“User did not acknowledge the banner” – Nortel VPN Client connection failure

A common reason for the banner message to hang is a firewall or router, placed somewhere along the path from the remote computer to the gateway, blocks ESP or AH traffic. 

User did not acknowledge banner

The follwing error can also be seen in the Nortel logs:

Nortel Log

The firewall can be a personal firewall installed on the remote computer, a firewall or router at the Internet Service Provider (ISP), or a corporate firewall. In this situation, IPSec ISAKMP traffic that negotiates the tunnel establishment, the tunnel establishes, but the ESP- or AH-encapsulted traffic inside the tunnel does not get through. When the banner text is retrieved through the established tunnel, the banner message or any other traffic secured by the ESP or AH never reaches the client and the NVC continues to wait for response from the gateway until a timeout period is reached.

To resolve this issue, ensure the following traffic is allowed to pass through the firewalls along the path: 

  • UDP protocol (17) port 500, both inbound and outbound
  • ESP protocol (50), both inbound and outbound
  • AH protocol (51), both inbound and outbound

It is not necessary to specify source and destination ports for ESP or AH protocols, but if a particular firewall implementation requires it, use zero or N/A as ports dependent on firewall or router requirements.

The following rule example is for Sophos:

Sophos FW rule



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: