Article ID: 942429
You cannot connect a computer that is running Windows Vista to a Cisco ASA Series VPN server by using a virtual private network (VPN) connection that is based on the "Layer 2 Tunneling Protocol with IPsec" (L2TP/IPsec) protocol. This problem occurs if another Windows Vista-based computer is already connected to the same VPN server through an L2TP/IPsec-based VPN connection. You cannot connect to the VPN server until the other computer disconnects from it.
This behavior does not occur on a computer that is running Windows XP or Windows Server 2003.
This behavior occurs because of changes in Windows Vista that help improve security.
When the Cisco ASA Series VPN server performs an L2TP/IPsec negotiation, the server uses the ISAKMP message ID to identify the client's phase 2 quick-mode negotiation. However, all Windows Vista-based VPN clients use the same message ID for their initial quick-mode messages. When a second Windows Vista-based VPN client connects while a first one is already connected, the VPN server sees the second client's message ID as a duplicate of the first client's ID and refuses the new connection.
Windows XP and Windows Server 2003 use a randomly generated message ID during the phase 2 quick-mode negotiation. Therefore, two clients are very unlikely to present the same ID, and the problem does not occur on these operating systems.
Windows Vista uses a monotonically increasing sequence number as the message ID for phase 2 quick-mode negotiation. This lets the peer verify incoming message IDs more strictly: a message ID that is lower than or equal to one that was already accepted from the same computer can be rejected. This behavior helps prevent replay of phase 2 messages by an untrusted party. Randomly generated message IDs cannot be used to implement such replay protection as effectively, because they carry no ordering.
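The following Python model is an added illustration, not code from Microsoft or Cisco, of the cause described above. It contrasts a responder that indexes its phase 2 state by message ID alone (the behavior the article attributes to the ASA) with one that indexes it by (peer, message ID), and it shows why a sequential ID supports a replay check while a random ID does not. The shared start value of 1, the peer names, and the per-peer "highest accepted ID" replay rule are assumptions made for the model; the real Vista and ASA internals are not reproduced.

```python
"""Model of the quick-mode message ID collision described in this article.

Constructed illustration, not Microsoft or Cisco code.  Assumptions: Vista
hosts all start counting at 1 (the article says only that they share the
same initial ID), peer names are made up, and the replay rule is a
simplification of what a real IKE responder does.
"""
import random


class SequentialClient:
    """Vista behavior as described: monotonically increasing message ID,
    and every host begins from the same value."""

    def __init__(self, name, start=1):
        self.name = name
        self._next = start

    def next_message_id(self):
        mid = self._next
        self._next += 1
        return mid


class RandomClient:
    """XP / Server 2003 behavior as described: a fresh random 32-bit ID
    for each quick-mode negotiation (seeded here so the model is repeatable)."""

    def __init__(self, name, seed):
        self.name = name
        self._rng = random.Random(seed)

    def next_message_id(self):
        return self._rng.randrange(1, 2 ** 32)   # 0 is reserved for phase 1


class Responder:
    """Minimal phase 2 bookkeeping on the VPN server side.

    key_per_sa=False reproduces the failure in the article: in-progress
    exchanges are keyed by message ID only.  key_per_sa=True keys them by
    (peer, message ID), so identical IDs from different peers cannot collide."""

    def __init__(self, key_per_sa):
        self.key_per_sa = key_per_sa
        self.active = {}    # table key -> peer that owns the exchange
        self.highest = {}   # peer -> highest message ID accepted from it

    def _key(self, peer, mid):
        return (peer, mid) if self.key_per_sa else mid

    def quick_mode(self, peer, mid):
        owner = self.active.get(self._key(peer, mid))
        if owner is not None and owner != peer:
            return "refused: duplicate message ID"      # the symptom in the article
        # Sequential IDs give an ordering: an ID at or below the last one
        # accepted from this peer can only be a replay.  Random IDs do not.
        if mid <= self.highest.get(peer, 0):
            return "dropped: replayed message ID"
        self.active[self._key(peer, mid)] = peer
        self.highest[peer] = mid
        return "accepted"

    def disconnect(self, peer):
        """Tear down the peer's SAs; its message IDs become free again."""
        for key in [k for k, p in self.active.items() if p == peer]:
            del self.active[key]
        self.highest.pop(peer, None)


def two_vista_clients(key_per_sa):
    """Two Vista hosts connect back to back, then the first disconnects
    and the second retries.  Returns the responder's three verdicts."""
    server = Responder(key_per_sa)
    host_a = SequentialClient("vista-a")
    host_b = SequentialClient("vista-b")
    first = server.quick_mode(host_a.name, host_a.next_message_id())
    second = server.quick_mode(host_b.name, host_b.next_message_id())
    server.disconnect(host_a.name)
    retry = server.quick_mode(host_b.name, host_b.next_message_id())
    return first, second, retry


def two_random_clients():
    """Same message-ID-only responder, but XP-style random IDs do not collide."""
    server = Responder(key_per_sa=False)
    host_a = RandomClient("xp-a", seed=1)
    host_b = RandomClient("xp-b", seed=2)
    return (server.quick_mode(host_a.name, host_a.next_message_id()),
            server.quick_mode(host_b.name, host_b.next_message_id()))


def replay_against_sequential_peer():
    """A captured quick-mode message replayed to the responder is dropped
    because its ID is not above the last one accepted from that peer."""
    server = Responder(key_per_sa=True)
    host = SequentialClient("vista-a")
    mid = host.next_message_id()
    server.quick_mode(host.name, mid)
    return server.quick_mode(host.name, mid)


if __name__ == "__main__":
    print("ASA-style keying, two Vista hosts:", two_vista_clients(key_per_sa=False))
    print("per-SA keying, two Vista hosts:   ", two_vista_clients(key_per_sa=True))
    print("ASA-style keying, two XP hosts:   ", two_random_clients())
    print("replayed message:                 ", replay_against_sequential_peer())
```

With message-ID-only keying the second Vista host is refused until the first one disconnects, exactly the symptom above, while the same two hosts are both accepted when the responder scopes the ID to the peer's SA. Random IDs avoid the collision but give the responder nothing to order a replay check against.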
To view the RFC document for the Internet Key Exchange (IKE), visit the following IETF Web site:
http://www.ietf.org/rfc/rfc2409.txt
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 942429 - Last Review: October 31, 2007 - Revision: 1.4