Cisco VPN Client: Reason 412 – The remote peer is no longer responding

 

The error "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding" means the software VPN Client detected that the VPN server is no longer responding and deleted the connection. This can have several different causes, for example:

  • The user is behind a firewall that is blocking UDP ports 4500/500 and/or ESP.
  • The VPN client is connecting over TCP and the default TCP port 10000 for NAT-T is blocked.
  • The internet connection is not stable: some packets are not reaching the VPN concentrator/server, or the replies from the server/concentrator aren’t getting to the client, so the client thinks the server is no longer available.
  • The VPN client is behind a NAT device and the VPN server doesn’t have NAT-T enabled. In this case the user will be able to connect but will not be able to send or receive traffic at all. After some time the software client deletes the VPN tunnel.

Suggested solutions:

  • If you are using wireless, try connecting with a cable.
  • Turn your firewall off, then test the connection to see whether the problem still occurs. If it doesn’t, turn your firewall back on and add exception rules for port 500, port 4500 and the ESP protocol.
  • Turn on NAT-T/TCP in your profile (remember to unblock port 10000 in your firewall).
  • Edit your profile with a text editor and change ForceKeepAlive=0 to ForceKeepAlive=1.
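
The profile checks above can be scripted. This is an added example, not code from the original post or from Cisco: it reads a connection profile (.pcf), reports what the firewall has to pass for the configured transport, and applies the ForceKeepAlive change. The key names EnableNat, TunnelingMode and TCPTunnelingPort are not mentioned on this page and are assumed from the PCF format, as is the `!` read-only marker; the sample profile is constructed.

```python
import re

# A profile line: optional '!' (read-only marker), key, '=', value.
LINE = re.compile(r"^(\s*)(!?)([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample profile; EnableNat/TunnelingMode/TCPTunnelingPort are
# assumed key names (not from the page), ForceKeepAlive is from the page.
SAMPLE_PCF = """[main]
Description=Constructed example
Host=vpn.example.org
EnableNat=1
TunnelingMode=0
TCPTunnelingPort=10000
ForceKeepAlive=0
"""

def parse_pcf(text):
    """Map lower-cased key -> (value, read_only) for every key=value line."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m.group(3).lower()] = (m.group(4), m.group(2) == "!")
    return out

def review(text):
    """List what the firewall must pass and whether keepalives are off."""
    s = parse_pcf(text)
    get = lambda key, default: s.get(key, (default, False))[0]
    notes = []
    if get("enablenat", "0") != "1":
        notes.append("EnableNat is off (no NAT-T/TCP): firewall must pass UDP 500 and ESP")
    elif get("tunnelingmode", "0") == "1":
        notes.append("firewall must pass TCP " + get("tcptunnelingport", "10000"))
    else:
        notes.append("firewall must pass UDP 500, UDP 4500 and ESP")
    if get("forcekeepalive", "0") != "1":
        notes.append("ForceKeepAlive is off")
    return notes

def set_key(text, key, value):
    """Set key=value, keeping a leading '!' and all other lines; append if absent."""
    lines, done = text.splitlines(), False
    for i, line in enumerate(lines):
        m = LINE.match(line)
        if m and m.group(3).lower() == key.lower():
            lines[i] = f"{m.group(1)}{m.group(2)}{m.group(3)}={value}"
            done = True
    if not done:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"
```

Calling `review(set_key(SAMPLE_PCF, "ForceKeepAlive", "1"))` leaves only the firewall requirement in the report.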

Comments 36

  1. Ojo wrote:

    Since my company IT support can’t help to solve my issues for a while.
    I found this and your post very helpful for me.

    Thanks.

    Posted 12 Dec 2008 at 12:20 pm
  2. Wildan Usman wrote:

    Hi, your solution to turn off the Windows firewall helps me.
    Thanks.

    Happy New Year 2009!!!!

    Posted 24 Dec 2008 at 2:56 pm
  3. Steve Mayer wrote:

    I get this error but it is after the VPN connection has been up and working for quite some time successfully. I find that it frequently happens after 23 hours and xx minutes (frequently 59 minutes). This makes me think that there is something on the server or client that has a timeout which fires after the connection has been up for 24 hours. However, it is not consistent. Sometimes I can stay up for days, sometimes for only 10-12 hours, but when I get the error I would say 70% of the time it occurs after 23 hours and 59 minutes. Any ideas on what I should check for?

    Thanks, Steve

    Posted 21 Jan 2009 at 11:51 pm
  4. Derrick G. wrote:

    Steve, as I understand it, the ISAKMP lifetime is by default 86,400 seconds (i.e. 24 hours) and when this is up, the connection fails. Here’s a link with the details: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

    Cheers.

    Posted 05 Feb 2009 at 8:43 pm
  5. Rafael wrote:

    I’ve the same error but I tried all the suggestions and my VPN doesn’t work yet.
    Do you have more suggestions?

    Hugs!

    Posted 28 Feb 2009 at 3:03 am
  6. Patrick J. wrote:

    I was having this same problem with a client of mine and I tried disabling the on board network controller. It worked immediately. I was able to log in to Cisco VPN. I didn’t get the error 412. The on board NIC for this laptop was a Broadcom NetXtreme 57xx Gigabit Controller. I checked the driver version, which was 3/26/2007. I wasn’t able to try and update the driver because the Dell website was slow or something.

    Let me know if this helps!

    Posted 31 Mar 2009 at 9:30 pm
  7. Lamnk wrote:

    Thank you for sharing the tip with us, Patrick. This is unfortunately only applicable for computers with more than one network adapter and laptops don’t have this luxury. May I suggest updating the onboard controller’s driver first? ;-)

    Posted 01 Apr 2009 at 2:20 pm
  8. Lamnk wrote:

    @Steve: If that is the case, your admin probably has set the maximal lifetime for a VPN connection to 24 hours. The connection, however, can drop sooner due to other reasons. I know because we have this policy at my university :)

    Posted 01 Apr 2009 at 2:24 pm
  9. J007 wrote:

    We have 15 police patrol cars with laptops to access the Internet through a SPRINT wireless USB card.

    All laptops have Cisco VPN Client 5 installed and can VPN into the HQ LAN server through the Internet.

    Now we encounter the Error 412 problem – the VPN client keeps (randomly) dropping the connection to the server but the Internet connection is active.

    I tried all the ways from this web site with no luck.
    Two things show that the VPN server works O.K.:
    1. If the laptop VPNs into the server through the wired network, it’s OK.
    2. If, after VPNing into the server, I keep pinging the server (ping x.x.x.x -t), it works O.K.

    Any idea what the problem is, or do I have to reconfigure the VPN server?

    Many Thanks,

    Jim

    Posted 12 May 2009 at 10:03 pm
  10. Mahamadali wrote:

    “Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding”

    I am getting this error using one ISP connection but if I use another ISP connection then the VPN works fine. How can it work for one ISP and not for the other?

    Posted 30 May 2009 at 4:16 am
  11. Accelya Spain wrote:

    Thank you very much for the post!!!

    Posted 09 Jun 2009 at 6:00 am
  12. russds wrote:

    Nice, short and simple, I like it.

    Posted 30 Jun 2009 at 7:47 pm
  13. Nosleep wrote:

    I installed the VPN client on Vista 64bit and when I go to the client I receive “Secure VPN connection terminated locally by the Client Reason 440: Driver Failure”. Can you help?

    Posted 09 Jul 2009 at 7:30 am
  14. Lamnk wrote:

    Hi,

    Cisco Client doesn't run on Windows 64. Why? Because Cisco refuses to offer/develop a 64 bit version of VPN Client. You can use Shrew Soft VPN Client instead.

    Posted 09 Jul 2009 at 2:35 pm
  15. Justin Stoltz wrote:

    If you have 64 bit clients you can use the Cisco AnyConnect client (SSL). It is a better solution for road warriors as SSL is rarely blocked at hotels, corporate offices, etc… IPSec ports may be blocked and render the VPN client useless.

    The Cisco IPSec client does not support 64 bit.

    Posted 10 Aug 2009 at 7:09 am
  16. Lamnk wrote:

    AnyConnect supports 64 bit on Windows but not on Linux! And good luck if you have a Nokia phone with Symbian or an iPhone.

    Otherwise AnyConnect is not compatible with IPsec VPN server (Concentrator 3000 series). Switching to AnyConnect requires your organization to completely change the VPN infrastructure! And that Cisco hardware is definitely not cheap. I’ve heard some people say Cisco intends to not offer a 64bit version of Cisco VPN Client so that IPsec users must switch to SSL VPN, therefore pay a nice hefty upgrade price.

    Posted 13 Aug 2009 at 10:45 am
  17. akhlaqahmad wrote:

    Check your internet. I think your internet is giving drops or losing communication packets.
    Make sure your internet is not losing communication packets.

    Posted 10 Oct 2009 at 12:54 am
  18. gifts for her wrote:

    The 5.x client is supported on Vista, I use 5.0.01.0600 on Vista Ultimate
    32-bit. There is no Cisco VPN client for any of the 64-bit Vistas.

    Posted 29 Oct 2009 at 4:25 am
  19. nokfarang002 wrote:

    It's a simple for make it.

    Posted 17 Nov 2009 at 12:38 pm
  20. reiner wrote:

    This is very interesting

    Posted 08 Jan 2010 at 6:02 am
  21. DaveKan wrote:

    This tip did the trick for me. I am using Windows 7; I went back and undid all the other things I tried, and this one change to the PCF file got it working.
    ———————-

    Windows Vista Error 412
    When running under Windows Vista, you might encounter error 412: The remote peer is no longer responding.

    To work around this error, upgrade the local NAT device firmware. If this is not possible, switch to TCP. If switching to TCP is not possible, use the following keyword in the connection profile (*.pcf):

    UseLegacyIKEPort=1

    Posted 08 Jan 2010 at 8:29 pm
  22. gisnap wrote:

    Thanks for sharing, I love this post

    http://currnews.com/
    currnews.com
    Very much live news

    Posted 24 Jan 2010 at 9:28 am
  23. luisitguy wrote:

    If you are trying from within the network it will not work… and will give you that error 412. Try accessing from a remote location.

    Posted 02 Mar 2010 at 7:33 pm
  24. Free VPN wrote:

    really good And Free working

    Posted 23 May 2010 at 11:31 am
  25. Thank you wrote:

    Thank you very much, seems my ISP made some modifications on the central because I wasn't able to connect from one day to another, but suggestion 3 helped me to connect back again, thank you very much :)

    Posted 31 May 2010 at 10:59 pm
  26. Partha wrote:

    Hi,
    I have Windows 7 installed and when I am trying to connect through Cisco VPN, I'm getting Reason 412: The remote peer is no longer responding. I want to allow UDP ports 500 and 4500. Please help me with how I can allow them.
    Please help me with steps also, if possible.

    Thanks in Advance

    Posted 04 Jun 2010 at 7:05 pm
  27. Richard Lamers wrote:

    Dave, the UseLegacyIKEPort=1 option in the .pcf file is *THE* solution!!! Many thanks, you saved the day ;-)

    Posted 08 Jun 2010 at 1:48 pm
  28. Mark wrote:

    Where do I use the keyword UseLegacyIKEPort=1?

    Posted 08 Jun 2010 at 7:46 pm
  29. Nathan wrote:

    Try changing the Cisco Client to TCP (under Options, Transport). Worked for me.

    Posted 11 Jun 2010 at 9:37 pm
  30. Dfullen wrote:

    Take a look at this post that offers an easy way to solve the problem of Cisco 412 Error.

    http://links.maas360.com/cisco412Error

    Posted 23 Jun 2010 at 6:42 pm
  31. Nike air force wrote:

    Here elaborates the matter not only extensively but also detailly .I support the
    write's unique louis vuitton bags point.It is useful and benefit to your daily life.You can go those
    sits to know more relate things.They are strongly recommended by friends.Personally
    I feel quite well.

    Posted 05 Jul 2010 at 7:26 am
  32. Guest wrote:

    Not completely correct… Cisco may well have refused to “CERTIFY” a 64-bit version of the ipsec based VPN client with Microsoft. I wouldn't fault them for that considering the cost and effort involved in doing so.

    Also, if you know anything about Cisco you'll know that all current versions of PIX / ASA support the AnyVPN client with SSL functionality – which is “Certified for Windows”

    Posted 19 Jul 2010 at 7:33 pm
  33. Lamnk wrote:

    I don't know what you mean by “certify”. But at my university we have requested a 64bit version of the IPsec client for many years already, and only recently has Cisco released one that works for Windows Vista and 7. Considering that from, say, 2 years ago a lot of recent laptops/computers were already shipped with 4GB RAM, it's quite ignorant of Cisco, at least from my perspective.

    I'm not a Cisco expert but I do know that the Cisco ASA line offers SSL VPN with the 64bit capable AnyConnect client. However a lot of universities in Germany use the old Concentrator 3000 series due to licensing cost. Switching to the newer ASA 5500 line requires budget and affects many users (more than 30000 students and employees in Heidelberg). Maybe that's the reason Cisco doesn't want to release a 64bit IPsec client: to force buyers to upgrade to SSL VPN so they can sell more devices.

    Posted 19 Jul 2010 at 11:44 pm
  34. Bobbydrake wrote:

    Thanks! This worked!

    Posted 01 Aug 2010 at 1:04 am
  35. Tac wrote:

    5.0.07.0290 has been released from beta and is official Cisco support for Windows 7. There is a 32bit and 64bit binary available.

    Posted 07 Aug 2010 at 8:41 am
  36. Lamnk wrote:

    Yes, I knew that. After how many years? I have worked as a VPN assistant for 2 years now, and since the beginning there were always requests for a 64-bit version. All I could say to them was sorry, Cisco doesn’t offer 64bit, I can’t help you there.

    Oh, and the Linux client always has problems whenever a new kernel is released. People always have to patch this or that file in order to compile the Cisco client. It’s simply not maintained.

    Posted 12 Aug 2010 at 2:53 pm

Trackbacks & Pingbacks 1

  1. From Linux and Cisco VPN Client “Remote peer is no longer responding” « sonia hamilton – life on the digital bikepath – sonia@snowfrog.net on 09 Nov 2009 at 9:10 pm

    [...] from the obvious firewall/nat checks [1][2], a solution seems to be to edit the .pcf file, bump up the timeout and force [...]
