Cisco VPN error 422

I’m trying to connect to my university’s server with VPN using Cisco VPN Client version 5.0.04, but after 5 seconds it disconnects with the error message 422: Lost contact with the secure gateway. Check your connection.

From my research on the net it seems this could be because it tries to find my IP, and finds out that this is 127.0.0.1. Then 5 seconds later it discovers that I have a new IP (my actual IP), and it disconnects because I’m not allowed to change IP.

Does anyone know how I could fix this, or if there is another reason I get this error?

Update

I looked through the log, and found this error, which confirms what I thought, except it gets the correct IP first, then changes it to localhost.

87 18:56:53.250 08/24/09
Sev=Warning/3 CM/0xA3100027 Adapter
address changed from 149.171.237.25.
Current address(es): 127.0.0.1.

5 Answers

Based on this thread and this thread, it looks like there could be many reasons why the Cisco VPN client returns this error. These reasons could include a routing conflict, a conflict with a program on your computer (such as the Toshiba ConfigFree utility), or some problems with NAT traversal. Good diagnostics would be trying to connect with the firewall disabled (as mentioned by Col), trying to connect with a direct connection to the internet (not behind a router), and looking at the log (located in the Log tab of the VPN client window). If you cannot determine what the problem is, post the log in your question so that someone else can take a look at it.

2

answered by Samuel Karp 2023-03-30 08:31

If you are connecting via a USB key for internet access, for example via movistar or Huawei connections or what have you, make sure that your AirPort is turned off and that you are not sharing internet.

If it is on, it registers two different IP addresses and will not work.

1

answered by Anthony 2023-03-30 10:48

This fixes it on VMware Fusion:

(in /Library/Application Support/VMware Fusion/)

sudo ./vmnet-apps.sh --stop

1

answered by zachary 2023-03-30 13:05

This does not relate to your question specifically, but many VPN problems are caused by firewalls. As a test, try temporarily disabling any firewall software (including the one built into Windows) and see if it works. If it does, you will probably need to open some ports or add exceptions for the VPN software.

0

answered by Col 2023-03-30 15:22

I got it working, I know why, and I doubt that anyone will have the same problem as me.

My computer name has always been localhost (no, really, in the System->Computer Name dialog I named it localhost). This messes up networking for other Windows computers, since when trying to enter localhost in the address bar Windows reports a network name conflict.

And apparently Cisco VPN does not like my computer name either.

0

answered by Marius 2023-03-30 17:39

cisco vpn client and error 422.

(OP)

24 Mar 10 12:05

When I try to connect to the cisco vpn client, I get this error:

secure vpn: connection terminated locally by the client
reason:422 failed to enable virtual adapter

I googled this error, and several sites suggested uninstalling/reinstalling cisco vpn client. That didn’t help.
Btw, I see the Cisco VPN Adapter under my network connections.   

Couple other sites suggest disabling internet connection sharing on vista. This is a windows xp machine with sp3. In my LAN properties, the «internet connection sharing» checkbox is unchecked.  

There are couple firewalls, which I disabled. Still no luck.

I had a pc problem couple weeks ago, and I had to reinstall everything from scratch. I didn’t receive this error before.
How can I resolve this issue?

Thanks in advance.

www.fuzzysiberians.com


Introduction

This document lists the VPN Client GUI error, reason, and warning messages along with a description/action. These messages are for use by Cisco Technical Support and Engineering Support.

The information enables the Cisco Technical Support engineer to resolve your problem faster and more efficiently when you open a Technical Support service request. It also further familiarizes you with the problem and the associated debugs to identify the problem source.

Prerequisites

Requirements

In order to benefit from these VPN Client GUI messages, you need access to your network and the ability to turn on debugs and capture output.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

VPN Client GUI Messages

Errors

Number Message Description or Action
1 The command line parameter %1 cannot be used in conjunction with the command line parameter %2. The two command line parameters stated within quotation marks conflict with one another and cannot be used together in any given command line.
2 Invalid Connection Entry name. The Connection Entry name cannot contain any of the following characters… An invalid character was entered in the connection entry name field of the dialog for creating new, or modifying existing connection entries.
3 Invalid TCP port specified. Valid range is %1 to %2. An invalid TCP port number was entered on the Transport tab of the dialog for creating new, or modifying existing connection entries.
4 Invalid Peer Response Timeout specified. Valid range is %1 to %2. An invalid peer response timeout was entered on the Transport tab of the dialog for creating new, or modifying existing connection entries.
5 No hostname exists for this connection entry. Unable to make VPN connection. A connection attempt was made using a connection entry that does not contain a host name/address entry. A host name or address must be specified in the connection entry in order to attempt a VPN connection.
6 The connection entry %1 does not exist. The command line specified a connection entry that does not exist.
7 Group passwords do not match. Enter the same password in both text boxes. The group authentication password fields on the Authentication tab of the dialog for creating new, or modifying existing connection entries, have different values. The Password and Confirm Password fields must contain the same values.
8 Unable to update Start Before Logon setting. The VPN Client was unable to save the start before logon setting of the Windows Logon Properties dialog to the file vpnclient.ini. The file attributes may have been changed to read only or there may be a problem with the file system.
9 Unable to update Disconnect VPN connection when logging off setting. The VPN Client was unable to save the Disconnect VPN connection when logging off setting of the Windows Logon Properties dialog to the file vpnclient.ini. The file attributes may have been changed to read only or there may be a problem with the file system.
10 Unable to update Allow launching of third party applications before logon setting. The VPN Client was unable to save the Allow launching of third party applications before logon setting of the Windows Logon Properties dialog to the Windows registry. The user must have administrator privileges to save this setting, though the setting should be grayed out if this is not the case. There is likely a system problem with the registry.
11 Registration of CSGINA.DLL failed. The VPN Client was unable to register its CSGINA.DLL with the Windows operating system. The DLL may have been altered or corrupted.
12 Unable to retrieve auto-initiation status. The VPN Client was unable to retrieve the current status for determining if automatic VPN initiation must be initiated. The VPN Client service or daemon may be stopped, hung, or not running; or inter-process communication between the service/daemon and the GUI application may have failed.
13 Unable to update Automatic VPN Initiation Enable setting. The VPN Client was unable to save the Automatic VPN Initiation Enable setting of the Automatic VPN Initiation dialog to the file vpnclient.ini. The file attributes may have been changed to read only or there may be a problem with the file system.
14 Unable to update Automatic VPN Initiation Retry Interval setting. The VPN Client was unable to save the Automatic VPN Initiation Retry Interval setting of the Automatic VPN Initiation dialog to the file vpnclient.ini. The file attributes may have been changed to read only or there may be a problem with the file system.
15 Invalid Retry Interval specified. Valid range is %1 to %2. An invalid retry interval was entered in the Automatic VPN Initiation Retry Interval field of the Automatic VPN Initiation dialog. The value must be within the range specified in the error message.
16 The connection entry %1 already exists. Choose a different name. The user is attempting to create a new connection entry with the same name as an existing connection entry.
17 Unable to create connection entry. The VPN Client was unable to save the new connection entry to a file on the hard drive. There may be a problem with the file system.
18 Unable to rename connection entry. The VPN Client was unable to rename the connection entry. The new connection entry name may already exist, or there may be a problem with the file system.
19 Unable to save the modified connection entry. The VPN Client was unable to save the modified connection entry to its file on the hard drive. The file attributes may have been changed to read only or there may be a problem with the file system.
20 Unable to duplicate connection entry. The VPN Client was unable to duplicate the connection entry. The duplicate connection entry name may already exist or be too long, or there may be a problem with the file system.
21 Unable to delete connection entry %1. The VPN Client was unable to delete the connection entry. The file containing the connection entry may no longer exist or may be protected, or there may be a problem with the file system.
22 Unable to import connection entry %1. The VPN Client was unable to import the connection entry. The connection entry attempting to import may not exist. A connection entry with the same name as the entry being imported may already exist. There may be a problem with the file system.
23 Unable to erase encrypted password for connection entry %1. The VPN Client was unable to erase the encrypted user password in the connection entry. The connection entry file attributes may have been changed to read only or there may be a problem with the file system.
24 Unable to update connection entry %1. The VPN Client was unable to write the connection entry modifications to the connection entry’s file on the hard drive. The file attributes may have been changed to read only or there may be a problem with the file system.
25 %1() for the short cut file %2 failed with %3h. The function specified in the error message failed while attempting to create a short cut file to the VPN Client GUI for a particular connection entry. The hexadecimal number in the error message is the error returned by the function specified.
26 Unable to build a fully qualified file path while creating the short cut file %1. The VPN Client was unable to build a fully qualified file path for the shortcut file. There may be a problem with the file system.
27 Unable to create the shortcut file %1. The VPN Client was unable to get a pointer to the IShellLink interface from the system in order to create the shortcut file.
28 Reached end of log, no match found. The VPN Client could not find a match for the search string in the log.
29 The third-party dial-up program could not be started. The VPN Client was unable to launch the third-party dial-up program specified in the connection entry in order to establish a VPN connection.
30 The selected connection entry uses the Microsoft CryptoAPI certificate store. This connection entry can not be used until you have logged in to your workstation. The user is attempting to establish a VPN connection before logon using a connection entry that is configured to use a Microsoft CryptoAPI certificate for authentication. Such a certificate cannot be used until after the user has logged into the workstation.
31 The certificate %1 associated with this Connection Entry no longer exists or failed to open. Please select another certificate. The user is attempting to establish a VPN connection using a connection entry that is configured to use a certificate for authentication that does not exist or cannot be opened.
32 Unable to verify certificate %1. The selected certificate could not be verified. Possible misconfiguration issue with the certificate authentication (CA) server.
33 Unable to delete certificate %1 from certificate store. The VPN Client was unable to successfully delete the selected certificate from the certificate store.
34 Unable to show details for certificate %1. The VPN Client was unable to successfully open and access the selected certificate in order to display the certificate’s details.
35 Unable to export certificate. Invalid path %1. The export path provided for the certificate is invalid.
36 Unable to export certificate %1. The export source or destination for the certificate was invalid and the certificate could not be exported.
37 An export path must be specified. The user did not provide a file path for exporting the selected certificate.
38 Certificate passwords do not match. Enter the same password in both text boxes. The Password and Confirm Password fields of the Export Certificate dialog must both contain the same values.
39 Unable to import certificate. The VPN Client was unable to import the certificate. The file path for the certificate may be incorrect or there may be a problem with the file system.
40 An import path must be specified. The user did not provide a file path for importing a certificate.
41 Certificate passwords do not match. Enter the same password in both text boxes. The New Password and Confirm Password fields of the Import Certificate dialog must both contain the same values.
42 Unable to create certificate enrollment request. The VPN Client was unable to create an enrollment request to enroll the certificate with a certificate authority.
43 Certificate enrollment failed, or was not approved. The certificate enrollment request failed or was not approved by the certificate authority.
44 Certificate is not valid, or not an online enrollment request. The user attempted to resume enrollment of a certificate that is not valid or does not have a pending enrollment request.
45 Passwords do not match. Try again. The value entered in the Confirm new password dialog did not match the value entered in the Enter new password dialog when attempting to change a certificate password.
46 Change password for certificate %1 failed. The VPN Client was unable to change the password for the certificate.
47 Failed to load ipseclog.exe. The VPN Client was unable to launch the ipseclog.exe application. Log messages will not be saved to the log file.
48 Unable to stop service/daemon. The VPN Client was unable to stop the service/daemon. The service/daemon may be hung or there is a problem with the system’s service/daemon management.
49 GI_VPNStop failed. Unable to disconnect. The VPN Client failed to send a stop request for terminating the VPN connection to the service/daemon. The service/daemon may be stopped, hung, or not running. Communication with the service/daemon may have failed.
50 Service/daemon is not running. The VPN Client service/daemon is not running. VPN connections cannot be established/terminated via the GUI.
51 IPC socket allocation failed with error %1h. The VPN Client failed to create an inter-process communication socket in order to communicate with the service/daemon. VPN connections cannot be established/terminated via the GUI. Refer to Related Information for link to search on Cisco bug ID CSCed05004.
52 IPC socket deallocation failed with error %1h. The VPN Client failed to close an inter-process communication socket that is used to communicate with the service/daemon while terminating. Subsequent use of the GUI may be unable to communicate with the service/daemon.
53 Secure connection to %1 was unexpectedly dropped. The VPN connection was lost due to something other than termination by the VPN Client GUI. The connection could have been terminated by the user via the CLI, or internet connectivity may have been lost.
54 The authentication passwords do not match. Enter the same password in both text boxes. The user was asked to enter a new authentication password in the extend authentication dialog and did not enter the same values into the New Password and Confirm Password fields. Both fields must contain the same values.
55 The authentication PINs do not match. Enter the same PIN in both text boxes. The user was asked to enter a new authentication PIN in the extend authentication dialog and did not enter the same values into the New PIN and Confirm PIN fields. Both fields must contain the same values.
56 Unable to start the VPN connection. The VPN Client failed to send a start request for establishing the VPN connection to the service/daemon. The service/daemon may be stopped, hung, or not running. Communication with the service/daemon may have failed.

Reasons

Number Message Description or Action
401 An unrecognized error occurred while establishing the VPN connection. VPN connection was not established because of an unrecognized reason. Please check client logs for details.
402 The Connection Manager was unable to read the connection entry, or the connection entry has missing or incorrect information. Either the connection profile is missing or does not have all the information. To fix this problem, you can either select another connection profile, or fix the current connection entry.
Connection profiles are located in <client installation directory>\profiles. On most machines, this is C:\Program Files\Cisco Systems\VPN Client\profiles. To fix this problem, replace the connection profile file from the profiles directory. This file can be copied from a machine that has the correct entry of this file.
403 Unable to contact the security gateway. This can happen because of multiple reasons. One of the reasons that users can get this message is because IKE negotiations failed. Check the client logs for details.
404 The remote peer terminated the connection during negotiation of security policies. Check the remote peer (head-end) logs to determine the cause for this failure.
405 The remote peer terminated connection during user authentication. This reason is not currently used.
406 Unable to establish a secure communication channel. This reason is not currently used.
407 User authentication was cancelled by the user. A user hit the cancel button (instead of OK) in the VPN Client user authentication dialog.
408 A VPN connection is already in the process of being established. A connection is already in process.
409 A VPN connection already exists. A VPN connection already exists.
410 The Connection Manager was unable to forward the user authentication request. This is not currently used.
411 The remote peer does not support the required VPN Client protocol. The remote peer is either not a Cisco device or it does not support the VPN Client protocol specification.
412 The remote peer is no longer responding. The remote peer is not responding to the client’s request to establish the connection. Make sure you can ping the remote peer, or check remote peer logs for why it is not responding to the client.
413 User authentication failed. Either the user entered wrong user authentication information, or the client was not able to launch the XAuth (user authentication) process.
414 Failed to establish a TCP connection. The VPN Client was not able to establish the TCP connection for IPSec over TCP connection mode. Please try IPSec over UDP or straight IPSec. Please look at client logs for details.
415 A required component PPPTool.exe is not present among the installed client software. Please make sure that ppptool.exe is present in the client installation directory (this is generally C:\Program Files\Cisco Systems\VPN Client). If this file is not present, uninstall and reinstall the client.
416 Remote peer is load balancing. The peer has advised you to use a different gateway.
417 The required firewall software is no longer running. The required firewall is not running.
418 Unable to configure the firewall software. The peer sent an unrecognized firewall message.
419 No connection exists. This is an unexpected error. Please check client logs for details.
420 The application was unable to allocate some system resources and cannot proceed. The system ran out of memory. If you think the system has enough memory, reboot the machine and try again.
421 Failed to establish a connection to your ISP. Failed to establish a dialup connection. View the client logs for details.
422 Lost contact with the security gateway. Check your network connection. The machine’s IP address changed or the machine is no longer connected to the Internet.
Note: The VPN Client is required to disconnect the VPN tunnel for security reasons if the machine's IP address has changed.
423 Your VPN connection has been terminated. Either the user disconnected the VPN tunnel, or there was an unexpected error.
424 Connectivity to Client Lost by Peer. Connection disconnected by the peer. Check the peer logs for details.
425 Manually Disconnected by Administrator. Administrator manually disconnected the VPN tunnel.
426 Maximum Configured Lifetime Exceeded. The VPN Client exceeded the maximum configured lifetime for a session. This value is configured on the peer (head-end) device.
427 Unknown Error Occurred at Peer. Peer disconnected tunnel. Check the peer logs for details.
428 Peer has been Shut Down. Peer was shut down.
429 Unknown Severe Error Occurred at Peer. Check the peer logs for details.
430 Configured Maximum Connection Time Exceeded. VPN Client has been connected for longer than allowed by the peer.
431 Configured Maximum Idle Time for Session Exceeded. The VPN connection was idle for longer than the time allowed by the administrator.
432 Peer has been Rebooted. The peer has been rebooted.
433 Reason Not Specified by Peer. The peer gave no reason for disconnecting the tunnel. Check the peer logs for details.
434 Policy Negotiation Failed. Client and peer policies do not match. Try changing peer policies (try using 3DES, AES, and so forth) and then try again.
435 Firewall Policy Mismatch. Firewall policies do not match with what was configured by the peer.
436 Certificates used have Expired. The certificate used in the connection profile has expired. Update the certificate configured in the client profile, and then try again.
437 Bad parameter was provided. Check spelling and syntax of profile or command line parameters.
438 Different components of the client can’t communicate. Try stopping any personal firewalls that might be installed on the client machine, and then try again. The VPN Client GUI uses ports to communicate with the VPN Client driver and service. Firewalls lie in between these two components and may block traffic. Allow all traffic to the 127.0.0.1 address.
439 Start the Cisco VPN Client Service. This can be done by _net start cvpnd_ on command prompt, or by going to service manager and starting the VPN service. _net start cvpnd_ and _net stop cvpnd_ are used to start and stop the VPN service. The Windows system log may also be checked to see why the service might not have started.
Note: Do not type the _ character when you enter these commands.
440 Cannot start the driver. Make sure DNE is installed correctly. Make sure that _cvpndrva_ is installed correctly. Ensure that the DNE driver is loaded. Go to command prompt and type _net stop dne_. It should not be able to be stopped. However, if it cannot be found, then it is not installed. If installed, try _net stop cvpndrva_ and _net start cvpndrva_. This can’t be done via service manager.
Note: Do not type the _ character when you enter these commands.
441 Out of backup servers. Tried contacting all backup servers (if available), but still could not connect. The VPN Client was unable to make contact with a head end device after checking all backup servers. Ensure connectivity and name resolution to head end devices from the workstation.
442 Failed to enable virtual adapter. Attempt a reboot before trying again. Or go to network connection property pages and try to manually enable/disable the _Cisco Systems VPN Adapter_. Also try to add the following line to vpnclient.ini: [main] VAEnableAlt=0.
443 Smart card associated with the certificate was removed. Please re-insert the smart card. Certificates residing outside the workstation must remain connected during the VPN Client session.
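
Reason 422 is raised when the machine's IP address changes, and the client log records that change as an "Adapter address changed" warning. The following added example (not part of the Cisco document or of the forum posts) finds those warnings in a saved log; the record layout is an assumption inferred from the single log entry quoted earlier on this page, and record 86 in the sample is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# A record starts with: <sequence> <HH:MM:SS.mmm> <MM/DD/YY>
# (layout inferred from the one entry quoted on this page; assumption).
RECORD_START = re.compile(r"^\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\d{2}/\d{2}/\d{2}\b")
RECORD = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+"
    r"(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s+(?P<msg>.*)$"
)
ADDR_CHANGE = re.compile(
    r"Adapter address changed from (?P<old>\S+?)\.\s+"
    r"Current address\(es\):\s*(?P<cur>.+?)\.?\s*$"
)

# Record 87 is the entry quoted on this page; record 86 is constructed filler.
SAMPLE_LOG = """\
86 18:56:48.100 08/24/09
Sev=Info/4 CM/0x00000000 Constructed filler
record, not from the page.
87 18:56:53.250 08/24/09
Sev=Warning/3 CM/0xA3100027 Adapter
address changed from 149.171.237.25.
Current address(es): 127.0.0.1.
"""


@dataclass
class AddressChange:
    seq: int
    when: str
    old: str
    current: list
    loopback_only: bool      # every remaining address is loopback
    old_address_lost: bool   # the address the tunnel was bound to is gone


def split_records(text):
    """Re-join records that the log viewer wrapped across several lines."""
    records, buf = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) and buf:
            records.append(" ".join(buf))
            buf = []
        buf.append(line)
    if buf:
        records.append(" ".join(buf))
    return records


def parse_ips(field):
    """Parse a comma-separated address list, skipping non-IP tokens."""
    found = []
    for token in field.split(","):
        try:
            found.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    return found


def find_address_changes(text):
    """Return one AddressChange per 'Adapter address changed' record."""
    events = []
    for rec in split_records(text):
        m = RECORD.match(rec)
        change = ADDR_CHANGE.search(m.group("msg")) if m else None
        if not change:
            continue
        current = parse_ips(change.group("cur"))
        old = parse_ips(change.group("old"))
        old_ip = old[0] if old else None
        events.append(AddressChange(
            seq=int(m.group("seq")),
            when=f'{m.group("date")} {m.group("time")}',
            old=str(old_ip) if old_ip else change.group("old"),
            current=[str(a) for a in current],
            loopback_only=bool(current) and all(a.is_loopback for a in current),
            old_address_lost=old_ip not in current,
        ))
    return events


if __name__ == "__main__":
    for ev in find_address_changes(SAMPLE_LOG):
        print(ev)
```

A record with `loopback_only` set means the adapter was left with no routable address, which is the state the poster's log shows immediately before the disconnect.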

Warnings

Number Message Description or Action
201 The command line parameter %1 cannot be used in conjunction with the command line parameter %2. The two command line parameters stated within quotation marks conflict with one another and cannot be used together in any given command line.
202 If you disable this feature, the %1 will not automatically disconnect your VPN connection when you logoff. As a result, your computer may remain connected after logoff. The user has disabled the Disconnect VPN connection when logging off setting of the Windows Logon Properties dialog.
203 You do not have write privileges for this connection entry. It will be opened read-only. The user is attempting to modify a connection entry whose file attributes have been set to read only.
204 The certificate %1 associated with this Connection Entry could not be found. Please select a different certificate or click Cancel. The user is attempting to modify a connection entry that has a certificate associated with it. But the certificate associated with the profile was not found. It could be that the certificate lives on a smart card which is not connected to the system right now. Therefore, hitting cancel is a valid option.
205 You must use a Smart Card with this connection. Please insert the Smart Card before attempting a connection. This warning means that the current profile requires the use of smart card, and no smart card is present on the system. The user should insert the correct smart card and should re-connect, or the user should select a different profile to connect.

Related Information

  • Cisco Bug ID CSCed05004 (registered customers only)
  • IPSec Negotiation/IKE Protocols Support Page
  • Technical Support & Documentation — Cisco Systems


Hello!

Although the Windows 8 compatibility center claims that Cisco VPN Client is fully compatible with the new operating system, I only got this client working through non-trivial steps and, alas, for many cases other than mine.

I hope, however, that the information will be useful and that, perhaps, the collective mind will help solve the problem completely.

So, given: a VPN built on Cisco equipment and the need to connect to it from 64-bit Windows 8 Professional. First, install the latest available version, Cisco VPN Client 5.0.07.0440. Installation goes without any complications. Import your favorite .pcf with the connection settings and try to connect. Then the problems begin:

Problem number one: the error "Reason 442: Failed to enable Virtual Adapter"

This problem is solved by correcting the value of a registry key. To do so:

  1. Open the registry editor (type "regedit" in the search box and run the application that is found);
  2. Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA;
  3. Find the DisplayName value;
  4. The data of this value contains something like "oem4.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows". Change it so that only "Cisco Systems VPN Adapter for 64-bit Windows" remains.

No reboot is required after the registry change. The virtual adapter is now found successfully, and if authentication uses a Shared Key (no client certificate required), the problems end here.
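
The registry edit from steps 1 to 4, scripted as an added example (not the article author's code). The function names and the dry-run default are choices made here; the key path, value name and sample data are the ones given above, and tolerating a leading "@" in the stored data is an assumption.

```python
import re
import sys

# Key and value named in the steps above.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"
VALUE_NAME = "DisplayName"

# "<file>.inf,%<token>%;<friendly name>"; a leading "@" is tolerated (assumption).
INF_PREFIX = re.compile(r"^@?[^;,]+\.inf,%[^%;]+%;(?P<name>.+)$", re.IGNORECASE)


def clean_display_name(raw):
    """Drop the INF reference and keep only the friendly adapter name.

    Data that does not carry the prefix is returned unchanged, so the
    function is safe to run twice.
    """
    m = INF_PREFIX.match(raw.strip())
    return m.group("name").strip() if m else raw


def fix_cvirta_display_name(apply=False):
    """Read DisplayName and, if apply=True, write the cleaned data back.

    Windows only; writing under HKLM needs an elevated prompt.
    Returns (old, new, changed).
    """
    import winreg  # imported here so the module still loads on other systems

    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if apply else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY, 0, access) as key:
        old, value_type = winreg.QueryValueEx(key, VALUE_NAME)
        new = clean_display_name(old)
        if apply and new != old:
            # Keep the original registry value type.
            winreg.SetValueEx(key, VALUE_NAME, 0, value_type, new)
    return old, new, new != old


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("This fix only applies to Windows.")
    old, new, changed = fix_cvirta_display_name(apply="--apply" in sys.argv)
    print(f"current: {old!r}")
    print(f"cleaned: {new!r}" if changed else "nothing to change")
```

Run without arguments the script only reports what it would change; pass `--apply` from an elevated prompt to write the value.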

If authentication uses a certificate, we get the following:

Problem number two: "Reason 403: Unable to contact security gateway"

It is assumed that the certificate (one that does not require a private key on a separate device such as an eToken) is, as usual, loaded into the user certificate store (User Storage). The client log then shows the following message: "Could not load certificate [certificate description] from store Microsoft User Certificate. Reason: store empty". That is, although the certificate is present in the store, VPN Client does not see it.

Two ways of solving this problem were found:

  1. Move the certificate from the User Store to the Local Computer Store;
  2. Change the settings of the "Cisco Systems, Inc. VPN Service" service on the "Log On" tab so that the service runs under a user account (the same account you are logged in with and are trying to connect from).

On to the next level: now we have key-based authentication using an e-token (Alladin). There is a program supplied with the key (eToken PKI Client) which, when the USB token is plugged into the machine, automatically places the certificate stored on the token into the user certificate store (which is why I solved problem number two with the second method). Trying to connect to the VPN in this configuration gives the following error:

Problem number three (unsolved): "Reason 401: An unrecognized error occured while establishing the VPN connection"

The client log shows the message "Failed to generate signature: signature generation failed" and other even less informative wording. Here, unfortunately, is a dead end: the log messages shed no light on the nature of the problem, and it is unclear where to dig next.

I hope I am not alone in this and that someone turns out to be sharper and luckier.

UPD: As an alternative for connecting, you can use Shrew Soft VPN Client, which has no problems running on Windows 8 (an article about installing and configuring this program has already appeared on Habr). The program has one drawback: it cannot work with certificates from the Windows certificate stores (certificates have to be loaded from a file when configuring the connection), which is also unsuitable for the case of a key on an eToken.
