Cisco 303 error 403


Hello!

Although the Windows 8 Compatibility Center claims that Cisco VPN Client is fully compatible with the new operating system, I only got the client working through non-trivial steps, and, alas, the result covers many cases but not my own.

I hope the information will be useful all the same, and that the collective mind may help solve the problem completely.

So, the setup: a VPN built on Cisco equipment, and the need to connect to it from 64-bit Windows 8 Professional. First, install the latest available version, Cisco VPN Client 5.0.07.0440. Installation goes through without complications. Import your favourite .pcf with the connection settings and try to connect. From here on the problems start:

Problem one: the error "Reason 442: Failed to enable Virtual Adapter"

This problem is solved by correcting a value in the registry:

  1. Open the registry editor (type "regedit" in the search box and run the application that is found);
  2. Find the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA;
  3. Find the DisplayName value;
  4. Its data contains something like "oem4.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows". Change it so that only "Cisco Systems VPN Adapter for 64-bit Windows" remains.

No reboot is required after editing the registry. The virtual adapter is now found correctly, and if authentication uses a Shared Key (no client certificate required), the problems end here.

If authentication uses a certificate, we get the following:

Problem two: "Reason 403: Unable to contact security gateway"

It is assumed that the certificate (one that does not require a private key on a separate device such as an eToken) is, as usual, loaded into the user certificate store (User Storage). The client log then contains the following message: "Could not load certificate [certificate description] from store Microsoft User Certificate. Reason: store empty". In other words, although the certificate is present in the store, VPN Client does not see it.

Two ways of solving this problem were found:

  1. Move the certificate from the User Store to the Local Computer Store;
  2. Change the settings of the "Cisco Systems, Inc. VPN Service" service on the "Log On" tab so that the service runs under a user account (the same account you are logged in with and are trying to connect from).

On to the next level: now authentication uses a key on an eToken (Aladdin). The software supplied with the key (eToken PKI Client) automatically places the certificate stored on the token into the user certificate store when the USB token is plugged into the machine (which is exactly why I solved problem two with the second method). Trying to connect to the VPN in this configuration produces the following error:

Problem three (unsolved): "Reason 401: An unrecognized error occured while establishing the VPN connection"

The client log shows the message "Failed to generate signature: signature generation failed" and other, even less informative, wording. Here, unfortunately, is a dead end: the log messages shed no light on the nature of the problem, and it is not clear in which direction to dig further.

I hope I am not alone with this question and that someone turns out to be smarter and luckier.

UPD: As an alternative for connecting, you can use Shrew Soft VPN Client, which has no problems running on Windows 8 (an article about installing and configuring this program has already appeared on Habr). The program has one drawback: it cannot work with certificates from the Windows certificate stores (certificates have to be loaded from a file when the connection is configured), so it is also unsuitable for the case of a key on an eToken.

Try these solutions:

Top 10 VPN technology problems / solutions

Users report that the client terminates when attempting to establish a connection

In this situation, users will see an error message similar to "VPN Connection terminated locally by the Client. Reason 403: Unable to contact the security gateway." This error can have several causes:

  1. The user may have entered an incorrect group password.
  2. The user may not have typed the correct name or IP address for the remote VPN endpoint.
  3. The user may have other problems with their Internet connection.

For some reason, the IKE negotiation failed. Check the client logs, enabled by going to Log | Enable, and try to find errors mentioning a failed hash verification in order to narrow the problem down further.

Please try the following to enable logging and get more information:

Cisco VPN error 403

If client logging does not work, try the following: download Wireshark and run a trace (reboot the computer so that it starts clean) while you try to connect via VPN, to see which packet is dropped and by whom. Then update your question with the logs.

Good luck.

Is there anyone here who is using Cisco VPN client on Windows 8?

I am wondering whether anyone has been able to resolve the error 403 "Unable to contact the security gateway".

I have found solutions like the one on this blog, importing the certificate to the computer store instead of the user store, but it seems that they are not applicable when using a smart card. I have found on some forums that this works only if you import the private key of the certificate into the computer store (which I cannot do in this case).

Is anybody using a smart card and IPsec dial-up to Cisco on Windows 8?

asked Nov 29, 2012 at 17:28


Cisco VPN Client does not officially support Windows 8 and has many issues. We were able to ask the TOC about this issue. IPsec to L2TP or straight IPsec connections are supported, but Cisco VPN Client will not run on Windows 8. In fact, the client will not be supported by Cisco come 2014, as they feel their SSL protocol is much more secure. The workaround to install Cisco VPN Client is to edit the registry:

  1. Open Registry Editor by typing regedit in the Run prompt

  2. Browse to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
    Select the DisplayName to modify, and remove the leading characters from the value data up to "%;":

    • For x86, change the gobbledygook data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter" to "Cisco Systems VPN Adapter"

    • For x64, change the value data from something like "@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows" to "Cisco Systems VPN Adapter for 64-bit Windows"

  3. Try connecting again

Instead, you can use the native Windows 8 VPN client. Be sure IPsec to L2TP is enabled on your ASA. Just open the Network and Sharing Center, click Set up a new connection or network, click Connect to a workplace and complete the wizard.

If a third-party client is better for you, Shrew is the preferred app and has far fewer issues. It even imports the Cisco VPN profile file (.pcf). (http://www.shrew.net/download/vpn/vpn-client-2.2.0-rc-2.exe).

answered Feb 5, 2013 at 22:18
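
The DisplayName registry edit described in both the article and the answer above, scripted in PowerShell as an added example (not code from either post). It assumes an elevated prompt; the helper name Get-CleanDisplayName and the backup file name are hypothetical, and the prefix pattern is inferred from the sample values quoted on the page.

```powershell
# Added example: scripted form of the "Reason 442" DisplayName fix.
# Run from an elevated PowerShell prompt (HKLM is not writable otherwise).

$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CVirtA'   # key named on the page
$keyPath = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA"

# Prefix as quoted on the page: "oem4.inf,%CVirtA_Desc%;" or "@oem8.inf,%CVirtA_Desc%;".
# Only this known prefix is stripped; any other value is left untouched.
$prefixPattern = '^@?oem\d+\.inf,%CVirtA_Desc%;\s*'

function Get-CleanDisplayName {          # hypothetical helper name
    param([string]$Value)
    return ($Value -replace $prefixPattern, '')
}

# Constructed self-check using the sample values quoted in the two posts.
$samples = @(
    'oem4.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows',
    '@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter'
)
foreach ($s in $samples) {
    if ((Get-CleanDisplayName -Value $s) -notmatch '^Cisco Systems VPN Adapter') {
        throw "Prefix pattern did not clean sample value: $s"
    }
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning 'CVirtA service key not found; Cisco VPN Client does not appear to be installed.'
    return
}

$current = (Get-ItemProperty -LiteralPath $keyPath -Name DisplayName).DisplayName
$clean   = Get-CleanDisplayName -Value $current

if ($clean -eq $current) {
    # Either already fixed or in a form the page does not describe: change nothing.
    Write-Output "DisplayName left unchanged: '$current'"
    return
}

# Export the key first so the edit can be reverted with "reg import".
$backup = Join-Path $env:TEMP 'CVirtA-backup.reg'             # hypothetical file name
reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; DisplayName not modified." }

Set-ItemProperty -LiteralPath $keyPath -Name DisplayName -Value $clean
Write-Output "DisplayName changed from '$current' to '$clean' (backup: $backup)"
```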



Connection management plays a crucial role in HTTP, as it greatly affects the performance of websites and web applications. In HTTP/1.x, various models are employed, including short-lived connections, persistent connections, and HTTP pipelining.

HTTP predominantly utilizes TCP as its transport protocol to establish a connection between the client and server. Initially, HTTP employed a singular approach to manage these connections, which were brief in duration. Each time a request was sent, a new connection would be established and subsequently closed upon receiving the response.

The performance of this basic model was inherently limited due to the resource-intensive nature of opening TCP connections. The client and server need to exchange multiple messages, leading to decreased performance influenced by network latency and bandwidth when sending requests. This earlier model has proven to be inefficient for serving the substantial amount of information required by modern web pages, which often necessitate a dozen or more requests.

In HTTP/1.1, two newer models were introduced. The persistent-connection model maintains open connections between requests, which decreases the time required to establish new connections. On the other hand, the HTTP pipelining model takes it a step further by sending multiple consecutive requests without waiting for responses, thereby reducing network latency significantly.

[Figure: comparison of the performance of the three HTTP/1.x connection models: short-lived connections, persistent connections, and HTTP pipelining.]

Please be aware that HTTP/2 introduces supplementary frameworks for managing connections.

It is crucial to understand that the management of connections in HTTP is specific to the connection between two consecutive nodes. This connection is considered hop-by-hop rather than end-to-end. It is worth noting that the model used for connections between a client and its first proxy may differ from the model used between a proxy and the destination server, or any intermediate proxies. The HTTP headers that define the connection model, such as Connection and Keep-Alive, are considered hop-by-hop headers, and their values can be modified by intermediary nodes.

Another topic of interest is the idea of upgrading an HTTP/1.1 connection to a different protocol, like TLS/1.0, WebSocket, or even HTTP/2 in plain text. Additional information about this protocol upgrade mechanism can be found in separate documentation.

Short-lived connections

The initial version of HTTP, which is also the default version in HTTP/1.0, operates with brief connections. Each HTTP request is processed on a separate connection, resulting in a TCP handshake occurring before each request, and these handshakes occur one after another.

The TCP handshake is a time-consuming process, but once established, a TCP connection becomes more efficient with sustained or warm connections. However, short-lived connections do not benefit from this efficiency and their performance degrades as they persistently transmit over new, cold connections.

This model serves as the default for HTTP/1.0, in cases where either the Connection header is absent or its value is set to close. For HTTP/1.1, this model is exclusively utilized when the Connection header is provided with a value of close.

Please keep in mind that unless you are dealing with an outdated system that does not support a persistent connection, there is no valid justification for utilizing this model.

Persistent connections

Short-term connections encounter two primary challenges: the significant time required to establish a new connection and the fact that the performance of the underlying TCP connection improves only after it has been in use for a while (referred to as a warm connection). To address these issues, the idea of a persistent connection, also known as a keep-alive connection, was introduced, predating HTTP/1.1.

A persistent connection is an open connection that can be utilized for multiple requests, eliminating the necessity of a new TCP handshake and making use of TCP’s performance enhancements. However, these connections are not indefinite and idle connections will be closed after a certain period of time. A server may specify a minimum duration for which the connection should remain open using the Keep-Alive header.

Although persistent connections offer advantages, they also have disadvantages. They consume server resources even when idling, and during periods of high traffic, they can be susceptible to DoS attacks. In these scenarios, opting for non-persistent connections that are closed as soon as they become idle can enhance performance.

By default, HTTP/1.0 connections do not persist. Changing the value of Connection to a value other than close, typically retry-after, will enable persistence.

Persistence is the default in HTTP/1.1, rendering the header unnecessary. However, it is frequently included as a precautionary measure to handle situations where a fallback to HTTP/1.0 is necessary.

HTTP pipelining

Please be aware that modern browsers do not have HTTP pipelining activated as a default setting.

  • Buggy proxies remain prevalent, causing unpredictable and unusual behaviors that pose a challenge for Web developers to anticipate and troubleshoot.
  • The correct implementation of pipelining is challenging due to factors such as the size of the resource being transferred, the effective RTT, and the effective bandwidth. These variables directly affect the extent to which the pipeline enhances performance. Without knowledge of these factors, significant messages might be delayed behind less important ones. Furthermore, the importance of messages can even change during page layout. As a result, HTTP pipelining typically offers only a slight improvement in most scenarios.
  • The HOL problem applies to pipelining.

Due to its superior algorithm, HTTP/2 utilizes multiplexing instead of pipelining.

By default, HTTP requests are issued in a sequential manner, meaning that the next request is not sent until the server has received the response to the current request. However, due to network latencies and bandwidth limitations, this can cause a considerable delay before the server actually receives the next request.

Pipelining involves sending consecutive requests on a persistent connection, bypassing the need to wait for each response. This helps reduce latency in the connection. In theory, performance could also be enhanced by combining two HTTP requests into a single TCP message. The MSS (Maximum Segment Size) is usually large enough to accommodate multiple simple requests, despite the increasing size demands of HTTP requests.

Pipelining is only applicable to certain types of HTTP requests known as idempotent methods, which include GET, HEAD, PUT, and DELETE. In the event of a failure, the pipeline content can be safely replayed.

In today’s context, it is expected that all proxies and servers adhering to HTTP/1.1 should have pipelining support. However, due to practical limitations, many of them have restrictions, which is why modern browsers do not enable this feature by default.

Domain sharding

Please be aware that unless you have a particular immediate requirement, it is recommended to avoid using this deprecated technique. Instead, consider switching to HTTP/2 which can effectively handle parallel unprioritized requests without the need for domain sharding. In fact, domain sharding can actually negatively impact performance. Most HTTP/2 implementations utilize connection coalescing to undo any domain sharding that may have been implemented.

In order to optimize an HTTP/1.x connection, it is necessary to have sufficient bandwidth available as requests are serialized. To address this issue, browsers now open multiple connections to each domain, allowing for parallel requests. While the default number of connections was previously 2 to 3, it has become more common to use 6 parallel connections. However, it is important to note that exceeding this number may trigger DoS protection on the server side.

To achieve a faster response for their website or application, the server can increase the number of connections. Instead of having all resources on a single domain like www.example.com, they can distribute them across multiple domains such as www1.example.com, www2.example.com, and www3.example.com. Each of these domains points to the same server, and the web browser will establish 6 connections to each domain, resulting in a total of 18 connections. This technique is known as domain sharding.

Conclusion

Enhanced connection management greatly enhances performance in HTTP. Utilizing a persistent connection, either with HTTP/1.1 or HTTP/1.0, can result in optimal performance as long as it remains active. Nonetheless, the drawbacks of pipelining have prompted the development of more advanced connection management schemes, which have been integrated into HTTP/2.
