Microsoft KB Archive/942429

= You cannot connect to a Cisco ASA Series VPN server by using an L2TP/IPsec-based VPN connection in Windows Vista =

Article ID: 942429

Article Last Modified on 10/31/2007

-

APPLIES TO


 * Windows Vista Home Premium
 * Windows Vista Ultimate
 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Home Premium 64-bit Edition
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Business 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition

-



SYMPTOMS
You cannot connect a computer that is running Windows Vista to a Cisco ASA Series VPN server by using a virtual private network (VPN) connection that is based on the "Layer 2 Tunneling Protocol with IPsec" (L2TP/IPsec) protocol. This problem occurs if another Windows Vista-based computer is already connected to the VPN server through an L2TP/IPsec-based VPN connection. You cannot connect to the VPN server until the other computer disconnects from it.

This behavior does not occur on a computer that is running Windows XP or Windows Server 2003.



CAUSE
This behavior occurs because of changes in Windows Vista that help improve security.

When the Cisco ASA Series VPN server performs an L2TP/IPsec negotiation, the server uses the message ID of the phase 2 quick mode negotiation to identify the client. However, every Windows Vista-based VPN client uses the same message ID for its initial quick mode message. When a second Windows Vista-based VPN client connects while the first is still connected, the server treats the second client's message ID as a duplicate of the ID already in use, and it refuses the connection.



MORE INFORMATION
Windows XP and Windows Server 2003 use a randomly generated message ID during phase 2 quick mode negotiation. Therefore, the problem does not occur on these operating systems.

Windows Vista uses a monotonically increasing sequence number as the message ID for phase 2 quick mode negotiation. This lets the receiver verify incoming message IDs from different Windows Vista-based computers more strictly, and it helps prevent untrusted phase 2 replay attacks; such replay protection cannot be implemented effectively with randomly generated message IDs.
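The following simulation is an added example and is not code from Microsoft, Cisco or this article. It models the behaviour described in the CAUSE and MORE INFORMATION sections: a responder that keys its quick mode state on the message ID alone (the behaviour the article attributes to the ASA) against one that keys it on the ISAKMP SA (the initiator/responder cookie pair from the ISAKMP header) plus the message ID. The client classes, the `Responder` class and the cookie values are constructed stand-ins, not real implementations; the ISAKMP field names come from RFC 2408/2409.

```python
"""Simulation of IKE phase 2 (quick mode) message-ID handling.

Constructed example: a counter-based client (the Windows Vista behaviour
described in the article), a random-ID client (the Windows XP / Server
2003 behaviour), and a responder that can de-duplicate message IDs either
globally or per ISAKMP SA.
"""
import itertools
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class QuickModeMessage:
    # Minimal ISAKMP header fields relevant to the example (RFC 2408 names).
    initiator_cookie: bytes   # with responder_cookie, identifies the phase 1 ISAKMP SA
    responder_cookie: bytes
    message_id: int           # 32-bit phase 2 exchange identifier


class CounterClient:
    """Models the Vista behaviour: a monotonically increasing message ID
    that starts from the same initial value on every machine."""

    def __init__(self, cookie: bytes, start: int = 1):
        self.cookie = cookie
        self._counter = itertools.count(start)

    def first_quick_mode(self, responder_cookie: bytes) -> QuickModeMessage:
        return QuickModeMessage(self.cookie, responder_cookie, next(self._counter))


class RandomClient:
    """Models the XP / Server 2003 behaviour: a random 32-bit message ID."""

    def __init__(self, cookie: bytes, rng: random.Random):
        self.cookie = cookie
        self._rng = rng

    def first_quick_mode(self, responder_cookie: bytes) -> QuickModeMessage:
        return QuickModeMessage(self.cookie, responder_cookie, self._rng.getrandbits(32))


@dataclass
class Responder:
    """Hypothetical VPN server tracking active quick mode exchanges.

    per_sa=False: duplicate detection keyed on the message ID alone, so two
    clients that happen to pick the same ID collide (the article's symptom).
    per_sa=True: keyed on (cookies, message ID), so an ID only has to be
    unique within one ISAKMP SA, while a genuine replay is still refused.
    """
    per_sa: bool
    cookie: bytes = b"\x00" * 8          # constructed responder cookie
    active: set = field(default_factory=set)

    def accept(self, msg: QuickModeMessage) -> bool:
        if self.per_sa:
            key = (msg.initiator_cookie, msg.responder_cookie, msg.message_id)
        else:
            key = msg.message_id
        if key in self.active:
            return False                  # treated as a duplicate / replay
        self.active.add(key)
        return True


def simulate(clients, responder: Responder) -> int:
    """Each client sends its first quick mode message; returns how many are accepted."""
    return sum(responder.accept(c.first_quick_mode(responder.cookie)) for c in clients)


def vista_clients(n: int):
    # Distinct (constructed) initiator cookies, identical starting counters.
    return [CounterClient(cookie=bytes([i]) * 8) for i in range(1, n + 1)]


def xp_clients(n: int, seed: int = 42):
    rng = random.Random(seed)             # seeded so the run is reproducible
    return [RandomClient(cookie=bytes([i]) * 8, rng=rng) for i in range(1, n + 1)]


if __name__ == "__main__":
    print("counter IDs, global dedup :", simulate(vista_clients(3), Responder(per_sa=False)))
    print("counter IDs, per-SA dedup :", simulate(vista_clients(3), Responder(per_sa=True)))
    print("random IDs,  global dedup :", simulate(xp_clients(3), Responder(per_sa=False)))
```

Running the script shows the article's symptom directly: with global de-duplication only the first counter-based client is accepted, while random-ID clients all get through because their IDs almost never coincide. Scoping the duplicate check to the ISAKMP SA accepts every client and still refuses a replayed message within the same SA, which is the property the monotonic counter exists to provide.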

To view the RFC document for the Internet Key Exchange (IKE), visit the following IETF Web site:

http://www.ietf.org/rfc/rfc2409.txt

For more information about Cisco ASA 5500 Series, visit the following Cisco Web site:

Using the Cisco ASA 5500 Series for VPN Connectivity
http://www.cisco.com/en/US/products/ps6120/products_white_paper0900aecd80282f87.shtml

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Keywords: kbtshoot kbprb kbexpertiseadvanced KB942429

-


© Microsoft Corporation. All rights reserved.