Video Screencast Help

VPN Problem after upgrading to SEP 11

Created: 31 Dec 2007 • Updated: 21 May 2010 | 8 comments

Hello all,

We currently have a support case on this open but it isn't going anywhere so I'm looking to the user community for help.  I have a hard time believing we are the only company who is having this problem.

 

We had SAV 10.1 and the Cisco VPN 4.7 client installed and working great.  When the laptop is off the network the windows firewall is enabled and when the VPN connection is initiated the Cisco statefull firewall is enabled.  Everything worked great until we started to upgrade to SEP 11.  We only have the antivirus, antispyware, and proactive threat protection enabled.  We do NOT have the Network Threat Protection enabled but have noticed that it still installs.  Symantec told us that it is how the client communicates with the host server.

 

After upgrading the SEP 11 when we connect we get the error message from the VPN client: “The client did not match the firewall policy configured on the central site VPN device.  Cisco Systems Integrated Client Firewall should be enabled or installed on your computer” and there is an error in the Event Log from the TrueVector Service stating: “TreuVector driver: Driver install or load failure: LoadNTDeviceDriver. Win32 error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it”

 

If we enable the Cisco Firewall (always on) there are errors that it cannot be found.  We reboot the laptop, with the firewall enabled, and when Windows loads the errors are gone.  We attempt to connect through the VPN and it works.  We change the Cisco firewall to only enabling when we need it, reboot, and it fails again with the same errors listed above.

 

We have upgraded to the latest Cisco VPN client 5.0 and the MR1 for SEP11 and still get the errors.  Has anyone else had similar problems?  How have you resolved this?

Comments 8 CommentsJump to latest comment

Jainam Technologies(Amol S)'s picture
Hi,
 
    Same think happened here. You are open case in Symantec support. I have also open case in Symantec & last one months they are working on this case. When you get the solution from Symantec support please provide me
 
Thanks,
Amol Sahare.
nakkinhead's picture
Hi All,
Here is how I fixed this problem on my 2 computers.
I uninstalled Endpoint protection  and Put 10.1 back on the computer,
Uninstall Cisco VPN 4.02 ....  Installed Zone Labs  ZoneAlarm, reboot, Install Cisco VPN client, reboot, Manually Restart the Cisco VPN service,,,, Zone alarm will want to know if it is OK to allow the process/ service... Answer Yes...
 
This scenario also works with Cisco 5.x   Apparently installing zone alarm fixes the Firewall issue.  I got this information off another forum (can't remember where) but the author on the other forum said you could copy some files, uninstall ZA then copy the files back to the computer but he must have had a different version of ZA since I could not find all the files he mentioned.
 
I have not tried but I'm guessing that you should be able to install Endpoint 11 then ZA and this may allow Cisco (Make sure you restart the VPN service) to work BUT once you install Endpoint 11 it breaks Cisco and I have not found another way to fix it... Keep in mind, I have not tried this but if you do please let me know if it works.
 
fjorq's picture
We also have this issue.  From what I have found out this is due to a setting in the VPN concentrator that checks to make sure that the cisco client vpn firewall is "ON".  SEP 11 blocks the ability for the VPN concentrator to perform this check, therefore users get this VPN policy error when they connect.  To workaround this (until there is a solution), you can disable the "check" option on your VPN concentrator. 
In our case, out systems that have SEP connect to a VPN tunnel that does not check for this or via SSL VPN.
nakkinhead's picture
From my post above, here is the link to fixing the firewall issue, I tried this but could not find the file vsutil_loc040.dll that he referenced...
I'm using ZoneAlarm version:7.0.462.000
TrueVector version:7.0.462.000
Driver version:7.0.462.000
 
 
 
 
 
 
No good deed goes unpunished.
0WN3D's picture
Well, if you want to create more work for yourself, you can uninstall everything and install something else OR...change your concentrator policy to use the Sygate (OTHER) guise.  Works here.
 
 
pnpn's picture
Hi there, here's my solution for this issue - it's easy and quick, no software unistallation involved.
 
Go to  My Computer - Property - Hardware - Device Manager
 
In the Device Manager, go to view - show hidden devices, go through the device tree, expand Non-Plug and Play Drivers, locate "vsdatant", double-click it.
 
Go to the Driver tab, you may see the status is stopped. Change the startup to "Demand", click Ok. re-open the property of vsdatant, start this device.
 
Once this driver starts, your Cisco VPN should work.
 
Vsdatant is the device that Cisco VPN integrated firewall relys on.
 
BUT when you restart your system, this device will be set to type as "Disable". I think it is because SEP does this. You have to manully change it again, if you don't do so, when next time you reboot your machine, this device won't start. This issue occurs again.
 
To prevent the SEP from disabling this device during the booting, you can include the "sc" command in your startup script to adjust the startup type change made by SEP.
 
sc config vsdatant start= demand
 
Good luck!
Paolo's picture
My pc have WindowsXP Sp2 on a Lenovo R61 notebook.
I haven't that non-p&p driver.
I see it into registry using Regedit.
But, I don't the meaning of the "Reg_Dword" used to define the Start and the Type: could you help me?
Which is the value for "Demand"? Now it's "2".
 
Paolo