Error: "Error connecting tunnel to xxx.xxx.xxx.xxx: Operation Failed, Terminating connect operation."

Article:TECH86728  |  Created: 2007-01-01  |  Updated: 2007-01-22  |  Article URL http://www.symantec.com/docs/TECH86728
Article Type
Technical Solution

Issue



Error: "Error connecting tunnel to xxx.xxx.xxx.xxx: Operation Failed, Terminating connect operation."

Symptoms
You see one of two errors when you attempt to connect a Symantec Client VPN client tunnel to a Symantec Gateway Security appliance:
  • Error connecting tunnel to xxx.xxx.xxx.xxx: Operation Failed
  • Terminating connect operation - Connection to gateway xxx.xxx.xxx.xxx unsuccessful

In the firewall logs, you see a log message stating "Established ISAKMP SA," followed by another log message stating "Disconnected Client VPN."
 



Cause



This error occurs when no defined tunnels exist for the user.
There are several possible solutions.

Solution



Solution 1:
In the client settings, enable IKE Config Mode.
  1. Log into the Symantec Client VPN console.
  2. On the Gateways tab, highlight the gateway that does not connect, then click Properties.
  3. On the General tab, check the checkbox below the Gateway Address.
    The option has different names depending on the version of the VPN client:
    Version 7.x: "Symantec Enterprise Gateway"
    Version 8.x: "Download VPN Policy"
    Version 9.x: "Download VPN Tunnels"
Solution 2:
On the firewall, set the User's Primary IKE User Group
  1. Log into the Symantec Gateway Management Interface.
  2. In the left pane, under Assets, click Users.
  3. On the Network Users tab, double-click the user.
  4. On the VPN tab, set the Primary IKE User Group dropdown to the appropriate group.
  5. Click OK.
  6. In the toolbar click the Activate icon.
    When asked to save, click Yes.
Solution 3:
On the firewall, define a Client VPN tunnel for the user or user group.
  1. Log into the Symantec Gateway Management Interface.
  2. In the left pane, under Policy, click VPN.
  3. On the Tunnels tab, click New > IPsec Client VPN.
  4. In the Remote Endpoint dropdown, choose either the user or its Primary IKE User Group.
  5. Fill in the rest of the tunnel details.
  6. Click OK.
  7. In the toolbar click the Activate icon.
    When asked to save, click Yes.
Solution 4:
On the firewall, enable Perfect Forward Secrecy.
  1. Log into the Symantec Gateway Management Interface.
  2. In the left pane, under Policy, click VPN.
  3. On the VPN Policies tab, double-click the policy selected in the tunnel.
  4. On the General tab, check Enable Perfect Forward Secrecy.
  5. Click OK.
  6. In the toolbar click the Activate icon.
    When asked to save, click Yes.






Legacy ID



2007566119730598


Article URL http://www.symantec.com/docs/TECH86728


Terms of use for this information are found in Legal Notices