I'm a software developer contractor, and I've been given Cisco VPN access to a customer's network. It's a typical set up, using an RSA SecureID soft token, and I'm successfully able to connect through VPN Client (v 5.0.07.0440) when I run it within a VirtualBox instance (Win 7) on my development workstation.
However, when I run VPN Client directly on the development workstation's OS itself (also Win 7), it has been failing, and gives me Authentication Error 413. That error is normally attributed to bad credentials having been entered, and every troubleshooting reference I've found points to user error being the only possible cause.
Yet I'm certain that's not the issue here, as I can easily prove to myself when using the VPN Client on the VM and changing nothing else. I'm at a loss as to what that relevant difference is between the two environments. Any guidance would be appreciated.
Log from VPN Client follows. (I've redacted specific server & IP values and replaced them with {text}.)
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
1 15:54:10.121 01/24/14 Sev=Info/4 CM/0x63100002
Begin connection process
2 15:54:10.132 01/24/14 Sev=Info/4 CM/0x63100004
Establish secure connection
3 15:54:10.132 01/24/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "{server name}"
4 15:54:10.139 01/24/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with {IP}.
5 15:54:10.144 01/24/14 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 15:54:10.284 01/24/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 102h.
7 15:54:10.149 01/24/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to {IP}
8 15:54:10.155 01/24/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 15:54:10.155 01/24/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = {IP}
11 15:54:10.207 01/24/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from {IP}
12 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 15:54:10.207 01/24/14 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 15:54:10.212 01/24/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
18 15:54:10.212 01/24/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to {IP}
19 15:54:10.213 01/24/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
20 15:54:10.213 01/24/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = {port}, Remote Port = {port}
21 15:54:10.213 01/24/14 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
22 15:54:10.213 01/24/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
23 15:54:10.272 01/24/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = {IP}
24 15:54:10.273 01/24/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from {IP}
25 15:54:10.273 01/24/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
26 15:54:20.310 01/24/14 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
27 15:54:28.172 01/24/14 Sev=Info/4 CM/0x63100017
xAuth application returned
28 15:54:28.172 01/24/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to {IP}
29 15:54:30.396 01/24/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = {IP}
30 15:54:30.397 01/24/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from {IP}
31 15:54:30.397 01/24/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to {IP}
32 15:54:30.397 01/24/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie={cookie} R_Cookie={cookie}) reason = DEL_REASON_WE_FAILED_AUTH
33 15:54:30.398 01/24/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to {IP}
34 15:54:30.453 01/24/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = {IP}
35 15:54:30.454 01/24/14 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie={Cookie} R_Cookie={Cookie}
36 15:54:30.454 01/24/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from {IP}
37 15:54:30.965 01/24/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie={Cookie} R_Cookie={Cookie}) reason = DEL_REASON_WE_FAILED_AUTH
38 15:54:30.965 01/24/14 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "{server}" because of "DEL_REASON_WE_FAILED_AUTH"
39 15:54:30.965 01/24/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
40 15:54:30.979 01/24/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
41 15:54:30.979 01/24/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
42 15:54:30.987 01/24/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 15:54:30.987 01/24/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 15:54:30.987 01/24/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 15:54:30.987 01/24/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Best Answer
This may be a shot in the dark, but have you tried the DNE (Deterministic Network Enhancer) update from Citrix? I've had it magically fix issues with the legacy Cisco VPN client in the past. It's obviously not necessary on a fresh Win7 install. But if it's an older, cruftier install, that has possibly had multiple VPN clients installed in its lifetime mucking about with the network stack, it seems to tweak things and make them happy again. It's also one of the keys to making that legacy client work in Windows 8 and beyond. From the site:
If you want to try it, do the following: