iKey Authentication - Troubleshooting

Troubleshooting JointVPN Access with the iKey Token

[Nov 23, 2009 14:09] Web access to Microsoft Live@edu accounts now works.

Troubleshooting JointVPN Access with Your iKey

If iKey access to the JointVPN is not working, you must first determine whether the problem lies with the VPN or with the iKey.

  1. Does the passphrase change procedure work? If so, it means that the iKey software on the user's computer is able to see the iKey device. If the procedure does not work, and it has worked in the past, a simple system reboot may be all that is needed. Passphrase change must be working in order for you to test other aspects of the system.
  2. If the passphrase change procedure is working, try the web-based test described in these instructions. If the web-based test is successful, the problem is most likely with the VPN client installation itself and not with the iKey device or its software drivers.

If the tests above are successful, but VPN connections still fail, the problem is likely with the VPN itself and not with the iKey system.

  1. If your problem appears to be intermittent, remember that the iKey must be connected to your USB port for several seconds before you start the Cisco VPN client. Windows must have time to detect the iKey device and register its certificates before the VPN client is started.
  2. Verify that you have followed all steps correctly in the section on Using the JointVPN client with your hardware token.
  3. On the Cisco VPN client, select the Certificates tab. Click on the certificate from the UVa High Assurance CA (a certificate in the Microsoft store that does not contain a number after the person's name) to highlight it, and click the Verify button. If the verify test fails, you are likely missing one of the certificates that are normally installed in the section on Using the JointVPN client with your hardware token.
  4. Try disabling the Windows XP or 3rd party firewall temporarily to see if the VPN connection succeeds. If so, the PC being used does not have the correct set of ports open in its firewall configuraton for the VPN connection to work. Changing the VPN client's transparent tunnel setting from TCP to UDP may enable the connection. You can also use the ITC Microcomputer Systems Group's Windows firewall configuration script to enable the needed set of ports.

If you are having power problems with your iKey, it may need a different source for power.

  1. The iKey device requires more power than is available from many keyboard or monitor USB ports. If you are having problems, plug the iKey into a USB port that is part of the computer itself (the CPU case with a desktop computer or directly into a port on a notebook computer).

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.