Troubleshooting Cisco VPN


This is a DRAFT document and may contain errors.  It is provided as a short-term troubleshooting resource for DSL customers who are having difficulty using the Cisco VPN client. 


These suggestions are in no particular order, and are numbered only for easier reference.


1.   SciFinder users: use a “VPN – Library” certificate.
The instructions at describe two different networks that a certificate can be registered under: “VPN – General Users” and “VPN – Library”. 

A VPN with a General Users certificate will route any traffic to a CMU address through the VPN, but all other traffic will go through your ISP without using VPN.  This is ideal if you only use the VPN for accessing CMU IP-restricted web pages or for accessing Chemserv via file sharing rather than SFTP.  The SciFinder software accesses a non-CMU server, and that server checks to see if your source address is a CMU address before granting access.  Because the server is a non-CMU address, it won’t go through the VPN if you use a General User certificate, and the source address will be on your ISP’s network and thus denied access to the SciFinder database.

A VPN with a Library certificate will route all traffice through the VPN.  This means requests to the SciFinder servers will appear to originate from a CMU address and be granted access.

If you’ve already configured VPN with the General Users certificate, you can register, issue, download and import a new Library certificate, and modify the existing TCP and UDP entries to use that certificate instead.

2.   Install the latest version.
Version 4.8 for Windows and 4.9 for OS X were released to on 4/18/2006.  The Mac version requires OS X 10.4.

3.   Mac OS X clients – manually set MTU value.
The Cisco 4.9 VPN client for OS X has a known bug that causes it to ignore the MTU (Maximum Transmission Unit size) value sent by Verizon’s network, preventing the VPN connection from being established.  Until Cisco releases a newer version of the client which fixes the problem, the workaround is to manually set the MTU value for your computer to 1400 by following the steps at  Be sure to change the settings for the adapter that you’re using (Ethernet or Wireless).  MTU changes to a wired Ethernet connection persist across reboots, but changes to wireless do not and need to be re-made after every reboot prior to making a VPN connection.

4.   Default to ‘Connect with TCP’
The instructions at default to connecting with UDP, but in many cases connecting with UDP does not work with DSL routers.  TCP introduces a small amount of network overhead which can make it slower than UDP, but is more likely to work from home.

5.   Disable any 3rd party firewall software, such as ZoneAlarm or Norton Security Suite.

6.   Temporarily disable the Windows Firewall.
If VPN works when Windows Firewall is disabled, confirm that your settings match what are outlined at

7.   Try multiple times.
In a few cases it has been reported that the first click of ‘Connect to VPN’ fails, but the 2nd or 3rd click, a second or two apart, succeeds.  If it doesn’t connect by the 3rd attempt, subsequent attempts are not likely to succeed.

8.   If this is a laptop, try establishing the VPN from on-campus.
If the same machine can establish a VPN from on-campus but not at home, this will assert that your VPN software and firewall settings are configured correctly, and the trouble is likely outside your computer, such as the DSL router.

9.   (Where possible…) Connect directly to the DSL modem.
A pure DSL modem has one phone line input and only one Ethernet output.  Home networks might then include a separate router which allows multiple computers to share the single IP address provided to the modem via NAT- Network Address Translation.  If your network setup has discrete modem and router components, disconnect your router and attach the computer in question directly to the modem.  You may need to reboot both the modem and computer.  Once you confirm that you have a working network connection (ie: can access web pages), try establishing the VPN.  If it works, then the problem is likely with the router, which might be fixable via a firmware update to the router or configuration changes to the router’s integrated webpage.

Many new DSL modems provided by Verizon now integrate the modem, router, NAT, and a firewall into the same physical device, in which case it is not possible to connect directly to the modem.

10. Update DSL modem/router firmware.
Firmware is software embedded into the modem and acts as the modem’s operating system.  Firmware can be updated to fix bugs or add features.  In particular, the NAT software built into DSL modems may have settings or behaviors that interfere with VPN, which may be resolved with a firmware update.  How to update the firmware depends on the make and model of your modem.  Contact your ISP for instructions on updating your modem’s firmware.

11. Configure DSL modem firewall settings.
Some DSL modems include a firewall which may interfere with VPN.  Such firewalls can often be configured or disabled via the modem’s web administration interface.  The modem’s web address is the same as your home computer’s gateway address.  On OSX, look for the gateway address in the network system preferences.  On Windows, go to the Start menu, Run, CMD, and in the command window run ipconfig/all.  Then in a web browser enter that address.  For example:  If possible, try temporarily disabling the firewall entirely.  If that works, you can try re-enabling the firewall with the following ports open: UDP 62515, TCP 10000, UDP 4500, UDP 500.

12. Request a modem-only solution.
If you only have one computer at home, and it’s attached via Ethernet (as opposed to wireless), your ISP may be able to provide you with a modem-only DSL modem, as opposed to a modem that integrates router/NAT/firewall.