I have AVG anti-virus installed (with internet firewall) and I'm trying to get the Cisco VPN client to work.
Does anyone know, step-by-step, what I need to configure in the firewall to get it through? I checked "Allow for all" + "Save as rule" when it first prompted, but it still can't connect. There are a bunch more advanced rules that I can tinker with, down to protocols and devices and applications etc...
Pretty certain it's the firewall that is the problem, this used to work.
Yeah, Pirate is right. Disable the firewall and see if it works. Make sure you don't have any others running that you don't know of (**cough**windowsfirewall**cough**)
I'm actually tracking down an issue that started on the 17th of this month (or very early on the 18th) that impacts IPSEC VPN systems. I'd be curious whether the Cisco client is having similar issues. Not that I expect you to know what I'm talking about, but basically the IKE authentication data is fragmenting when it shouldn't be and lots of stuff on the interwebs doesn't play nice with fragmented UDP packets.
I've got a whole bunch of people impacted by this and have literally found nothing that points to a cause yet. Even the MS patches pushed down that day don't seem to be related, and do nothing when removed.
It's not something that I use everyday, so I couldn't tell you precisely when it stopped working. Sometime within the past two months is when I first noticed it. Probably not going to help you very much.
basically the IKE authentication data is fragmenting
Buh-WHAAAAaaaaaa....???
Weird. Like, the data is arriving in multiple packets (TCP fragmented)? Or the data isn't arriving fully (fragments of data)?
My thought exactly.
Spoiler for anyone that doesn't feel like reading.
Essentially if using a larger authentication type (namely certificates):
Computer --> VPN server initiates Phase 1
VPN --> Computer accepts Phase 1
VPN --> Computer initiates Phase 2
Computer --> VPN accepts Phase 2 and moves to authenticate.
Then nothing. We receive no packets, partial or otherwise destined to the VPN system at all. Something along the path is eating the UDP packets. This is obnoxiously common with fragmented UDP sadly.
Sometimes it is the local router/firewall/modem dropping the packets, sometimes it is an entire network and they can verify the phase 2 information leaving their perimeter devices.
Using a smaller payload for auth (Like an RSA SecurID token), works fine, since it's tiny.
Running a test for fragmentation identifies that the PC -- VPN fragmentation threshold is typically around 1450, and our certificates (including all overhead) fit well within that, since we went through that particular issue when we first moved to them several years ago.
TLDR:
Fragmentation should not be happening, it is anyways, and something prior to our perimeter devices is dropping it, started on the 17th/18th and impacts a fair number of people all around the country.
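As an added illustration (not code from anyone in this thread) of why the certificate-sized authentication message dies while the SecurID-sized one gets through: the script models IPv4 fragmentation of the IKE UDP datagram against the ~1450-byte threshold quoted above, plus an assumed middlebox that only forwards packets it can read a UDP port from. Header sizes are the protocol constants; the sample payload sizes are constructed.

```python
"""Model IPv4 fragmentation of an IKE (ISAKMP over UDP) datagram.

Added illustration, not code from anyone in this thread. The ~1450-byte
threshold and the certificate-vs-SecurID contrast come from the thread;
header sizes are protocol constants (IPv4 20, UDP 8, ISAKMP 28). The
port-only filter is an assumed middlebox behaviour.
"""

IPV4_HDR, UDP_HDR, ISAKMP_HDR = 20, 8, 28


def max_unfragmented_payload(mtu: int = 1450) -> int:
    """Largest IKE payload (after the ISAKMP header) that fits one packet."""
    return mtu - IPV4_HDR - UDP_HDR - ISAKMP_HDR


def fragment(ike_payload_len: int, mtu: int = 1450) -> list:
    """Return the IPv4 fragments carrying an ISAKMP header plus
    ike_payload_len bytes over a path with the given MTU. Each entry
    records the offset (in 8-byte units, as on the wire), its data length,
    the more-fragments flag, and whether it holds the UDP header."""
    data_len = UDP_HDR + ISAKMP_HDR + ike_payload_len    # IP payload size
    if data_len <= mtu - IPV4_HDR:                       # fits: no fragmentation
        return [{"offset": 0, "len": data_len, "more": False, "has_udp": True}]
    per_frag = (mtu - IPV4_HDR) // 8 * 8                 # all but last are 8-aligned
    frags, offset = [], 0
    while offset < data_len:
        size = min(per_frag, data_len - offset)
        frags.append({"offset": offset // 8, "len": size,
                      "more": offset + size < data_len,
                      "has_udp": offset == 0})           # ports only in first fragment
        offset += size
    return frags


def survives_port_filter(ike_payload_len: int, mtu: int = 1450) -> bool:
    """Model a stateless middlebox that forwards only packets whose UDP ports
    it can read: non-first fragments have no UDP header, so they are dropped
    and the VPN server can never reassemble the authentication message."""
    return all(f["has_udp"] for f in fragment(ike_payload_len, mtu))


if __name__ == "__main__":
    # constructed sizes: a small token-based auth payload vs. a certificate payload
    for label, size in (("SecurID token auth", 120), ("certificate auth", 3000)):
        frags = fragment(size)
        print(f"{label}: {len(frags)} fragment(s), "
              f"reaches VPN server = {survives_port_filter(size)}")
```

Anything over max_unfragmented_payload() bytes splits into fragments of which only the first carries UDP ports, which is exactly the traffic a port-based filter silently discards.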
Try it with avg totally disabled and you'll know for sure. I'd do that first.
Have you enabled logging? What do the logs say?
So it's not the avg firewall (or any other).
Thanks guys
When did it stop working?