Release Notes for VPN Client, Release 4.0 through Release 4.0.5.D
CCO Date: December 6, 2004
Part Number OL-5450-10

Note: You can find the most current documentation for the VPN Client at http://www.cisco.com or http://cco.cisco.com. These electronic documents may contain updates and changes made after the hard copy documents were printed.

These release notes support VPN Client software Release 4.0 through Release 4.0.5.D.
Contents
Installation Notes
New Features in Release 4.0
Usage Notes
Open Caveats
Caveats Resolved in Release 4.0.5.D
Caveats Resolved in Release 4.0.5.C
Caveats Resolved in Release 4.0.5.B
Caveats Resolved in Release 4.0.5.A
Caveats Resolved in Release 4.0.5
Caveats Resolved in Release 4.0.4.D
Caveats Resolved in Release 4.0.4.B
Caveats Resolved in Release 4.0.4
Caveats Resolved in Release 4.0.3.
Documentation Feedback
Obtaining Technical Assistance
Obtaining Additional Publications and Information

Introduction
The VPN Client is an application that runs on a Microsoft® Windows®-based PC, a Sun UltraSPARC workstation, a Linux desktop, or a Macintosh (Mac) personal computer that meets the system requirements stated in the next section. In this document, the term “PC” applies generically to all these computers, unless specified otherwise.
System Requirements

Computer: Computer with a Pentium®-class processor or greater
Operating System:
• Microsoft® Windows® 98 or Windows 98 (second edition)
• Windows ME
• Windows NT® 4.0 (with Service Pack 6, or higher)
• Windows 2000
• Windows XP
Requirements:
• Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)
• 50 MB hard disk space.
Installation Notes
Because of platform differences, the installation instructions for Windows and non-Windows platforms also differ.
• Refer to the VPN Client User Guide for Windows, Release 4.0, Chapter 2, for complete installation instructions for Windows users.
• Refer to the Cisco VPN Client User Guide for Mac OS X, Chapter 2, for complete installation information for those platforms.
• jp (Japanese)
To force an English only language install, enter the following command:
msiexec /i vpnclient_setup.msi
To force a Canadian French language installation, enter the following command, all on the same line:
msiexec /i vpnclient_setup.msi TRANSFORMS=vpnclient_fc.mst;vpnclient_help_fc.mst
To force a Japanese language installation, enter the following command, all on the same line:
msiexec /i vpnclient_setup.msi TRANSFORMS=vpnclient_jp.mst;vpnclient_help_jp.
Installation Notes - Windows Platforms
In addition to the installation considerations for Release 4.0.3, Release 4.0.x includes the following installation considerations for Windows users:

Installing the VPN Client Software Using InstallShield
Installing the VPN Client software on Windows NT, Windows 2000, or Windows XP with InstallShield requires Administrator privileges.
“Cannot find the file instmsiw.exe (or one of its components). Make sure the path and filename are correct and that all the required libraries are available.”
-then-
“Cannot find the file MSIEXEC (or one of its components). Make sure the path and filename are correct and that all the required libraries are available.”
The Windows Installer (MSI) can be installed only on NT SP6, so the error messages you see using earlier service packs are due to an MSI incompatibility (CSCdy05049).
New Features in Release 4.0.5
Using the VPN Client
• To use the VPN Client, you need:
– Direct network connection (cable or DSL modem and network adapter/interface card), or
– Internal or external modem, and
• To connect using a digital certificate for authentication, you need a digital certificate signed by one of the following Certificate Authorities (CAs) installed on your PC:
– Baltimore Technologies (www.baltimoretechnologies.com)
– Entrust Technologies (www.entrust.com)
– Netscape (www.netscape.
Group Authentication is a method that uses pre-shared keys for mutual authentication. In this method, the VPN Client and the VPN central-site device use a group name and password to validate the connection. This is a symmetrical form of authentication since both sides use the same authentication method during their negotiations.
3. Configure a VPN Group to use the new IPSec SA from step 2. The VPN Clients under test for Mutual Group Authentication will be connecting to this group.

New Features in Release 4.0
Release 4.0 of the VPN Client software includes the following new features.

Virtual Adapter
A virtual adapter is a software-only driver that acts as a valid interface in the system. Its purpose is to solve protocol incompatibility problems.
Common Graphical Interface for Windows and Mac VPN Clients
In Release 4.0, the VPN Client provides a consistent graphical user interface across all supported Windows operating systems and Mac OS X, recognizing that the Windows and Mac operating systems follow different conventions, and that the Windows version has additional features. The VPN Client documentation is based on this new user interface.

Alerts (Delete With Reason)
In Release 4.
Personal Firewall Enhancements
In Release 4.0, the VPN Client supports Sygate Personal Firewall and Sygate Personal Firewall Pro, Version 5.0, Build 1175 and higher. Other supported features new with this release include:
• The ability to enable or disable stateful firewalls from the command line.
• Configurable ICMP permissions.

Coexistence with Third-Party VPN Vendors
In Release 4.
Enhancements to GINA
Release 4.0.2 includes an improved application launch verification mechanism employed by the Graphical Identification and Authentication (GINA) dynamic-link library (DLL). This affects only the Windows NT4, Windows 2000, and Windows XP platforms (CSCeb12179).

Usage Notes
This section lists issues to consider before installing Release 4.0.x of the VPN Client software. In addition, you should be aware of the open caveats regarding this release.
Windows NT
Users running Windows NT 4.0 with Service Pack 4 require a hot fix from Microsoft for proper operation. This fix is available on the Microsoft GetHostByName API Returns Unbindable Address page: http://support.microsoft.com/support/kb/articles/Q217/0/01.ASP.

Importing a Microsoft Certificate Using Windows NT SP3
The following problem has occurred on some Windows NT SP3 systems (CSCdt11315).
Wait a minute. If the PC is still not responding, press the reset button. When the PC reboots, it should not run through ScanDisk, indicating the shutdown was successful in closing all open files. This problem may occur on some PCs and not on others, and we are looking for a solution. Windows 98 shutdown has numerous issues, as can be seen in the following Microsoft Knowledge Base Article: “Q238096 - How to Troubleshoot Windows 98 Second Edition Shutdown Problems” (CSCdt00729).
To work around this problem, do one of the following:
• Be sure to disconnect the VPN Client before shutting down. If you are having problems, check your network properties and remove the WINS entries if they are not correct for your network.
• Alternatively, enable “Disconnect VPN connection when logging off”. Go to Options > Windows Logon Properties, check Disconnect VPN connection when logging off (CSCdv65165).
Network ICE BlackICE Defender Configuration
Network ICE's BlackICE Defender is a traffic monitoring security product. If you properly configure it, BlackICE Defender can work with the VPN Client. You must configure BlackICE Defender for Trusting, Nervous, or Cautious mode. If you use Nervous or Cautious mode, add the public IP address of the VPN Concentrator to the list of trusted addresses.
Adjusting the Maximum Transmission Unit (MTU) Value - Windows Only
VPN Encapsulation adds to the overall message length. To avoid refragmentation of packets, the VPN Client must reduce the MTU settings. The default MTU adjusted value is 1300 for all adapters. If the default adjustments are not sufficient, you may experience problems sending and receiving data. To avoid fragmented packets, you can change the MTU size, usually to a lower value than the default.
Connection Type: Procedure
Physical Adapters: Use the SetMTU utility supplied with the Cisco VPN Client.
Dial-up: Use the SetMTU utility supplied with the Cisco VPN Client.
PPPoE - All Vendors (Windows XP only): Use SetMTU
PPPoE - EnterNet (Windows 98):
• On the main desktop, right click on My Network Places and go to Properties. The Network window opens.
• Double-click the Network TeleSystems PPPoE Adapter.
PPPoE WinPoet
Windows 98: WinPoet does not provide user control over the PPPoE MTU under Windows 98.
Windows 2000: WinPoet does not provide a user interface to control the MTU size, but you can control it by explicitly setting the following registry key:
HKLM/system/currentcontrolset/control/class// adapter(000x):
Value: MaxFrameSize
Value type: DWORD
Data: 1300 (or less)
The GUID and adapter number can vary on different systems.
Asante FR3004 Cable/DSL Routers Require Asante Firmware Version 2.15 or Later
Versions of the Asante firmware caused a problem with rekeying and keepalives when a VPN Client had an all-or-nothing connection to a VPN Concentrator through an Asante FR3004 Cable/DSL router. Version 2.15 (or later) of the Asante firmware resolves these issues. For more information about Asante cable/DSL routers, see the following Web sites:
• http://www.asante.com/products/routers/index.html
• http://www.
America Online (AOL) Interoperability Issues

AOL Versions 5.0 and 6.0
The VPN Client supports AOL Version 5.0. AOL Version 6.0 is also supported, with one limitation: when connected, browsing in the network neighborhood is not available.

AOL Version 7.0
AOL Version 7.0 uses a proprietary heartbeat polling of connected clients. This requires the use of split tunneling to support the polling mechanism. Without split tunneling, AOL disconnects after a period of time between 5 and 30 minutes.
Browser Interoperability Issues
The following known issues might occur when using the VPN Client with the indicated browser software.

Issues Loading Digital Certificate from Microsoft Certificate Store on Windows NT SP5 and on IE 4.0 SP2
The following error occurs in the VPN Client log when using a Digital Certificate from the Microsoft Certificate Store. This can occur on Windows NT 4.0 with Service Pack 5 and on Internet Explorer 4.0 with SP2 and using the VPN Client v3.1 or v3.
Entrust Entelligence Issues
The following known issues might occur when using Entrust Entelligence software with the VPN Client.

Potential Connection Delay
Using the VPN Client with Entrust Entelligence might result in a delay of approximately 30 seconds if you are trying to connect while Entrust is “online” with the CA. This delay varies, depending on your Entrust CA configuration.
• Once connected, right click on the Entrust tray icon (gold key) and uncheck “Work Offline”. This manually puts Entrust online (CSCdu33638).

Use Entrust Entelligence 4.0 with VPN Client Release 3.5.1 or 3.1 Start Before Logon
When using the Release 3.5.1 or 3.1 VPN Client with the Entrust Entelligence 4.0 software, the Start Before Logon feature does not function properly. Upgrading to Entrust Entelligence 5.1 resolves this problem (CSCdu61926).
Accessing Online Glossary Requires Connection to Cisco.com
The Glossary button at the top of all Help screens tries to contact univercd at www.cisco.com (the Cisco documentation site). This connection requires connectivity to Cisco's main web site. If your PC does not have a corporate Internet connection or your firewall blocks access, the following error appears when you attempt to access the Glossary: “The page cannot be displayed.” To access the Glossary, you must be connected to www.cisco.
ZoneLabs Automatically Adds Loopback and VPN 3000 Concentrator Addresses to Trusted Zone for Windows NT PCs
The Loopback address and the VPN 3000 Concentrator’s address are automatically added to the ZoneLabs “Trusted Zone” on Windows NT-based systems. If a Windows NT based-PC has ZoneAlarm, ZoneAlarm Pro, or Zone Labs Integrity Agent, and the VPN Client Release 4.0 installed on it, the loopback address (127.0.0.
DHCP Route Renewal in Windows 2000 and Windows XP
In a Windows 2000 or Windows XP environment, if the public network matches the private network (for example, a public IP address of 192.168.1.5, with a subnet mask of 255.255.0.0, and an identical private IP address) and the public network’s route metric is 1, then traffic might not be tunneled to the private network (CSCdz88896).
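The condition described above, as an added example (not part of the original release notes and not VPN Client code): a simplified model of route selection, longest prefix first and then lowest metric, that audits a route table for tunneled networks whose traffic is not guaranteed to use the VPN adapter. The adapter labels LAN and VPN, the gateway addresses and the raised metric of 20 are constructed assumptions; the third table goes beyond the case in the text and shows a narrower local route winning regardless of metric.

```python
"""Audit a route table for tunneled networks that could leave via a non-VPN adapter.

Added example with a simplified selection model (an assumption, not the
Windows implementation): longest prefix wins, then lowest metric. A tie is
reported because the outcome is then not guaranteed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str  # adapter label; "LAN" and "VPN" below are constructed
    metric: int


def parse_route(dest, mask, gateway, interface, metric):
    """Build a Route from the columns of a `route print` style row."""
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, interface, int(metric))


def select_routes(dest, routes):
    """Return the winning route(s) for dest; more than one entry means a tie."""
    addr = ipaddress.IPv4Address(dest)
    matching = [r for r in routes if addr in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    lowest = min(r.metric for r in matching)
    return [r for r in matching if r.metric == lowest]


def probe_address(network):
    """Pick one representative host address inside a network."""
    return network.network_address + (1 if network.num_addresses > 2 else 0)


def audit_tunnel_routes(routes, tunneled_networks, vpn_interface):
    """Return (network, probe, kind, other_interfaces) for every tunneled
    network whose traffic is not guaranteed to use vpn_interface."""
    findings = []
    for text in tunneled_networks:
        tunneled = ipaddress.IPv4Network(text)
        probes = {probe_address(tunneled)}
        # Also probe inside every competing route that overlaps the tunneled
        # network, so a narrower local route is not missed.
        for r in routes:
            if r.interface != vpn_interface and r.network.overlaps(tunneled):
                inner = r.network if r.network.prefixlen >= tunneled.prefixlen else tunneled
                probes.add(probe_address(inner))
        for probe in sorted(probes):
            winners = select_routes(probe, routes)
            others = sorted({r.interface for r in winners if r.interface != vpn_interface})
            if not winners:
                findings.append((text, str(probe), "no-route", []))
            elif others:
                via_vpn = any(r.interface == vpn_interface for r in winners)
                findings.append((text, str(probe), "tie" if via_vpn else "bypass", others))
    return findings


# Constructed tables using the addresses from the example in the text.
CONFLICT = [
    parse_route("0.0.0.0", "0.0.0.0", "192.168.1.1", "LAN", 1),
    parse_route("192.168.0.0", "255.255.0.0", "192.168.1.5", "LAN", 1),
    parse_route("192.168.0.0", "255.255.0.0", "192.168.1.5", "VPN", 1),
]
# Same table after the public adapter's metric is raised (20 is an assumed value).
RAISED = [
    parse_route("0.0.0.0", "0.0.0.0", "192.168.1.1", "LAN", 20),
    parse_route("192.168.0.0", "255.255.0.0", "192.168.1.5", "LAN", 20),
    parse_route("192.168.0.0", "255.255.0.0", "192.168.1.5", "VPN", 1),
]
# A narrower local route beats the tunnel route regardless of metric.
NARROWER = [
    parse_route("192.168.1.0", "255.255.255.0", "192.168.1.5", "LAN", 20),
    parse_route("192.168.0.0", "255.255.0.0", "10.10.0.7", "VPN", 1),
]

if __name__ == "__main__":
    for name, table in (("conflict", CONFLICT), ("raised", RAISED), ("narrower", NARROWER)):
        print(name, audit_tunnel_routes(table, ["192.168.0.0/16"], "VPN"))
```

A "tie" finding corresponds to the case in the text, where the public route already holds metric 1 and the tunnel route cannot be preferred over it.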
The VPN Client, Release 4.0, with Virtual Adapter attempts to modify local route metrics to allow data to pass over the VPN tunnel. In some cases, it is impossible for the VPN Client to make this modification (CSCdz38680). To work around this problem, make the change manually, using the following procedure:
Step 1 Run > Control Panel > Network and Dialup Connections.
Step 2 Right-click on the adapter in question and select Properties.
VPN Client Supports Sygate Personal Firewall V. 5.0, Build 1175
The supported version of Sygate Personal Firewall is version 5.0, build 1175. Earlier versions might cause the following Blue screen to occur on a Windows NT-based system that has made many connects/disconnects with the VPN Client (CSCdy62426):
Stop: 000000d1 (BAD0B0B8, 00000002, 00000000, BFF12392) Driver_IRQL_Not_Less_Or_Equal ***Address BFF12392 base at BFF10000, Datestamp 3CCDEC2C - Teefer.sys
The 4.
Start Before Logon and Microsoft Certificate with Private Key Protect Fails
Trying to connect the VPN client using Start Before Logon (SBL) and Microsoft Machine-based certificates fails. This is a Microsoft issue, not a VPN Client problem. If your certificate has private key protection enabled, every time you use the certificate keys you are either prompted for a password to access the key, or notified with a dialog and asked to click OK.
Step 3 Rename csgina.dll to something like csgina.old.
Step 4 Install the VPN Client version 3.6.

Linksys Wireless AP Cable/DSL Router Version 1.44 or Higher Firmware Requirement
To use the VPN Client behind a Linksys Wireless AP Cable/DSL router model BEFW11S4, the Linksys router must be running version 1.44 or higher firmware. The VPN Client cannot connect when located behind a Linksys Wireless AP Cable/DSL router model BEFW11S4 running version 1.42.7 firmware.
On the Mac OS X platform, Internet Explorer 5.2 that comes installed does not allow certificates to be exported. The best course of action for these users is to either enroll and export the certificate from a Windows workstation and email it to the Mac user or to use direct enrollment from the Client itself. Verisign works fine with the Macintosh version of the VPN Client.
Use Zone Labs Integrity Server 2.1.052.0 or Higher with VPN Client 4.0
Versions of the Zone Labs Integrity Server earlier than 2.1.052.0 exhibit the following problem. If two or more VPN Clients (running on Windows 2000 or XP) are connected to a VPN 3000 Series Concentrator and receive firewall policy from a ZoneLabs Integrity Server, the Integrity Server registers only one connection.
The InstallShield Knowledge base article q108020 addresses this problem. To view this article go to the following URL (CSCea43117): http://support.installshield.com/kb/view.asp?articleid=q108020
Microsoft has a fix for this issue. For more information and to obtain the fix, go to the following URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;329623

VPN Client cTCP Connection Fails If Checkpoint Client Is Installed
When the Checkpoint VPN-1 Securemote client is installed with the 4.
Open Caveats
Caveats describe unexpected behavior or defects in Cisco software releases. The following lists are sorted by identifier number.

Note: If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II on CCO, choose Software & Support: Online Technical Support: Software Bug Toolkit or navigate to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
If the VPN Client is uninstalled, the next time the NTS EnterNet 300 PPPoE version 1.41 is used the message, “EnterNet could not find the (adapter). But it did locate the (adapter) through which your network server is reachable. Do you want to switch? Yes No” Answer Yes to this question. The installation then continues normally.
• CSCdt07787 Problems have occurred when an ISA legacy NIC card (IBM Etherjet 10MB) is used in a PC with PnP OS enabled.
Workaround: For problem dialers/applications, try 2500 milliseconds or greater.
• CSCdu22174 SCEP enrollment might fail to complete successfully after the PKI administrator has granted your request.
Workaround: If this happens, delete your failed request and submit a new one. To delete the request, click the Certificate tab, select the failed request, and click Delete on the toolbar. Alternatively, open the Certificates menu and select Delete.
Step 4 The user returns and enters the Entrust password, then clicks Yes to the security hash check question.
Step 5 The VPN connection completes, and data can be passed. The VPN dialer appears as not connected.
Step 6 Clicking Connect returns “A connection already exists”. The user clicks Cancel, and the dialer appears connected in the system tray. The VPN connection can be used as a normal connection.
• CSCdu81905 When connecting to a VPN 3000 Concentrator over PPPoE using the EnterNet 300 client software from Efficient Networks, Inc., if a firewall is required by the VPN Concentrator, the following message might appear: “The Client did not match any of the Concentrator's firewall configurations...” If this message appears, click OK and then click Connect. The connection to the VPN Concentrator then proceeds successfully.
Others like 3COM 3C510, and D-Link DI-704 either had updated firmware that was tested and failed, or had Beta firmware that was NOT tested because the firmware notes did not indicate a fix specifically for fragmentation.
• CSCdu87521 The following message might appear when a connection using the EnterNet 300 version 1.4 PPPoE software and transferring via FTP: 93 09:42:06.
or
– Use Gemplus version 3.0.30 that no longer installs the gemgina.dll
• CSCdv46591 When a CPP Firewall policy is in place that drops all inbound and outbound traffic and no WINS address is sent to the VPN Client from the 3000 series Concentrator, Start Before Logon fails. If a WINS address is in place, Start Before Logon works fine. Also, if a WINS address is sent and the CPP rule drops all inbound traffic, but allows all outbound traffic, Start Before Logon works fine.
The first command ensures that the target is reachable, and the second determines whether fragmentation is an issue.
Workaround:
Step 1 Before opening the tunnel, bring down the MTU of the point-to-point interface to the MTU of the rest of the path to the concentrator (generally 1500). This would allow large packets to pass through, when using IPSec over UDP. No problems exist when using normal IPSec or cTcp.
Step 2 Set IP Compression to “LZS” in the VPN Group on the Concentrator.
• CSCdv67594 The following Microsoft Outlook error might occur when the VPN Client connects or disconnects. This occurs when Microsoft Outlook is installed but not configured. “Either there is no default mail client or the current mail client cannot fulfill the messaging request. Please run Microsoft Outlook and set it as the default mail client.”
• CSCdw73886 If an attempt to load the VPN Client is made before the Clients Service loads, the following error occurs: “The necessary VPN sub-system is not available. You will not be able to make a connection to the remote IPSec server.”
Workaround: Wait until the Service has loaded, then start the VPN Client.
• CSCdx04343 A customer had problems enrolling the Mac OS version of the VPN Client.
• CSCdx51632 If the computer is powered off or loses power during an MSI installation of the VPN Client, the VPN Client may not be registered in Control Panel, and the following may occur when attempting to reinstall:
– A message may appear stating: Deterministic Network Enhancer Add Plugin Failed Click the “OK” button.
– Error 1722. There is a problem with this Windows Installer package. A program as part of the setup did not finish as expected.
• CSCdx77292 Microsoft article Q234859 states that for the resiliency feature to work on Windows 4.0, IE 4.01 sp1 and shell32.dll version 4.72.3110.0 or greater must be installed on the computer.
• CSCdx78868 The Microsoft Installer (MSI) resiliency (self healing) feature does not restore all files that are installed with the VPN Client. The files that will be restored are files that are associated with the shortcuts under Start | Program Files | Cisco Systems VPN Client.
This is most likely to happen when Start Before Logon and Auto Initiate are being used on a Windows NT/2000/XP system.
Workaround: This is due to the fact that the VPN Client dialer is already running on the “logon desktop”. Most likely during Windows logon the dialer launched and posted an error, the Windows logon was completed and the error was never closed. To work around this error, do the following:
Step 1 Press CTRL+ALT+DEL to get to the logon desktop.
• CSCdy70168 A user with the VPN Client cannot establish an IPSec tunnel to a VPN Concentrator running over an Internet satellite connection. There are three observed results:
– User is never prompted for XAUTH username and password.
– After successfully authenticating, the user cannot transmit/receive any data.
– After successfully transmitting data for approximately 5 minutes, the VPN session is disconnected regardless of the user activity at the time of disconnect.
Step 3 Change to the Advanced Tab and uncheck the “Internet Connection Firewall” option.
• CSCdz56076 Some AOL applications might not be usable while a 4.0 VPN Client connection is active. These include the AOL integrated web browser and some internal links. Using external web browsers and other applications should work over the VPN. These issues were seen most recently using AOL version 7.0 and 8.0.
0.0.0.0 255.255.255.255 n.n.n.n n.n.n.n 1
Where n.n.n.n is the IP address assigned to the VPN.
Workaround: This is due to a misconfiguration on the VPN3000 at the central site. Make sure that the Group | Client Config settings for Split Tunneling Policy are correct. If the group is set to “Only tunnel networks in the list” and the Split Tunneling Network List is the predefined “VPN Client Local LAN” list, this problem will occur.
Caution: This procedure contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs.
Note: If you disable, then re-enable Start before Logon, this entry is added again and must be removed.
• CSCea16482 If the Digital Certificate you are using has expired, the Windows VPN Client GUI does not pop up with an error message indicating it has expired. The only indication you have is in the log file.
Step 5 When the PC boots back up, the client will launch normally.
• CSCea25682 The following Notification might occur if the Cisco Systems Integrated Client is required to make a connection: “The Client did not match the firewall configured on the central site VPN device. Cisco Systems Integrated Client should be enabled or installed on your computer.” When this occurs, the connection is not allowed. If this Notification appears, click Close and attempt to reconnect.
• CSCea62229 Using the 4.0 VPN Client with Entrust Entelligence certificates, the “Send CA Certificate Chain” option should be grayed out and unavailable, but it is not.
Workaround: Checking the “Send CA Certificate Chain” option when using Entrust Entelligence certificates makes the VPN Client connection fail to complete; leave this option unchecked.
• CSCea92185 The PKCS#10 thumbprint for the certificate request is missing on 4.x VPN Client, so it is impossible for the CA to verify the user's request by comparing the thumbprint.
Workaround: Downgrade to 3.6.X VPN Client.
• CSCea93535 Performance issues exist with H.323 and the 4.0 VPN Client virtual adapter. These performance issues could be related to MTU.
Workaround: To use this workaround, you need to be running VPN Client Release 4.0.3.C or later.
Workaround: Use Time Lifetime on the VPN 3000 Concentrator.
• CSCec18923 After the Cisco VPN Client is connected, the PC stops receiving the local multicast traffic. The “Allow Local LAN Access” check box is checked, and the multicast addresses are also included in the bypass list on the VPN 3000 Concentrator.
• CSCec20680 The ForceNetLogin feature might not work properly with Entrust Intelligence client version 6.1.
• CSCed11256 When installing a customized VPN Client InstallPath, a pop-up box appears during the installation with the following message: Usage: VAInstaller i r f Options: i - installs the Virtual Adapter r - removes the Virtual Adapter f - finds if the Virtual Adapter in installed
Workaround: If the installation path includes $BASEDIR\Program Files\, then the InstallPath works.
• CSCed26068 Using VPN Client, Release 4.0.3.
Caveats Resolved in Release 4.0.5.D
Release 4.0.5.D resolves the following issues:
• CSCed49306 If a user is member of at least 500 groups in the domain (Win2000), the VPN Client cannot open a connection. A message in the log says that the certificate could not be retrieved because the store is empty. The same user can connect without a problem if the number of groups he belongs to is less than 500.
Caveats Resolved in Release 4.0.5.C
Release 4.0.5.C resolves the following issues:
• CSCeb04745 Can't Install the Virtual Adapter after removing a VPN 5000 client. This happens because some of the VPN 5000 Registry keys are not removed by the Uninstall.
• CSCef84479 Client fails when Sygate firewall is installed and the system is not configured with correct DNS servers.
Caveats Resolved in Release 4.0.5.A
Release 4.0.5.A resolves the following issues:
• CSCdz58488 Cisco-proprietary NAT Transparency can be enabled in environments where NAT/PAT is not used, but perhaps a firewall allows UDP but not ESP packets. The standards-based implementation does not allow for this option, since it is autodetecting the need for NAT transparency based on whether or not the client is in a NAT/PAT environment.
• CSCef15043 When connecting from the VPN Client to the VPN 3000 Concentrator, with Cisco Pushed Policy enabled, the Firewall tab on the VPN Client is disabled and is therefore unusable.
• CSCef50703 The VPN Client cannot load a certificate that has an incorrect value for the CRL Distribution Point extension. Since this field is not used by the VPN Client, it should ignore this field.

Caveats Resolved in Release 4.0.5
Release 4.0.
Caveats Resolved in Release 4.0.4.D The client should allow users to just enter the CertName field in the profile. The VPN Client should not force the use of SubjectName, as it is long and hard to enter in the profile. The CertName field for the above subject name looks like: CertName=Test1 • CSCef17800 If you want the DNS suffix to be appended to the actual list, you will have to add AppendOriginalSuffix=1 in the vpnclient.ini file. Otherwise the existing DNS suffixes are overwritten by default.
With this change, ALL interface networks will be excluded so that the user will be able to access their home network over Ethernet while connected to the tunnel over PPP. Should they have two Ethernets, the same would apply. Prior to this change, the admin would have to push individual networks along with the wildcard to support home networks with more than one interface.
• CSCee66699 When trying to install the 4.0.4 version of the VPN Client on a Windows 2000 PC which was built with a ghost image, we get the error, "Error 28001 MS TCP/IP is not installed" and cannot install the VPN Client.
• CSCee84411 Split-tunneling does not work under certain circumstances for 4.0.4.C version of the VPN Client.

Caveats Resolved in Release 4.0.4.B
Release 4.0.4.
• CSCee30728 When the VPN Client Release 4.0.3.F is installed, uninstalled, and reinstalled, the VPN Client cannot establish a tunnel. The client logs have the message: Failed to initialize the ipsec driver! Returned 1
• CSCee50403 The Linux VPN Client 4.0.4.A will not install on the SuSe 9.1 OS.
• CSCee50587 Certificate import screens introduced in the 4.0 VPN Client that say that a password is optional may be confusing to some users.
Caveats Resolved in Release 4.0.4 The problem is, the client installs the stateful firewall on the machine. It trips over stateful firewall (if it is not started) even when customers don't have the stateful firewall turned on. As a fix, if the stateful firewall is not started by end-users, and if that is the only firewall installed on the system, the client will not display a dialog box. If stateful firewall is turned on, and if it is not started at SBL, the VPN Client still displays the dialog box.
• CSCed80758 The VPN Client stat repeat command produces the following error when the client disconnects: INTERNAL ERROR: INVALID REASON CODE This is only a message from the VPN Client stat command and does not indicate any problems with the VPN Client.

Caveats Resolved in Release 4.0.3.F
Release 4.0.3.F resolves the following issues:
• CSCea93535 There are MTU-related performance issues with H.323 and the VPN Client virtual adapter.
Caveats Resolved in Release 4.0.3.E
Release 4.0.3.E resolves the following issues:
• CSCea04848 The silent disconnect option of VPN Client for Windows does not suppress the message: “Do you wish to disconnect your Dialup Networking connection?” For VPN Client Release 4.0.2, the behavior is somewhat different. The sd flag suppresses the message, but the dialup connection remains in place. Disconnecting the connection requires user intervention when the VPN Client exits.
Caveats Resolved in Release 4.0.3.C • CSCeb41256 A VPN Client, version 4.0.1, can't initialize the virtual adapter while attempting an IPSEC connection after “undocking” from a docking station.
• CSCea65393 Using the 4.0 VPN Client with the virtual adapter (Windows 2000 or Windows XP) in a multiple NIC environment, the VPN Client might not pass data while connected. When the VPN Client PC has multiple network interfaces and the default gateway is on the non-VPN interface, the default gateway metric is not incremented. This might result in data that is bound for the VPN going to the non-VPN default gateway and being dropped.
Caveats Resolved in Release 4.0.3.B • CSCec78515 When a profile that uses a certificate is used to establish a connection to the central site, the VPN GUI verifies the certificate before establishing the connection. But because of this problem, it verifies the first certificate in the list, instead of the certificate associated with the profile. Generally users would not notice this because the verification of the certificate is successful.
Caveats Resolved in Release 4.0.3
• CSCec42345 Using Windows NT 4.0, SP 6, and Windows XP Home, the VPN Client's CLI cannot start a third-party dial-up program when a connection profile is configured to do so. The following error appears: “The third-party dial-up program could not be started.”
• CSCec59997 When attempting to connect with the Linux VPN Client, the VPN Client fails if the interface routing to the concentrator is down, because the client cannot bind to it.
Caveats Resolved in Release 4.0.2.E
– If not checked, Split-DNS functions normally, but after disconnecting from the internet, it never refers to the DNS of the Internet side.
• CSCeb47765 Name resolution can take up to 40 seconds when a tunnel has been established. This problem occurs only on WIN XP. This problem was not evident in 3.6.x VPN Client code.
• CSCeb67454 Symptom: With the VPN Client 4.x on Windows XP, using split tunneling and split DNS, the DNS lookup does not use DNS servers.
Caveats Resolved in Release 4.0.2.D
To activate “Start before Logon”, oem.ini and vpnclient.ini are present in the installation package. Once the machine is rebooted after the installation, the “Start before Logon” feature does not work.
• CSCeb12483 When making changes to the vpnclient.ini and preceding [CertEnrollment] parameters with an exclamation point (!) character, the fields are still editable after installation.
• CSCeb74792 The silent uninstall feature of the VPN client does not uninstall the Profiles and certificates folder from the Program Files folder: C:\Program Files\Cisco Systems\VPN Client
• CSCeb80558 If vpnclient.ini option “AppendOriginalSuffix” has a value of 1 or 2, the VPN Client should append the primary suffix of the machine at tunnel establishment.

Caveats Resolved in Release 4.0.2.C
Release 4.0.2.
• CSCeb21138 At VPN Client initialization, the version string is overlaid in text on top of the splash screen. There is no way to modify this string for OEM customization. It should be removed.

Caveats Resolved in Release 4.0.2.B
Release 4.0.2.B resolves the following issues:
• CSCeb19862 VPN Clients, version 4.0.
Caveats Resolved in Release 4.0.2.A
• CSCeb52019 DNS suffix search list gets replaced when CVPN Client 4.x is used for VPN tunnel establishment.
• CSCeb54855 Unable to autopopulate the CertSerialHash value in the .PCF file. The customer creates a customized profile and installs the certificate in the Personal store on the PC. When the end user uses the VPN Client for the first time, it does not populate the CERTSERIALHASH value under the .PCF file, which was working in earlier code.
Caveats Resolved in Release 4.0.2
Release 4.0.2 resolves the following issues:
• CSCdz32866 The Macintosh OS X version of VPN Client does not save the location & size of the external Log Window so it must be resized and moved every time you open it.
• CSCdz58821 Using the Linux version of the VPN Client over a SuSe native PPPoE connection, the VPN Client fails to connect. The Mandrake platform exhibits the same symptoms.
• CSCea65315 Rebranding the VPN Client Release 4.0 for Mac OS X is not currently possible. If you drop a png file into the Resources folder of the installer disk image, when you install the VPN Client, the png file is not copied into the /etc/CiscoSystemsVPNClient/Resources/ folder.
• CSCeb00549 The Linux VPN Client does not install on platforms with kernel versions of 2.5 or 2.6. These kernel versions are not yet supported with the 4.
Caveats Resolved in Release 4.0.1
• CSCeb35613 Cvpnd.exe (Cisco VPN Service) crashes when trying to establish a tunnel. If you run into this problem, the last entry in the logs should say:
Unable to forward xAuth request data to xAuth application. Error code
This generally occurs if a severe error is encountered while trying to XAuth. Specifically, this happens if we can't spawn a process to do XAuth.
• CSCea47454 Buttons in Certificates->Import/Export windows are truncated when using system Large Fonts (120dpi) setting.
• CSCea76011 IPSec over TCP and/or Split tunneling does not work on certain machines. This issue is the same as CSCdz51629 and CSCdy80016.
The level for this message should be changed and this file should probably be documented.

Caveats Resolved in Release 4.0
This section lists the caveats fixed since Release 3.6.3 (Windows) or Release 3.7.2 (Linux, Solaris, and Mac OS X). If you have an account on CCO you can check the status of any caveat by using Bug Navigator II. To reach Bug Navigator II on CCO, choose Software & Support: Online Technical Support: Software Bug Toolkit or navigate to http://www.cisco.
• CSCdx89940 A Restricted, Standard, or Limited user (Windows 2000) cannot install the VPN Client using the Windows Installer (MSI), even if elevated privileges are set for the user and the PC.
• CSCdy30098 While using the Solaris VPN Client and its pppd 4.0 driver over PPPoE, the VPN Client can make a connection, but not pass any traffic.
• CSCdz09585 If you select “Delete” from within the Certificate tab, you are prompted with the following message: “Are you sure you want to delete the certificate?” In that window, there is an 'X' in the upper right corner. Clicking the 'X' to close out the window instead of pressing one of the buttons deletes the digital certificate.
• CSCdz24962 In the Release 3.
In this case, the VPN Client is installed on a PC with Smartcard-based certificates or Entrust Entelligence-based certificates. The VPN Client attempts to enumerate the list of installed certificates, including ones that are Smartcard- or Entelligence-based and may prompt the user.
• CSCdz26449 On the Release 3.7 VPN Client Mac GUI, on a new installation of the VPN Client, the “Edit Settings” button launches the “Logging Options” window.
• CSCdz52058 If you attempt to Import a Connection Entry with the same name as one that already exists, you are asked if you would like to overwrite the existing entry. If you choose to overwrite the entry, an error appears and the entry is not overwritten.
• CSCdz56021 For Release 4.0, Beta release 1, the Cisco VPN Client does not coexist with the Nortel VPN client. When version 4.
• CSCdz83065 Uninstalling the VPN Client using the Microsoft Installer (MSI) does not detect that the VPN Client is connected and the uninstall completes. We highly recommend you disconnect and exit the VPN Client before uninstalling. This issue occurs only if VPNGUI.EXE is hidden; that is, it is configured under Options | Preferences to “Hide upon connect” and you have the Client connected, or have just disconnected and it is still in the systray.
This is most commonly seen in an environment where the VPN Client is behind a NAT device that is using a common private IP address range like 10.x.x.x.
• CSCea03326 The feature that was added in Release 3.6.2 called “Automatic logoff after VPN” does not currently work in v4.0. This feature replaced Start before Logon for some users. It allows a user to establish a VPN connection first, and then the user is automatically logged out and the VPN connection is maintained.
If you are a Cisco employee, you MUST first check to see if you have the Cisco IT 3.5(A) version of the VPN Client installed and manually uninstall it before installing the 4.0 VPN Client.
• CSCea05304 The 4.0 VPN Client feature, Delete-with-Reason, does not work in the Beta release 1 version.
• CSCea05360 The Virtual Adapter in the Release 4.0 VPN Client does not appear in the Cisco SetMTU utility.
• CSCea07430 The Release 4.
• CSCea13071 On the VPN Client for Mac, the Release 4.0 VPN Client banner is smaller than the 3.x VPN Client banner and may not display your entire banner; your users may have to use the scroll bar to see the entire message.
• CSCea13395 VPN Client connections using IPSec over TCP do not see the status bar update when the VPN Client attempts a connection to one of the configured backup servers. The user sees only the primary server when connecting.
• CSCea20120 Using Start before Logon, if you press ENTER to try to connect, depending on what TAB you left the VPN Client in last time, it either does nothing or shows a Cert View for one of your Certificates. You must click Connect to establish a VPN connection.
• CSCea22221 The VPN Client does not add the Loopback address (127.0.0.1) to ZoneAlarm or ZoneAlarm Pro's Trusted Zone.
• CSCea22491 The VPN Client for Mac, Release 4.
• CSCea35592 The VPN Client event log displays the following events on Windows 2000 and/or Windows XP systems:
76 14:14:51.082 03/04/03 Sev=Warning/2 CVPND/0xA3400011 Could not find (null) in IpHlpApi.DLL
These events will only appear on operating systems that use the Virtual Adapter (Windows 2000 and Windows XP).
• CSCea38204 When connecting the Release 4.0 Cisco VPN Client to an IOS VPN gateway, the VPN Client might initiate multiple IKE rekeys and then disconnect.
Documentation Updates
The following VPN Client documentation has been updated for Release 4.0. These documents contain information for all platforms on which the VPN Client runs:
• VPN Client Administrator Guide, Release 4.0
• VPN Client User Guide for Windows, Release 4.0
The most recent information specifically for the VPN Client for Linux, Solaris, and Mac OS X is in the following document, which was not updated for Release 4.
Obtaining Documentation
Removing a VPN Client Version Installed with MSI Installer
In VPN Client User Guide for Windows, Release 4.0, in the section “Removing a VPN Client Version Installed with MSI Installer,” (page 2-8 in the hard-copy edition), in Steps 4 and 5, remove Figures 2-8 and 2-9 and the text references to these figures. These dialog boxes do not appear when uninstalling the VPN Client using the MSI Installer.
Documentation Feedback
Ordering Documentation
You can find instructions for ordering documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool: http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.
Obtaining Technical Assistance
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL: http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at this URL: http://www.cisco.com/en/US/learning/index.