firewall.
If VPN works when Windows Firewall is disabled, re-enable it and confirm that your settings match those outlined at http://www.cmu.edu/computing/documentation/VPN/vpn_client.html#firewall.

7.   Try multiple times.
In a few cases it has been reported that the first click of ‘Connect to VPN’ fails, but the 2nd or 3rd click, a second or two apart, succeeds.  If it doesn’t connect by the 3rd attempt, subsequent attempts are not likely to succeed.

8.   If this is a laptop, try establishing the VPN from on-campus.
If the same machine can establish a VPN from on-campus but not at home, that confirms that your VPN software and firewall settings are configured correctly, and the trouble is likely outside your computer, such as in the DSL router.

9.   (Where possible…) Connect directly to the DSL modem.
A pure DSL modem has one phone line input and only one Ethernet output.  Home networks might then include a separate router which allows multiple computers to share the single IP address provided to the modem, via NAT (Network Address Translation).  If your network setup has discrete modem and router components, disconnect your router and attach the computer in question directly to the modem.  You may need to reboot both the modem and the computer.  Once you confirm that you have a working network connection (i.e., you can access web pages), try establishing the VPN.  If it works, then the problem is likely with the router, which might be fixable via a firmware update (item 10) or configuration changes on the router’s built-in web page (item 11).  Bear in mind that a computer attached directly to the modem has a public address with no router or NAT in front of it, so keep your computer’s own firewall enabled during this test and put the router back once you are done.

Many new DSL modems provided by Verizon now integrate the modem, router, NAT, and a firewall into the same physical device, in which case it is not possible to connect directly to the modem.

10. Update DSL modem/router firmware.
Firmware is software embedded into the modem and acts as the modem’s operating system.  Firmware can be updated to fix bugs or add features.  In particular, the NAT software built into DSL modems may have settings or behaviors that interfere with VPN, which may be resolved with a firmware update.  How to update the firmware depends on the make and model of your modem.  Contact your ISP for instructions on updating your modem’s firmware.

11. Configure DSL modem firewall settings.
Some DSL modems include a firewall which may interfere with VPN.  Such firewalls can often be configured or disabled via the modem’s web administration interface.  The modem’s web address is the same as your home computer’s gateway address.  On OS X, look for the router (gateway) address in the Network system preferences.  On Windows, go to the Start menu, Run, CMD, and in the command window run ipconfig /all and read the “Default Gateway” line.  Then enter that address in a web browser, for example http://192.168.1.1.  If possible, try temporarily disabling the firewall entirely.  If that works, re-enable the firewall and open only the following ports rather than leaving it off: UDP 62515, TCP 10000, UDP 4500, UDP 500.  (UDP 500 carries IKE, the key exchange; UDP 4500 is IPSec NAT traversal, used when connecting with UDP; TCP 10000 carries the tunnel when connecting with TCP; UDP 62515 is the port the Cisco client itself uses on your computer.)  Many modems also have an “IPSec pass-through” or “VPN pass-through” setting; if present, make sure it is enabled.
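
The gateway lookup and the port list above can be put into one small script so that the modem’s firewall page can be checked against exactly what the client needs.  The script below is an added example for this page, not CMU’s or Cisco’s own tool.  It assumes the routing table is in OS X/BSD `netstat -rn` format (on Windows use ipconfig /all as described), and the split of the four ports by connection mode is this example’s reading of the list above: IKE on UDP 500 in both modes, NAT traversal on UDP 4500 when connecting with UDP, TCP 10000 when connecting with TCP, and UDP 62515 as the client’s own local port.  The optional reachability probe needs the VPN concentrator’s hostname, which this page does not give.

```shell
#!/bin/sh
# Added example, not from the CMU page: find the modem/router admin address
# from the routing table and list the ports the VPN client needs, so the
# modem's firewall page can be checked against them.  Assumptions (mine):
# the routing table is in OS X/BSD `netstat -rn` format, and which of the
# four ports each connection mode uses is this example's reading of the
# page's list (IKE UDP 500 in both modes; NAT-T UDP 4500 in UDP mode;
# TCP 10000 in TCP mode; UDP 62515 is the client's own local port).
# Usage: sh vpnports.sh [tcp|udp] [concentrator-host]

# default_gateway: print the gateway of the default route (netstat -rn on stdin)
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# vpn_ports MODE: one "proto port" line per port the given mode needs;
# any other MODE lists everything the page names
vpn_ports() {
    echo "udp 62515"
    echo "udp 500"
    case "$1" in
        tcp) echo "tcp 10000" ;;
        udp) echo "udp 4500" ;;
        *)   echo "tcp 10000"; echo "udp 4500" ;;
    esac
}

# probe_tcp HOST PORT: succeed if a TCP connection to HOST:PORT opens within
# 3 seconds.  Only the TCP mode can be checked this way; IKE and NAT-T are
# UDP, and a closed UDP port looks the same as a silent one.
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Constructed sample of `netstat -rn` output, used only to exercise the parser offline
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en1
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#5             UCS             2        0     en1'

if [ -n "${1:-}" ]; then
    gw=$(netstat -rn | default_gateway)
    echo "modem/router admin page is probably http://$gw"
    echo "ports the client needs in $1 mode:"
    vpn_ports "$1"
    if [ -n "${2:-}" ]; then
        probe_tcp "$2" 10000 && echo "TCP 10000 to $2 is reachable" \
                             || echo "TCP 10000 to $2 is NOT reachable"
    fi
fi
```

If the TCP probe fails from behind the router but succeeds when connected directly to the modem (item 9), the router’s firewall or NAT is the culprit and these are the ports to open on it.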

12. Request a modem-only solution.
If you only have one computer at home, and it’s attached via Ethernet (as opposed to wireless), your ISP may be able to provide you with a modem-only DSL modem, as opposed to a modem that integrates router/NAT/firewall.