ICS Firewall & Cisco VPN Client (TCP or UDP Transport)

If you are not a techie, then you are about to hear the trombone “teacher” voice from the old Peanuts cartoons. I hope this information is helpful. My IT team spent quite a bit of time tracking this one down. So here is information on what we were doing, the problem we had, and the answer to the problem.

What we were doing:

A wireless deployment (plain and simple). We use IBM ThinkPads, and we needed to push out some client software updates to complete the project. A custom Perl script was written that updated the machines to the latest wireless drivers, installed the latest version of IBM Access Connections, and then pushed down an Access Connections profile for the wireless network.

The problem:

The script worked well after a minimal amount of tweaking. I then started to notice problems with my Cisco VPN connectivity after the script had run. The behavior was failed connection attempts to the gateway (and even to the backup gateway): you would never get prompted to log in. At first we thought it might be the NIC driver uninstall and reinstall playing havoc with the VPN bindings. That was eventually ruled out. We eventually discovered that if you set the transport mechanism to UDP (instead of TCP) the connection would work.

So after lots of digging we came upon the Windows Internet Connection Sharing (ICS) firewall. Even if ICS itself was not being used, just having the ICS firewall on would block the Cisco VPN client from making a TCP connection.

The Answer:

The reason this popped up right now was because I, as an administrator, was getting an updated VPN profile pushed to me during the login script. The updated profile was moving me from UDP to TCP. That is why it appeared that the problem was post wireless script execution. There are several solutions or options if you are having this problem:

1. Leave the ICS firewall on and only use the Cisco VPN client via UDP transport.
2. Disable the ICS firewall and use the Cisco VPN client via UDP or TCP transport.
3. Update your Cisco VPN client to a newer version. The version I was using when I had the problem was 4.0.3d. By updating to the latest version (4.8.0 at the time this is being written), the problem went away. The latest client allows you to keep ICS firewall on and connect via TCP or UDP.
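As an added example (not part of the original post), here is a small Python check that reads a Cisco VPN Client profile and applies the findings above: a TCP-transport profile on a client older than 4.8.0 with the ICS firewall on is the combination that fails. The profile text is a constructed sample, and the INI-style layout with a `TunnelingMode` key (0 = UDP, 1 = TCP) is an assumption about the .pcf profile format rather than something the post documents.

```python
import configparser
import re

# Constructed sample profile in an INI layout; the TunnelingMode key and
# its meaning (0 = IPSec over UDP, 1 = IPSec over TCP) are assumptions.
SAMPLE_PCF = """[main]
Description=Corporate gateway (constructed sample)
Host=vpn.example.invalid
AuthType=1
GroupName=employees
TunnelingMode=1
TcpTunnelingPort=10000
"""

# The post reports that 4.8.0 connects over TCP with the ICS firewall on,
# while 4.0.3d did not.
FIXED_VERSION = (4, 8, 0)


def parse_version(text):
    """Turn a client version string such as '4.0.3d' into a comparable tuple."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums[:3])


def profile_transport(pcf_text):
    """Return 'tcp' or 'udp' according to the profile's TunnelingMode."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pcf_text)
    mode = cp.get("main", "TunnelingMode", fallback="0").strip()
    return "tcp" if mode == "1" else "udp"


def assess(pcf_text, client_version, ics_firewall_on):
    """Predict whether this profile/client/firewall combination will connect.

    Returns (verdict, transport) where verdict is 'ok' or 'blocked'.
    """
    transport = profile_transport(pcf_text)
    # UDP transport works regardless, and so does any client with ICS off.
    if transport == "udp" or not ics_firewall_on:
        return ("ok", transport)
    # TCP with the ICS firewall on only works on the newer client.
    if parse_version(client_version) >= FIXED_VERSION:
        return ("ok", transport)
    return ("blocked", transport)


if __name__ == "__main__":
    print(assess(SAMPLE_PCF, "4.0.3d", ics_firewall_on=True))
```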

Summary

This is what makes IT fun: searching for a needle in a haystack. Well, our team found this needle. Now it is your turn. We all learn from each other, and my biggest irritation is finding an Internet posting of a problem without a resolution. If you take the time to ask the question, be kind enough to share the solution. And if you have a tough situation like this one, by all means document it for the next person.
