Cisco VPN-Client FAQ


The CISCO VPN Services will be deactivated soon! Please migrate to our OpenVPN Services instead.

Depending on your internet-connection, it may be neccessary to change a parameter of the VPN-Client which tries to bypass your net-restrictions.

cisco_faq_1.jpg NAT/PAT/ACLs/Firewalls/…

If no connection can be established, you can try to change the TCP/UDP setting to the respective alternative:
“Connection Entries”→“VPN@BIT-…”→Modify→Tab “Transport”. In priciple VPN@BIT does support both as well as NAT-T.
  • Allow IPSec over UDP
  • Use IPSec over TCP
The default-setting “TCP” does normally make the fewest problems.
- ACLs/Firewalls

For usage of the VPN, you need to allow the following connections:
From your own System port 500/udp to at the moment
From your own system to at the moment (eventually udp too).

In the case you connect to the B-IT through an NAT-device which is already serving another connection on port 500/udp or blocking port 500, the client will automatically try to use NAT-T. You need to open port 4500/udp for this to work.

For all connections the opposite way has to be opened too, of course!
cisco_faq_2.jpg - MTU

Another pitfall might be a wrong MTU of the “physical” ethernet-adaper, which is used by the VPN-Adapter to tunnel the vpn-connection. For VPN you should use a MTU of 1300, but for the physical adapter you have to set the MTU to a noticeable higher value. (Ethernet/WLAN: 1500, DSL 1492). Note that this is an aproximate value especially for DSL. Please set this values, so that MTU of VPN-adapter ⇐ MTU of physical adapter applies. Windows doesn`t offer any tools for that, so use the menu-entry “Set MTU” whithin the Cisco VPN Client and reboot. (reboot!)
cisco_faq_2_002.jpg Look for the adapter you want to change and change the “MTU Options” to “Custom”. Now you can change the MTU-value manually.

ICS has to be disabled.

In Windows 2000/XP you may have to disable the following services: (we are talking about the Microsoft originals, not about eventually installed third-party software)
  • IPSec Services
  • Internet Connection Sharing
  • Network bridges to different Interfaces
  • fast user switching
cisco_faq_3_003.jpg The Cisco Client has a log-function:
Enable it through “Log” → “Enable”.
cisco_faq_3.jpg Under “Log” → “Log Settings” you shoult set the prioritys to “high”, to be sure that everything is logged.
cisco_faq_3_002.jpg Under “Log” → “Log Window” you can see the log.
Connections through VPN@BIT

Whenever a VPN-Connection is established, all connections are running throught the B-IT-Network in principle and appears with an IP-Address from within the B-IT-Network.
Tip: With an right-click on the VPN@BIT-… connection you can create an shortcut onto the desktop.
If you have further questions please contact the B-IT Systems Group (

In case of problems: Please note that the SGBIT cannot give individual support for private systems. We will try to solve your problem within the realms of our possibilities. If you contact us, we assume that you have already took attention the above hints! Please forward all information which may be relevant. That means in particular error-messages, logfiles, the time when you tried it and the from the VPN-Client used IP-Address.
pnas_en/vpn/faq.txt · Last modified: 2015/10/21 13:57 by thielt