
Release Notes for VPN Client,  
Release 4.0 through Release 4.0.5.D  
CCO Date: December 6, 2004  
Part Number OL-5450-10  
Note  
You can find the most current documentation for the VPN Client at  
http://www.cisco.com or http://cco.cisco.com. These electronic documents may  
contain updates and changes made after the hard copy documents were printed.  
These release notes support VPN Client software Release 4.0 through  
Release 4.0.5.D. These release notes describe new features, limitations and  
restrictions, caveats, and related documentation. Please read the release notes  
interoperability considerations and other issues you should be aware of when  
Contents  
Introduction  
System Requirements  
Documentation Feedback  
Obtaining Technical Assistance  
Obtaining Additional Publications and Information  
Corporate Headquarters:  
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA  
Copyright © 2004 Cisco Systems, Inc. All rights reserved.  
Introduction  
The VPN Client is an application that runs on a Microsoft Windows-based PC,  
a Sun UltraSPARC workstation, a Linux desktop, or a Macintosh (Mac) personal  
computer that meets the system requirements stated in the next section. In this  
document, the term “PC” applies generically to all these computers, unless  
specified otherwise.  
The VPN Client on a remote PC, communicating with a Cisco VPN device at an  
enterprise or service provider, creates a secure connection over the Internet that  
lets you access a private network as if you were an on-site user. This secure  
connection is a Virtual Private Network (VPN).  
System Requirements  
Refer to Chapter 2, “Installing the VPN Client,” in the VPN Client User Guide for  
Windows, Release 4.0 or Cisco VPN Client User Guide for Mac OS X, as  
appropriate for your platform, for a complete list of system requirements and  
installation instructions.  
To install the VPN Client on any system, you need  
CD-ROM drive (if you are installing from CD-ROM)  
Administrator privileges  
The following table indicates the system requirements to install the VPN  
Client on each of the supported platforms.  
Computer: Computer with a Pentium-class processor or greater  
Operating System:  
  Microsoft Windows 98 or Windows 98 (second edition)  
  Windows ME  
  Windows NT 4.0 (with Service Pack 6, or higher)  
  Windows 2000  
  Windows XP  
Requirements:  
  Microsoft TCP/IP installed. (Confirm via Start > Settings > Control Panel > Network > Protocols or Configuration.)  
  50 MB hard disk space.  
  RAM:  
    32 MB for Windows 98  
    64 MB for Windows NT and Windows ME  
    64 MB for Windows 2000 (128 MB recommended)  
    128 MB for Windows XP (256 MB recommended)  

Computer: Computer with an Intel x86 processor  
Operating System:  
  RedHat Version 6.2 or later Linux (Intel), or compatible libraries with glibc Version 2.1.1-6 or later, using kernel Versions 2.2.12 or later  
  Note: The VPN Client does not support SMP (multiprocessor) kernels.  
Requirements:  
  32 MB RAM  
  50 MB hard disk space  

Computer: Sun UltraSPARC computer  
Operating System:  
  32-bit or 64-bit Solaris kernel OS Version 2.6 or later  
Requirements:  
  32 MB RAM  
  50 MB hard disk space  

Computer: Macintosh computer  
Operating System:  
  Mac OS X, Version 10.2.0 or later  
Requirements:  
  50 MB hard disk space  

The VPN Client supports the following Cisco VPN devices:  
Cisco VPN 3000 Concentrator Series, Version 3.0 and later.  
Cisco PIX Firewall, Version 6.2.2(122) or Version 6.3(1).  
Cisco IOS Routers, Version 12.2(8)T and later  
If you are using Internet Explorer, use version 5.0, Service Pack 2 or higher.  
Installation Notes  
Because of platform differences, the installation instructions for Windows and  
non-Windows platforms also differ.  
Refer to the VPN Client User Guide for Windows, Release 4.0, Chapter 2, for  
complete installation instructions for Windows users.  
Refer to the Cisco VPN Client User Guide for Mac OS X, Chapter 2, for  
complete installation information for those platforms.  
The following notes are important for users who are upgrading to Windows XP  
and users who want to downgrade to an earlier version of the VPN Client  
software.  
Installing Release 4.0.3  
Release 4.0.3 on Windows operating systems is localized for Canadian French  
and Japanese, as well as English. The following sections describe how to install  
this version on a Windows system.  
Overriding the MSI Installation Language.  
To perform this action you must already have Windows Installer Version 2.0  
installed. You can determine which version you have by executing msiexec.exe  
without parameters. If the version is lower than 2.0, execute instmsiw.exe, which  
updates the software to the correct version.  
Note  
You must run the following commands from the command line, and the current  
directory must be the install source.  
The default installation is in English. To specify a language other than English,  
enter the following command, all on the same line:  
msiexec /i vpnclient_setup.msi TRANSFORMS=vpnclient_<language>.mst;vpnclient_help_<language>.mst  
The supported language codes are:  
fc (Canadian French)  
jp (Japanese)  
To force an English only language install, enter the following command:  
msiexec /i vpnclient_setup.msi  
To force a Canadian French language installation, enter the following command,  
all on the same line:  
msiexec /i vpnclient_setup.msi TRANSFORMS=vpnclient_fc.mst;vpnclient_help_fc.mst  
To force a Japanese language installation, enter the following command, all on the  
same line:  
msiexec /i vpnclient_setup.msi TRANSFORMS=vpnclient_jp.mst;vpnclient_help_jp.mst  
Overriding IS Installation Language:  
The install image must contain a vpnclient.ini file with the following two lines:  
[main]  
ClientLanguage=<language code>  
The supported language codes are  
fc (Canadian French)  
jp (Japanese)  
Non-localized Features  
The following parts of the VPN Client are not localized:  
VPN Client GUI Splash Screen  
Copyright statements  
Log Messages  
Any text pushed down from the VPN 3000 Concentrator. This includes the  
banner and the user authentication request text message (which most often  
appears as “Enter User Name and Password”).  
InstallShield text. We are localizing only the MSI install text.  
The company name, “Cisco Systems”, and product name, “VPN Client”.  
Installation Notes - Windows Platforms  
In addition to the installation considerations for Release 4.0.3, Release 4.0.x  
includes the following installation considerations for Windows users:  
Installing the VPN Client Software Using InstallShield  
Installing the VPN Client software on Windows NT, Windows 2000, or Windows  
XP with InstallShield requires Administrator privileges. If you do not have  
Administrator privileges, you must have someone who has Administrator  
privileges install the product for you.  
Note  
The VPN Client Installer does not allow installations from a network drive  
(CSCeb43490).  
Installing the VPN Client Software Using the MSI Installer  
If you are using the MSI installer, you must have Windows NT-based products  
such as Windows NT 4.0 (with SP6), Windows 2000, or Windows XP. Installing  
with MSI also requires Administrator privileges.  
Note  
Windows Installer 2.0 must be installed on a Windows NT or Windows 2000 PC  
before configuring the PC for a Restricted User with Elevated Privileges  
(CSCea37900).  
VPN Client Installation Using Windows Installer (MSI) Requires Windows NT SP6  
When you attempt to install the VPN Client using MSI install (vpnclient_en.exe)  
on NT SP3, SP4, or SP5, the error messages do not indicate that the VPN Client  
cannot be installed on those operating systems because they are unsupported.  
Once the errors occur, no other messages are displayed and the installation is  
aborted.  
When you attempt to run vpnclient_en.exe on Windows NT SP3, SP4, or SP5 you  
see the following messages:  
“Cannot find the file instmsiw.exe (or one of its components). Make sure the path  
and filename are correct and that all the required libraries are available.”  
-then-  
“Cannot find the file MSIEXEC (or one of its components). Make sure the path  
and filename are correct and that all the required libraries are available.”  
The Windows Installer (MSI) can be installed only on NT SP6, so the error  
messages you see using earlier service packs are due to an MSI incompatibility  
(CSCdy05049).  
Installation Notes - Solaris Platforms  
The following sections describe actions you must take when installing the VPN  
Client on a Solaris platform.  
Uninstall an Older VPN Client If Present on a Solaris Platform  
If you have a previous version of the VPN Client running under Solaris, you must  
uninstall the older VPN Client before installing a new VPN Client. You are not  
required to uninstall an old VPN Client, if one is present, before installing a new  
VPN Client for Linux or Mac OS X.  
Refer to the Cisco VPN Client User Guide for Linux, Solaris, and Mac OS X,  
Chapter 2, for complete uninstallation information.  
Disable the ipfilter Firewall Kernel Module Before Installing the VPN Client on a  
Solaris Platform  
If you have an IP firewall installed on your workstation, the reboot after  
installation of the VPN Client takes an inordinate amount of time. This is caused  
by a conflict between the vpnclient kernel module cipsec and the ipfilter firewall  
module. To work around this issue, disable the ipfilter firewall kernel module  
before you install the VPN Client (CSCdw27781).  
Using the VPN Client  
To use the VPN Client, you need:  
Direct network connection (cable or DSL modem and network  
adapter/interface card), or  
Internal or external modem, and  
To connect using a digital certificate for authentication, you need a digital  
certificate signed by one of the following Certificate Authorities (CAs)  
installed on your PC:  
Baltimore Technologies (www.baltimoretechnologies.com)  
Entrust Technologies (www.entrust.com)  
Netscape (www.netscape.com)  
Verisign, Inc. (www.verisign.com)  
Microsoft Certificate Services — Windows 2000  
A digital certificate stored on a smart card. The VPN Client supports  
smart cards via the MS CAPI Interface.  
New Features in Release 4.0.5  
Release 4.0.5 of the VPN Client software includes the following new features.  
Mutual Group Authentication  
Note  
This feature addresses a VPN Client group password vulnerability identified in  
the following Security Notice: http://www.cisco.com/en/US/tech/tk583/tk372/  
technologies_security_notice09186a0080215981.html (CSCed41329).  
Group Authentication is a method that uses pre-shared keys for mutual  
authentication. In this method, the VPN Client and the VPN central-site device  
use a group name and password to validate the connection. This is a symmetrical  
form of authentication since both sides use the same authentication method during  
their negotiations.  
Mutual group authentication is asymmetrical in that each side uses a different  
method to authenticate the other while establishing a secure tunnel to form the  
basis for group authentication. In this method, authentication happens in two  
stages. During the first stage, the VPN central-site device authenticates itself  
using public-key techniques (digital signature) and the two sides negotiate to  
establish a secure channel for communication. During the second stage, the actual  
authentication of the VPN Client user by the central-site VPN device takes place.  
Since this approach does not use pre-shared keys for peer authentication, it  
provides greater security than group authentication alone, as it is not vulnerable  
to a man-in-the-middle attack.  
To use mutual group authentication, the remote user’s VPN Client system must  
have a root certificate installed. If needed, you can install a root certificate  
automatically by placing it on the VPN Client system during installation. The  
certificate must be in a file named rootcert, with no extension, and must be placed  
in the installation directory for the remote user’s VPN Client system.  
For more information on mutual group authentication, see the VPN Client  
Administrator Guide, Chapter 1.  
You must configure both the VPN Client and the VPN Concentrator to allow  
mutual group authentication (Hybrid mode). Ensure that the Certificate Authority  
being used on both the VPN Client and the VPN Concentrator is the same.  
Configure the VPN Concentrator in a similar fashion to the use of User  
Certificates.  
1. Select an IKE Proposal that allows HYBRID mode authentication such  
as those listed in Table 8-3 of the VPN Client Administrator's Guide.  
HYBRID-AES256-SHA-RSA for example.  
2. Configure an IPSec SA to use the appropriate Identity Certificate to be  
authenticated with the CA certificate of the VPN Client. If certificates  
have not yet been obtained for the VPN Concentrator, please refer to the  
VPN 3000 Series Concentrator Reference Volume I: Configuration  
Release 4.1.  
3. Configure a VPN Group to use the new IPSec SA from step 2. The VPN  
Clients under test for Mutual Group Authentication will be connecting to  
this group.  
New Features in Release 4.0  
Release 4.0 of the VPN Client software includes the following new features.  
Virtual Adapter  
A virtual adapter is a software-only driver that acts as a valid interface in the  
system. Its purpose is to solve protocol incompatibility problems. The virtual  
adapter appears in the network properties list just like a physical adapter.  
Note  
When installing the Release 4.0 VPN Client on a Windows 2000 system, the  
following warning appears during the virtual adapter installation, indicating that  
no digital signature was found and asking whether to continue the installation:  
The Microsoft digital signature affirms that software has been tested  
with Windows and that the software has not been altered since it was  
tested.  
The software you are about to install does not have a Microsoft digital  
signature. Therefore, there is no guarantee that this software works  
correctly with Windows.  
Cisco Systems VPN Adapter  
If you want to search for Microsoft digitally signed software, visit  
the Windows Update Web site at http://windowsupdate.microsoft.com to  
see if one is available.  
Do you want to continue the installation?  
If you see this message, click “Yes” to continue (CSCdz14583).  
Common Graphical Interface for Windows and Mac VPN Clients  
In Release 4.0, the VPN Client provides a consistent graphical user interface  
across all supported Windows operating systems and Mac OS X, recognizing that  
the Windows and Mac operating systems follow different conventions, and that  
the Windows version has additional features. The VPN Client documentation is  
based on this new user interface.  
Alerts (Delete With Reason)  
In Release 4.0, the VPN Client can display to the user the reason for a VPN 3000  
Concentrator-initiated disconnection. If the VPN 3000 Concentrator, Release 4.0,  
disconnects the VPN Client and tears down the tunnel, the VPN Client, Release  
4.0, displays a popup window showing the reason for the disconnect and also logs  
a message to the Notifications log and the IPSec log file. For IPSec deletes that  
do not tear down the connection, the event message appears only in the log file.  
The administrator on the VPN 3000 Concentrator can enable or disable this  
feature, called Alerts in the VPN Concentrator configuration. It is not  
configurable on the VPN Client. When this feature is enabled, the VPN 3000  
Concentrator and the VPN Client negotiate whether to display these messages.  
See the Cisco VPN Client User Guide, Release 4.0, for a description of the  
conditions that can cause such disconnects.  
Single IPSec-SA  
Rather than creating a host-to-network security association (SA) pair for each  
split-tunneling network, this feature provides a host-to-ALL approach, creating  
one tunnel for all appropriate network traffic apart from whether split-tunneling  
is in use. With this feature, the VPN Client supports a single SA per VPN  
connection and directs all the appropriate traffic through this tunnel, regardless of  
whether split tunneling is in use. The Statistics page on the VPN Client reflects  
the traffic for this single SA.  
Personal Firewall Enhancements  
In Release 4.0, the VPN Client supports Sygate Personal Firewall and Sygate  
Personal Firewall Pro, Version 5.0, Build 1175 and higher. Other supported  
features new with this release include:  
The ability to enable or disable stateful firewalls from the command line.  
Configurable ICMP permissions.  
Coexistence with Third-Party VPN Vendors  
In Release 4.0, the VPN Client is compatible with VPN clients from Microsoft,  
Nortel, Checkpoint, Intel, and others. This feature offers the ability to use other  
VPN products while the Cisco VPN Client is installed.  
Improved RADIUS SDI XAuth Request Handling  
The VPN Client, Release 4.0, includes improvements in RADIUS SDI XAuth  
handling, which may improve performance. Administrators can configure this  
feature in the .pcf file and the .ini file. For information, see VPN Client  
Administrator Guide, Release 4.0, Chapter 2.  
New, ISO-Standard Format for Log File Names  
The format of the names of log files generated by the VPN Client GUI has  
changed to LOG-yyyy-MM-dd-hh-mm-ss.txt from MMM-d-yyyy-hh-mm-ss.log.  
This new format complies with the ISO 8601 extended specification for  
representations of dates and times and avoids issues with localization.  
The new log file names have a chronological order that is the same as their  
alphanumeric order. This provides for a method of enumerating only the log files  
generated by the GUI.  
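
The following Python sketch is an added example, not part of the original release notes or of Cisco's software. It enumerates only the Release 4.0 GUI log names, shows that a plain string sort orders them chronologically, and converts older names so mixed archives can be sorted together. It assumes English month abbreviations in the old format and a 24-hour "hh" field; the directory listing is constructed.

```python
import re
from datetime import datetime

# Release 4.0 GUI log name: LOG-yyyy-MM-dd-hh-mm-ss.txt
NEW_NAME = re.compile(r"LOG-(\d{4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})\.txt")
# Earlier name: MMM-d-yyyy-hh-mm-ss.log (day of month is not zero-padded)
OLD_NAME = re.compile(r"([A-Za-z]{3})-(\d{1,2})-(\d{4})-(\d{2})-(\d{2})-(\d{2})\.log")
# Assumption: English month abbreviations; localized month names stay unparsed.
MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_log_name(name):
    """Return (timestamp, "new" | "old") for a GUI log file name, else None."""
    try:
        m = NEW_NAME.fullmatch(name)
        if m:
            return datetime(*(int(g) for g in m.groups())), "new"
        m = OLD_NAME.fullmatch(name)
        if m and m.group(1).title() in MONTHS:
            mon, day, year, hh, mm, ss = m.groups()
            return datetime(int(year), MONTHS[mon.title()], int(day),
                            int(hh), int(mm), int(ss)), "old"
    except ValueError:
        # Pattern matched but the fields are not a real date or time.
        return None
    return None


def gui_logs(names):
    """New-format GUI logs only; the string sort is already chronological."""
    return sorted(n for n in names
                  if (p := parse_log_name(n)) and p[1] == "new")


def timeline(names):
    """Every recognised log, old or new format, ordered by parsed timestamp."""
    stamped = [(parse_log_name(n), n) for n in names]
    stamped = sorted((p[0], n) for p, n in stamped if p)
    return [n for _, n in stamped]


def to_new_name(name):
    """Rename an old-format log to the Release 4.0 pattern."""
    parsed = parse_log_name(name)
    if parsed is None:
        raise ValueError(f"not a recognised VPN Client log name: {name!r}")
    return parsed[0].strftime("LOG-%Y-%m-%d-%H-%M-%S.txt")


# Constructed directory listing (not taken from a real system).
SAMPLE_LISTING = [
    "LOG-2004-12-06-09-15-00.txt",
    "LOG-2004-02-01-23-59-59.txt",
    "Dec-6-2003-10-00-00.log",
    "Feb-10-2004-08-30-00.log",
    "Jan-5-2004-08-30-00.log",
    "vpnclient.ini",                        # not a log
    "LOG-2004-13-01-00-00-00.txt",          # month 13: rejected
    "notes-LOG-2004-12-06-09-15-00.txt",    # prefix: not GUI-generated
]

if __name__ == "__main__":
    print("GUI logs (string sort):", gui_logs(SAMPLE_LISTING))
    old = [n for n in SAMPLE_LISTING if n.endswith(".log")]
    print("Old names, string sort:", sorted(old))
    print("Old names, by time:    ", timeline(old))
    print("Merged timeline:       ", timeline(SAMPLE_LISTING))
```
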
Enhancements to GINA  
Release 4.0.2 includes an improved application launch verification mechanism  
employed by the Graphical Identification and Authentication (GINA)  
dynamic-link library (DLL). This affects only the Windows NT4, Windows 2000,  
and Windows XP platforms (CSCeb12179).  
Usage Notes  
This section lists issues to consider before installing Release 4.0.x of the VPN  
Client software.  
In addition, you should be aware of the open caveats regarding this release. Refer  
to “Open Caveats” on page 37 of these Release Notes for the list of known  
problems.  
Potential Application Compatibility Issues  
You might encounter the following compatibility issues when using the VPN  
Client with specific applications. Whenever possible, this list describes the  
circumstances under which an issue might occur and workarounds for potential  
problems.  
Windows Interoperability Issues  
The following known issues might occur with the indicated Microsoft Windows  
operating systems and applications software.  
WINS Support  
On Windows 95 and Windows 98, dynamic WINS support works with  
DHCP-enabled adapters (for example, PPP or NIC adapters that get their IP  
information dynamically). For static configurations, users must manually  
configure the adapters with WINS information.  
Windows NT  
Users running Windows NT 4.0 with Service Pack 4 require a hot fix from  
Microsoft for proper operation. This fix is available on the Microsoft  
http://support.microsoft.com/support/kb/articles/Q217/0/01.ASP.  
Importing a Microsoft Certificate Using Windows NT SP3  
The following problem has occurred on some Windows NT SP3 systems  
(CSCdt11315).  
When using the Client with digital certificates stored in the Microsoft certificate  
store, the Client may fail to connect. This is accompanied by the following Client  
event in the Log Viewer:  
4101 13:41:48.557 01/05/01 Sev=Warning/2 CERT/0xA3600002  
Could not load certificate (null) from the store.  
Workaround: Two workarounds exist. Choose one of the following:  
Import the certificate from the Microsoft certificate store into the Cisco  
certificate store using the Cisco Certificate Manager. Refer to “Importing a  
Certificate” in the VPN Client User Guide for Windows, Release 4.0,  
Chapter 6.  
Alternatively, upgrade to a Windows Service Pack later than SP3.  
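
To find this symptom across collected client logs, the Python sketch below (an added example, not part of the original release notes or of Cisco's tooling) parses event records shaped like the Log Viewer entry quoted above and reports certificate-store load failures. The field layout is inferred from that single entry and the date is assumed to be MM/DD/YY; the two EXAMPLE events in the sample are constructed filler.

```python
import re
from datetime import datetime

# Header layout inferred from the one event quoted in the release notes:
#   <seq> <hh:mm:ss.mmm> <date> Sev=<name>/<level> <module>/<0xEVENTID>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev>\w+)/(?P<level>\d+)\s+"
    r"(?P<module>\w+)/(?P<event_id>0x[0-9A-Fa-f]{8})$")
CERT_LOAD = re.compile(
    r"Could not load certificate (?P<name>.+?) from the store")


def parse_events(text):
    """Group each header line with the message line(s) that follow it."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {
                "seq": int(m["seq"]),
                # Assumption: the date field is MM/DD/YY.
                "when": datetime.strptime(
                    f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f"),
                "sev": m["sev"],
                "level": int(m["level"]),
                "module": m["module"],
                "event_id": int(m["event_id"], 16),
                "message": "",
            }
            events.append(current)
        elif current is not None and line:
            # Continuation line: append to the current event's message.
            current["message"] = f"{current['message']} {line}".strip()
    return events


def cert_store_failures(events):
    """Return CERT events reporting a certificate that could not be loaded."""
    hits = []
    for event in events:
        m = CERT_LOAD.search(event["message"])
        if event["module"] == "CERT" and m:
            hits.append({**event, "certificate": m.group("name")})
    return hits


# The CERT event is the one quoted in the release notes; the EXAMPLE events
# are constructed filler and do not correspond to real VPN Client events.
SAMPLE_LOG = """\
4100 13:41:48.501 01/05/01 Sev=Info/4 EXAMPLE/0x00000001
Constructed filler event, not a real VPN Client message.
4101 13:41:48.557 01/05/01 Sev=Warning/2 CERT/0xA3600002
Could not load certificate (null) from the store.
4102 13:41:48.610 01/05/01 Sev=Info/4 EXAMPLE/0x00000002
Constructed filler event that wraps
onto a second line.
"""

if __name__ == "__main__":
    for hit in cert_store_failures(parse_events(SAMPLE_LOG)):
        print(f"{hit['when'].isoformat()} event {hit['seq']} "
              f"{hit['module']}/0x{hit['event_id']:08X}: "
              f"certificate {hit['certificate']} failed to load")
```
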
VPN Client Cannot Launch Microsoft Connection Manager  
The VPN Client does not see a dialup connection made with Microsoft  
Connection Manager because of incompatibilities between the requirements of  
the two applications (CSCdx85663).  
Windows 98 Might Hang on Shutdown  
On some Windows 98 PCs with the VPN Client installed, if you restart the PC, it  
may stop responding (that is, “hang”) on the screen that says “Windows is  
shutting down”.  
Wait a minute. If the PC is still not responding, press the reset button. When the  
PC reboots, it should not run through ScanDisk, indicating the shutdown was  
successful in closing all open files. This problem may occur on some PCs and not  
on others, and we are looking for a solution. Windows 98 shutdown has numerous  
issues, as can be seen in the following Microsoft Knowledge Base Article:  
“Q238096 - How to Troubleshoot Windows 98 Second Edition Shutdown  
Problems” (CSCdt00729).  
Windows 2000 (only) Requires Adding Client for MS Networks for Dialup Connections  
For the Cisco VPN Client running on a Windows 2000 system, you cannot access  
Microsoft resources unless you add the Client for Microsoft Networks for the  
Dial-up adapter.  
Aladdin Runtime Environment (RTE) Issue with Windows NT and Windows 2000  
Using versions of the Aladdin Runtime Environment (RTE) on Windows NT and  
Windows 2000 can cause the following behavior. The login prompt that is posted  
by the Aladdin etoken when connecting the VPN Client can get hidden in the  
background. If this happens, the VPN connection can time out and fail with the  
following event:  
“System Error: Connection Manager failed to respond.”  
A side effect of this is that the VPN Client’s service and dialer might become out  
of synch, and the PC might need to be restarted (CSCdv47999). To avoid this  
issue, use the Aladdin Runtime Environment (RTE) version 2.65 or later.  
Microsoft MSN Installation  
Microsoft’s MSN installation fails if you have already installed the VPN Client.  
Uninstall the VPN Client before you install MSN. After MSN has completed  
installation, you can install the VPN Client.  
WINS Information Might Not Be Removed from Windows Servers If Not Disconnected Before Shutdown  
If the VPN Concentrator is configured to send WINS server addresses down to the  
VPN Client and the PC is shut down or restarted without first disconnecting the  
VPN Client, the WINS servers are not removed from the network properties. This  
might cause local PC registration and name resolution problems while not  
connected with VPN.  
To work around this problem, do one of the following:  
Be sure to disconnect the VPN Client before shutting down. If you are having  
problems, check your network properties and remove the WINS entries if  
they are not correct for your network.  
Alternatively, enable “Disconnect VPN connection when logging off”. Go to  
Options > Windows Logon Properties, check Disconnect VPN connection  
when logging off (CSCdv65165).  
VPN Client May Falsely Trigger Auto Initiation Connection Event Even Though the NIC Card Has Been Removed  
The 4.0 VPN Client with Auto Initiation enabled on a Windows NT system may  
exhibit the following behavior. After removing a NIC card, the VPN Client may  
continue to trigger an Auto Initiation connection event even though the NIC card has  
been removed. To stop its connection attempts, you can place the VPN Client in  
Suspended mode after a failed or canceled VPN connection. You can also disable  
this feature from the GUI by using Options > Automatic VPN Initiation, and  
unchecking “Enable”. If you add a new NIC, the problem goes away  
(CSCdx46812).  
DNS  
For DNS resolution, if the DOMAIN NAME is not configured on the network  
interface, you need to enter the fully qualified domain name of the host that needs  
to be resolved.  
Network Interfaces  
The VPN Client does not support Point-to-Point Protocol over ATM  
(PPPoA).  
The VPN Client cannot establish tunnels over Token Ring. However, it does  
not conflict with an installed Token Ring interface.  
DELL Docking Station users running the VPN Client on Windows NT may  
experience bluescreen failures if the latest version of Softex Docking  
Services has not been installed. The Softex Docking Service utilities are  
available directly from the DELL Support Web site,  
http://search.dell.com/index.asp. Select the checkbox for the File Library and  
search for the term “Softex Docking Services”.  
Network ICE BlackICE Defender Configuration  
Network ICE's BlackICE Defender is a traffic monitoring security product. If you  
properly configure it, BlackICE Defender can work with the VPN Client. You  
must configure BlackICE Defender for Trusting, Nervous, or Cautious mode. If  
you use Nervous or Cautious mode, add the public IP address of the VPN  
Concentrator to the list of trusted addresses. You can now configure the VPN  
Client to work with BlackICE Defender configured for Paranoid mode when in  
Tunnel-everything mode. Split Tunneling requires BlackICE to be in Trusting,  
Nervous, or Cautious mode.  
The Cisco VPN Client firewall has the following requirements for BlackICE  
(BlackICE Defender 2.5 or greater or BlackICE Agent 2.5 or greater). For  
BlackICE Defender 2.5, copy the BICTRL.DLL file from the Cisco installation  
release medium to the BlackICE installation directory on the VPN Client PC. This  
is a mandatory step for making a connection requiring BlackICE.  
BlackICE Defender version 2.9 and greater includes the BICTRL.DLL file in the  
Network ICE distribution medium, so that you do not need to copy it from the  
Cisco installation release medium.  
Microsoft Outlook Error Occurs on Connection or Disconnect  
The following Microsoft Outlook error might occur when the VPN Client  
connects or disconnects:  
“Either there is no default mail client, or the current mail client cannot fulfill the  
messaging request. Run Microsoft Outlook and set it as the default mail client.”  
This message does not affect operation of the VPN Client. The issue occurs when  
Microsoft Outlook is installed but not configured for email, although it is the  
default mail client. It is caused by a Registry Key that is set when the user installs  
Outlook.  
To eliminate this message, do one of the following:  
Right-click the Outlook icon, go to Properties, and configure it to use  
Microsoft Exchange or Internet Mail as the default mail client.  
Use Internet Explorer to configure the system to have no default mail client.  
Configure Outlook as the default mail client (CSCdv67594).  
Adjusting the Maximum Transmission Unit (MTU) Value - Windows Only  
VPN Encapsulation adds to the overall message length. To avoid refragmentation  
of packets, the VPN Client must reduce the MTU settings. The default MTU  
adjusted value is 1300 for all adapters. If the default adjustments are not  
sufficient, you may experience problems sending and receiving data. To avoid  
fragmented packets, you can change the MTU size, usually to a lower value than  
the default. To change the MTU size, use the VPN Client SetMTU utility. If you  
are using PPPoE, you may also have to set the MTU in other locations. Refer to  
the following table for the specific procedures for each type of connection.  
The MTU is the largest number of bytes a frame can carry, not counting the  
frame's header and trailer. A frame is a single unit of transportation on the Data  
Link Layer. It consists of header data, plus data that was passed down from the  
Network Layer, plus (sometimes) trailer data. An Ethernet frame has an MTU of  
1500 bytes, but the actual size of the frame can be up to 1526 bytes (22-byte  
header, 4-byte CRC trailer).  
Recognizing a Potential MTU Problem  
If you can connect with the Cisco VPN Client but cannot send or receive data, this  
is likely an MTU problem. Common failure indications include the following:  
You can receive data, such as mail, but not send it.  
You can send small messages (about 10 lines), but larger ones time out.  
You cannot send attachments in email.  
Setting the MTU Value  
If you are not experiencing a problem, do not change the MTU value. Usually, an  
MTU value of 1300 works. If it doesn’t, the end user must decrease the value until  
the Cisco VPN Client passes data. Decrement the MaxFrameSize value by 50 or  
100 until it works.  
The following table shows how to set the MTU value for each type of connection.  
Connection Type: Physical Adapters  
Procedure: Use the SetMTU utility supplied with the Cisco VPN Client.  

Connection Type: Dial-up  
Procedure: Use the SetMTU utility supplied with the Cisco VPN Client.  

Connection Type: PPPoE - All Vendors  
Procedure:  
Windows XP only  
Use SetMTU  

Connection Type: PPPoE - EnterNet  
Procedure:  
Windows 98  
On the main desktop, right click on My Network Places and go to Properties. The  
Network window opens.  
Double-click the Network TeleSystems PPPoE Adapter.  
On the Network TeleSystems window, click the Advanced tab, and then click  
MaxFrameSize. Change the value here. The value varies from case to case. The  
range can be from 1200 to 1400.  
Windows 2000  
On the main desktop, right-click My Network Places and go to Properties. The  
Network and Dial-Up Connections window opens.  
Right-click and go to Properties on each connection until you find the connection  
that has the NTS EnterNet PPPoE Adapter.  
Once you find the correct connection, click Configure on the right side of the  
window.  
On the next window, click the Advanced tab, then click MaxFrameSize. Change the  
value here. The value varies from case to case. The range can be from 1200 to 1400.  

Connection Type: PPPoE - WinPoet  
Procedure:  
Windows 98: WinPoet does not provide user control over the PPPoE MTU under  
Windows 98.  
Windows 2000  
WinPoet does not provide a user interface to control the MTU size, but you can control  
it by explicitly setting the following registry key:  
HKLM/system/currentcontrolset/control/class/<guid>/<adapternumber>  
adapter(000x):  
Value: MaxFrameSize  
Value type: DWORD  
Data: 1300 (or less)  
The GUID and adapter number can vary on different systems. Browse through the  
registry, looking for the MaxFrameSize value (CSCdu80463).  
Caution  
Edit the registry only if you are comfortable doing so. Incorrect registry  
entries can make your PC unstable or unusable.  

Connection Type: PPPoE - RasPPPoE  
Procedure:  
Windows 98  
On the main desktop, right-click My Network Places and go to Properties. The  
Network window opens.  
Find the PPP over Ethernet Protocol that is bound to the Network card that is in  
your PC, then double click on it.  
In the General Tab check Override Maximum Transfer Unit. Change the value here.  
The value varies from case to case. The range can be from 1200 to 1400.  
Windows 2000  
On the main desktop, right-click My Network Places and go to properties. The  
Network and Dial-Up Connections window opens.  
Right-click the connection the PPPoE Protocol was installed to, and go to  
properties.  
When the window opens, double-click PPP over Ethernet Protocol.  
In the General Tab, check Override Maximum Transfer Unit. Change the value  
here. The value varies from case to case. The range can be from 1200 to 1400.  
Asante FR3004 Cable/DSL Routers Require Asante Firmware Version 2.15 or Later  
Versions of the Asante firmware caused a problem with rekeying and keepalives  
when a VPN Client had an all-or-nothing connection to a VPN Concentrator  
through an Asante FR3004 Cable/DSL router. Version 2.15 (or later) of the  
Asante firmware resolves these issues. For more information about Asante  
cable/DSL routers, see the following Web sites:  
Using Nexland Cable/DSL Routers for Multiple Client Connections  
All Nexland Pro routers support passing multiple IPSec sessions through to Cisco  
VPN 3000 Series Concentrators. To enable this function, the Nexland user must  
select IPSec Type 2SPI-C on the Nexland options page.  
The discontinued Nexland ISB2LAN product correctly handles a single  
connection, but problems can occur when attempting to make multiple client  
connections to the same Secure Gateway from behind an ISB2LAN Nexland  
Cable/DSL router. Nexland has fixed this problem in the Nexland Pro series of  
routers (CSCdt10266).  
Cert DN Matching Cannot Match on Email Field EA  
You cannot match on the Cert DN field (EA) when using the Peer Cert DN  
Verification feature because the VPN Concentrator does not assign a value to that  
field (CSCdx25994).  
VPN Dialer Application Can Load During OS Shutdown or Restart  
When using the VPN Client’s Start Before Logon feature (Windows NT, Windows  
2000, or Windows XP) in “fallback” mode, the VPN dialer application loads  
during a shutdown or restart of the operating system. This will not cause any  
problems and can be ignored (CSCdu02071).  
America Online (AOL) Interoperability Issues  
AOL Versions 5.0 and 6.0  
The VPN Client supports AOL Version 5.0. AOL Version 6.0 is also supported,  
with one limitation: when connected, browsing in the network neighborhood is  
not available.  
AOL Version 7.0  
AOL Version 7.0 uses a proprietary heartbeat polling of connected clients. This  
requires the use of split tunneling to support the polling mechanism. Without split  
tunneling, AOL disconnects after a period of time between 5 and 30 minutes.  
AOL 7 Disconnects after VPN Authentication  
When making a dialup connection with AOL 7.0 Revision 4114.537 (for Windows  
95, 98, ME, Windows 2000 and XP), then attempting to connect with the VPN  
Client, AOL might disconnect while the user is being authenticated. This is an  
AOL issue, not a VPN Client problem (CSCdy45351).  
VPN Client Fails to Connect over Some AOL Dialup Connections  
The Cisco VPN Client connecting over an AOL dialup connection fails to  
complete the connection, particularly when using AOL 7.0 and 8.0.  
The AOL dialup process uses a fallback method which, if your initial attempt to  
connect fails, resorts to a different connection type for the second attempt. This  
second attempt can sometimes cause AOL to communicate over two PPP adapters  
(visible in ipconfig /all output). When this happens, the VPN Client cannot  
connect. This is a known issue, and AOL is investigating the problem.  
The workaround is to reconnect the dialup connection to try to avoid getting  
two PPP adapters (CSCea29056).  
Browser Interoperability Issues  
The following known issues might occur when using the VPN Client with the  
indicated browser software.  
Issues Loading Digital Certificate from Microsoft Certificate Store on Windows NT SP5 and on IE 4.0 SP2  
The following error occurs in the VPN Client log when using a Digital Certificate  
from the Microsoft Certificate Store. This can occur on Windows NT 4.0 with  
Service Pack 5 and on Internet Explorer 4.0 with SP2 and using the VPN Client  
v3.1 or v3.5:  
“Could not load certificate cn=Joe  
Smith,ou=Engineering,o=MyCompany,l=Buffalo, st=new  
york,c=US,[email protected] from the Unsupported Store store”  
Both the VPN Client and the Certificate Manager can see and validate the  
Certificate, but when you try to connect using that Certificate, you get a message  
in the Connection History dialog that says, “Failed to establish a secure  
connection to the security gateway”.  
To fix this problem, do one of the following:  
Upgrade to Internet Explorer v5.0 or greater.  
Upgrade the PC to Service Pack 6.0a (CSCdv70215).  
Requirements for using VPN Client for Windows Using Digital Certificate With Non-exportable Keys  
To use certificates with non-exportable keys, you must have the VPN Client,  
Release 3.6 or 4.0, and your PC must have Internet Explorer version 5.0 SP2  
or later installed to function properly (CSCdx90228).  
Entrust Entelligence Issues  
The following known issues might occur when using Entrust Entelligence  
software with the VPN Client.  
Potential Connection Delay  
Using the VPN Client with Entrust Entelligence might result in a delay of  
approximately 30 seconds if you are trying to connect while Entrust is “online”  
with the CA. This delay varies, depending on your Entrust CA configuration. If  
the Entrust CA is on the private network, then the chances of Entrust being online  
are low, since the VPN connection is needed to communicate with the CA.  
If you experience this delay, do one of the following:  
Wait for the delay to end and proceed with the VPN connection normally.  
Before initiating the VPN Client connection, log out of Entrust. The VPN  
Client will initiate the Entrust Login Interface with the “work offline”  
checkbox checked, which alleviates the problem. The easiest way to log out  
of Entrust is to right-click on the Entrust tray icon (gold key) and select “Log  
out of Entrust” (CSCdu25495).  
Entrust System Tray Icon Might Erroneously Indicate Logout  
When using VPN Client with Start Before Logon (Windows NT and 2000) and  
Entrust Entelligence, the Entrust system tray icon indicates that it is “logged out”  
once in Windows. It is really logged in, just not in the normal Windows desktop.  
The reason for this is that the context that Entrust was logged into was on the  
“Logon desktop”. This is an Entrust issue, not a VPN Client problem.  
Entrust operates normally once logged into within Windows (CSCdu29239).  
Entrust Client May Appear Offline  
After establishing a VPN connection with Entrust Entelligence certificates, the  
Entrust client may appear offline. It may appear this way even after the Entrust  
client has successfully communicated with the Entrust i500 directory.  
To work around this issue, do one of the following:  
Upgrade to Entrust Entelligence version 5.1 SP3 or later.  
Once connected, right click on the Entrust tray icon (gold key) and uncheck  
“Work Offline”. This manually puts Entrust online (CSCdu33638).  
Use Entrust Entelligence 4.0 with VPN Client Release 3.5.1 or 3.1 Start Before Logon  
When using the Release 3.5.1 or 3.1 VPN Client with the Entrust Entelligence 4.0  
software, the Start Before Logon feature does not function properly. Upgrading to  
Entrust Entelligence 5.1 resolves this problem (CSCdu61926).  
Some Entrust Dialogs Do Not Display Properly When Using VPN Client Start Before Logon  
When using the VPN Client with Start Before Logon and Entrust Entelligence,  
some Entrust dialogs do not display properly on the logon desktop that displays  
before going into Windows NT or Windows 2000. The first time the VPN Client  
dialer and service access the Entrust certificates, it prompts for a security check.  
This prompt displays in Windows, but not at the logon screen.  
To work around this problem, connect the VPN Client once, while in Windows  
and after installing, to register the VPN applications (ipsecdialer.exe and  
cvpnd.exe) with Entrust. Once you have done this you can use it at the logon  
desktop (CSCdu62212).  
Renewing Entrust Entelligence Certificate (Key Update) Requires Entrust Version 5.1 SP 3 or Later  
Entrust Entelligence certificate renewal (key update) will not work over a VPN  
Client connection unless Entrust Entelligence version 5.1 SP3 or later is being  
used. Other Entrust Entelligence operations using older versions work properly.  
To work around this issue, do one of the following:  
Upgrade to Entrust Entelligence version 5.1 SP3 or later.  
Computers need to have Entrust digital certificates renewed by placing them  
directly on the network during the renewal period to get updated  
(CSCdu84038).  
Accessing Online Glossary Requires Connection to Cisco.com  
The Glossary button at the top of all Help screens tries to contact univercd at  
www.cisco.com (the Cisco documentation site). This connection requires  
connectivity to Cisco's main web site. If your PC does not have a corporate  
Internet connection or your firewall blocks access, the following error appears  
when you attempt to access the Glossary:  
“The page cannot be displayed.”  
To access the Glossary, you must be connected to www.cisco.com (CSCdy14238).  
ZoneAlarm Plus Versions 3.1.274 and Earlier Are Incompatible with VPN Client  
The following known incompatibility exists between the Cisco VPN Client and  
Zone Labs ZoneAlarm Plus version 3.1.274 and earlier. If you are using such a  
version of ZoneAlarm Plus, please visit http://www.zonelabs.com or contact your  
Zone Labs representative for an update.  
On a PC with ZoneAlarm Plus version 3.1.274 (or earlier) and the VPN Client,  
the following errors occur when the PC boots:  
On Windows 2000:  
ZAPLUS.exe has generated errors and will be closed by Windows. You will  
need to restart the program.  
An error log is being generated.  
The Application Log states:  
The application, ZAPLUS.EXE, generated an application error. The error  
occurred on 7/23/2002... The exception was c0000005 at address 00401881  
(<nosymbols>).  
Similar errors occur on other Windows operating systems.  
The result of this error is that the ZoneAlarm GUI does not run, and therefore a  
user cannot change any settings in ZoneAlarm Plus or allow new programs to  
access the Internet (CSCdy16607).  
ZoneLabs Automatically Adds Loopback and VPN 3000 Concentrator Addresses to Trusted Zone for Windows NT PCs  
The Loopback address and the VPN 3000 Concentrator’s address are  
automatically added to the ZoneLabs “Trusted Zone” on Windows NT-based  
systems.  
If a Windows NT-based PC has ZoneAlarm, ZoneAlarm Pro, or Zone Labs  
Integrity Agent, and the VPN Client Release 4.0 installed on it, the loopback  
address (127.0.0.1) is automatically added to Zone Labs “Trusted Zone” when the  
Client service is started. Additionally, the VPN 3000 Concentrator’s address is  
automatically added to the “Trusted Zone” when a connection is made  
(CSCea61272).  
Upgrading Zone-Alarm Pro to Version 3.7.098 Causes Error When VPN Client Is Already Installed on the PC  
Upgrading ZoneAlarm Pro version 3.5.xxx to ZoneAlarm Pro version 3.7.098  
when the VPN Client is installed on the PC might cause the following error to  
appear:  
“The procedure entry point DbgProcessReset could not be located in the  
dynamic link library VSUTIL.dll.”  
Click OK, and the installation continues (CSCea25991). See ZoneLabs’ bug  
number 10182.  
Harmless Warning Might Occur with Linux Kernel 2.4  
Linux users running 2.4 kernels may encounter the following warning when the  
VPN Client kernel module is loaded:  
Warning: loading /lib/modules/2.4.18-3/CiscoVPN/cisco_ipsec will taint the  
kernel: no license  
This message indicates that the VPN Client kernel module is not licensed under  
the GPL, so the Linux kernel developers will not debug any kernel problems that  
occur while this kernel module is loaded. This message does not affect the  
operation of the VPN Client in any way (CSCdy31826).  
DHCP Route Renewal in Windows 2000 and Windows XP  
In a Windows 2000 or Windows XP environment, if the public network matches  
the private network (for example, a public IP address of 192.168.1.5, with a  
subnet mask of 255.255.0.0, and an identical private IP address) and the public  
network’s route metric is 1, then traffic might not be tunneled to the private  
network (CSCdz88896). The same problem can occur if you are using a virtual  
adapter and the public metric is smaller than the virtual adapter metric.  
In Windows 2000 and Windows XP, you can increase the metric of the public  
network by doing the following steps:  
Step 1 Select Start > Settings > Control Panel > Network and Dial-up Connections.  
Step 2 Select the public interface and click properties for the public interface.  
Step 3 Select Internet Protocol (TCP/IP) and get the properties for the Internet Protocol  
(TCP/IP).  
Step 4 Click Advanced, and set the interface metric to 2 or greater.  
Solaris Client Using Routed RIP Might Lose Connectivity  
If the VPN Client running in the Solaris environment uses routed RIP to learn its  
default route, you might lose connectivity. This is because RIP is blocked when  
the VPN Client is connected in all tunneling mode (CSCdv75825).  
Data Meant for Private Network Stays Local if VPN Client's Local Network Is on Same IP Subnet as Remote Private Network  
This problem occurs only with the VPN Client, Release 4.0 and only with Virtual  
Adapter (Windows 2000 and Windows XP), when the VPN Client’s local network  
is on the same IP subnet as the remote private network. When a VPN connection  
is up, data meant for the private network stays local. For example:  
192.168.1.0/255.255.255.0  
The VPN Client, Release 4.0, with Virtual Adapter attempts to modify local route  
metrics to allow data to pass over the VPN tunnel. In some cases, it is impossible  
for the VPN Client to make this modification (CSCdz38680).  
To work around this problem, make the change manually, using the following  
procedure:  
Step 1 Run > Control Panel > Network and Dialup Connections.  
Step 2 Right-click on the adapter in question and select Properties.  
Step 3 From the Adapter Properties dialog, select TCP/IP from the list and click  
Properties.  
Step 4 Click Advanced and increase the number in the “Interface metric” box by 1 (it is  
usually 1, so making it 2 works).  
Step 5 Click OK to exit out of all dialogs.  
Step 6 The VPN connection should now work.  
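The check behind the two overlap cases above (DHCP Route Renewal, and a local network on the same IP subnet as the remote private network), as an added Python example that is not part of the release notes or of the VPN Client. It assumes a simplified route choice (longest prefix first, then lowest metric, with a tie treated as not guaranteed to tunnel); the function names, the probe host addresses and the metric values are constructed for illustration.

```python
import ipaddress


def overlapping_networks(local_interface, remote_private_networks):
    """Remote private networks that share address space with the local subnet."""
    local_net = ipaddress.ip_interface(local_interface).network
    hits = []
    for remote in remote_private_networks:
        remote_net = ipaddress.ip_network(remote)
        if local_net.overlaps(remote_net):
            hits.append(str(remote_net))
    return hits


def chosen_path(destination, routes):
    """Pick the path for `destination` (assumed model, see lead-in).

    routes is a list of (network, metric, path) tuples, where path is
    "local" (public adapter) or "tunnel" (virtual adapter).
    Returns the winning path, "tie" when both paths are equally preferred,
    or None when no route covers the destination.
    """
    dest = ipaddress.ip_address(destination)
    covering = []
    for network, metric, path in routes:
        net = ipaddress.ip_network(network)
        if dest in net:
            covering.append((net.prefixlen, metric, path))
    if not covering:
        return None
    longest = max(plen for plen, _, _ in covering)
    best_metric = min(m for plen, m, _ in covering if plen == longest)
    winners = {p for plen, m, p in covering
               if plen == longest and m == best_metric}
    return winners.pop() if len(winners) == 1 else "tie"


def preflight(local_interface, public_metric, remote_private_networks,
              adapter_metric, probe_host):
    """Report overlap and where traffic for probe_host would go.

    at_risk is True when the networks overlap and the probe host is not
    clearly routed into the tunnel, i.e. private data may stay local.
    """
    overlaps = overlapping_networks(local_interface, remote_private_networks)
    local_net = str(ipaddress.ip_interface(local_interface).network)
    routes = [(local_net, public_metric, "local")]
    routes += [(net, adapter_metric, "tunnel")
               for net in remote_private_networks]
    path = chosen_path(probe_host, routes)
    return {"overlaps": overlaps, "path": path,
            "at_risk": bool(overlaps) and path != "tunnel"}


if __name__ == "__main__":
    # Constructed scenario using the subnet from the example above.
    remote = ["192.168.1.0/255.255.255.0"]
    for public_metric in (1, 2):
        result = preflight("192.168.1.5/255.255.255.0", public_metric,
                           remote, 1, "192.168.1.20")
        print("public metric", public_metric, "->", result)
```

With both metrics at 1 the model reports a tie, which corresponds to the "might not be tunneled" wording; raising the public interface metric to 2 makes the tunnel route win.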
DNS Server on Private Network with Split DNS Causes Problems  
When an ISP’s DNS server is included in the Split Tunneling Network List and  
Split DNS Names are configured, all DNS queries to domains other than those in  
the Split DNS Names list are not resolved.  
By definition, split DNS is used so that only certain domains get resolved by  
corporate DNS servers, while the rest go to public (ISP-assigned) DNS servers. To  
enforce this feature, the VPN Client directs DNS queries that are about hosts on  
the Split DNS Names list to corporate DNS servers, and discards all DNS queries  
that are not part of the Split DNS Names list.  
The problem is when the ISP-assigned DNS servers are in the range of the Split  
Tunneling Network List. In that case, all DNS queries for non-split-DNS  
domains are discarded by the VPN Client.  
To avoid this problem, remove the ISP-assigned DNS server from the range of the  
Split Tunneling Network List, or do not configure split DNS (CSCee66180).  
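The split DNS behaviour described above, modelled as an added Python example (not code from the VPN Client or from Cisco) that audits a configuration before it is pushed to users. The outcome labels, function names and the sample networks, servers and domains are constructed; the model assumes a name is on the Split DNS Names list when it equals a listed domain or is a host beneath it.

```python
import ipaddress

# Constructed sample configuration (not taken from any real deployment).
SPLIT_TUNNEL_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]
SPLIT_DNS_NAMES = ["corp.example"]
ISP_DNS_SERVERS = ["192.168.1.1", "203.0.113.53"]


def on_split_dns_list(qname, split_dns_names):
    """True when qname equals a listed domain or is a host beneath one."""
    name = qname.rstrip(".").lower()
    for domain in split_dns_names:
        domain = domain.strip(".").lower()
        # Match on a label boundary so "notcorp.example" is not "corp.example".
        if name == domain or name.endswith("." + domain):
            return True
    return False


def covering_networks(address, split_tunnel_networks):
    """Split Tunneling Network List entries whose range contains the address."""
    addr = ipaddress.ip_address(address)
    return [str(ipaddress.ip_network(n)) for n in split_tunnel_networks
            if addr in ipaddress.ip_network(n)]


def query_outcome(qname, isp_dns_server, split_tunnel_networks,
                  split_dns_names):
    """Classify one DNS query under the behaviour the section describes.

    "unaffected": split DNS is not configured, so this problem cannot occur
    "corporate":  name is on the Split DNS Names list, sent to corporate DNS
    "discarded":  name is not on the list and the ISP-assigned DNS server
                  falls inside the Split Tunneling Network List
    "isp":        name is not on the list and the ISP DNS server is outside
                  the list, so the ISP server resolves it
    """
    if not split_dns_names:
        return "unaffected"
    if on_split_dns_list(qname, split_dns_names):
        return "corporate"
    if covering_networks(isp_dns_server, split_tunnel_networks):
        return "discarded"
    return "isp"


def audit(isp_dns_servers, split_tunnel_networks, split_dns_names):
    """Return (server, network) pairs that trigger the problem (CSCee66180)."""
    if not split_dns_names:
        return []
    findings = []
    for server in isp_dns_servers:
        for net in covering_networks(server, split_tunnel_networks):
            findings.append((server, net))
    return findings


if __name__ == "__main__":
    for server, net in audit(ISP_DNS_SERVERS, SPLIT_TUNNEL_NETWORKS,
                             SPLIT_DNS_NAMES):
        print(f"ISP DNS server {server} is inside split tunnel network {net}: "
              "queries for non-split-DNS domains will be discarded")
```

Each finding is fixed in one of the two ways the section gives: take the ISP-assigned DNS server out of the Split Tunneling Network List range, or do not configure split DNS.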
VPN Client Supports Sygate Personal Firewall V. 5.0, Build 1175  
The supported version of Sygate Personal Firewall is version 5.0, build 1175.  
Earlier versions might cause the following Blue screen to occur on a Windows  
NT-based system that has made many connects/disconnects with the VPN Client  
(CSCdy62426):  
Stop: 000000d1 (BAD0B0B8, 00000002, 00000000, BFF12392)  
Driver_IRQL_Not_Less_Or_Equal  
***Address BFF12392 base at BFF10000, Datestamp 3CCDEC2C - Teefer.sys  
The 4.0 VPN Client Is Not Supported on Windows 95  
The VPN Client for Windows, Release 4.0, requires the use of the Windows 98 or  
later operating system. We recommend updating your operating system to a  
newer version of Windows (CSCea06231).  
VPN Client Not Supported on Windows NT Servers  
The VPN Client is not supported on any Windows NT server version (including  
Windows 2000 and Windows XP/.NET/2003 servers). Only Windows NT 4.0  
Workstation and Windows 2000 Workstation are the supported platforms.  
No Limit to Size of Log File  
When logging is enabled on the VPN Client, all of the log files are placed in the  
Program Files\Cisco Systems\VPN Client\logs directory and are date and time  
stamped. There is no limit to the size of the log when logging is enabled. The file  
will continue to grow in size until logging is disabled or the VPN Client program  
is closed. The log is still available for viewing until the VPN Client program is  
re-launched, at which time the display on the log tab and log window are cleared  
(CSCdy87504). The log file remains on the system and a new log file is created  
when the VPN Client, with logging enabled, is launched.  
Start Before Logon and Microsoft Certificate with Private Key Protect Fails  
Trying to connect the VPN client using Start Before Logon (SBL) and Microsoft  
Machine-based certificates fails. This is a Microsoft issue, not a VPN Client  
problem.  
If your certificate has private key protection enabled, every time you use the  
certificate keys you are either prompted for a password to access the key, or  
notified with a dialog and asked to click OK.  
The prompt displayed when using a certificate with private key protection appears  
on the Windows Desktop. You do not see this message while at the “Logon”  
desktop, therefore the VPN Client cannot gain the access to the certificate needed  
to connect.  
Use one of the following workarounds:  
Get a certificate without private key protection (just make sure it is  
machine-based, otherwise it won't be accessible before logging on).  
Instead of using Start Before Logon, log on to the PC using cached  
credentials, make the VPN connection, and, using the “stay connected at  
logoff” feature, log off and log on with the VPN established to complete the  
domain logon (CSCea03349).  
Downgrading VPN Client from Release 4.0 Causes Start Before Logon Failure  
Start Before Logon fails if the VPN Client is downgraded from Release 4.0 to 3.6.  
The reason for this is that the file csgina.dll is upgraded when the VPN Client  
version 4.0 is installed. If the VPN Client is downgraded to version 3.6, the  
csgina.dll file for version 4.0 is not replaced, and this breaks the ability of the VPN  
Client version 3.6 to use Start Before Logon (CSCea03685).  
Follow this procedure to drop back to the VPN Client version 3.6 from version  
4.0.  
Step 1 Uninstall the VPN Client version 4.0.  
Step 2 After rebooting, search for csgina.dll. This file is found in the System32 directory.  
Step 3 Rename csgina.dll to something like csgina.old.  
Step 4 Install the VPN Client version 3.6.  
Linksys Wireless AP Cable/DSL Router Version 1.44 or Higher Firmware Requirement  
To use the VPN Client behind a Linksys Wireless AP Cable/DSL router model  
BEFW11S4, the Linksys router must be running version 1.44 or higher firmware.  
The VPN Client cannot connect when located behind a Linksys Wireless AP  
Cable/DSL router model BEFW11S4 running version 1.42.7 firmware. The VPN  
Client may see the prompt for username/password, then it disappears  
(CSCdz52156).  
Faultlog.txt File Logs Severity 1 Events  
The faultlog.txt file is created when severity 1 events occur. It logs only severity 1  
events. All severity 1 log messages go to the logs and also to faultlog.txt. This file  
exists in the installation directory of the VPN Client.  
The advantage that the faultlog.txt file provides is that messages are logged even  
when the log viewer is not running. For example, errors during service  
initialization can't be logged to the log viewer, because these errors happen even  
before the service has attached itself to the log viewer.  
Certificates exported from Netscape 7 do not import into the VPN Client Macintosh Version  
This incompatibility exists with Netscape 7.0 and the Release 3.7.x Macintosh  
versions of the VPN Client. Netscape 7.0 uses the latest RSA libraries that are not  
compatible with the previous RSA libraries that the Clients are using. Previous  
versions of Netscape are still compatible with the VPN Client.  
To work around this issue, export the certificate using a browser other than  
Netscape 7.  
On the Mac OS X platform, Internet Explorer 5.2 that comes installed does not  
allow certificates to be exported. The best course of action for these users is to  
either enroll and export the certificate from a Windows workstation and email it  
to the Mac user or to use direct enrollment from the Client itself.  
Verisign works fine with the Macintosh version of the VPN Client. But the  
“browsers” available on the Macintosh don't export certificates (Verisign or  
others) in the proper format for the VPN Client to receive them, or they don't  
allow the export of certificates at all (IE). This is because IE is a Windows product  
and doesn't support on the Macintosh platform everything the normal Windows IE  
does (CSCdz23397).  
VPN Client Can Require Smart Card When Using Certificates  
For Windows 2000 and Windows XP systems, you can configure the VPN Client  
to require the presence of a Smart Card when Certificates are used. If this feature  
is configured, the VPN Client displays an error message if a Smart Card is not  
present. The Certificates need not be present on the Smart Card itself. To  
configure this feature, add the following line to the user’s client profile, specifying  
the appropriate vendor for your Smart Card:  
SmartCardName=<Name of Smart Card Vendor>  
If you are using pre-shared keys instead of Certificates, this requirement is not  
enforced, even if configured.  
To disable the Smart Card verification function, completely delete the entry:  
SmartCardName=<text> from the user’s client profile (CSCec82220).  
VPN Client GUI Connection History Display Lists Certificate Used  
In Release 4.0.3.C, the VPN Client GUI connection history dialog box now  
displays as the first entry the name of the certificate used for establishing the  
connection (CSCec79691).  
Use Zone Labs Integrity Server 2.1.052.0 or Higher with VPN Client 4.0  
Versions of the Zone Labs Integrity Server earlier than 2.1.052.0 exhibit the  
following problem. If two or more VPN Clients (running on Windows 2000 or  
XP) are connected to a VPN 3000 Series Concentrator and receive firewall policy  
from a ZoneLabs Integrity Server, the Integrity Server registers only one  
connection.  
On the Integrity Flex (client agent), under “Policies”, the “Integrity Server”  
column flashes “Connected” then “Disconnected” over and over. Also, the VPN  
Client log includes the following event: “The firewall, configured for  
Client/Server, returned a status of lost connection to server.” Zone Labs Integrity  
Server version 2.1.052.0 fixes this issue (CSCea66549).  
Restart VPN Client Service If You Install VPN Client Before Zone Alarm  
The Firewall Enhancement, “Prevent VPN Traffic Blocking”, automatically adds  
the Loopback address (127.0.0.1) and the address of the VPN 3000 Concentrator  
to the ZoneAlarm or ZoneAlarmPro trusted zone.  
An exception to this, however, occurs if the VPN Client is installed before Zone  
Alarm. Then the VPN Client’s service must be restarted by rebooting the PC or  
stopping and restarting the service through the Control Panel (on Windows  
NT-based PCs) (CSCea16012).  
InstallShield Error Might occur during VPN Client Installation  
The following error message might occur during VPN Client installation:  
IKernel.exe - Application Error  
The instruction at “0x771c741a” referenced memory at “0x00163648”. The  
memory could not be “read”.  
This error is caused by an InstallShield component, possibly because of a  
run-once stale remnant. To recover, you must reboot.  
The InstallShield Knowledge base article q108020 addresses this problem. To  
view this article go to the following URL (CSCea43117):  
http://support.installshield.com/kb/view.asp?articleid=q108020  
Microsoft has a fix for this issue. For more information and to obtain the fix, go  
to the following URL:  
http://support.microsoft.com/default.aspx?scid=kb;en-us;329623  
VPN Client cTCP Connection Fails If Checkpoint Client Is Installed  
When the Checkpoint VPN-1 Securemote client is installed with the 4.0 VPN  
Client, and the VPN Client attempts to connect using cTCP, the 4.0 VPN Client  
cannot make the connection. Connections do work with UDP, NAT-T, and  
non-NAT connections.  
To make a connection with cTCP when the Checkpoint VPN-1 Securemote is  
installed, you must disable the Check Point SecuRemote driver in the Connections  
Properties. To do this, you must be administrator. Follow these steps:  
Step 1 Click Start > Settings > Control Panel > Network and Dial-up Connections.  
Step 2 Select the Local Area Connection you use.  
Step 3 Click on File > Properties.  
Step 4 Uncheck Check Point SecuRemote, and click OK.  
(CSCea31192)  
Open Caveats  
Caveats describe unexpected behavior or defects in Cisco software releases. The  
following lists are sorted by identifier number.  
Note  
If you have an account with CCO, you can use Bug Navigator II to find caveats of  
any severity for any release. To reach Bug Navigator II on CCO, choose Software  
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.  
This section lists open caveats for the VPN Client running on a Windows  
platform.  
CSCdt07491  
The VPN Client may swap Primary and Secondary WINS received from the  
Concentrator. In a few cases, the VPN Client receives a Primary and a  
Secondary WINS server from the Concentrator but swaps them when they are  
added to the IP Configuration. If this happens, it may cause browsing  
problems if the Secondary WINS server is not as populated as the Primary.  
Disconnecting and reconnecting may fix the problem.  
CSCdt07673  
When the VPN Client is installed on a Windows 2000 PC with the Efficient  
Networks NTS EnterNet 300 PPPoE version 1.41 or 1.5c, the following  
message appears:  
“EnterNet could not find the (adapter) for complete pc management NIC  
(adapter). But it did locate the (adapter) for complete pc management NIC  
(adapter) - Deterministic Network Enhancer Miniport adapter through which  
your network server is reachable. Do you want to switch to this adapter?”  
Answer Yes every time this question appears. The installation then continues  
normally.  
A similar message appears on Windows NT 4.0. The message is:  
“EnterNet could not find the (adapter). But it did locate the (adapter) through  
which your network server is reachable. Do you want to switch? Yes No”  
Answer Yes to this question. The installation then continues normally.  
If the VPN Client is uninstalled, the next time the NTS EnterNet 300 PPPoE  
version 1.41 is used, the following message appears: “EnterNet could not find the (adapter). But  
it did locate the (adapter) through which your network server is reachable. Do  
you want to switch? Yes No”  
Answer Yes to this question. The installation then continues normally.  
CSCdt07787  
Problems have occurred when an ISA legacy NIC card (IBM Etherjet 10MB)  
is used in a PC with PnP OS enabled. The WINS servers did not function  
correctly when a VPN Client connection was made. This could be an issue  
with other legacy NIC cards as well.  
The end results are that the WINS servers sent from the Secure Gateway  
cannot be viewed in the Network configuration, and problems with  
browsing/logon over the VPN connection may occur.  
Workaround:  
Disable PnP OS in the PC's BIOS or statically configure the WINS servers.  
CSCdt13380  
When you connect the VPN Client to a VPN 3000 Concentrator that issues  
two DNS servers, both appear under ipconfig /all, but only one appears under  
the Network settings TCP/IP Properties. DNS server appears to be missing  
under TCP/IP Properties (Advanced button, DNS TAB). We do not know  
whether this causes any problems.  
CSCdt56343  
You might see the following problem on systems running Windows NT and  
Windows 2000 when you are using the Start Before Logon feature of the VPN  
Client with third-party dialer. If the third-party dialer does not get set to the  
foreground when launched, add the following parameter to the vpnclient.ini  
file in the VPN Client directory (\Program Files\Cisco Systems\VPN  
Client\Profiles):  
[main]  
TopMostDelay=2500  
The value is the time in milliseconds that the VPN Client waits for the third  
party dialer to load before attempting to place it in the foreground. The  
default time is 1000 milliseconds.  
Workaround:  
For problem dialers/applications, try 2500 milliseconds or greater.  
CSCdu22174  
SCEP enrollment might fail to complete successfully after the PKI  
administrator has granted your request.  
Workaround:  
If this happens, delete your failed request and submit a new one.  
To delete the request, click the Certificate tab, select the failed request, and  
click Delete on the toolbar. Alternatively, open the Certificates menu and  
select Delete.  
CSCdu50445  
The following issue can exist when using the VPN Client Start Before Logon  
feature with Entrust SignOn. Entrust SignOn is an add-on to the Entrust  
Entelligence client that allows logging into the Entrust profile and the NT  
domain from a single login.  
The Entrust SignOn GINA dll does not support chaining to other GINA dll  
files. To make the Entrust SignOn product and the VPN Client with Start  
Before Logon function properly together, install the VPN Client after Entrust  
SignOn. The VPN Client replaces the Entrust GINA (etabcgin.dll) with its  
own (csgina.dll).  
CSCdu62275  
VPN Client and Entrust Entelligence - VPN Connection timeout.  
In version 3.1, the potential exists for the VPN Client Connection Manager  
and the VPN dialer to get out of sync with each other. This occurs only after  
a VPN Client upgrade on the first time the VPN Client accesses a given  
Entrust profile. The following sequence outlines how a user could get the  
connection into this state:  
Step 1  
In the VPN dialer, the user clicks Connect.  
Step 2  
Entrust prompts for password and security hash check. The user clicks Yes.  
Step 3  
Entrust prompts for password for cvpnd.exe security access.  
If the user waits here or walks away from PC, the VPN Connection times out in 3  
minutes.  
Step 4  
The user returns and enters the Entrust password, then clicks Yes to the security  
hash check question.  
Step 5  
The VPN connection completes, and data can be passed. The VPN dialer appears  
as not connected.  
Step 6  
Clicking Connect returns “A connection already exists”. The user clicks Cancel,  
and the dialer appears connected in the system tray.  
The VPN connection can be used as a normal connection.  
CSCdu70660  
This issue occurs on a Windows NT PC that is running ZoneAlarm or Sygate  
Personal Firewall, if the VPN Client is set to Start Before Logon and an  
upgrade to the VPN Client is implemented. Do not attempt a connection  
before the logon when you reboot, because neither firewall automatically  
gives the VPN Client permission to access the Internet. Both firewalls see  
the upgrade as a new application attempting to access the Internet, and each  
requires user permission through its pop-up menus. The user must log on to  
the Windows NT PC using cached credentials, then launch a VPN connection.  
The firewall then asks permission to allow the VPN Client to connect.  
Answer yes to each connection. After that, Start Before Logon works fine.  
CSCdu77405  
The message, “The necessary VPN sub-system is not available. You will not  
be able to make a connection to the remote IPSec server.” might appear on a  
PC when Start Before Logon is enabled on the Client and ZoneAlarm is also  
running. The message appears when the ctrl+alt+del key combination is  
pressed. This has happened because the Cisco Systems VPN Service has  
terminated unexpectedly.  
Workaround:  
Log on to the PC with cached credentials, open “Services” in control panel  
and start the VPN service. A connection to the VPN Concentrator will be  
possible once the service has started.  
CSCdu81905  
When connecting to a VPN 3000 Concentrator over PPPoE using the  
EnterNet 300 client software from Efficient Networks, Inc., if a firewall is  
required by the VPN Concentrator, the following message might appear:  
“The Client did not match any of the Concentrator's firewall configurations...”  
If this message appears, click OK and then click Connect. The connection to  
the VPN Concentrator then proceeds successfully.  
CSCdu83054  
If you make connections from the command line interface, the following  
problem can occur. When a firewall is required to connect and the firewall  
fails or is shut down, you do not see any message giving the reason for the  
lost connection.  
CSCdu86399  
If you use the VPN Client with a Digital Certificate and your Client sits  
behind a Cable/DSL router or some other NAT device, you might not be able  
to connect to your VPN Gateway device (that is, the VPN 3000  
Concentrator). The problem is not with the VPN Client or the Gateway; it is  
with the Cable/DSL router. When the VPN Client uses a Digital Certificate,  
it sends the Certificate to the VPN Gateway. Most of the time, the packet with  
the Certificate is too big for a standard Ethernet frame (1500), so it is  
fragmented. Many Cable/DSL routers do not transmit fragmented packets, so  
the connection negotiation fails (IKE negotiation).  
This problem might not occur if the Digital Certificate you are using is small  
enough, but this is only in rare cases. This fragmentation problem happens  
with the D-Link DI-704 and many other Cable/DSL routers on the market. We  
have been in contact with a few of these vendors to try to resolve the issue.  
Testing with the VPN Client Release 3.1 indicates that VPN Client  
connections using Digital Certificates can be made using the following  
Cable/DSL routers with the following firmware:  
Router                     Firmware  
Linksys BEFSRxx            v1.39 or v1.40.1  
SMC 7004BR Barricade       R1.93e  
Nexland Pro400             V1 Rel 3M  
NetGear RT314              V3.24(CA.0)  
Asante FR3004              V2.15 or later  
Others like 3COM 3C510, and D-Link DI-704 either had updated firmware  
that was tested and failed, or had Beta firmware that was NOT tested because  
the firmware notes did not indicate a fix specifically for fragmentation.  
CSCdu87521  
The following message might appear when you are connected using the  
EnterNet 300 version 1.4 PPPoE software and transferring data via FTP:  
93 09:42:06.020 08/02/01 Sev=Warning/2 IPSEC/0xE3700002  
Function CniInjectSend() failed with an error code of 0xe4510000  
(IPSecDrvCB:517)  
This does not interfere with your connection. You can ignore this message.  
CSCdv40009  
When Zone Alarm's Internet setting is set to high and the VPN Concentrator  
sends a CPP firewall policy that allows inbound traffic on a specific port, the  
CPP rule takes precedence over the Zone Alarm rule allowing the specified  
port to be open.  
CSCdv42414  
Importing a PKCS12 (*.p12 or *.pfx) certificate using the Certificate  
Manager that has not been password protected will fail with the following  
error:  
“Please make sure your import password and your certificate protection  
password (if for file based enrollment) are correct and try again.”  
Workaround:  
Get a *.p12 certificate that has been password protected.  
CSCdv44529  
Attempting to install/uninstall Gemplus Workstation version 2.x or earlier  
while the Cisco VPN Client and its GINA (csgina.dll) is installed will cause  
the following error, and Gemplus will not install/uninstall:  
“A 3rd party GINA has been detected on your system. Please uninstall it  
before installing this product.”  
Workaround:  
Do one of the following:  
Uninstall the VPN Client and reinstall it after Gemplus software.  
or  
Use Gemplus version 3.0.30 that no longer installs the gemgina.dll  
CSCdv46591  
When a CPP Firewall policy is in place that drops all inbound and outbound  
traffic and no WINS address is sent to the VPN Client from the 3000 series  
Concentrator, Start Before Logon fails. If a WINS address is in place, Start  
Before Logon works fine. Also, if a WINS address is sent and the CPP rule  
drops all inbound traffic, but allows all outbound traffic, Start Before Logon  
works fine.  
CSCdv46937  
Using the Aladdin “R2” model etoken, certain functions can be performed  
using the certificate even after the R2 token has been detached from the  
system (USB port). The VPN Client, for instance, can perform an IKE rekey  
without the token attached to the system. The reason for this is the design of  
the “R2” etoken: it does not contain the RSA key functions needed and must  
upload the private key to the system for these functions.  
In contrast, the Aladdin “PRO” etoken must be connected to the USB port  
during an IKE rekey, otherwise the VPN Client connection terminates. This  
is Aladdin’s problem; it is not a VPN Client problem.  
CSCdv55730  
Using the Solaris VPN Client, some applications are unable to operate  
properly. A possible indicator of the problem is that a large ping is unable to  
pass through the VPN Tunnel.  
No problem exists when passing large packets using cTcp or normal IPSec.  
When using IPSec over UDP, Path MTU Discovery problems exist, as a result  
of which large packets cannot be transmitted.  
An MTU issue currently exists with the Solaris VPN Client that causes  
fragmentation errors that might affect applications passing traffic through the  
VPN Tunnel.  
To identify whether the VPN Client is properly fragmenting packets, use the  
following commands:  
ping -n <known good ping target address>  
ping -n -s <known good ping target address> 2500  
The first command ensures that the target is reachable, and the second  
determines whether fragmentation is an issue.  
Workaround:  
Step 1  
Before opening the tunnel, bring down the MTU of the point-to-point interface to  
the MTU of the rest of the path to the concentrator (generally 1500). This would  
allow large packets to pass through, when using IPSec over UDP. No problems  
exist when using normal IPSec or cTcp.  
Step 2  
Set IP Compression to “LZS” in the VPN Group on the Concentrator. This  
decreases the size of the encrypted packet and might allow the smaller packet to  
avoid fragmentation. If you are using NAT, switching the NAT method of the  
client from cTCP (TunnelingMode=1) to UDP (TunnelingMode=0) might also  
reduce the size of the packet.  
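The fragmentation arithmetic behind CSCdu86399 and this caveat, as an added example that is not Cisco code: it splits an IPv4 datagram at a given MTU the way a sending host does, for the 2500-byte ping above and for an IKE message that carries a certificate. The 2300-byte IKE message length is a constructed sample value, and the header sizes assume IPv4 without options.

```python
"""IPv4 fragmentation arithmetic for oversized IKE and ping packets (added example)."""
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20  # bytes; assumes an IPv4 header without options
UDP_HEADER = 8    # IKE is carried in UDP
ICMP_HEADER = 8   # ICMP echo request header


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # Fragment Offset field, counted in 8-byte units
    payload_len: int       # bytes of the original IP payload in this fragment
    more_fragments: bool   # MF flag: set on every fragment except the last

    @property
    def total_len(self) -> int:
        """Size of the fragment on the wire, IP header included."""
        return IPV4_HEADER + self.payload_len


def fragment(ip_payload_len: int, mtu: int = 1500) -> List[Fragment]:
    """Split an IP payload the way a sending host does for the given MTU."""
    if ip_payload_len <= 0:
        raise ValueError("payload length must be positive")
    max_payload = mtu - IPV4_HEADER
    if max_payload < 8:
        raise ValueError("MTU too small to carry any fragment")
    # Every fragment except the last must carry a multiple of 8 bytes,
    # because the offset field counts 8-byte units.
    per_fragment = (max_payload // 8) * 8
    fragments: List[Fragment] = []
    sent = 0
    while sent < ip_payload_len:
        remaining = ip_payload_len - sent
        chunk = remaining if remaining <= max_payload else per_fragment
        fragments.append(Fragment(sent // 8, chunk, sent + chunk < ip_payload_len))
        sent += chunk
    return fragments


def ike_fragments(ike_message_len: int, mtu: int = 1500) -> List[Fragment]:
    """Fragments of a UDP datagram carrying one IKE message."""
    return fragment(UDP_HEADER + ike_message_len, mtu)


def ping_fragments(icmp_data_len: int, mtu: int = 1500) -> List[Fragment]:
    """Fragments of an ICMP echo request with the given data size."""
    return fragment(ICMP_HEADER + icmp_data_len, mtu)


def max_unfragmented_ike(mtu: int = 1500) -> int:
    """Largest IKE message that still fits in a single packet."""
    return mtu - IPV4_HEADER - UDP_HEADER


def delivered(fragments: List[Fragment], path_forwards_fragments: bool) -> bool:
    """A datagram arrives only if it was not fragmented or the path passes fragments."""
    return len(fragments) == 1 or path_forwards_fragments


if __name__ == "__main__":
    CERT_IKE_LEN = 2300  # constructed sample: IKE message carrying a certificate
    cases = (
        ("IKE message with certificate", ike_fragments(CERT_IKE_LEN)),
        ("ping with 2500 data bytes", ping_fragments(2500)),
    )
    for label, frags in cases:
        print(label)
        for f in frags:
            print(f"  offset={f.offset_units * 8:5d}  total_len={f.total_len:5d}  MF={int(f.more_fragments)}")
        print("  delivered through a router that drops fragments:", delivered(frags, False))
    print("largest IKE message that avoids fragmentation:", max_unfragmented_ike())
```

Any IKE message longer than the value returned by `max_unfragmented_ike()` for the path MTU depends on every device in the path forwarding fragments.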
CSCdv62613  
When you have multiple VPN Client connections behind a Linksys Cable/DSL  
router, the following problem can occur. Due to a Linksys problem with  
firmware versions 1.39 and 1.40.1, making multiple VPN Client connections  
with the feature “Allow IPSec over UDP” (transparent tunneling) enabled may  
cause data transfer problems.  
Allow IPSec over UDP is a VPN Client feature that allows ESP packets to be  
encapsulated in UDP packets so they traverse firewall and NAT/PAT devices.  
Some or all of the clients may not be able to send data. This is due to a  
Linksys port mapping problem, of which Linksys has been notified.  
Workaround:  
Use a newer version of Linksys code (higher than firmware version 1.40.1).  
If you must use one of the problem versions, do not use the “Allow IPSec over  
UDP” (transparent tunneling) feature when you have multiple VPN Client  
connections behind a Linksys Cable/DSL router.  
CSCdv67594  
The following Microsoft Outlook error might occur when the VPN Client  
connects or disconnects. This occurs when Microsoft Outlook is installed but  
not configured.  
Either there is no default mail client or the current mail  
client cannot fulfill the messaging request. Run Microsoft  
Outlook and set it as the default mail client.  
To set Microsoft Outlook as the default mail client, right-click on the Outlook  
icon, go to Properties, and configure it to use Microsoft Exchange or Internet  
Mail.  
CSCdv73541  
The make module process fails during installation of the VPN Client for  
Linux.  
Workaround:  
The module build process must use the same configuration information as  
your running kernel. To work around this problem, do one of the following:  
If you are running the kernels from Red Hat, you must install the  
corresponding kernel-sources rpm. On a Red Hat system with  
kernel-sources installed, there is a symlink from  
/lib/modules/2.4.2-2/build to the source directory. The VPN Client looks  
for this link first, and it should appear as the default value at the kernel  
source prompt.  
If you are running your own kernel, you must use the build tree from the  
running kernel to build the VPN Client. Merely unpacking the source  
code for the version of the kernel you are running is insufficient.  
CSCdw60866  
Getting Entrust certificates using SCEP does not get the Root CA certificate.  
The Entrust CA does not send the whole certificate chain when enrolling with  
SCEP. Therefore, making a VPN Client connection might require the manual  
installation of the Root certificate before or after SCEP enrollment. Without  
the existence of the Root CA certificate, the VPN Client fails to validate the  
certificate and fails with the following VPN Client event/error messages:  
“Get certificate validity failed”  
“System Error: Unable to perform validation of certificate  
<certificate_name>.”  
CSCdw73886  
If an attempt to load the VPN Client is made before the Client's Service loads,  
the following error occurs: “The necessary VPN sub-system is not available.  
You will not be able to make a connection to the remote IPSec server.”  
Workaround:  
Wait until the Service has loaded, then start the VPN Client.  
CSCdx04343  
A customer had problems enrolling the Mac OS version of the VPN Client.  
Following some troublesome attempts at debugging the enrollment of the  
MacOS VPN Client with a Baltimore CA, it was felt that the Documentation  
should be improved and the Certificate Manager enhanced.  
Workaround:  
It seems that the critical thing as far as Baltimore is concerned is to put either  
or both of the challenge phrase (-chall) and the host's FQDN (-dn) in the  
request. This appears to be similar for the successful SCEP enrolment in a  
Verisign Onsite PKI. Perhaps there's a case for tweaking the interface a bit,  
or at least making some notes in the manual!  
Just doing cisco_cert_mgr -U -op enroll only asks for a Common Name,  
which is not enough. The request that succeeded on two separate Baltimore  
installations, one of which had an expired RA certificate, was as follows  
(switches only shown for brevity):  
cisco_cert_mgr -U -op enroll -cn -ou -o -c -caurl -cadn -chall -dn  
The ou is required for connecting to a Cisco 3030 VPN Concentrator and is  
the group name. On almost every attempt, the certificate manager dies after  
starting to poll the CA, with an error in the log: “Could not get data portion  
of HTTP request”.  
If this happens, it is possible to resume the enrollment with cisco_cert_mgr  
-E -op enroll_resume. The last attempt didn't fail at all though, and the  
certificate manager kept running until the request was approved, which is how  
it should behave.  
CSCdx51632  
If the computer is powered off or loses power during an MSI installation of  
the VPN Client, the VPN Client may not be registered in Control Panel, and  
the following may occur when attempting to reinstall:  
A message may appear stating:  
Deterministic Network Enhancer Add Plugin Failed  
Click the “OK” button.  
Error 1722. There is a problem with this Windows Installer package. A  
program as part of the setup did not finish as expected. Contact your  
Support personnel or package vendor. Click the “OK” button.  
Error 1101. Error reading from file c:\config.msi\laff4.rbs. Verify that the  
file exits and you can access it. Click the “OK” button.  
Error 1712. One or more of the files required to restore your computer to  
its previous state could not be found. Restoration is not possible. Click  
the “OK” button.  
After clearing the last message box, restart MSI installation. It should  
successfully install the VPN Client.  
CSCdx57197  
If IOS sends a split tunnel attribute that is host-based (255.255.255.255  
mask), the VPN Client uses the host in a QM, but it passes the  
IPV4_ADDR_SUBNET in the ID payload.  
IOS expects IPV4_ADDR, as this is a host ID. This causes connectivity  
issues.  
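The two encodings involved in this caveat, as an added example that is not Cisco code: it builds the ISAKMP Identification payload for a host-based split-tunnel entry both ways, using the ID Type values defined in RFC 2407. The address 10.1.1.5 is a constructed sample, and the two comparison functions are illustrative models of a literal and a normalised check, not the IOS implementation.

```python
"""ISAKMP Identification payloads for a host-based split-tunnel entry (added example)."""
import ipaddress
import struct
from typing import Tuple

# ID Type values from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1         # identification data: one 4-octet address
ID_IPV4_ADDR_SUBNET = 4  # identification data: 4-octet address + 4-octet mask
HOST_MASK = ipaddress.IPv4Address("255.255.255.255")
# Generic payload header (next payload, reserved, length) + ID type, protocol ID, port.
_HEADER = struct.Struct("!BBHBBH")


def build_id_payload(address: str, mask: str, *, host_as_subnet: bool = False,
                     next_payload: int = 0, protocol_id: int = 0, port: int = 0) -> bytes:
    """Encode a Quick Mode client identity.

    host_as_subnet=True reproduces the behaviour described in the caveat:
    a 255.255.255.255 entry is still sent as ID_IPV4_ADDR_SUBNET.
    """
    # Rejects malformed addresses and non-contiguous masks (raises ValueError).
    ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(address)
    netmask = ipaddress.IPv4Address(mask)
    if netmask == HOST_MASK and not host_as_subnet:
        id_type, data = ID_IPV4_ADDR, addr.packed
    else:
        id_type, data = ID_IPV4_ADDR_SUBNET, addr.packed + netmask.packed
    length = _HEADER.size + len(data)
    return _HEADER.pack(next_payload, 0, length, id_type, protocol_id, port) + data


def parse_id_payload(payload: bytes) -> Tuple[int, int, int, bytes]:
    """Return (id_type, protocol_id, port, identification_data), validating lengths."""
    if len(payload) < _HEADER.size:
        raise ValueError("truncated ID payload")
    _next, _reserved, length, id_type, protocol_id, port = _HEADER.unpack_from(payload)
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    data = payload[_HEADER.size:]
    expected_len = {ID_IPV4_ADDR: 4, ID_IPV4_ADDR_SUBNET: 8}.get(id_type)
    if expected_len is None:
        raise ValueError(f"ID type {id_type} not handled in this example")
    if len(data) != expected_len:
        raise ValueError("identification data has the wrong size for its ID type")
    return id_type, protocol_id, port, data


def selector(payload: bytes) -> Tuple[ipaddress.IPv4Network, int, int]:
    """Normalise either encoding to (network, protocol, port)."""
    id_type, protocol_id, port, data = parse_id_payload(payload)
    addr = ipaddress.IPv4Address(data[:4])
    mask = HOST_MASK if id_type == ID_IPV4_ADDR else ipaddress.IPv4Address(data[4:])
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), protocol_id, port


def literal_match(received: bytes, expected: bytes) -> bool:
    """Model of a peer that compares ID type and data exactly."""
    return parse_id_payload(received) == parse_id_payload(expected)


def selector_match(received: bytes, expected: bytes) -> bool:
    """Model of a peer that treats a host and a /32 subnet as the same selector."""
    return selector(received) == selector(expected)


if __name__ == "__main__":
    host, mask = "10.1.1.5", "255.255.255.255"  # constructed sample entry
    expected = build_id_payload(host, mask)                      # ID_IPV4_ADDR
    sent = build_id_payload(host, mask, host_as_subnet=True)     # ID_IPV4_ADDR_SUBNET
    print("gateway expects:", expected.hex())
    print("client sends   :", sent.hex())
    print("literal match  :", literal_match(sent, expected))
    print("selector match :", selector_match(sent, expected))
```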
CSCdx70223  
The VPN Client’s xauth dialog always stays in the foreground so it doesn't  
get “lost” (on XP it goes to the background and then jumps forward within  
seconds). The xauth dialog does not have focus, however, and it can be  
difficult to enter the username/password without first clicking on it with the  
mouse. This was observed on Windows 2000 and Windows XP; we have not  
checked Windows 98.  
CSCdx72463  
Installing the VPN Client using the Microsoft Windows Installer (MSI)  
displays “Time Remaining” for the installation. This time is not very accurate  
and should be ignored.  
CSCdx77292  
Microsoft article Q234859 states that for the resiliency feature to work on  
Windows 4.0, IE 4.01 sp1 and shell32.dll version 4.72.3110.0 or greater must  
be installed on the computer.  
CSCdx78868  
The Microsoft Installer (MSI) resiliency (self healing) feature does not  
restore all files that are installed with the VPN Client. The files that will be  
restored are files that are associated with the shortcuts under Start | Program  
Files | Cisco Systems VPN Client.  
CSCdx81491  
An issue can occur when using the Release 4.0 VPN Client with Start Before  
Logon (SBL), after enabling SBL. The first time you log out of Windows, the  
VPN Client does not load after you press the CTRL+ALT+DEL key  
combination at the Windows logon prompt.  
Workaround:  
Reboot the PC after enabling Start Before Logon; after a subsequent logout,  
the VPN Client should operate properly.  
CSCdx83687  
The following error occurs after the resiliency feature has reinstalled a  
missing file on Windows NT 4.0:  
c:\winnt\profiles\all users\start menu\programs\cisco systems  
vpnclient\xxx.lnk  
The Windows installer failed to install the program associated with this  
file.  
Please contact your system administrator.  
xxx.lnk is whatever file is being restored.  
When you click OK, the PC reboots and the file is restored. The resiliency  
feature is working, but the error should not appear.  
CSCdx88063  
When attempting to launch the dialer when the dialer is already running on  
the logon desktop (due to SBL or SBL and AI), the following error occurs  
instead of the VPN Client dialer loading:  
“Single dialer instance event creation failed with error 5.”  
This is most likely to happen when Start Before Logon and Auto Initiate are  
being used on a Windows NT/2000/XP system.  
Workaround:  
This is due to the fact that the VPN Client dialer is already running on the  
“logon desktop”. Most likely during Windows logon the dialer launched and  
posted an error, the Windows logon was completed and the error was never  
closed. To work around this error, do the following:  
Step 1  
Press CTRL+ALT+DEL to get to the logon desktop.  
Step 2  
Look for and close any VPN Client error dialogs.  
Step 3  
Press ESC to return to the normal Windows desktop; the VPN Client should load  
normally.  
CSCdy14218  
During installation of the VPN Client on a PC that already has the Enternet  
v.1.5c or v. 1.5c SP2, the following error might appear:  
“SVCHOST.EXE has generated errors and will be closed by Windows.”  
Workaround:  
If this message appears, click OK, then reboot the PC when the VPN Client  
prompts for the reboot. After this, the message does not reappear and all  
connections work fine.  
CSCdy50648  
InstallShield's “Tuner” application produces warnings and errors when  
validating the Cisco MSI installation package.  
CSCdy68888  
On a Windows 98 PC that has the Sygate Personal Firewall, the following  
message may appear in the VPN Client log file:  
“Packet size greater than ip header”  
This message does not interfere with the VPN Client’s ability to pass data and  
can be ignored.  
CSCdy70168  
A user with the VPN Client cannot establish an IPSec tunnel to a VPN  
Concentrator running over an Internet satellite connection.  
There are three observed results:  
User is never prompted for XAUTH username and password.  
After successfully authenticating, the user cannot transmit/receive any  
data.  
After successfully transmitting data for approximately 5 minutes, the  
VPN session is disconnected regardless of the user activity at the time of  
disconnect.  
This problem occurs only if IPSec over TCP is used.  
Workaround:  
Use IPSec over UDP.  
CSCdy79358  
The following error might occur on Windows 98 when making many VPN  
connections without closing the VPN Client between connections:  
VPNGUI caused an invalid page fault in module MSVCRT.DLL at  
0167:78002f52.  
To avoid this error, exit the VPN Client after disconnecting.  
CSCdz48584  
The VPN Client on Windows XP using native XP PPPoE client fails to  
connect when using IPSec/TCP.  
Workaround:  
Make sure that the Windows XP Internet Connection Firewall is disabled for  
the PPPoE connection. This feature defaults to enabled when the connection  
entry is created. To disable it do the following:  
Step 1  
Run Control Panel, then click on Network Connections.  
Step 2  
Right click on the PPPoE connection entry (may be called “Broadband”) and  
select “Properties”.  
Step 3  
Change to the Advanced Tab and uncheck the “Internet Connection Firewall”  
option.  
CSCdz56076  
Some AOL applications might not be usable while a 4.0 VPN Client  
connection is active. These include the AOL integrated web browser and  
some internal links. Using external web browsers and other applications  
should work over the VPN. These issues were seen most recently using AOL  
version 7.0 and 8.0.  
CSCdz71367  
To connect to a VPN 3000 Concentrator requiring Sygate Personal Firewall,  
Sygate Personal Firewall Pro, using Are You There (AYT), the version of the  
firewall must be 5.0, build 1175 or later. The VPN Client might not detect an  
earlier version of the Sygate Personal Firewall and therefore, a connection  
will not be allowed.  
CSCdz74310  
After upgrading, the VPN Client is unable to connect to the VPN 3000  
Concentrator. The ability for the VPN Client to negotiate an AES-192 IKE  
Proposal has been removed. This change affects all VPN Client versions  
greater than 3.7.2.  
Workaround:  
Reconfigure the VPN Concentrator so that it does not require an AES-192  
IKE Proposal for VPN Client connections.  
CSCdz75892  
The Equant remote access dialer does not automatically connect the Release  
4.0 VPN Client, as it could when using the Release 3.x VPN Client. If you  
have the Equant dialer configured to establish your VPN connection, the VPN  
Client appears, but you must manually click Connect to connect. An updated,  
Cisco-specific .dll file is available from Equant to fix this problem.  
CSCdz87404  
The 4.0 VPN Client (on Windows 2000 or Windows XP) connects but is  
unable to pass data over the VPN tunnel. Viewing the routing table using  
“route print” at a command prompt shows the default gateway has been  
modified incorrectly as in the example below.  
0.0.0.0 255.255.255.255 n.n.n.n n.n.n.n 1  
Where n.n.n.n is the IP address assigned to the VPN.  
Workaround:  
This is due to a misconfiguration on the VPN3000 at the central site. Make  
sure that the Group | Client Config settings for Split Tunneling Policy are  
correct. If the group is set to “Only tunnel networks in the list” and the Split  
Tunneling Network List is the predefined “VPN Client Local LAN” list, this  
problem will occur.  
If split tunneling is the desired result, change the Split Tunneling Network  
List to an appropriate list, otherwise make sure that the Split Tunneling Policy  
is set to “Tunnel Everything” and check “Allow the networks in the list to  
bypass the tunnel”. This allows for proper Local LAN function.  
CSCea03597  
When the VPN Client is installed and Start before Logon is configured,  
logging into an Active Directory Domain might take a long time, with or  
without a VPN connection.  
This issue occurs under the following conditions:  
The VPN Client is installed on Windows 2000 or Windows XP  
Professional.  
You have enabled “Start before Logon” in the VPN Client.  
You are logging in to a Windows Active Directory domain (not an NT 4  
Domain).  
Workaround:  
This problem occurs because of a fix that was added for CSCdu20804. This  
fix adds the following parameter to the registry every time Start before Logon  
is enabled:  
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters  
ExpectedDialupDelay  
Removing “ExpectedDialupDelay” from the registry (then rebooting) should  
fix the problem with slow logons to an Active Directory Domain.  
Caution  
This procedure contains information about editing the registry. Before  
you edit the registry, make sure you understand how to restore it if a  
problem occurs.  
Note  
If you disable, then re-enable Start before Logon, this entry is added again  
and must be removed.  
CSCea16482  
If the Digital Certificate you are using has expired, the Windows VPN Client  
GUI does not popup with an error message indicating it has expired. The only  
indication you have is in the log file.  
A message does appear if you are using the VPN Client command line -  
vpnclient.exe  
CSCea17705  
If a ZoneLabs product such as ZoneAlarm or ZoneAlarm Pro is installed on  
the PC and the VPN Client is installed or upgraded, ZoneAlarm blocks the  
VPN Client service (cvpnd.exe). The VPN Client’s splash screen appears, but  
the GUI does not. ZoneAlarm does not ask the user whether to allow the VPN  
Client to access the Internet. Additionally, the following error appears after  
about two minutes:  
“The necessary VPN sub-system is not available. You can not connect to the  
remote VPN server.”  
Workaround:  
Do the following steps:  
Step 1  
Open the ZoneLabs product and select “Program Control”.  
Step 2  
Click on the “Programs” Tab.  
Step 3  
Cisco Systems VPN Client's Access permission is a ?. Click under “Trusted” and  
select “Allow”. The ? mark changes to a Check mark.  
Step 4  
Reboot the PC.  
Step 5  
When the PC boots back up, the client will launch normally.  
CSCea25682  
The following Notification might occur if the Cisco Systems Integrated  
Client is required to make a connection:  
“The Client did not match the firewall configured on the central site VPN  
device. Cisco Systems Integrated Client should be enabled or installed on  
your computer.”  
When this occurs, the connection is not allowed. If this Notification appears,  
click Close and attempt to reconnect. If this second attempt to connect fails,  
reboot the PC. The connection should succeed at this point.  
CSCea27524  
This problem has two facets. You cannot select text from the VPN Client log  
tab, and trying to save the VPN Client log results in an empty (zero byte) file.  
This problem might occur if the VPN Client logging has been enabled,  
disabled, or cleared.  
Workaround:  
If all or part of the log must be saved, you can select the text with the mouse  
or by using CTRL+A, and then copy it using CTRL+C. You can then paste it  
as usual using CTRL+V in Notepad or your favorite editor.  
As an alternative, the VPN Client log files are saved to the directory  
c:\Program Files\Cisco Systems\VPN Client\Logs by default and can be  
opened and viewed using a text editor and saved as a different name if needed.  
CSCea29976  
After the user enters the username and password, the VPN Client machine  
might go blank for a moment and then continue. This behavior has not shown  
any negative effect on the tunnel connection or the user's ability to use the PC.  
CSCea44601  
The VPN Client does not put any limit to the number of log files that are saved  
in the \VPN Client\Logs directory. Users must manually delete these files to  
remove all or some of them.  
CSCea62229  
Using the 4.0 VPN Client with Entrust Entelligence certificates, the “Send  
CA Certificate Chain” option should be grayed out and unavailable, but it is  
not.  
Workaround:  
Checking the “Send CA Certificate Chain” option when using Entrust  
Entelligence certificates makes the VPN Client connection fail to complete;  
leave this option unchecked.  
CSCea63957  
If you uninstall the VPN Client from a Windows 2000 or Windows XP  
Computer with RASPPPOE, the following message box might appear:  
Failed to uninstall the Cisco Network Adaptor.  
Error: 0xe000020b  
Click OK. The Client uninstallation then continues normally.  
CSCea75956  
The following problem has occurred with non-Windows VPN Clients. While  
connected to the VPN Client, DNS resolution to the internal network works  
at first but fails later in the connection.  
If the workstation is set to use DHCP and receives a DNS address from the  
DHCP server, the new DNS overwrites the VPN Concentrator's pushed DNS  
that had been resolving internal network devices. Once the new DNS has  
overwritten the Concentrator-pushed DNS, internal devices are no longer  
resolved properly.  
Workaround:  
After connecting to the ISP, record the DNS addresses assigned by the DHCP  
server and hard code them into the workstation. This prevents the workstation  
from accepting the DHCP-pushed DNS addresses in the future but still allows  
resolution when not connected over VPN.  
The drawback of this is that if the ISP changes their DNS server addresses,  
the user must find out the hard way and hard code these new addresses once  
more.  
CSCea92185  
The PKCS#10 thumbprint for the certificate request is missing on 4.x VPN  
Client, so it is impossible for the CA to verify the user's request by comparing  
the thumbprint.  
Workaround:  
Downgrade to 3.6.X VPN Client.  
CSCea93535  
Performance issues exist with H.323 and the 4.0 VPN Client virtual adapter.  
These performance issues could be related to MTU.  
Workaround:  
To use this workaround, you need to be running VPN Client Release 4.0.3.C  
or later. Set the Virtual Adapter MTU at the MAC layer to 1500 (default value  
is 1300). To do this, run the command “SetMTU.exe /va 1500”, then  
re-establish the tunnel. (A reboot is not required.) SetMTU.exe should be  
located in the VPN Client installation directory. Please use “SetMTU.exe /?”  
for other options.  
CSCeb48663  
The ‘vpnclient stat firewall’ command cannot be run while not connected.  
This command should return the state of the firewall at all times, not just  
when the VPN Client is connected.  
CSCeb68102  
CVPND does not free file handles when it disconnects from the VPN  
gateway. This might cause an out-of-resources situation. This problem  
occurred under Windows NT, running VPN Client version 4.0. No problem  
running with Windows 2000.  
CSCeb83746  
The following problem occurs when using the VPN Client, Release 4.0  
running on MS Windows 2000 or Windows XP. After connecting, a  
“classfull” route is installed in the routing table, due to not receiving a subnet  
mask.  
CSCec00525  
IPSec SA rekeying fails on VPN Client 4.0.2A/B. This occurs when the  
IPSec SA Lifetime Measurement is configured as Data on the VPN 3000  
Concentrator.  
Workaround:  
Use Time Lifetime on the VPN 3000 Concentrator.  
CSCec18923  
After the Cisco VPN Client is connected, the PC stops receiving the local  
multicast traffic. The “Allow Local LAN Access” check box is checked, and  
the multicast addresses are also included in the bypass list on the VPN 3000  
Concentrator.  
CSCec20680  
The ForceNetLogin feature might not work properly with Entrust Intelligence  
client version 6.1.  
CSCec22783  
VPN Client sends the first ESP packet after IKE negotiation is successful  
using an SPI number that doesn't exist. Then the central-site Concentrator  
sends back a delete notification, which the client ignores because the SPI  
doesn't actually exist in the VPN Client. This does not affect any functions.  
CSCec30347  
A customer installed an RSA Keon CA server with root and subordinate CA.  
When we are using the VPN Client, Release 3.1 with the certificates, we can  
connect to VPN 3000 Concentrator running either 3.x or 4.0.1D  
(Concentrator code does not matter).  
Once I upgrade the VPN Client to 3.6.x or 4.0.x, I can no longer get a  
connection to VPN 3000 Concentrator.  
I play around with all the settings, including “check uncheck CA chain” on the  
Client end, as well as on the Concentrator end, “Certificate Group Matching”,  
IKE group 1 or group 2; no matter what I do, it does not work.  
Workaround:  
Downgrade the VPN client to 3.1.  
CSCed05004  
With the VPN Client, Release 4.0.x installed on a Windows XP (tablet  
edition) system, whenever the VPN dialer is opened we get an error “System  
Error: IPC Socket allocation failed with error ffffffff8h” and then it cannot go  
out to the DHCP server and get an IP address.  
CSCed11256  
When installing a customized VPN Client InstallPath, a pop-up box appears  
during the installation with the following message:  
Usage:  
VAInstaller i <INF Location> <HardwareID>  
r <HardwareID>  
f <HardwareID>  
Options:  
i - installs the Virtual Adapter  
r - removes the Virtual Adapter  
f - finds if the Virtual Adapter in installed  
Workaround:  
If the installation path includes $BASEDIR\Program Files\, then the  
InstallPath works.  
CSCed26068  
Using VPN Client, Release 4.0.3.C running under Windows 95, Windows 98,  
or Windows ME, we cannot log in to the Microsoft network using the  
Command-Line Interface to connect VPN communication. NetBIOS packets  
fail to be encrypted.  
CSCee08782  
Mac OS X VPN Client Release 4.0.3.E and higher no longer supports  
Mac OS X 10.1.5. VPN Client Release 4.0.2.C is the last released client  
compatible with Mac OS X 10.1.5.  
Workaround:  
Install the Mac OS X VPN Client Release 4.0.2.C.  
Caveats Resolved in Release 4.0.5.D  
Release 4.0.5.D resolves the following issues:  
CSCed49306  
If a user is member of at least 500 groups in the domain (Win2000), the VPN  
Client cannot open a connection. A message in the log says that the certificate  
could not be retrieved because the store is empty. The same user can connect  
without a problem if the number of groups he belongs to is less than 500.  
CSCef69451  
An error is generated on the VPN Client when trying to connect after a  
certificate renewal is performed:  
"Error 31: The certificate "User Name" associated with this Connection Entry  
no longer exists or failed to open. Please select another certificate."  
CSCef82642  
The VPN Client software is unable to verify some user certificates.  
CSCeg14196  
This was introduced in 4.0.3.C. If the user has more than 10 certificates, and  
wants to select a certificate number 10 or higher, the wrong certificate is  
selected.  
CSCeg30023  
The VPN Client's DPD processing is correct, but it was logging the wrong  
DPD sequence number in the logs.  
CSCsa41980  
In rare cases in which IKE packets are fragmented and received out of order,  
it is possible for the Cisco VPN Client to terminate abruptly.  
CSCsa42416  
If Netopia's NetOctopus is installed on the host, the Cisco VPN Client cannot  
disable the Virtual Adapter at tunnel disconnect.  
Caveats Resolved in Release 4.0.5.C  
Release 4.0.5.C resolves the following issues:  
CSCeb04745  
Can't Install the Virtual Adapter after removing a VPN 5000 client. This  
happens because some of the VPN 5000 Registry keys are not removed by the  
Uninstall.  
CSCef84479  
Client fails when Sygate firewall is installed and the system is not configured  
with correct DNS servers.  
If Ethernet or wireless is connected after logging into Windows and the DNS  
server is not reachable, you get Warning 201 on the GUI, and then you get the  
XAuth prompt. You are eventually connected, but after the connection, you  
cannot pass any traffic. But from the second connection onwards, everything  
works just fine.  
CSCef89853  
There is currently no way to differentiate certificates that have the same  
common name and reside in the same store. The VPN GUI does not allow  
users to associate a different certificate with same name in the profile.  
CSCef93731  
The parent suffix is not appended by VPN Client even if  
"AppendOriginalSuffix" value is present in vpnclient.ini under [DNS]  
section. This could be seen by a DEBUG log message that the correct value  
was present in vpnclient.ini. Windows network connection property pages  
also had the right checkbox selected to append the parent suffix.  
Caveats Resolved in Release 4.0.5.B  
Release 4.0.5.B resolves the following issue:  
CSCef46893  
When the VPN Client and the head-end device are using different subordinate  
digital certificates, IKE authentication fails.  
Caveats Resolved in Release 4.0.5.A  
Release 4.0.5.A resolves the following issues:  
CSCdz58488  
Cisco-proprietary NAT Transparency can be enabled in environments where  
NAT/PAT is not used, but perhaps a firewall allows UDP but not ESP packets.  
The standards-based implementation does not allow for this option, since it  
is autodetecting the need for NAT transparency based on whether or not the  
client is in a NAT/PAT environment.  
Requesting a mechanism per profile to force use of NAT-T even if the VPN  
Client or VPN Concentrator do not detect that they are behind a NAT/PAT  
device.  
CSCeb11271  
When trying to import a certificate, on the GUI, the “Unable to import  
certificate” message is displayed. A password has been provided when  
generating the Certificate request file. This password has been correctly  
re-entered in the “Import Password” field.  
CSCeb15093  
When a connection is made with the VPN Client using a certificate in the  
Cisco store that does not contain a password, the GUI still prompts the user  
for a password. This problem happens only if the certificate is in Cisco store.  
CSCec47637  
Using the VPN Client with multiple-monitor display enabled on a Windows  
XP machine, the VPN Client authentication dialog box appears split between  
the two monitors rather than completely in one side or the other.  
CSCed25166  
If entrust certificates are used with the VPN Client, the Client writes the  
timeout values to entrust.ini file. The VPN Client deletes comments in the  
entrust.ini file when it writes the timeout values.  
CSCee13237  
When fast user switching is enabled in Windows XP and multiple users log  
in, the VPN username/password prompt window always shows up in the first  
user's desktop. All other users cannot see this window when opening a VPN  
connection. They may think the VPN Client is stuck.  
CSCef15043  
When connecting from the VPN Client to the VPN 3000 Concentrator, with  
Cisco Pushed Policy enabled, the Firewall tab on the VPN Client is disabled  
and is therefore unusable.  
CSCef50703  
The VPN Client cannot load a certificate that has an incorrect value for the  
CRL Distribution Point extension. Since this field is not used by the VPN  
Client, it should ignore this field.  
Caveats Resolved in Release 4.0.5  
Release 4.0.5 resolves the following issues:  
CSCed13978  
Rebranding of the Cisco VPN Client (4.0.3) does not update the VPN Client  
title bar correctly and/or automatically. When the steps are followed, the VPN  
Client installation creates a folder called oem.ini and then puts the actual  
"oem.ini" file within this folder.  
The title bar is correctly rebranded if the oem.ini file is moved from the  
previously mentioned directory to the C:\Program Files\Cisco Systems\VPN  
Client\ folder (which is the default client installation folder) or whatever  
folder the client was installed on.  
CSCee22560  
When the 4.0.3.F VPN Client is installed in a directory other than the default  
(C:\Program Files\Cisco Systems\VPN Client), the virtual adapter cannot be  
installed on Windows 2000 or Windows XP. The installation displays the  
following error message:  
Failed to install Cisco Network Adapter. Error: 0x3.  
Please uninstall this client and try the install again.  
CSCee88153  
If the connection profile uses certificates, the VPN Client requires users to  
enter the CertSubjectName field in the profile. This happens to be fairly large,  
something like:  
CertSubjectName=cn=Test1,ou=rootou,o=cisco,l=city,st=state,c=US,e=som  
The client should allow users to just enter the CertName field in the profile.  
The VPN Client should not force the use of SubjectName, as it is long and  
hard to enter in the profile. The CertName field for the above subject name  
looks like:  
CertName=Test1  
CSCef17800  
If you want the DNS suffix to be appended to the actual list, you will have to  
add AppendOriginalSuffix=1 in the vpnclient.ini file. Otherwise the existing  
DNS suffixes are overwritten by default. The purpose of this DDTS is to  
change this default.  
Caveats Resolved in Release 4.0.4.D  
Release 4.0.4.D resolves the following issues:  
CSCdv54087  
When connected over a PPP connection using any of the Linux, Solaris, or  
Mac VPN Clients, the Excluded networks do not allow traffic to the network  
directly connected to the workstation's Ethernet adapters.  
The EnableLocalLan keyword combined with the proper Concentrator Group  
configuration should allow the client to pass traffic to the workstation's local  
Ethernet network. An issue with the client prevents traffic only to the network  
directly attached to the workstation. Other networks excluded from the  
tunnel pass traffic normally.  
CSCea65854  
VPN Clients should exclude all local networks with wildcard push.  
The VPN Client feature to push the 0.0.0.0/0.0.0.0 wildcard during the  
excluded networks negotiation only excludes the network currently  
connected to the VPN Concentrator. The client SHOULD be excluding ALL  
local interfaces and networks.  
If a user has Ethernet and PPP and dials in to connect to a group with a  
wildcard exclude, they will only exclude their PPP interface's network. The  
Ethernet network is NOT excluded.  
With this change, ALL interface networks will be excluded so that the user  
will be able to access their home network over Ethernet while connected to  
the tunnel over PPP. Should they have two Ethernets, the same would apply.  
Prior to this change, the admin would have to push individual networks along  
with the wildcard to support home networks with more than one interface.  
CSCed08103  
Access to overlapping subnet over tunnel fails - supernet mask:  
Split tunneling from network X.X.14.0/23 (255.255.254.0) and tunneling in  
to a Concentrator that assigns a Y.Y.A.B address and includes X.X.0.0/16  
(255.255.0.0) in the split tunneling list. With all versions of the client prior  
to 4.x on Windows, the customer could access the X.X.14.0/23 network  
across the tunnel, this no longer works with 4.x and the virtual adapter.  
The issue appears to be that when the concentrator passes down the less  
specific mask, the routing table entry for the specific mask (X.X.14.0/23) is  
not modified, so it is always preferred.  
The client should be looking at the routing table and adding more specific  
metric routes for any specific masks covered under a split tunneling list when  
a user connects/disconnects.  
If the customer changes the split tunneling list specifically to X.X.14.0/23,  
then this network is accessible via the tunnel, however, this does not work for  
production since all networks under X.X.0.0/16 must go through the tunnel.  
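The route selection behind CSCed08103, as an added example (not Cisco code): longest-prefix match lets the local /23 route capture traffic that the /16 split-tunnel entry was meant to send through the tunnel, and an equally specific tunnel route restores the intended path. The 10.20.* prefixes stand in for the page's masked X.X.* networks, and the interface names, metrics and function names are hypothetical.

```python
import ipaddress

# Constructed sample values: the page masks the real prefixes as X.X.*;
# 10.20.* stands in for X.X.* here. Interface names are hypothetical.
SPLIT_TUNNEL_LIST = ["10.20.0.0/16"]
ROUTES = [                          # (destination, interface, metric)
    ("0.0.0.0/0", "lan", 20),
    ("10.20.14.0/23", "lan", 20),   # local subnet the workstation sits on
    ("10.20.0.0/16", "vpn", 1),     # supernet pushed by the concentrator
]


def select_route(routes, dst):
    """Pick a route the way an IP stack does: the longest matching prefix
    wins, and the metric only breaks ties between equal-length prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = []
    for dest, iface, metric in routes:
        net = ipaddress.ip_network(dest)
        if addr in net:
            matches.append((net, iface, metric))
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))


def shadowing_routes(routes, split_list, tunnel_iface="vpn"):
    """List non-tunnel routes that are strictly more specific than a
    split-tunnel entry and so capture traffic meant for the tunnel."""
    tunnel_nets = [ipaddress.ip_network(s) for s in split_list]
    findings = []
    for dest, iface, metric in routes:
        if iface == tunnel_iface:
            continue
        net = ipaddress.ip_network(dest)
        for covered in tunnel_nets:
            if net.prefixlen > covered.prefixlen and net.subnet_of(covered):
                findings.append((str(net), iface, metric, str(covered)))
    return findings


def add_covering_routes(routes, findings, tunnel_iface="vpn"):
    """Behaviour the caveat asks for: add an equally specific tunnel route
    for every shadowing prefix so the tunnel wins the metric tie-break."""
    fixed = list(routes)
    for dest, _iface, _metric, _covered in findings:
        # Assumption: the local route's metric is above 1, so 1 is preferred.
        fixed.append((dest, tunnel_iface, 1))
    return fixed


if __name__ == "__main__":
    found = shadowing_routes(ROUTES, SPLIT_TUNNEL_LIST)
    for dest, iface, metric, covered in found:
        print(f"{dest} via {iface} (metric {metric}) shadows tunnel entry {covered}")
    print("before:", select_route(ROUTES, "10.20.14.7")[1])
    fixed = add_covering_routes(ROUTES, found)
    print("after: ", select_route(fixed, "10.20.14.7")[1])
```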
CSCee65964  
Cisco Systems VPN adapter not removed after upgrading VPN Client.  
When the Windows 2000 VPN Client is updated with an installation of VPN  
Client Release 4.0.4, problems can occur if the InstallShield installation  
method is chosen.  
During the installation process, the old version is automatically uninstalled  
prior to installation of the new version. However, sometimes the prior "Cisco  
Systems VPN adapter" does not get uninstalled, and Release 4.0.4 installs a  
second "Cisco Systems VPN adapter."  
This can lead to mysterious failed connection attempts to the VPN  
Concentrator.  
If the VPN Client Release 4.0.4 is installed a second time, the duplicate  
"Cisco Systems VPN adapter" is gone.  
CSCee66699  
When trying to install the 4.0.4 version of the VPN Client on a Windows 2000  
PC which was built with a ghost image, we get the error,  
"Error 28001 MS TCP/IP is not installed"  
and cannot install the VPN Client.  
CSCee84411  
Split-tunneling does not work under certain circumstances for 4.0.4.C version  
of the VPN Client.  
Caveats Resolved in Release 4.0.4.B  
Release 4.0.4.B resolves the following issues:  
CSCdt41308  
You may see a problem with FTP file transfers over a long period of time  
(hours) while connected with the VPN Client. The symptom is that the FTP  
session never starts (no response to the 'open' command) and the Client Log  
Viewer shows the following events:  
74 22:31:08.704 02/08/01 Sev=Warning/2 IPSEC/0xE370000C  
Failed to acquire a TCP control resource, the queue is empty.  
75 22:31:08.704 02/08/01 Sev=Warning/2 IPSEC/0xA370001A  
VRS processing failed, discarding packet  
Other applications like PING and HTTP should work fine, but for FTP to  
work again, you must disconnect and reconnect the VPN Client.  
CSCec43877  
While attempting to connect a Linux VPN Client, the client seems to lock up  
after the certificate password has been entered. Beginning with the Release  
4.0.3.B Linux VPN Client, if the VerifyCertDN field is in use within the  
profile and it does not match the server certificate sent by the VPN 3000  
Concentrator, the client will hang.  
CSCee30728  
When the VPN Client Release 4.0.3.F is installed, uninstalled, and  
reinstalled, the VPN Client cannot establish a tunnel. The client logs have the  
message:  
Failed to initialize the ipsec driver! Returned 1  
CSCee50403  
The Linux VPN Client 4.0.4.A will not install on the SuSe 9.1 OS.  
CSCee50587  
Certificate import screens introduced in the 4.0 VPN Client that say that a  
password is optional may be confusing to some users. Customer would like  
the message changed to say that a password may be required instead of that a  
password is optional.  
CSCee54475  
Firewall dialog box needs to be disabled if firewall is not used.  
At SBL (Start Before Login), the VPN Client checks to see if any supported  
firewalls (Zone, BlackIce, etc.) are installed on the system. If they are, the  
client checks to see if they are up and running. If they are not up and running,  
the client displays a dialog box letting the user know that we are waiting for  
the firewall to start before continuing with the VPN connection. Users have  
an option for canceling this dialog box and continuing even though the  
firewall has not started. This happens before the client has sent any messages  
to the VPN 3000 Concentrator; therefore, the client has no idea if a firewall  
is in fact required by the VPN 3000 Concentrator. We wait because we don't  
want to start a connection to the VPN 3000 Concentrator until an installed  
firewall is up and running, for security reasons.  
This needs to be done because sometimes at SBL, the Cisco VPN Service  
would come up before other services (like the firewall), or the TCP stack.  
This is seen more often on Windows XP, because XP has the fast boot option  
where a user is allowed to log on the system even before all the services are  
up. If a firewall is required by the VPN 3000 Concentrator device, we want to  
make sure that the firewall is up.  
The problem is, the client installs the stateful firewall on the machine. It trips  
over stateful firewall (if it is not started) even when customers don't have the  
stateful firewall turned on. As a fix, if the stateful firewall is not started by  
end-users, and if that is the only firewall installed on the system, the client  
will not display a dialog box.  
If stateful firewall is turned on, and if it is not started at SBL, the VPN Client  
still displays the dialog box. If there are other Cisco supported firewalls on  
the system that are not started, we display the dialog box.  
CSCee54533  
Windows 2000 OS-added route doesn’t get incremented after client connects.  
On Windows 2000 machines the operating system adds routes (routes that are  
added by default when an interface comes up). These routes have a metric of  
1, and we do not increment the metric of the original route. We do not see this  
issue in Windows XP.  
CSCee55801  
The VPN Client graphical user interface hangs or displays “Warning 201: The  
Cisco Vpn service is not responding” at Start Before Login.  
This happens only when Zone service (vsmon.exe) is installed on the system.  
This service is installed by Zone Alarm Pro or Zone Integrity Agent.  
Cisco VPN service adds a rule to the Zone service to allow VPN traffic when  
Cisco VPN service is first started. But it is possible that the OS starts the  
Cisco VPN service before the Zone service is started. In that case, the Cisco  
service gets blocked while trying to add those rules.  
Caveats Resolved in Release 4.0.4  
Release 4.0.4 resolves the following issues:  
CSCed50673  
If an IPSec SA has expired and has not been renewed by the VPN 3000  
Concentrator, the system displays an INTERNAL ERROR: INVALID  
REASON CODE message when you issue the VPN Client stat command.  
CSCed72716  
On a Linux machine running version 2.6.2 kernel or higher, the Cisco Linux  
VPN Client 4.0.3(B) hangs when trying to connect.  
CSCed80758  
The VPN Client stat repeat command produces the following error when the  
client disconnects:  
INTERNAL ERROR: INVALID REASON CODE  
This is only a message from the VPN Client stat command and does not  
indicate any problems with the VPN Client.  
Caveats Resolved in Release 4.0.3.F  
Release 4.0.3.F resolves the following issues:  
CSCea93535  
There are MTU-related performance issues with H.323 and the VPN Client  
virtual adapter.  
CSCed50615  
Using the CLI under Windows XP, if you try to connect when the VPN Client  
is already connected, the existing tunnel connection fails.  
CSCed61937  
When using Radius with Expiry, the user is prompted for a username,  
password, and domain. If the domain name is 15 characters long, it is  
truncated to 14 characters in the VPN Client profile.  
CSCed62239  
If a central-site concentrator with DPD keepalives disabled deletes an  
ISAKMP SA, VPN Clients are not updated. The client repeatedly tries to  
negotiate new IPSEC SAs using the old ISAKMP SA.  
CSCed63571  
Import of base-64 encoded certificates fails in version 4.0.3.B of VPN Client.  
Caveats Resolved in Release 4.0.3.E  
Release 4.0.3.E resolves the following issues:  
CSCea04848  
The silent disconnect option of VPN Client for Windows does not suppress  
the message:  
“Do you wish to disconnect your Dialup Networking connection?”  
For VPN Client Release 4.0.2, the behavior is somewhat different. The sd flag  
suppresses the message, but the dialup connection remains in place.  
Disconnecting the connection requires user intervention when the VPN  
Client exits.  
CSCec77189  
Using VPN Client Release 4.0.2.C for MacOS X on MacOS X 10.3, after  
installing the Mac VPN Client on MacOS X 10.3 (Panther), you get an error  
message that the “VPN SubSystem [is] not available.” Restarting the Mac  
causes the message to go away, as does manually starting the service.  
CSCec82493  
When using the Release 4.0.3.C VPN Client for MacOS X under Panther  
(MacOS X 10.3), you might see drop-down lists appear in odd places on the  
screen. For example, the Profile list in Simple mode appears in a different part  
of the screen when you click the drop-down list.  
Caveats Resolved in Release 4.0.3.D  
Release 4.0.3.D resolves the following issues:  
CSCea30026  
The 4.0 VPN Client running on Windows 2000 or Windows XP is unable to  
connect. The following event appears in the log:  
“The Client was unable to enable the Virtual Adapter because it could not  
open the device.”  
This can happen as a result of the VPN Client’s virtual adapter not being  
installed.  
CSCeb41256  
A VPN Client, version 4.0.1, can't initialize the virtual adapter while  
attempting an IPSEC connection after “undocking” from a docking station.  
When attempting a connection the following message appears in the VPN  
Client logs:  
Sev=Warning/2IKE/0xE3000099  
Failed to active IPSec SA: Unable to enable Virtual Adapter  
(NavigatorQM:938)  
In summary:  
Docked- successful connect  
Undocked- failure to enable adapter  
Redocked- failure to enable adapter  
The only way to recover is to reboot the system.  
CSCed01742  
When the VPN Client connection is initiated via CLI from Terminal Server  
client, and no one is logged on the Terminal server, then the VPN Connection  
fails.  
CSCed38308  
Release 4.x VPN Client for Windows with Auto-initiation prompts to  
disconnect or suspend when the Windows machine is shut down. This happens  
with all Release 4.x VPN Clients with auto-initiation turned on.  
Caveats Resolved in Release 4.0.3.C  
Release 4.0.3.C resolves the following issues:  
CSCdz64545  
With Datakey Smart Cards, after a user logs off a Windows session and logs  
back in, the user is not prompted to re-enter the Smart Card credentials by  
receiving a prompt for a password.  
CSCea65393  
Using the 4.0 VPN Client with the virtual adapter (Windows 2000 or  
Windows XP) in a multiple NIC environment, the VPN Client might not pass  
data while connected.  
When the VPN Client PC has multiple network interfaces and the default  
gateway is on the non-VPN interface, the default gateway metric is not  
incremented. This might result in data that is bound for the VPN going to the  
non-VPN default gateway and being dropped. This problem is clearly  
identifiable by looking at the routing table while a VPN (All Tunneling)  
connection is active, where the two default routes appear with equal metrics.  
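The routing-table check that CSCea65393 describes, as an added example (not Cisco code): it parses rows in the column layout of Windows "route print" and reports when the best default-route metric is shared by more than one interface. The table is constructed sample data; 192.168.1.100 stands for the physical NIC and 10.8.0.25 for the virtual adapter, and all function names are hypothetical.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest mask gateway iface metric")


def sample_table(nic_default_metric):
    """Constructed sample in the IPv4 'Active Routes' layout of route print."""
    return f"""Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100       {nic_default_metric}
          0.0.0.0          0.0.0.0         10.8.0.1       10.8.0.25       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100       20
"""


def parse_routes(text):
    """Keep only lines made of four IPv4 addresses followed by an integer
    metric; headers and any other lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        try:
            dest, mask, gateway, iface = (ipaddress.IPv4Address(c) for c in cols[:4])
            metric = int(cols[4])
        except ValueError:
            continue
        routes.append(Route(dest, mask, gateway, iface, metric))
    return routes


def ambiguous_default_routes(routes):
    """Return the interfaces that tie for the best default-route metric.
    An empty list means one default route is clearly preferred."""
    any_addr = ipaddress.IPv4Address("0.0.0.0")
    defaults = [r for r in routes if r.dest == any_addr and r.mask == any_addr]
    if not defaults:
        return []
    best = min(r.metric for r in defaults)
    tied = sorted({str(r.iface) for r in defaults if r.metric == best})
    return tied if len(tied) > 1 else []


if __name__ == "__main__":
    for label, metric in (("equal metrics", 20), ("NIC metric incremented", 21)):
        tied = ambiguous_default_routes(parse_routes(sample_table(metric)))
        print(f"{label}: {'ambiguous via ' + ', '.join(tied) if tied else 'ok'}")
```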
CSCeb77199  
The 4.0 VPN Client requires a specific route to the DHCP server so that this  
doesn't break after the connection is established. If users are connecting to the  
external interface and using a local DHCP server there is a specific route to  
that server created pointing to the NIC, not the virtual adapter.  
If other services are running on that same server, such as WINS, DNS, and  
such, this route breaks these services once the VPN session is established. If  
you remove this route, everything works as it should. This occurs regardless  
of whether you use tunnel everything or split tunneling.  
CSCeb77706  
VPN Client, Release 4.0.2.B causes system failure (blue screen) when using  
IPSec/TCP.  
CSCec61723  
Cisco VPN traffic seems to top off at 1352 (IP datagram), which includes  
1324 (ESP packet). This happens even when the interface MTU is set to 1400  
or more.  
CSCec62565  
In a load-balanced configuration running VPN Client Releases 4.0.1, 4.0.1.A,  
4.0.2.C - E, 4.0.3, and VPN Concentrator Releases 4.0, 4.0.1.A - E, the DPD  
fails to disconnect the Client IPSec session when the Client connects to the  
load-balanced cluster IP address.  
CSCec78515  
When a profile that uses a certificate is used to establish a connection to the  
central site, the VPN GUI verifies the certificate before establishing the  
connection. But because of this problem, it verifies the first certificate in the  
list, instead of the certificate associated with the profile.  
Generally users would not notice this because the verification of the  
certificate is successful. But if the first certificate in the list is not valid, the  
connection fails.  
CSCed02998  
On very rare occasions, in Release 4.0 and higher of the VPN Client GUI,  
IPSecLog.exe fails when you change the log settings in the VPN GUI.  
CSCed07108  
Feature Request: Allow customers to modify the VA MTU (at MAC layer)  
during Install Shield installation.  
CSCed09553  
The Release 4.0 VPN Client must notify Novell once the VPN Tunnel comes  
up.  
Caveats Resolved in Release 4.0.3.B  
Release 4.0.3.B does not contain any new resolved caveats.  
Caveats Resolved in Release 4.0.3.A  
Release 4.0.3.A resolves the following issues:  
CSCdz14583  
When installing the Release 4.0 VPN Client on Windows 2000, a driver  
signing warning appears, asking whether or not to continue the installation.  
The Release 4.0 VPN Client, when installed on Windows 2000 or Windows  
XP has a new Virtual Adapter feature. On Windows 2000 systems, the VPN  
Client installs a Virtual Adapter driver that is not yet signed, so when  
installing the VPN Client on Windows 2000 systems, a warning might appear.  
CSCec42345  
Using Windows NT 4.0, SP 6, and Windows XP Home, the VPN Client's CLI  
cannot start a third-party dial-up program when a connection profile is  
configured to do so. The following error appears: “The third-party dial-up  
program could not be started.”  
CSCec59997  
When attempting to connect with the Linux VPN Client, the VPN Client fails  
if the interface routing to the concentrator is down, because the client cannot  
bind to it. This could happen if the Ethernet cable is unplugged. This problem  
does not occur with the Linux VPN Client, Release 4.0.3 or higher.  
CSCec61062  
VPN Client, Release 4.0.3, cannot connect to a VPN Server. The following  
error messages appear on the VPN client logs:  
API Failure - Function call ControlService returned 1062  
Failed to active IPSec SA: Unable to enable Virtual Adapter  
Caveats Resolved in Release 4.0.3  
Release 4.0.3 resolves the following issues:  
CSCec01510  
Windows VPN Client (version 4.x) fails to connect to a VPN 3000 Series  
Concentrator from a Windows Terminal Services Connection. This was  
possible with earlier 3.6.x versions. The problem occurs when a user connects  
to a Windows 2000 server running terminal services and from the terminal  
services session launches the VPN Client to connect to a VPN 3000  
Concentrator (configured to do split tunneling). With versions 4.x using the  
new Virtual Adapter, this is not possible; however, it was possible with  
versions 3.6.x.  
CSCdz25788  
When using the VPN Client, Release 3.6.2B on Windows XP PCs, if “register  
this address to DNS” was not checked on a PPP adapter side, Split-DNS  
behavior differs.  
If checked, Split-DNS behaves normally.  
If not checked, Split-DNS functions normally, but after disconnecting  
from the internet, it never refers to the DNS of the Internet side.  
CSCeb47765  
Name resolution can take up to 40 seconds when a tunnel has been  
established. This problem occurs only on WIN XP. This problem was not  
evident in 3.6.x VPN Client code.  
CSCeb67454  
Symptom: With the VPN Client 4.x on Windows XP, using split tunneling and  
split DNS, the DNS lookup does not use DNS servers.  
The following observations pertain to this issue:  
- All or nothing tunnel works fine.  
- This problem occurs only with split tunnel and split tunnel with split DNS.  
- If you use nslookup to resolve the PINGed server, it might give the right info.  
- This problem exists for both FQDN and unqualified name.  
Caveats Resolved in Release 4.0.2.E  
Release 4.0.2.E resolves the following issue:  
CSCeb80558  
If vpnclient.ini option “AppendOriginalSuffix” has a value of 1 or 2, the VPN  
Client should append the primary suffix of the machine at tunnel  
establishment.  
Caveats Resolved in Release 4.0.2.D  
Release 4.0.2.D resolves the following issues:  
CSCdy67438  
VPN Client, Release 3.6.2 is installed on the Windows 2000 and Windows XP  
machines using the customized (OEM) installation (InstallShield Install).  
To activate “Start before Logon”, oem.ini and vpnclient.ini are present in the  
installation package. Once the machine is rebooted after the installation, the  
“Start before Logon” feature does not work.  
CSCeb12483  
When making changes to the vpnclient.ini and preceding [CertEnrollment]  
parameters with an exclamation point (!) character, the fields are still editable  
after installation. The exclamation point should make these fields uneditable,  
but users can still edit the fields after installation and rebooting.  
CSCeb27643  
Information like Department information does not get filled in using v4.0.1  
of the VPN Client. When using Certificate Enrollment, the CA url info is  
correctly saved, but other information is ignored.  
CSCeb66861  
On an XP PC with the 4.0 or 4.0.1 VPN Client, a user may experience DNS  
issues upon connection. After connecting to a VPN 3000 Concentrator  
(Release 4.0), the VPN Client can ping resources on the private network by  
IP, but not by name. Once this happens on the XP PC, you can go to  
network connections->advanced->advanced settings and change the order of  
the adapters, or actually move a different (doesn't matter which) one to the  
top of the list and hit OK. You can then ping by name.  
If you disconnect the VPN Client and reconnect, you get the same results, but  
the adapter at the top of the list is the one you moved there previously. You  
cannot ping by name until you move a different adapter to the top of the list  
and hit OK.  
CSCeb70819  
The VPN Client intermittently takes as much as 30 seconds to launch. This  
happens only intermittently. It takes about 15 seconds for the splash screen to  
come up, and another 15 seconds for the GUI to come up. If you launch the  
GUI from the command line or Windows Explorer by executing vpngui.exe  
directly, it takes half that time.  
This problem exists only in Releases 4.0.2, 4.0.2.A and 4.0.2.B of the VPN  
Client. If VPN Client logs are disabled, this problem completely goes away.  
CSCeb74792  
The silent uninstall feature of the VPN client does not uninstall the Profiles  
and certificates folder from the Program Files folder:  
C:\Program Files\Cisco Systems\VPN Client  
CSCeb80558  
If vpnclient.ini option “AppendOriginalSuffix” has a value of 1 or 2, the VPN  
Client should append the primary suffix of the machine at tunnel  
establishment.  
Caveats Resolved in Release 4.0.2.C  
Release 4.0.2.C resolves the following issues:  
CSCdz76316  
Disabling the VPN Client log stops logging to the file and screen. Re-enabling  
logging first clears the screen and reloads all the text from the file back to the  
screen. Log output should start to appear on the screen and file.  
CSCea52757  
When installing from a CD, where all the files are Read-Only by default, the  
MSI installer copies the VPNCLIENT.INI and .PCF files to the destination  
but does not change the file attributes from Read-Only to Read+Write.  
CSCdz57585  
There is no way to prevent the “sample.pcf” file from appearing in the VPN  
Client connection entries after installing the Mac VPN Client GUI. It is  
unnecessary to see “sample.pcf” in the GUI connection entries. It should  
remain as a template for hand-made profiles but not appear on the GUI. The  
Windows VPN Client already behaves in this fashion.  
CSCea35578  
After waking from a workstation sleep, the Mac VPN Client still shows that  
it is connected, even though it is not tunneling or blocking any traffic.  
If the VPN Client is connected when the workstation is put to sleep, it might  
not realize that it has lost its connection.  
CSCeb21138  
At VPN Client initialization, the version string is overlaid in text on top of  
the splash screen. There is no way to modify this string for OEM  
customization. It should be removed.  
Caveats Resolved in Release 4.0.2.B  
Release 4.0.2.B resolves the following issues:  
CSCeb19862  
VPN Clients, version 4.0.x, do not produce an informative Delete with  
Reason message when the VPN Concentrator has been configured to  
disconnect the Client due to “Type and Version Limiting”.  
Type and Version Limiting was introduced with the 4.1 Concentrator code  
and does not trigger an informative message from the VPN Client. The  
current message is:  
Secure VPN Connection terminated by Peer.  
Reason: Unknown Error Occurred at Peer.  
CSCeb40034  
The VPN Client is terminating the connection prematurely during rekey.  
The scenario is:  
1. The initial IKE SA (SA1) comes up.  
2. Rekey is initiated. P1 is complete by establishing SA2.  
3. Xauth is in progress.  
4. SA1 is deleted. In this case, the remote peer sends a Delete message.  
5. The VPN Client detects that there is no user authenticated IKE SA in the  
system and brings down the connection.  
Although SA2 is not yet authenticated, it is still a valid IKE SA. The VPN  
Client should not bring down the connection at this point and should let the  
rekey complete.  
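The rekey scenario above, replayed as an added example (not Cisco's code): a toy SA table in Python that compares the teardown decision described in the caveat with the one the note says the VPN Client should make. The class, function and event names are assumptions for illustration, and the `xauth_failed` case is an assumed edge case that is not in the release notes.

```python
"""Toy model of the IKE rekey race described in CSCeb40034 (illustrative only)."""
from dataclasses import dataclass


@dataclass
class IkeSa:
    name: str
    authenticated: bool = False  # True once Xauth has completed on this SA


def require_authenticated_sa(sas):
    """Decision described in the caveat: stay up only while some SA is user-authenticated."""
    return any(sa.authenticated for sa in sas.values())


def require_any_valid_sa(sas):
    """Decision the caveat asks for: a valid IKE SA, authenticated or not, keeps the tunnel."""
    return bool(sas)


def run(events, keep_connection):
    """Replay (kind, sa_name) events; return (connected, remaining SA names, trace)."""
    sas, connected, trace = {}, False, []
    for kind, name in events:
        if kind == "p1_complete":          # Phase 1 finished: SA exists, Xauth still pending
            sas[name] = IkeSa(name)
        elif kind == "xauth_complete":     # user authentication finished on this SA
            sas[name].authenticated = True
            connected = True
        elif kind in ("delete", "xauth_failed"):
            sas.pop(name, None)
            if connected and not keep_connection(sas):
                sas.clear()
                connected = False
                trace.append(f"{kind} {name}: connection torn down")
                break                      # nothing later in the exchange can complete
        else:
            raise ValueError(f"unknown event {kind!r}")
        trace.append(f"{kind} {name}: SAs={sorted(sas)} connected={connected}")
    return connected, sorted(sas), trace


# Steps 1-5 of the scenario; step 3 (Xauth in progress on SA2) is the gap before the Delete.
REKEY = [
    ("p1_complete", "SA1"), ("xauth_complete", "SA1"),  # 1. initial IKE SA comes up
    ("p1_complete", "SA2"),                             # 2. rekey: P1 establishes SA2
    ("delete", "SA1"),                                  # 4. peer deletes SA1 during Xauth
    ("xauth_complete", "SA2"),                          # rekey finishes if still connected
]
# Assumed edge case, not from the release notes: Xauth on SA2 fails after SA1 is gone.
FAILED_REKEY = REKEY[:4] + [("xauth_failed", "SA2")]

if __name__ == "__main__":
    for label, policy in (("described", require_authenticated_sa),
                          ("expected", require_any_valid_sa)):
        connected, remaining, trace = run(REKEY, policy)
        print(f"{label}: connected={connected} SAs={remaining}")
        for entry in trace:
            print("   ", entry)
```
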
CSCeb52019  
DNS suffix search list gets replaced when CVPN Client 4.x is used for VPN  
tunnel establishment.  
CSCeb54855  
Unable to autopopulate the CertSerialHash value in the .PCF file. The  
customer creates a customized profile and installs the certificate in the  
Personal store on the PC. When the end user uses the VPN Client for first  
time, it does not populate the CERTSERIALHASH value under the .PCF file,  
which was working in earlier code.  
Caveats Resolved in Release 4.0.2.A  
Release 4.0.2.A resolves the following issues:  
CSCeb35709  
The VPN Client does not handle stdin / stdout data correctly.  
CSCeb38492  
The VPN Client user interface terminates unexpectedly with the following  
error when a third-party dialer is misconfigured or the Client can't find the  
dialer at the path specified:  
vpngui.exe has generated errors and will be closed by Windows. You will  
need to restart the application. An error log is being created.  
If you specify the path correctly, the error does not occur.  
CSCeb39137  
The TunnelEstablished flag is set to 1 (Connected) before user has accepted  
the banner. This is an issue now that Release 4.0 prevents communication  
across the tunnel before the banner is acknowledged.  
Caveats Resolved in Release 4.0.2  
Release 4.0.2 resolves the following issues:  
CSCdz32866  
The Macintosh OS X version of VPN Client does not save the location & size  
of the external Log Window so it must be resized and moved every time you  
open it.  
CSCdz58821  
Using the Linux version of the VPN Client over a SuSe native PPPoE  
connection, the VPN Client fails to connect. The Mandrake platform exhibits  
the same symptoms. The VPN Client is unable to bind to the type of PPPoE  
used natively by SuSe and Mandrake.  
CSCdz78215  
While attempting to make a connection using the Linux version of the VPN  
Client, the workstation crashes if PPPoE is activated during the connection.  
That is, if a VPN Client connection is in progress while PPPoE is being  
brought up, the workstation crashes.  
CSCdz88631  
When installing the Linux version of the VPN Client on a Red Hat 8.1 beta  
installation, a number of disquieting warnings appear during installation as  
well as a strange binary message while connecting the VPN Client. These  
messages do not affect the performance of the VPN Client.  
CSCea22263  
If the certificate that is to be used by the VPN Client contains  
non-ASCII characters in the CN and Subject (letters with umlaut, various  
kinds of accents, copyright character), then after selecting the certificate in  
the VPN dialer, closing the VPN dialer, and reopening the same connection  
entry, there is an error message, “The certificate <name>, associated with this  
Connection Entry, no longer exists. Please select another certificate.”  
In the certificate list, though, this certificate is still present and can be  
selected.  
CSCea65315  
Rebranding the VPN Client Release 4.0 for Mac OS X is not currently  
possible. If you drop a png file into the Resources folder of the installer disk  
image, when you install the VPN Client, the png file is not copied into the  
/etc/CiscoSystemsVPNClient/Resources/ folder.  
CSCeb00549  
The Linux VPN Client does not install on platforms with kernel versions of  
2.5 or 2.6. These kernel versions are not yet supported with the 4.0 Release  
or any previous versions of the VPN Client.  
CSCeb07131  
Using the Windows 4.0 VPN Client with certificates, we are unable to disable  
the certificate expiry message.  
CSCeb08604  
The VPN Client should treat profile names as case insensitive.  
If there is a profile PROFILE1.pcf and the following command is executed  
from command prompt:  
ipsecdialer /c /user <UserName> /pwd <UserPassword> profile1  
or  
vpngui /c /user <UserName> /pwd <UserPassword> profile1  
The above commands should work. "profile1" should NOT be treated as case  
sensitive. This is a regression from 3.6 GUI.  
CSCeb09593  
When the silent disconnect option is used with the VPN Client, the “You've  
been disconnected” dialog is still shown after a "VPNCLIENT  
DISCONNECT" is issued.  
CSCeb17553  
In the 4.0 version of the VPN Client, vpnclient.exe no longer supports the  
“-sd” command line option. If I have an old shortcut for vpnclient.exe that  
uses this option, I get a Usage output stating that this option is no longer  
supported. This breaks all the 3.x shortcuts that use this option.  
CSCeb35613  
Cvpnd.exe (Cisco VPN Service) crashes when trying to establish a tunnel. If  
you run into this problem, the last entry in the logs should say:  
Unable to forward xAuth request data to xAuth application. Error code  
<error code>  
This generally occurs if a severe error is encountered while trying to XAuth.  
Specifically, this happens if we can't spawn a process to do XAuth. Some  
reasons for that would be if some of the VPN Client executable files are  
deleted or modified.  
CSCeb37036  
On rare occasions, the Release 4.0 VPN Client disconnects the tunnel right  
after establishing it. This happens only when using a dialup connection to  
Internet (or PPPoE).  
The following messages appear in the VPN Client logs:  
05 14:04:02.745 06/11/03 Sev=Warning/3 CM/0xA310002C  
Adapter address changed from <IP Address>. Current address(es): <Current  
IP Addresses>.  
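The log entries quoted in these notes share one header layout (sequence number, time, date, `Sev=<name>/<level>`, `<component>/<event id>`) followed by the message text. The following added example (not part of the release notes or of the VPN Client) parses that layout and tags entries whose message matches a caveat quoted on this page; the MM/DD/YY date order, the function names and the two constructed entries with placeholder event ids are assumptions.

```python
"""Parse VPN Client log entries and map known messages to caveat IDs (added example)."""
import re
from datetime import datetime

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<comp>[A-Za-z]+)/(?P<event>0x[0-9A-Fa-f]{8})$"
)

# Message fragments quoted in these release notes and the caveat that documents each.
KNOWN = [
    ("Adapter address changed from", "CSCeb37036"),          # tunnel drops on dialup/PPPoE
    ("Unable to forward xAuth request data", "CSCeb35613"),  # XAuth process not spawned
    ("Failed to initialize the ipsec driver", "CSCea38022"), # driver not installed correctly
    ("Microsoft IPSec Policy Agent service started successfully", "CSCeb00459"),
    ("Could not find (null) in IpHlpApi.DLL", "CSCea35592"), # Virtual Adapter systems
]


def parse_log(text):
    """Return one dict per entry; wrapped message lines are joined with a space."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {
                "seq": int(m["seq"]),
                # Assumption: dates are MM/DD/YY, as 04/27/03 in the notes implies.
                "when": datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%y %H:%M:%S.%f"),
                "severity": m["sev"],
                "level": int(m["level"]),
                "component": m["comp"],
                "event_id": int(m["event"], 16),
                "message": "",
            }
            events.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return events


def triage(events):
    """Return (seq, severity, caveat) per matched entry; unmatched Criticals are kept."""
    findings = []
    for ev in events:
        for fragment, caveat in KNOWN:
            if fragment.lower() in ev["message"].lower():
                findings.append((ev["seq"], ev["severity"], caveat))
                break
        else:
            if ev["severity"] == "Critical":
                findings.append((ev["seq"], ev["severity"], "unmatched"))
    return findings


# Entries 05 and 27 are the ones quoted in these notes. Entries 28 and 29 are
# constructed for this example: their headers and event ids are placeholders.
SAMPLE = """\
05 14:04:02.745 06/11/03 Sev=Warning/3 CM/0xA310002C
Adapter address changed from <IP Address>. Current address(es): <Current
IP Addresses>.
27 22:50:50.401 04/27/03 Sev=Critical/1 CVPND/0xE3400001
Microsoft IPSec Policy Agent service started successfully
28 22:51:02.117 04/27/03 Sev=Critical/1 CVPND/0xE3FFFFFE
Unable to forward xAuth request data to xAuth application. Error code
<error code>
29 22:51:03.000 04/27/03 Sev=Critical/1 CM/0xE3FFFFFF
Constructed event with no matching caveat
"""

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE)):
        print(finding)
```

An entry tagged CSCeb35613 deserves a file-integrity check of the client installation, since the caveat lists deleted or modified executables as a cause; an entry tagged CSCeb00459 is the mislevelled but harmless message.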
CSCec43986  
After upgrading to 4.0.1D or E, the concentrator tries to authenticate users to the  
Base Group instead of the defined group.  
Errors seen on the logs add extra characters to the GROUP.  
Caveats Resolved in Release 4.0.1  
Release 4.0.1 fixes the following issues that existed in earlier software releases:  
CSCea39719  
When the vpnclient.ini has the setting, “StatefulFirewallAllowICMP=1”, and  
StatefulFirewall (Always On) is suspended, then resumed, the Stateful  
Firewall does not allow ICMP traffic to pass unless the service is stopped and  
restarted.  
CSCea47454  
Buttons in Certificates->Import/Export windows are truncated when using  
system Large Fonts (120dpi) setting.  
CSCea76011  
IPSec over TCP and/or Split tunneling does not work on certain machines.  
This issue is the same as CSCdz51629, and CSCdy80016. For example, using  
a Sierra SMC2632W wireless card, and building a VPN tunnel to a PIX  
firewall, if split-tunneling is used, then no SAs are built for the networks in  
the split tunnel list, resulting in no traffic flow over the tunnel.  
CSCea86293  
The VPN Client continually prompts for the password when using the  
following command line:  
ipsecdialer.exe /c /user USERNAME /pwd PASSWORD PROFILE  
CSCea88456  
When installing Release 4.0 of the VPN Client on Japanese Windows 2000,  
the virtual adapter installer hangs.  
CSCea93394  
This problem occurs only on the Windows version of the Release 4.0 VPN  
Client, not on non-Windows platforms or earlier versions of the VPN Client.  
When a tunnel is established, the central site Concentrator could send a DNS  
domain to be used by the VPN Client by mode configuration. The VPN Client  
makes the changes to the system to use the DNS suffix pushed by the  
central-site Concentrator. This works fine, but when the tunnel is  
disconnected, the DNS suffix change that was made when the tunnel  
connected is not undone.  
CSCeb00459  
When the Cisco VPN Client disconnects, it logs the following message in a  
file called faultlog.txt, located in C:\Program Files\Cisco Systems\VPN 3000  
Client:  
27 22:50:50.401 04/27/03 Sev=Critical/1 CVPND/0xE3400001  
Microsoft IPSec Policy Agent service started successfully  
The message appears only when we disconnect the Client. The Client  
functions without any problems.  
The level for this message should be changed and this file should probably be  
documented.  
Caveats Resolved in Release 4.0  
This section lists the caveats fixed since Release 3.6.3 (Windows) or Release 3.7.2  
(Linux, Solaris, and Mac OS X). If you have an account on CCO you can check  
the status of any caveat by using Bug Navigator II.  
To reach Bug Navigator II on CCO, choose Software & Support: Online Technical  
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl  
CSCdt42661  
When using the VPN Client behind an ESP-aware NAT/Firewall, the port on  
the NAT/Firewall device may be closed due to the VPN Client’s keepalive  
implementation, called DPD (Dead Peer Detection). When a Client is idle, it  
does not send a keepalive until it sends data and gets no response.  
Refer to “Connection Profile Configuration Parameters” in the VPN Client  
Administrator Guide for a detailed description of creating profiles.  
CSCdv64330  
The VPN client cannot connect using digital certificates issued from an RSA  
Keon CA if the “Send CA certificate chain” option is selected. The feature  
defaults to disabled.  
CSCdw61796  
The Cisco VPN Client fails to connect while configured for digital certificates  
and posts the following error in the Log Viewer:  
“Get certificate validity failed”  
Some of the reasons this event could have occurred are:  
- The received certificate has an incomplete chain.  
- The received certificate is either expired or not valid yet. Check the time on the certificate.  
CSCdx89940  
A Restricted, Standard, or Limited user (Windows 2000) cannot install the  
VPN Client using the Windows Installer (MSI), even if elevated privileges are  
set for the user and the PC.  
CSCdy30098  
While using the Solaris VPN Client and its pppd 4.0 driver over PPPoE, the  
VPN Client can make a connection, but not pass any traffic.  
Due to an initialization issue in the VPN Client code, the Solaris VPN Client  
cannot pass traffic if it is first used with a PPPoE connection exclusively. It  
must first have attempted an hme connection (even a failed one) to properly  
ready itself for the PPPoE connection.  
CSCdy62397  
The following Blue Screen failure might occur on a Windows NT-based PC  
that has the Sygate Personal Firewall installed and has had a VPN connection  
going for three or more days:  
Stop:000000d1 (e572685c, 00000002, 00000000, bff110bc)  
***Address bff110bc base at bff0f000, datestamp 3e1cdf98 -- Teefer.sys  
CSCdy65549  
If you install the Cisco VPN client and you are not a local administrator, but  
you are a domain user that has been added to the local administrator group,  
the install completes successfully, but you may get the error “VPN subsystem  
unavailable” when trying to use the VPN Client, and you will be unable to use  
the VPN Client.  
If the user installing the VPN Client is a local administrator, then the error  
does not occur when running the VPN Client.  
CSCdz07114  
For the Cisco VPN Client version 3.6 and earlier, you had the ability to  
replace Company Name, Product Name, bitmaps, icons, and the folder in  
which the Client was installed. For the new version 4.0 VPN Client this  
capability has changed somewhat.  
CSCdz09585  
If you select “Delete” from within the Certificate tab, you are prompted with  
the following message: “Are you sure you want to delete the certificate?” In  
that window, there is an 'X' in the upper right corner. Clicking the 'X' to close  
out the window instead of pressing one of the buttons, deletes the digital  
certificate.  
CSCdz24962  
In the Release 3.7 VPN Client GUI, the Certificate enrollment dialog where  
the user enters the DN information should include the DN field abbreviations  
after the field names in parenthesis; for example, “Common Name (CN):” or  
“Department (OU):” since much of the product documentation makes  
reference to “OU” for group selection.  
The common DN parameters are:  
Common Name - CN  
Email - E  
Department - OU  
Company - O  
State - ST  
Country - C  
CSCdz25064  
In the Release 3.7 VPN Client MacOS X GUI, the Certificates tab has a  
“Validity” tab. For a digital certificate that is not valid yet, it shows “invalid:  
expired on Jun 4, 2003 14:15:49” where it should display something like “not  
valid until <date> <time>” or at a minimum just state “expired or not valid  
yet” without the date and time to not be misleading.  
CSCdz25200  
The Release 4.0 VPN Client cannot currently import a Microsoft CAPI based  
certificate directly into the Cisco certificate store. The certificate must be  
manually exported from Microsoft Internet Explorer and then imported into  
the Cisco certificate store.  
CSCdz26241  
The Release 4.0 VPN Client prompts you to insert your Smartcard when  
loading even though you are not using certificates with the VPN Client.  
In this case, the VPN Client is installed on a PC with Smartcard-based  
certificates or Entrust Entelligence-based certificates. The VPN Client  
attempts to enumerate the list of installed certificates, including ones that are  
Smartcard- or Entelligence-based and may prompt the user.  
CSCdz26449  
On the Release 3.7 VPN Client Mac GUI, on a new installation of the VPN  
Client, the “Edit Settings” button launches the “Logging Options” window.  
When you do this, all logging levels are set to 3 by default. However, the  
vpnclient.ini logging levels are set to one. The default button is “Cancel”. If  
a customer presses the Enter key, the levels stay at 1.  
The Logging Options window does not read from the vpnclient.ini file.  
CSCdz29463  
Using the Release 3.7 VPN Client, there is a parameter in the pcf files that  
controls whether the VPN Client allows the use of split DNS when connected.  
This value should default to 1, which means enabled. It currently defaults to  
0, which makes the feature appear broken. Setting it to 1 in the pcf allows split  
DNS to function.  
CSCdz38680  
This issue applies only to the Release 4.0 VPN Client and only with Virtual  
Adapter (Windows 2000 and Windows XP). The VPN Client’s local network  
happens to be of the same IP subnet as the remote private network. When a  
VPN connection is up, data meant for the private network stays local; for  
example, 192.168.1.0/255.255.255.0  
CSCdz40609  
In a Windows 2000 or Windows XP environment, if the public network  
matches the private network (for example, a public IP address of 192.168.1.5,  
with a subnet mask of 255.255.0.0, and an identical private IP address) and  
the public network's route metric is 1, then traffic might not be tunneled to the  
private network. The same problem can occur if you are using a virtual  
adapter and the public metric is smaller than the virtual adapter metric.  
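The two caveats above (CSCdz38680 and CSCdz40609) come down to which route wins when the local network and the tunnelled network overlap. As an added example (not from the release notes or the VPN Client), this Python check decides whether a destination meant for the tunnel would leave through another interface. It assumes a simplified selection order of longest prefix first, then lowest metric, treats a tie as a risk, and uses hypothetical interface names and metrics.

```python
"""Check whether overlapping local and tunnelled networks keep traffic off the VPN."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def route(address, interface, metric):
    """Build a Route from CIDR or address/netmask text; host bits are masked off."""
    return Route(ipaddress.ip_network(address, strict=False), interface, metric)


def _rank(r):
    # Assumed selection order: longest prefix first, then lowest metric.
    return (-r.network.prefixlen, r.metric)


def verdict(routes, tunnel_if, destination):
    """Return (status, route): 'tunnelled', 'stays-local' or 'not-in-tunnel-list'."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.network]
    tunnel = [r for r in candidates if r.interface == tunnel_if]
    if not tunnel:
        return "not-in-tunnel-list", None
    best = min(tunnel, key=_rank)
    # A non-tunnel route that ranks equal or better can capture the traffic.
    rivals = [r for r in candidates
              if r.interface != tunnel_if and _rank(r) <= _rank(best)]
    if rivals:
        return "stays-local", min(rivals, key=_rank)
    return "tunnelled", best


# CSCdz38680: local LAN and remote private network are the same subnet.
SAME_SUBNET = [
    route("192.168.1.0/255.255.255.0", "lan", 10),   # hypothetical metrics
    route("192.168.1.0/24", "vpn", 20),
]
# CSCdz40609: public address 192.168.1.5 mask 255.255.0.0, public route metric 1.
METRIC_ONE = [
    route("192.168.1.5/255.255.0.0", "lan", 1),
    route("192.168.0.0/16", "vpn", 1),
]
# Same networks, but the tunnel route now has the smaller metric.
VPN_PREFERRED = [
    route("192.168.1.5/255.255.0.0", "lan", 20),
    route("192.168.0.0/16", "vpn", 1),
]
# Client behind NAT on 10.0.0.0/8 with a more specific tunnelled network.
NAT_10 = [
    route("0.0.0.0/0", "lan", 1),
    route("10.0.0.0/8", "lan", 1),
    route("10.20.0.0/16", "vpn", 30),
]

if __name__ == "__main__":
    cases = [
        ("same subnet", SAME_SUBNET, "192.168.1.50"),
        ("public metric 1", METRIC_ONE, "192.168.1.5"),
        ("vpn metric lower", VPN_PREFERRED, "192.168.1.5"),
        ("more specific tunnel", NAT_10, "10.20.1.1"),
    ]
    for label, routes, dest in cases:
        status, chosen = verdict(routes, "vpn", dest)
        print(f"{label:22} {dest:14} {status:12} via {chosen.interface}")
```
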
CSCdz48154  
If the parameter “StatefulFirewallAllowTunnelTraffic=0” is placed into the  
[main] section of the vpnclient.ini and Stateful Firewall (Always On) is  
enabled, no inbound or outbound tunneled traffic will pass. Either remove this  
setting from the vpnclient.ini or set it to “=1”.  
CSCdz52058  
If you attempt to Import a Connection Entry with the same name as one that  
already exists, you are asked if you would like to overwrite the existing entry.  
If you choose to overwrite the entry, an error appears and the entry is not  
overwritten.  
CSCdz56021  
For Release 4.0, Beta release 1, the Cisco VPN Client does not coexist with  
the Nortel VPN client. When version 4.0 Cisco VPN Client is installed on a  
system running an existing third party VPN client (for example, the Nortel  
client - not Microsoft), a conflict occurs with the services started by Cisco.  
This prevents other clients from successfully establishing remote access  
sessions.  
CSCdz74850  
The Release 4.0 VPN Client Statistics | Routes dialog displays a  
0.0.0.0/0.0.0.0 entry even during a split tunnel connection.  
This occurs only if the VPN Client has made an all-or-nothing connection  
prior to the split tunnel connection without exiting the VPN Client  
application between connections.  
CSCdz76582  
If you try to delete a personal Certificate, you are prompted only for the  
Certificate password, then the certificate is deleted. You are not given a  
second chance message like other certificates (root, subordinate, etc) where  
it says “Are you sure you want to delete the certificate?”  
CSCdz81671  
The Release 4.0 VPN Client, when using the virtual adapter (Windows  
2000/Windows XP only) and Split DNS feature, might send all DNS requests  
over the VPN tunnel.  
Due to the addition of the virtual adapter in the Release 4.0 VPN Client, Split  
DNS functionality now partially depends on the Windows operating systems  
to choose the correct path for DNS requests. DNS requests meant only for the  
VPN are sent only through the VPN. DNS requests that do not match the VPN  
domain suffixes will also go through the VPN when they should not.  
CSCdz83065  
Uninstalling the VPN Client using the Microsoft Installer (MSI) does not  
detect that the VPN Client is connected and the uninstall completes. We  
highly recommend you disconnect and exit the VPN Client before  
uninstalling.  
This issue occurs only if VPNGUI.EXE is hidden; that is, it is configured  
under Options | Preferences to “Hide upon connect” and you have the Client  
connected, or have just disconnected and it is still in the systray. Any time the  
GUI is open (unhidden) and an MSI uninstall is started, the presence of the  
VPN Client prevents you from uninstalling.  
CSCdz83461  
Unable to pass data after disconnecting the Release 4.0 VPN Client on  
Windows 2000 or Windows XP. The Release 4.0 VPN Client has a virtual  
adapter that could have failed to disable after disconnecting.  
CSCdz88476  
When Start Before Logon is configured on the VPN Client on Windows XP,  
and you install the Release 4.0 VPN Client, upon reboot you will see the  
following message for 1-2 minutes:  
“System initialization in progress. Creating a secure connection to your  
network requires that MS networking be allowed to complete its  
initialization. If you do not wish to create a VPN connection to a remote  
network, you may click the CANCEL button...”  
On subsequent reboots you will see this message, but it stays on the screen  
for only 5-10 seconds instead of minutes.  
This problem also occurs on Windows 2000, but a little differently. After  
installing and rebooting, and before you see the dialog that prompts you to  
press CTRL-ALT-DEL, you see a window that says “Preparing network  
connections...”. During this time, there is a 1-2 minute delay which goes away  
after subsequent reboots.  
CSCdz88896  
The Release 4.0 VPN Client on Windows 2000 or Windows XP can connect  
but cannot pass data. This problem occurs only with the Windows 2000 or  
Windows XP when the VPN Client is connecting from an IP subnet that  
matches or closely resembles the private network that it is making the VPN  
connection to.  
This is most commonly seen in an environment where the VPN Client is  
behind a NAT device that is using a common private IP address range like  
10.x.x.x.  
CSCea03326  
The feature that was added in Release 3.6.2 called “Automatic logoff after  
VPN” does not currently work in v4.0.  
This feature replaced Start before Logon for some users. It allows a user to  
establish a VPN connection first, and then the user is automatically logged  
out and the VPN connection is maintained. This allows the user to log into  
the Domain during the VPN connection, without the need for a custom GINA  
to be installed.  
CSCea04522  
When installing the VPN Client for Mac, version 4.0.int_73 over top of an  
earlier version of the VPN Client, it fails to unload the old NKE and load the  
new one.  
If you are upgrading from an earlier 4.0 version, “kextstat|grep cisco” returns  
nothing and returns you to a prompt. If you are upgrading from a 3.7.x VPN  
Client, “kextstat | grep cisco” returns both the old NKE and the new one.  
If you reboot, the NKE loads correctly.  
If you are upgrading from a previous 4.0 VPN Client, re-running the installer  
loads the NKE correctly.  
Uninstalling the earlier version before installing the new version also works  
correctly.  
CSCea04814  
When using a Digital Certificate for VPN Client connections, there is no  
indication that your Certificate is about to expire. In previous versions of the  
VPN Client, 30 days before the certificate was set to expire, a message would  
pop up upon connection stating that your Certificate would expire soon.  
CSCea05185  
The InstallShield version of the 4.0 VPN Client, as well as 3.6 versions, do  
NOT detect that an existing Cisco IT 3.5(A) VPN Client is installed on your PC  
and will install the new version right on top of old one. The VPN Client  
REQUIRES the old version to be uninstalled first or else the new installation  
may not properly update required files.  
If you are a Cisco employee, you MUST first check to see if you have the  
Cisco IT 3.5(A) version of the VPN Client installed and manually uninstall it  
before installing the 4.0 VPN Client.  
CSCea05304  
The 4.0 VPN Client feature, Delete-with-Reason, does not work in the Beta  
release 1 version.  
CSCea05360  
The Virtual Adapter in the Release 4.0 VPN Client does not appear in the  
Cisco SetMTU utility.  
CSCea07430  
The Release 4.0 VPN Client is launched and the splash screen appears briefly,  
but the VPN Client dialog doesn't appear for approximately one minute,  
along with the following error:  
The necessary VPN sub-system is not available. You can not connect to  
the remote VPN server.  
Something has caused the VPN client service not to load.  
CSCea07466  
If logging is started from the command line application Ipseclog.exe, the  
VPN Client GUI does not display any events in its log. Do not start  
Ipseclog.exe in a separate window if you intend to use the VPN Client  
Graphical User Interface (GUI). Use Ipseclog.exe only when using the VPN  
Client command line (vpnclient.exe) option.  
CSCea10174  
Some of the VPN Client dialogs show a question mark (?) in the upper-right  
corner, which is usually an indication of context sensitive help using  
Windows Help. The VPN Client does not use Windows Help and therefore  
these question marks do not bring up any available help for that dialog.  
CSCea12268  
The Virtual Adapter keeps its interface data from the VPN connection even  
after it is disconnected. The interface is disabled correctly but the IP address,  
mask, DG, DNS and WINs are all visible by looking at the adapter properties.  
This data should be cleared out after disconnecting.  
CSCea13071  
On the VPN Client for Mac, the Release 4.0 VPN Client banner is smaller  
than the 3.x VPN Client banner and may not display your entire banner and  
your users may have to use the scroll bar to see the entire message.  
CSCea13395  
VPN Client connections using IPSec over TCP do not see the status bar  
update when the VPN Client attempts a connection to one of the configured  
backup servers.  
The user sees only the primary server when connecting. For example:  
Initializing TCP to xxx.xxx.xxx.xxx...  
CSCea14713  
If the Ethernet interface loses link during a VPN Client connection, the  
following bogus error message appears:  
Secure VPN Connection terminated locally by the Client  
Reason: An unrecognized error occurred while establishing the VPN  
connection.  
This message should indicate you have lost a connection with the peer.  
CSCea18578  
When using Start before Logon and a connection entry with a Microsoft  
digital certificate, you see an error indicating the certificate cannot be used.  
After the error message occurs, the VPN Client still displays the button  
[Cancel Connect] instead of [Connect]. Simply choose another connection  
entry and click [Cancel Connect] to attempt another connection. In this state,  
the [Cancel Connect] button functions as if it were the [Connect] button.  
CSCea18601  
The Force Network Login feature (also known as Netlogin or Automatic  
logoff) does not currently display any events in the VPN Client Event log.  
CSCea19946  
The VPN Client Banner has a feature that will require the user to scroll down  
to read the entire banner before continuing. This happens only if the Banner  
has a lot of text and is many lines long. On slower PCs, this feature does not  
work in some cases, and users can continue connecting without reading all  
the banner text.  
CSCea20120  
Using Start before Logon, if you press ENTER to try to connect, depending  
on what TAB you left the VPN Client in last time, it either does nothing or  
shows a Cert View for one of your Certificates. You must click Connect to  
establish a VPN connection.  
CSCea22221  
The VPN Client does not add the Loopback address (127.0.0.1) to  
ZoneAlarm or ZoneAlarm Pro's Trusted Zone.  
CSCea22491  
The VPN Client for Mac, Release 4.0 Beta 2, does not work on a system  
running OS X 10.1.5.  
The Beta 2 VPN Client connects properly only on workstations with OS X  
10.2.x.  
CSCea23182  
On Windows 2000 and/or Windows XP if the VPN Client loses its connection  
or fails to connect it might leave the virtual adapter enabled and cause  
network connectivity problems.  
After losing the client connection or failing to connect, the PC cannot  
communicate on the network. The output of an ipconfig /all command shows  
the virtual adapter as one of the PC's active interfaces.  
CSCea24882  
After connecting and disconnecting multiple times, the ability to connect  
might be lost, and the following error might occur on a Windows NT 4.0 SP6  
system:  
“The necessary VPN sub-system is not available. You can not connect to the  
remote VPN server.”  
CSCea35228  
High levels of VPN Client log activity might cause periods of sluggish client  
performance. This is most likely to happen when log levels are set to 3-HIGH  
and many events are being generated. An example would be having all event  
classes set to 3-HIGH, and while connecting, the large amount of IKE events  
may cause the VPN Client to “hang” for a period of time.  
CSCea35592  
The VPN Client event log displays the following events on Windows 2000  
and/or Windows XP systems:  
76 14:14:51.082 03/04/03 Sev=Warning/2 CVPND/0xA3400011  
Could not find (null) in IpHlpApi.DLL  
These events will only appear on operating systems that use the Virtual  
Adapter (Windows 2000 and Windows XP).  
CSCea38204  
When connecting the Release 4.0 Cisco VPN Client to an IOS VPN gateway,  
the VPN Client might initiate multiple IKE rekeys and then disconnect.  
CSCea38022  
Upgrading the Release 4.0 VPN Client using InstallShield on a Windows NT  
system might result in the VPN Client failing to connect. If the connection  
fails, the VPN Client displays the following event message:  
1 11:29:16.928 03/06/03 Sev=Critical/1 CM/0xE3100004  
Failed to initialize the ipsec driver! Returned 1  
The problem is that the VPN Client’s IPSec driver is not installed correctly.  
This problem occurs only after an upgrade with InstallShield, not after a clean  
installation. This problem should not be an issue when using the VPN Client’s  
MSI-based install. If you encounter this problem, uninstall the VPN Client,  
reboot the PC, then reinstall the VPN Client.  
CSCea38311  
When the Release 4.0 VPN Concentrator is configured to send Alerts (Delete  
with Reason (DWR) messages) and the Release 4.0 VPN Client is configured  
to Auto Initiate, the Client does not suppress DWR messages and the user  
must click OK to clear the message to allow Auto Initiation to continue. This  
behavior is different from the Release 3.6 VPN Client, which does not display  
disconnect messages when Auto Initiation is in use.  
This occurs only when using a Release 4.0 VPN Concentrator and a Release  
4.0 VPN Client.  
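
The two event records quoted under CSCea35592 and CSCea38022 share one header layout, which the following added example (not Cisco's code and not part of the original release notes) parses so that events can be filtered by severity. The function names are hypothetical, the second sample record is deliberately left in a damaged layout, and the rule that a lower severity number is more severe is an assumption drawn from those two records (Critical/1, Warning/2).

```python
import re

# Header layout taken from the two records quoted in the caveats above:
# number, time, date, Sev=<name>/<level>, <class>/<8-digit hex event code>.
# \s* between level and class accepts copies where that separator was lost.
HEADER = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s*(?P<cls>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)

# The two records from the caveats. The second keeps a damaged layout (number
# on its own line, level fused to the class name) to exercise the parser.
SAMPLE = """\
76     14:14:51.082  03/04/03  Sev=Warning/2 CVPND/0xA3400011
Could not find (null) in IpHlpApi.DLL
1
11:29:16.928 03/06/03 Sev=Critical/1CM/0xE3100004
Failed to initialize the ipsec driver! Returned 1
"""

def _append(events, text):
    """Add a continuation line to the message of the most recent event."""
    if events and text:
        events[-1]["message"] = f'{events[-1]["message"]} {text}'.strip()

def parse_events(text):
    """Return one dict per event record, with its message lines joined."""
    events, pending = [], None           # pending: a digits-only line just seen
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if pending is None and line.isdigit():
            pending = line                # possibly a detached event number
            continue
        match = HEADER.match(line)
        if match is None and pending:
            match = HEADER.match(f"{pending} {line}")
            if match:
                pending = None            # the digits were the event number
        _append(events, pending)          # otherwise they were message text
        pending = None
        if match:
            event = match.groupdict()
            event.update(num=int(event["num"]), level=int(event["level"]), message="")
            events.append(event)
        else:
            _append(events, line)
    _append(events, pending)
    return events

def at_least(events, level):
    """Events at or above a severity (assumed: lower number is more severe)."""
    return [e for e in events if e["level"] <= level]
```
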
Documentation Updates  
The following VPN Client documentation has been updated for Release 4.0.  
These documents contain information for all platforms on which the VPN Client  
runs:  
VPN Client Administrator Guide, Release 4.0  
VPN Client User Guide for Windows, Release 4.0  
The most recent information specifically for the VPN Client for Linux, Solaris,  
and Mac OS X is in the following documents, which were not updated for Release  
4.0:  
Cisco VPN Client User Guide for Mac OS X  
Cisco VPN Client User Guide for Linux and Solaris  
Documentation Corrections  
The following corrections have been made since publication of the  
documentation.  
Outlook/Exchange Polling Behavior  
In the VPN Client Administrator Guide, Release 4.0, on page 2-7, in Table 2-1,  
“vpnclient.ini file parameters,” make the following change to the information in  
the Values column for the OutlookNotify parameter. This parameter controls  
Microsoft Outlook to Microsoft Exchange polling behavior:  
0 = Enable (Default)—Outlook polls every minute for new mail notifications.  
This might cause Outlook Folder Synchronization issues. The default state, if  
OutlookNotify is not present in the vpnclient.ini file, is Enable.  
1 = Disable—Prevent the VPN Client from forcing Outlook to poll for new mail,  
thus avoiding the synchronization process. In this case, new mail is detected only  
on a background 30 minute polling cycle, or when the user initiates a manual  
send/receive or switches between folders.  
Removing a VPN Client Version Installed with MSI Installer  
In VPN Client User Guide for Windows, Release 4.0, in the section “Removing a  
VPN Client Version Installed with MSI Installer,” (page 2-8 in the hard-copy  
edition), in Steps 4 and 5, remove Figures 2-8 and 2-9 and the text references to  
these figures. These dialog boxes do not appear when uninstalling the VPN Client  
using the MSI Installer.  
Related Documentation  
VPN 3000 Series Concentrator Reference Volume I: Configuration, Release  
4.1  
VPN 3000 Series Concentrator Reference Volume II: Administration and  
Management, Release 4.1  
VPN 3000 Series Concentrator Getting Started, Release 4.1  
Obtaining Documentation  
Cisco documentation and additional literature are available on Cisco.com. Cisco  
also provides several ways to obtain technical assistance and other technical  
resources. These sections explain how to obtain technical information from Cisco  
Systems.  
Cisco.com  
You can access the most current Cisco documentation at this URL:  
You can access the Cisco website at this URL:  
You can access international Cisco websites at this URL:  
Ordering Documentation  
You can find instructions for ordering documentation at this URL:  
You can order Cisco documentation in these ways:  
Registered Cisco.com users (Cisco direct customers) can order Cisco product  
documentation from the Ordering tool:  
Nonregistered Cisco.com users can order documentation through a local  
account representative by calling Cisco Systems Corporate Headquarters  
(California, USA) at 408 526-7208 or, elsewhere in North America, by  
calling 1 800 553-NETS (6387).  
Documentation Feedback  
You can send comments about technical documentation to [email protected].  
You can submit comments by using the response card (if present) behind the front  
cover of your document or by writing to the following address:  
Cisco Systems  
Attn: Customer Document Ordering  
170 West Tasman Drive  
San Jose, CA 95134-9883  
We appreciate your comments.  
Obtaining Technical Assistance  
For all customers, partners, resellers, and distributors who hold valid Cisco  
service contracts, Cisco Technical Support provides 24-hour-a-day,  
award-winning technical assistance. The Cisco Technical Support Website on  
Cisco.com features extensive online support resources. In addition, Cisco  
do not hold a valid Cisco service contract, contact your reseller.  
Cisco Technical Support Website  
The Cisco Technical Support Website provides online documents and tools for  
troubleshooting and resolving technical issues with Cisco products and  
technologies. The website is available 24 hours a day, 365 days a year, at this  
URL:  
Access to all tools on the Cisco Technical Support Website requires a Cisco.com  
user ID and password. If you have a valid service contract but do not have a user  
ID or password, you can register at this URL:  
Note  
Use the Cisco Product Identification (CPI) tool to locate your product serial  
number before submitting a web or phone request for service. You can access the  
CPI tool from the Cisco Technical Support Website by clicking the Tools &  
Resources link under Documentation & Tools. Choose Cisco Product  
Identification Tool from the Alphabetical Index drop-down list, or click the  
Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool  
offers three search options: by product ID or model name; by tree view; or for  
certain products, by copying and pasting show command output. Search results  
show an illustration of your product with the serial number label location  
highlighted. Locate the serial number label on your product and record the  
information before placing a service call.  
Submitting a Service Request  
Using the online TAC Service Request Tool is the fastest way to open S3 and S4  
service requests. (S3 and S4 service requests are those in which your network is  
minimally impaired or for which you require product information.) After you  
describe your situation, the TAC Service Request Tool provides recommended  
solutions. If your issue is not resolved using the recommended resources, your  
service request is assigned to a Cisco TAC engineer. The TAC Service Request  
Tool is located at this URL:  
For S1 or S2 service requests or if you do not have Internet access, contact the  
Cisco TAC by telephone. (S1 or S2 service requests are those in which your  
production network is down or severely degraded.) Cisco TAC engineers are  
assigned immediately to S1 and S2 service requests to help keep your business  
operations running smoothly.  
To open a service request by telephone, use one of the following numbers:  
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)  
EMEA: +32 2 704 55 55  
USA: 1 800 553-2447  
For a complete list of Cisco TAC contacts, go to this URL:  
Definitions of Service Request Severity  
To ensure that all service requests are reported in a standard format, Cisco has  
established severity definitions.  
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your  
business operations. You and Cisco will commit all necessary resources around  
the clock to resolve the situation.  
Severity 2 (S2)—Operation of an existing network is severely degraded, or  
significant aspects of your business operation are negatively affected by  
inadequate performance of Cisco products. You and Cisco will commit full-time  
resources during normal business hours to resolve the situation.  
Severity 3 (S3)—Operational performance of your network is impaired, but most  
business operations remain functional. You and Cisco will commit resources  
during normal business hours to restore service to satisfactory levels.  
Severity 4 (S4)—You require information or assistance with Cisco product  
capabilities, installation, or configuration. There is little or no effect on your  
business operations.  
Obtaining Additional Publications and Information  
Information about Cisco products, technologies, and network solutions is  
available from various online and printed sources.  
Cisco Marketplace provides a variety of Cisco books, reference guides, and  
logo merchandise. Visit Cisco Marketplace, the company store, at this URL:  
The Cisco Product Catalog describes the networking products offered by  
Cisco Systems, as well as ordering and customer support services. Access the  
Cisco Product Catalog at this URL:  
Cisco Press publishes a wide range of general networking, training and  
certification titles. Both new and experienced users will benefit from these  
publications. For current Cisco Press titles and other information, go to Cisco  
Press at this URL:  
Packet magazine is the Cisco Systems technical user magazine for  
maximizing Internet and networking investments. Each quarter, Packet  
delivers coverage of the latest industry trends, technology breakthroughs, and  
Cisco products and solutions, as well as network deployment and  
troubleshooting tips, configuration examples, customer case studies,  
certification and training information, and links to scores of in-depth online  
resources. You can access Packet magazine at this URL:  
iQ Magazine is the quarterly publication from Cisco Systems designed to  
help growing companies learn how they can use technology to increase  
revenue, streamline their business, and expand services. The publication  
identifies the challenges facing these companies and the technologies to help  
solve them, using real-world case studies and business strategies to help  
readers make sound technology investment decisions. You can access iQ  
Magazine at this URL:  
Internet Protocol Journal is a quarterly journal published by Cisco Systems  
for engineering professionals involved in designing, developing, and  
operating public and private internets and intranets. You can access the  
Internet Protocol Journal at this URL:  
World-class networking training is available from Cisco. You can view  
current offerings at this URL:  
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.  
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing,  
FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and  
Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA,  
CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo,  
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,  
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet  
Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace,  
MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,  
ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter,  
The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems,  
Inc. and/or its affiliates in the United States and certain other countries.  
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of  
the word partner does not imply a partnership relationship between Cisco and any other company. (0403R)  
Copyright © 2004 Cisco Systems, Inc. All rights reserved.  