You cannot connect to a Cisco ASA Series VPN server by using an L2TP/IPsec-based VPN connection in Windows Vista

Article ID: 942429

SYMPTOMS

You cannot connect a computer that is running Windows Vista to a Cisco ASA Series VPN server by using a virtual private network (VPN) connection that is based on the "Layer 2 Tunneling Protocol with IPsec" (L2TP/IPsec) protocol. This problem occurs if another Windows Vista-based computer is already connected to the VPN server through an L2TP/IPsec-based VPN connection. You cannot connect to the VPN server until the other computer disconnects from the VPN server.

This behavior does not occur on a computer that is running Windows XP or Windows Server 2003.

CAUSE

This behavior occurs because of changes in Windows Vista that help improve security.

When the Cisco ASA Series VPN server performs an L2TP/IPsec negotiation, the server uses the message ID to identify the client. This negotiation is a phase 2 quick-mode negotiation. However, in a quick-mode negotiation, all Windows Vista-based VPN clients use the same message ID for their initial messages. Therefore, while one Windows Vista-based VPN client is connected to the VPN server, the initial message IDs from other Windows Vista-based VPN clients are considered duplicate IDs, and the VPN server refuses those connections.

MORE INFORMATION

Windows XP and Windows Server 2003 use a randomly generated message ID during phase 2 quick mode negotiation. Therefore, the problem does not occur on these operating systems.

Windows Vista uses a monotonically increasing sequence number as the message ID for phase 2 quick mode negotiation. This lets incoming message IDs be verified more strictly, and it also helps prevent replay of untrusted phase 2 messages. Random message IDs cannot be used to implement such replay protection as effectively.
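The following simulation is an added example, not Cisco or Microsoft code, that models the collision described in the CAUSE and MORE INFORMATION sections. Every class and function name in it is hypothetical: a "Vista-style" client starts its quick-mode message ID at 1 (so every client's first ID is the same), an "XP-style" client picks a random 32-bit ID, a server that keys concurrent exchanges on the message ID alone refuses the second and later Vista clients, and a server that scopes the ID to the ISAKMP SA (the initiator and responder cookies, as RFC 2409 does) accepts all of them while still rejecting a replayed or out-of-order message on the same SA. The cookies and seeds are constructed values.

```python
"""Model of the quick-mode message-ID collision from KB 942429.

Hypothetical simulation (not Cisco ASA or Windows code). It shows why a
server that identifies concurrent phase 2 (quick mode) exchanges by the
message ID alone refuses every Windows Vista client after the first, and
why keying on the ISAKMP SA plus the message ID avoids the refusal while
keeping the monotonic replay check that random IDs cannot offer.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class QuickModeMessage:
    initiator_cookie: int   # 64-bit ISAKMP SA cookie chosen by the client
    responder_cookie: int   # 64-bit cookie chosen by the server
    message_id: int         # 32-bit phase 2 message ID (non-zero)


class Client:
    """A VPN client with its own ISAKMP SA cookies and message-ID generator."""

    def __init__(self, name, id_generator, rng):
        self.name = name
        self.cookies = (rng.getrandbits(64), rng.getrandbits(64))  # constructed
        self._next_id = id_generator

    def next_quick_mode(self):
        """Build the next quick-mode message this client would send."""
        return QuickModeMessage(*self.cookies, self._next_id())


def vista_style_generator():
    """Monotonic counter starting at 1: every machine's first ID is identical."""
    counter = 0

    def next_id():
        nonlocal counter
        counter += 1
        return counter
    return next_id


def xp_style_generator(rng):
    """Random non-zero 32-bit ID, as Windows XP / Server 2003 use."""
    def next_id():
        return rng.randrange(1, 1 << 32)
    return next_id


class MessageIdOnlyServer:
    """Keys active quick-mode exchanges on the message ID alone (the behaviour
    the article attributes to the VPN server)."""

    def __init__(self):
        self.active = set()

    def accept(self, msg):
        if msg.message_id in self.active:
            return False          # treated as a duplicate: connection refused
        self.active.add(msg.message_id)
        return True


class SaScopedServer:
    """Keys exchanges on (initiator cookie, responder cookie, message ID) and
    rejects an ID at or below the last one seen on that SA, which is the
    replay check that only works with monotonically increasing IDs."""

    def __init__(self):
        self.last_id = {}         # (initiator_cookie, responder_cookie) -> last ID

    def accept(self, msg):
        sa = (msg.initiator_cookie, msg.responder_cookie)
        if msg.message_id <= self.last_id.get(sa, 0):
            return False          # duplicate or replayed message on this SA
        self.last_id[sa] = msg.message_id
        return True


def make_clients(style, n, seed=1):
    """Construct n clients of the given style ("vista" or "xp") with seeded cookies."""
    rng = random.Random(seed)
    clients = []
    for i in range(n):
        gen = vista_style_generator() if style == "vista" else xp_style_generator(rng)
        clients.append(Client(f"{style}-{i}", gen, rng))
    return clients


def concurrent_connects(server, clients):
    """Number of clients whose initial quick-mode message the server accepts
    while all of them stay connected at the same time."""
    return sum(server.accept(c.next_quick_mode()) for c in clients)


def replay_rejected(server, client):
    """True if the server accepts a fresh message, refuses its resend, accepts
    the client's next (higher) ID, and still refuses the old one afterwards."""
    first = client.next_quick_mode()
    results = [server.accept(first), server.accept(first)]
    results.append(server.accept(client.next_quick_mode()))
    results.append(server.accept(first))
    return results == [True, False, True, False]


if __name__ == "__main__":
    print("ID-only server, Vista clients:", concurrent_connects(MessageIdOnlyServer(), make_clients("vista", 3)))
    print("ID-only server, XP clients:   ", concurrent_connects(MessageIdOnlyServer(), make_clients("xp", 3)))
    print("SA-scoped server, Vista:      ", concurrent_connects(SaScopedServer(), make_clients("vista", 3)))
    print("replay rejected on SA-scoped: ", replay_rejected(SaScopedServer(), make_clients("vista", 1)[0]))
```

Running it prints 1, 3, 3 and True: the ID-only server admits a single Vista client at a time, the random XP IDs happen not to collide, and the SA-scoped server both admits all Vista clients and refuses the replayed message. The server classes are deliberate simplifications used to illustrate the keying decision; they do not reproduce the ASA's actual state machine.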

To view the RFC document for the Internet Key Exchange (IKE), visit the following IETF Web site: http://www.ietf.org/rfc/rfc2409.txt
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 942429 - Last Review: October 31, 2007 - Revision: 1.4
APPLIES TO
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
Keywords: kbtshoot kbexpertiseadvanced kbprb KB942429
