Barracuda Network Access Client

Barracuda Network Access Client



Troubleshooting

Last update: Tuesday, 7. May 2013

This page provides you with solutions to some common problems concerning the Barracuda Network Access Client.

Troubleshooting

ProblemSolution

Connection to the VPN server breaks immediately after establishing.

A firewall rule set may have been damaged during transfer from the VPN server to the client. Disconnect all applications and connect again to solve the issue. This behavior may also occur with slow connections. Increase the Keep alive (seconds) parameter (see Advanced Settings Tab) if you encounter any problems.

Connection breaks if IP address assignment via DHCP is used.

A connection problem occurs when the firewall slot is closed too early. Create a local firewall rule set to solve the issue: Action > Pass Service > BOOTPS (out: UDP 67; in: UDP 68).

VPN Gateway not reachable via VPN tunnel is logged into the Events window.

Open the Expert tab  (see Advanced Settings Tab) and change the value from Virtual Adapter Configuration to Direct assignment or the other way around.

Session PHS: signature check failed (bad decrypt) is logged into the Events window.

Deactivate Private Encrypt (see Connection Dialog, X.509 Authentication).

Error code 0x0000142 is continuously thrown by phionHADlg.exe in Barracuda NG Access Client 2.0 SPx.

The following error popup shows permanently up in Windows XP:

image2013-5-2 18:0:44.png

This is an operating system issue (see also this Microsoft article: http://support.microsoft.com/kb/950312/en-us).

As a workaround, you may disable the respective process entry in the Microsoft Event Monitor by disabling the process monitor for the Barracuda NG Access Client 2.0 SPx. To do so, set this DWORD registry entry to a value of "0":

HKEY_USERS\.DEFAULT\Software\Phion\phionvpn\settings\ProcessMonitor

Subsequently restart the computer.

Authentication using X.509 and eToken / SmartCard fails in Barracuda NG Access Client 2.0 SPx.

The following error message is generated into VPN client log while trying to connect to the VPN server:

ERROR: Crypto Key Provider doesn't support 
native RSA CryptEncrypt/CryptDecrypt

The crypto service provider (e.g., Smartcard from aTrust) does not support native RSA access.

In this case, set the Probe Encryption option within VPN Profile > Properties > Connection Entries to No. Thereby, the probe encryption will not be executed prior to the actual connecting process. The user is then prompted for the PIN and will have 20 seconds to enter it before the timeout at the VPN service is reached.

image2013-5-2 18:1:56.png

A VPN connection can not be not established due to a Firewall Status mismatch error. 

The VPN Service on the Barracuda NG Firewall drops incoming connection request by a Barracuda NG Network Access Client with a version number below 2.0 SP3 and generates the following error message into the VPN Log:

Warning Session PGRP-AUTH-user01: 
reply unsuccesful handshake:
100 36 Firewall Status mismatch

Barracuda NG Network Access Clients prior to version 2.0 SP3 cannot interpret the VPN Service's Firewall Always ON option which therefore effectively prevents connection establishment for these clients.

To allow these older clients to connect to the VPN service, navigate in Barracuda NG Admin to Config > Box > Virtual Servers > [Servername] > Assigned Services > [Servicename] > Client to Site > External CA > Group Policy and clear the Firewall Always ON check box. Ask your administrator to process this if you have no access to the Barracuda NG Firewall by yourself.

image2013-5-2 18:2:53.png

 

The VPN Client cannot open a connection due to a timeout.

Barracuda NG Network Access Client 2.0 SPx breaks the VPN connection and generates the following error message into the client log:

Could not connect to serverConnectLib,
Open() failed: could not open DIRECT connection,
IOStreamSock: Connect(x.x.x.x:691): TIMEOUT
Error while connect to x.x.x.x:691 (proto=TCP)

This message appears only if the server's IP address is reachable, but at the same time no listen port (UDP/TCP 691) is available.

The VPN Service listens by default on the first and the second server IP address. For additional server IP addresses, it is necessary to bind the service manually to these additional IP addresses. Navigate to Config > Box > Virtual Servers > [Servername] > Assigned Services > [Servicename] > Service Properties > Service Availability in order to achieve this.


Feedback
If you have a technical issue with the product, please contact Barracuda Networks Technical Support. Did you find this article helpful: |