Connected to VPN but unable to take remote desktop
I am a network security consultant supporting a client from offshore, and I was connecting to the client's network via the Checkpoint VPN client installed on my Windows XP machine.
Initially my client was using a Checkpoint firewall in their network with VPN access enabled for their remote users. I was connecting remotely via the Checkpoint VPN client and using the Windows Remote Desktop Protocol (RDP) to access the security servers (deployed on Windows 2003), HTTP access to applications, etc. After a few months they migrated from the Checkpoint firewall to a Cisco ASA firewall under the company's new standardization policy. The new Cisco ASA was configured and put into service and the Checkpoint firewall was retired. At the same time, the Cisco VPN client was installed on my machine and I imported the .pcf profile my client had given me to connect to their network.
After installing and configuring the Cisco VPN client, I tried to connect to my client's network. I got the login prompt, entered my credentials and connected successfully.

But I was unable to RDP to the servers, get HTTP access to the applications, etc. So we checked the access rights from our side and tested with ping, tracert, etc. Everything looked fine, but I still could not RDP or reach the applications over HTTP even though the VPN connection was successful.

We tried installing newer versions of the Cisco VPN client, but the problem persisted. That is when I noticed that the Checkpoint VPN client had never been uninstalled from my machine. So we uninstalled both the Checkpoint VPN client and the Cisco VPN client and then reinstalled the Cisco VPN client. I connected to the VPN and tried RDP again: it worked perfectly, and I was also able to reach my applications over HTTP.
Root Cause:
The Cisco VPN client shares files (vsdatant.sys, vsdata.dll and vsinit.dll in the Windows\system32 directory) with the Check Point client. The Cisco version of these files may not match the Checkpoint Integrity files, and the files are locked while the Integrity client is installed.
Solution:
To avoid this issue, install Cisco VPN client version 4.7 or above using the NOVSDATA option, which installs the Cisco VPN client without the shared Check Point DLLs. For further information see "Using MSI to Install the Windows VPN Client without Stateful Firewall" in the Cisco knowledgebase.
The recommended combination is Cisco VPN client 4.8 with Checkpoint clients 5.0 and above.
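As an added diagnostic (not code from the original post or from either vendor), this PowerShell snippet checks the shared files named in the Root Cause section and lists the VPN clients installed, so the conflict can be confirmed before anything is uninstalled. The vendor-name patterns in the registry filter are assumptions.

```powershell
# Added example (not from the original post). Reports the three files the
# Root Cause section names: whether each is present, which vendor built it,
# and whether something still holds it open, then lists installed Check Point
# and Cisco VPN client packages from the Uninstall registry key.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sharedFiles = 'vsdatant.sys', 'vsdata.dll', 'vsinit.dll'

foreach ($name in $sharedFiles) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) {
        Write-Output "$name : not present"
        continue
    }
    $info = (Get-Item $path).VersionInfo
    # An exclusive open fails with a sharing violation when another process
    # or service still has the file open.
    $inUse = $false
    try {
        $stream = [System.IO.File]::Open($path, 'Open', 'Read', 'None')
        $stream.Close()
    } catch {
        $inUse = $true
    }
    Write-Output ('{0} : vendor="{1}" version={2} inUse={3}' -f $name, $info.CompanyName, $info.FileVersion, $inUse)
}

# Installed packages: a Check Point entry alongside the Cisco client is the
# combination the post describes. (On 64-bit Windows also check the
# Wow6432Node branch of this key.) The name patterns are assumptions.
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -match 'Check ?Point|Integrity|Cisco Systems VPN Client' } |
    Select-Object DisplayName, DisplayVersion, Publisher
```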
-
2009-11-11 00:40:50 Arun Nair
Hi Bipin,
Thanks for posting your question.
Are you able to establish the VPN connection successfully? If not, first delete your existing VPN profiles (the .pcf files) and re-import them. If that does not work, check the error message that you are getting from the VPN client. Refer to this link for all the Cisco VPN client error messages: http://www.chicagotech.net/vpnissues/ciscoerror10.htm

Ping the host name that is shown under "Host" in the Cisco VPN client and see if you get a reply. It is not necessary that you will get a reply, because it depends on whether your client is allowing ICMP traffic or not. But 99.99% they will allow ICMP traffic for troubleshooting purposes. The reason I'm asking you to ping is to check whether your computer is resolving the correct IP address for the hostname to which the Cisco VPN client is connecting. So verify with your client whether the IP address that you get when you ping is correct. If not, run the command ipconfig /flushdns and make sure you do not have any entry for the VPN hostname in the "hosts" file in C:\windows\system32\drivers\etc. If you have any, delete it and save the file.

Now all the above steps are to be done if you are not able to establish a VPN connection at all. But if you are able to establish the VPN connection but not able to RDP to the computer, try what Karthik has mentioned above. Also make sure port TCP 3389 is added as an exception to the Windows firewall on the computer that you are trying to take RDP to. And check whether your client's firewall has an exception for port 3389.
Karthik,
Any more suggestions ???
Regards,
Arun Nair
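The checks in Arun's reply, scripted as an added PowerShell example (not part of the original thread): $VpnHost and $RdpTarget are placeholders to replace with the gateway name shown in the VPN client and the server you RDP to.

```powershell
# Added example (not from the original thread). Walks through Arun's checks:
# hosts-file override, DNS resolution of the VPN gateway name, ICMP reply,
# and a TCP connect to the RDP port of the target server.
$VpnHost   = 'vpn.example.invalid'   # placeholder: the "Host" shown in the Cisco VPN client
$RdpTarget = '192.0.2.10'            # placeholder: the server you RDP to over the tunnel
$RdpPort   = 3389

# 1. A stale hosts-file entry silently overrides DNS for the gateway name.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '(?i)\b' + [regex]::Escape($VpnHost) + '\b'
$override  = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if ($override) { Write-Output "hosts file overrides ${VpnHost}: $override (remove it, then run ipconfig /flushdns)" }
else           { Write-Output "no hosts-file override for $VpnHost" }

# 2. What the resolver returns; verify this IP with the client's network team.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($VpnHost) | ForEach-Object { $_.IPAddressToString }
    Write-Output "$VpnHost resolves to: $($addrs -join ', ')"
} catch {
    Write-Output "DNS lookup for $VpnHost failed: $($_.Exception.Message)"
}

# 3. ICMP to the gateway. A timeout is not conclusive; ICMP may be filtered.
try {
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($VpnHost, 2000)
    Write-Output "ping ${VpnHost}: $($reply.Status)"
} catch {
    Write-Output "ping ${VpnHost}: $($_.Exception.Message)"
}

# 4. With the tunnel up, a TCP connect to 3389 separates "port filtered"
#    (timeout) from "host reachable but RDP not listening" (refused).
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout (filtered or no route)' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "closed/error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
Write-Output "tcp ${RdpTarget}:${RdpPort} : $(Test-TcpPort $RdpTarget $RdpPort)"
```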
-
2009-11-11 13:06:10 Mohamed Ibrahim - I agree with Arun
The comment provided by Arun is correct.
First, I would like to know: is it a single-user issue or a multiple-user issue?
Actually, VPN connectivity is to connect from one network to another network. After getting into the other network we will not have access to any resources that belong to that network, so we will need special permission to access the resources of the network we connected to. So please check the ACL of the Cisco firewall to confirm you have access to the RDP and HTTP ports through the VPN.
Please provide the above info, then let me give further details.
Thanks
Mohamed Ibrahim
-
2009-11-11 14:44:03 Karthik Chandran
Hi Bipin,
Thanks for your question. Please confirm the scenarios mentioned by Arun Nair and Mohamed Ibrahim.
Case 1: Unable to establish a VPN connection at all?
Case 2: You are able to establish the VPN connection but unable to RDP to the remote computer.
Try to connect from a PC directly (outside the office) through the Internet, i.e., for example, install the Cisco VPN client on your PC at home, import the same .pcf file which you are using at the office, and try connecting to the remote machine.
After trying this if you are able to establish the VPN connection and able to connect to the remote machine, then the issue may be with the access provided to your machine's IP address in your office network.
Then check with the network administrator in your office whether access has been provided for your machine's IP address from your office network to reach the new IP address.
Because usually the network administrators at the office give the user machines access only to the specified IP addresses of the remote machines, depending on the project requirements. Initially you (the IP address of your PC at the office) had access to the remote machine, which had a different IP address. So you were connecting successfully, and now the remote machine is assigned a new IP address. So the necessary configuration is needed on your company's network, i.e., the administrator has to configure rules in the network device to allow the source IP address (the IP address of your machine) to connect to the destination IP address (the new IP address of the remote machine).
Hope this helps you.
-
2009-11-12 14:28:06 Bipin - @ Arun, Mohamed & Karthik
Thanks for all your support,
1. I am able to establish a VPN connection.
2. BUT, I am NOT able to establish an RDP session to the remote computer.
I have raised a request to add an exception for port 3389 on the remote machine. I have also requested the remote network's administrator to check the rules to allow my IP to access the machine.
Will keep you posted on the updates. Thanks a ton.
Bipin


I am currently facing a similar issue.
I had been connecting to a machine using RDP. I am having Cisco VPN client 4.0.5. The remote machine was a client machine.
Recently the clients moved to a new location and hence a new set of computers and network security. I am not aware of any details of the new configuration.
After the clients' office was shifted, I am not able to connect to the remote machine (using the new IP address). Since it was not a priority task, I did not follow up on why the problem occurred.
What do you think are the possible causes? I don't see any duplicate VPN clients on the machine. I can think of any firewall that might be blocking the access. Please share your thoughts on this.
Thanks,
Bipin