Bitdefender 2008 And Cisco Vpn Client On Vista Ultimate Options

[Pall Bjornsson]

I have Bitdefender 2008 Internet security on a Vista Ultimate.

I have problems with using Cisco VPN Client to connect from my Vista computer to a VPN remote end.

Cicso VPN is v 5.0.01.0600

Running the VPN client with BD Firewall disabled is working.

When opening a VPN connection, I get to the cisco VPN client login screen and when I put in my username and password, there is a delay for 15 - 20 secs, and then I get BD block screen with:

The Cisco Systems VPN client is trying to open a server port. File path: c:\program ....\cvpnd.exe, Protocol: UDP / Port: 62515

The reccommended action is Allow, but at the same time the VPN client fails, so I'm always to late to Allow :-(

The cvpnd.exe program is in the exceptions list of the firewall with UDP all ports, both directions allowed.

At the time the vpn client is trying to connect, a new zone is temporarily added the BD zone list, which is then removed after the failing attempt. I can see though that it gets the "Trusted" status.

Apart from that, I'm stuck.

How can I allow the vpn to proceed with the connection?

Palli

[Pall Bjornsson]

Here is the log from the Cisco client, if that can help:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright © 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 00:38:45.194 10/14/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: unable CreateUnicastIpAddressEntry, error 0

2 00:39:00.199 10/14/07 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 5010
Destination 0.0.0.0
Netmask 0.0.0.0
Gateway 10.9.200.1
Interface 10.9.207.1

3 00:39:00.199 10/14/07 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a09cf01, Gateway: a09c801.

4 00:39:00.199 10/14/07 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 1168

5 00:39:00.199 10/14/07 Sev=Warning/2 CM/0xA3100025
Unable to delete route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80123, Gateway: c0a80123.

6 00:39:00.206 10/14/07 Sev=Warning/2 CVPND/0xA3400019
Error binding socket: -9. (DRVIFACE:2958)

7 00:39:00.206 10/14/07 Sev=Warning/2 CM/0xE3100009
Failed to register public interface

8 00:39:00.848 10/14/07 Sev=Warning/2 IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)

9 00:39:00.848 10/14/07 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2238)

[Pall Bjornsson]

I seem to have found the reason, but how to change ?

When the VPN connection is initially made, the BD firewall switches to another profile, as it's another network.

In that profile, the vpn client is not allowed as exception.

By being quick enough and put the vpn client into the exception list, before the connection attempt timed out (15-20 sec), I managed to get it into the exception list for the vpn network profile.

But this is quite cumbersome, having to be that quick adding it into the profile. So, how can I edit a profile of the vpn network without having that profile active in BD, and without having the BD firewall network zone even existing ?

Regards,
Palli

[Cris]

Hi Palli,

Currently, BD2008 (IS and TS) doesn't have the option to apply the same profile when the network changes. This is a big problem also for users who have dynamic IPs and BitDefender doesn't seem to remember the profiles (which makes BD ask over and over again about the same applications).
You can post this suggestion in the Requested features section.

I'll also try to contact someone about this issue, but I don't know if I'll manage to get in touch with anyone on Sunday... (IMG:http://forum.bitdefender.com/style_emoticons/default/sad.gif)

Cris.

[Pall Bjornsson]

Hi Chris !

No, no, Monday will be fine (IMG:http://forum.bitdefender.com/style_emoticons/default/rolleyes.gif)

I'll just hang in there for a few days.

I appreciate your help.

Palli

[Pall Bjornsson]

Hi again Chris !

A little more on the same issue.

There obviously is more to it than changing the profile to allow just get the VPN client to make a connection. After I manage to connect, being quick enough to add an exception to the temp profile just loaded, I can not communicate through the VPN tunnel. Probably this temp profile needs to be edited to allow that, I have not examined. Editing that new profile seems pointless, as after the next restart, a new temp profile name is introduced when I vpn connect, and then my changes will be lost!

The only way I can make the vpn connection is to turn off the BD firewall!

That is however no good to have no firewall, and it's also no good to have to remember to turn it off before every vpn connection attempt !

So, is it an option turning BD firewall off permanently, and use the Vista firewall instead, having BD handle the rest, like viruses etc?

Palli

[Cris]

Hi Palli,

When you connect to VPN, don't you have always the same IP? If you don't, can't you set it so you'll have the same IP?

BD selects the profiles depending on your IP. If, when you connect through VPN, you'll have the same IP like the last time you connected, then BD will apply the same profile as it did last time.

If you don't always have the same IP and you cannot make it so you do, then there's not much you can do then turn off BD Firewall and trust Windows Firewall.

After I talk to someone, if they fix this issue, you shouldn't have any other problems whatever IP you have. But I don't guarantee anything because I don't work for BitDefender, so all I can do is report this bug.

Cris.

[Pall Bjornsson]

Hi Cris !

Nope, I can't guarantee the same IP on each connection. The connection is made to a cisco VPN concentrator box, which DHCP's it's allocation of IP addresses. Usually I get the same IP, but the IP addresses are allocated sequentially as it seams, so if there's someone connected to the VPN box before me, I will get another address.

I kind of suspected that you were not working for BitDefender, so I didn't get my hopes up very high, don't worry about that.

From my point of view, then either one fixed profile for all the zones (i.e. one global profile without profile switching), or configurable static profiles for the other zones would probably fix this isssue. Those static profiles will however have to be configurable up front that is, before a switch is made to that profile.

Actually, those zone adding and removing might be the source of the problem. If you could manually add a zone for the VPN network, and edit the profile, the problem would probably be fixed? Currently, I can't add a zone for my VPN network, as it doesn't exist on the network list until a connection is made. Then when I connect, BD addes the zone dynamically, and removes it after a connection is dropped. So, manually adding a zone not currently in the network list, and editing the profile for that zone, wouldn't that be a fix ?

Best regards,
Palli

[RunningRoach]

Hi..

i have been having the same problem. I am using:

Lenovo X61
Vista Business
Cisco VPN 5.0.00.0340
Bit Defender Internet Security 2008

Would love to help in any way i could to solve this problem. Also would like to know where to download the latest Cisco VPN Client from. My workplace is still not 'Vista' ready for their VPN clients.

[Pall Bjornsson]

Hi RunningRoach !

Well, I'm all set up to help in troubleshoot the problem too, but there hasn't been much traffic on this thread since its early days :-(

Anyway, I didn't have time to wait for a fix, so what I did was to deactivate the BD firewall and activate the Vista Firewall instead.

I have not studied the Vista firewall in detail, but it seems to be much improved from the XP one, and it's two-way now.

I can use the Cisco VPN client through the Vista firewall, but the VPN client does some harm to the IP environment as it seems, because after the VPN has been loaded once, and then unloaded, the workstation doesn't accept incoming remote desktop connections (and possibly more), unless a reboot is performed.

This implies that the BD problems probably aren't all BD related, but also Cisco VPN client related.

Regarding the download of VPN client software for Cisco, then that is not publicly available, and must be obtained through some Cisco special support contracts.

There is a newer version available than yours 5.0.00.0340. I think the newest version is .0600.

In my case, the new version didn't fix my problems, so I'm still waiting for a newer release.

Palli

[Kris]

Anyway, I didn't have time to wait for a fix, so what I did was to deactivate the BD firewall and activate the Vista Firewall instead.

I have not studied the Vista firewall in detail, but it seems to be much improved from the XP one, and it's two-way now.

I can use the Cisco VPN client through the Vista firewall, but the VPN client does some harm to the IP environment as it seems, because after the VPN has been loaded once, and then unloaded, the workstation doesn't accept incoming remote desktop connections (and possibly more), unless a reboot is performed.

Hi Pall,

I am having the same problem with BD 2008 and the Cisco VPN software. If anybody comes up with a solution, please let us know.

I have also experienced some network difficulties after using both the Nortel and Cisco VPN clients. It seems that under Vista, running either of these VPN programs prevents certain networking activity (for me it is Windows file sharing) until a reboot, even if the VPN clients are closed.

Regards,
Kris

[pti]

Hi Pall,

I am having the same problem with BD 2008 and the Cisco VPN software. If anybody comes up with a solution, please let us know.

I have also experienced some network difficulties after using both the Nortel and Cisco VPN clients. It seems that under Vista, running either of these VPN programs prevents certain networking activity (for me it is Windows file sharing) until a reboot, even if the VPN clients are closed.

Regards,
Kris

Hi,

I was struggling with the same, did a re-install of the VPN client version 5.0.00.0340 after having installed BD 2008; then disabled the BD 2008 firewall for 5 minutes; activated the VPN client (and logged into my remote system); then when after a while (I assume 5 minutes) the firewall asked to allow the VPN client to go through, I acknowledged.

Now it is working fine when I launch the VPN client, no need to disable the firewall.

Paul

[Drew]

Hi Palli, I'm the same as you. I even tried the 5.0.02.0060 beta but that didn't help.

And I found the profiles as you did that keep changing every time you connect.

I thought I had things working for one brief moment when I turned off the firewall, made the vpn connection and then added cvpnd.exe to that profile. Only to find out that the next time you connect, it will randomly choose some other profile name! :-(

So as you found out, if you want to use BD and the Cisco VPN, turn off the Firewall :-(

I hope BD fixes it soon...

Drew

I have Bitdefender 2008 Internet security on a Vista Ultimate.

I have problems with using Cisco VPN Client to connect from my Vista computer to a VPN remote end.

Cicso VPN is v 5.0.01.0600

Running the VPN client with BD Firewall disabled is working.

[RTT]

I wonder if the issue is not BitDefender blocking cvpnd or the remote IP. In my case (BD IS 2008 + Cisco VPN 5.00.0030 + WinXP SP2) I see the VPN establishing ok and my corporate network (which is a 10.2.x.x network) being added as a local network, but if I check the BitDefender firewall logs I see a stream of the following:

2007/12/09 15:28:06.233 [BDFNDISF][FILTER] Denied UDP packet. (dir = OUTBOUND, src addr = 192.168.1.109, src port = 10000, dst addr = vpnserver_IP_address, dst port = 10000)
2007/12/09 15:28:06.233 [BDFTDIF][FILTER] Packet received for closed port.

Where vpnserver_IP_address is the IP address of the VPN server. With VPN you actually have two IP headers, the outer header with the vpnserver IP is what is received on the port, but BD installs the network of the inner IP address (the corporate network, or 10.2.x.x in my case) as a trusted network.

It might be that the issue is with tunnelled IP packets such as this.

[odhinswarrior]

I have a similar problem using BD Total Security 2008 + Cisco VPN Client 4.6.04.0043 + Win XP SP2.
In my case, I can connect to VPN Client, but once connected to the VPN Client when I attempt to connect to my remote desktop using Windows RDC (Remote Desktop Control) the remote desktop can not be found.

When I turn BD's Firewall off for 5 minutes, even while leaving the VPN Client connected, then I can connect to the Remote Desktop without problem. As soon as BD's Firewall get activated again the Remote Desktop immediately loose connection.

I have been battling with BitDefender's so-called customer tech support for a week with no help in sight.
The worst tech support I have ever encountered, and I used Norton, McAfee and Zone Alarm before.
I'm on the verge of uninstalling this useless BitDefender and just go back to Norton or McAfee.

Please let me know if there's someone out there with a solution to this problem.

[RTT]

I have been battling with BitDefender's so-called customer tech support for a week with no help in sight.
The worst tech support I have ever encountered, and I used Norton, McAfee and Zone Alarm before.
I'm on the verge of uninstalling this useless BitDefender and just go back to Norton or McAfee.

Please let me know if there's someone out there with a solution to this problem.

Speaking as an impartial 3rd party, isn't that a bit hasty?

All Internet security suites seem prone to incompabilities. In my case I spent many cycles arm wrestling with Kaspersky and finally had to uninstall it due to an incompatibility that could *only* be resolved through an uninstall (simply disabling Kaspersky did not help). For me BitDefender has worked very well in almost all situations except with Cisco VPN.

In this case it seems a workaround exists (disable BD firewall, enable Windows firewall) so unless you have other issues, would it not be wiser to live with this incompatilibility as opposed to spending the time fighting with a new internet security suite, assuming the other BD features work well for you?

Just trying to be helpful...

[odhinswarrior]

Speaking as an impartial 3rd party, isn't that a bit hasty?

All Internet security suites seem prone to incompabilities. In my case I spent many cycles arm wrestling with Kaspersky and finally had to uninstall it due to an incompatibility that could *only* be resolved through an uninstall (simply disabling Kaspersky did not help). For me BitDefender has worked very well in almost all situations except with Cisco VPN.

In this case it seems a workaround exists (disable BD firewall, enable Windows firewall) so unless you have other issues, would it not be wiser to live with this incompatilibility as opposed to spending the time fighting with a new internet security suite, assuming the other BD features work well for you?

Just trying to be helpful...

Thanks RTT,
Yes, i agree with you!
I actually do not have the time on this stage to battle installing another 3rd party Firewall.
That is what I have been doing, simply work remotely relying on Windows XP's Firewall...

I also didn't want to go out and spend more money on yet another 3rd party Security product, so for time being I'll just stick with BD.

Besides, that is the only major headaches I've had the last 2 weeks since installing BD

[Andrei Dumitru]

A solution will be released soon, more exactly you will be able to keep the same profile regardless of the connection. It will be a generic profile, just like the one the firewall in BitDefender 10 had. This is released to address the Cisco VPN issue and the dynamic IP address allocation issues previously reported in this forum.

Andrei

[SVX]

I too am having this problem with my companies VPN software, BD Total Security 2008, and Windows XP SP2 (on a Thinkpad T61p) - I have tried both AT&T Network Client 6.9.0.3006 and Lotus Mobility Client 5.1.1.4. Neither will connect if the firewall is active. In fact, Mobility Client will not connect if the A/V is active when attempting to connect (can re-enable once connected and am ok). If I try to turn the firewall on while on VPN, it kills it.

Needless to say this is somewhat frustrating. Out of all my research BD was consistently rated best and based on my experience and testing thus far, it appears to be true (especially with its low resource usage). The only kicker is this VPN issue which needs to be addressed. I did not have this problem using Symantec Client Security 3.1.5.5000 or Windows One Care both versions 1 or 2. I have debated trying McAfee, Norton 360, or ZA, but would hate to do so. The other three either hog resources (Norton/McAfee) or are unstable (ZA).

Andrei, what is the eta for this fix? I would like to test it before my trial runs out in 3 weeks.

[dyugle]

Here is my solution. Hope it works for you. Firewall, Traffic, Edit profile. Then add rule as attached for the 192.168.0.0 subnets and then move rule to top. Change as required for other subnets or computers. [attachment=1429:firewall...defender.doc]

This post has been edited by dyugle: Feb 4 2008, 07:40 PM

Attached File(s)

 firewall_vpn_bitdefender.doc ( 122K ) Number of downloads: 121