
Cisco VPN client not working

IT Asitis
Level 1

Hi,

I have set up Cisco VPN client access and it works everywhere except at a wireless (firstspot.org) network that is used in meeting locals that are shared with the other companies in our building.

Is there any possibility that I need to allow NAT-T for my Cisco VPN client (something I read)? If so, how can I do this just for the VPN?

Or is there maybe another solution?

The error I'm getting is: Reason 412 - The remote peer is no longer responding.

All help is appreciated.

/Hilmar


IT Asitis
Level 1

Update: I get the following in my logs

5  Apr 09 2013  15:24:17  713202  IP = 195.198.115.142, Duplicate first packet detected.  Ignoring packet.

More update:

Here is the log from the VPN client. Don't know if this helps, but it looks to me as if the client is not getting the response from the ASA and therefore sends again and again until the ASA terminates.

Anyone have a solution for this?

/H

1      19:38:07.129  04/09/13  Sev=Info/6     IKE/0x6300003B

Attempting to establish a connection with 80.181.36.30.

2      19:38:07.144  04/09/13  Sev=Info/4     IKE/0x63000001

Starting IKE Phase 1 Negotiation

3      19:38:07.144  04/09/13  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 80.181.36.30

4      19:38:12.183  04/09/13  Sev=Info/4     IKE/0x63000021

Retransmitting last packet!

5      19:38:12.183  04/09/13  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 80.181.36.30

6      19:38:17.300  04/09/13  Sev=Info/4     IKE/0x63000021

Retransmitting last packet!

7      19:38:17.300  04/09/13  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 80.181.36.30

8      19:38:22.371  04/09/13  Sev=Info/4     IKE/0x63000021

Retransmitting last packet!

9      19:38:22.371  04/09/13  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 80.181.36.30

10     19:38:27.441  04/09/13  Sev=Info/4     IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=807FD9825CFD1067 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

11     19:38:27.956  04/09/13  Sev=Info/4     IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=807FD9825CFD1067 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

12     19:38:27.956  04/09/13  Sev=Info/4     IKE/0x63000001

IKE received signal to terminate VPN connection

Hello,

Exactly,

Can you run a debug crypto isakmp while trying to connect from that site?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

Thanks for the input.

Since there are many using the remote VPN I get lots of traffic. I have set up a new remote access VPN and get the same problem. Is it possible for me to filter the log so I see only the "test" tunnel? The logs run away and when I stop them it is too late.

I have tried to run

debug crypto isakmp 1

debug crypto isakmp 2

debug crypto isakmp 50

Is there any one special level I should try?

If I understand, there are 255 levels.

/Hilmar

Is there one in particular that I should try?

debug crypto condition username xxxx ( The username you are providing)

or

debug crypto condition Peer   x.x.x.x ( IP address of your client) Public of course

Then add the debug crypto isakmp 255

and try to connect

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

debug crypto condition user VpnTest

Gives no output

debug crypto condition Peer 197.195.111.153

Gives no output

debug crypto isakmp 2

Apr 15 14:14:18 [IKEv1]IP =  197.195.111.153 , Connection landed on tunnel_group In_VPN

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 14:14:23 [IKEv1]IP = 197.195.111.153 , Duplicate first packet detected.  Ignoring packet.

Apr 15 14:14:28 [IKEv1]IP = 197.195.111.153 , Duplicate first packet detected.  Ignoring packet.

Apr 15 14:14:33 [IKEv1]IP = 197.195.111.153 , Duplicate first packet detected.  Ignoring packet.

debug crypto isakmp 255: it just runs away in the terminal and the information I'm looking for can't be copied. I'm assuming this is because I have a lot of VPN tunnels up and running.

Does this give you an idea of the problem?

/H

Hi,

Hope this gives you guys some more info.

Here is an output from

debug crypto isakmp 7

Apr 15 15:09:22 [IKEv1]IP = 197.195.111.153, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 852

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing SA payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing ke payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing ISA_KE payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing nonce payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing ID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, Received xauth V6 VID

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, Received DPD VID

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, Received Fragmentation VID

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, Received NAT-Traversal ver 02 VID

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, processing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]IP = 197.195.111.153, Received Cisco Unity client VID

Apr 15 15:09:22 [IKEv1]IP = 197.195.111.153, Connection landed on tunnel_group Inex_VPN

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, processing IKE SA payload

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing ISAKMP SA payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing ke payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing nonce payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, Generating keys for Responder...

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing ID payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing hash payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, Computing hash for ISAKMP

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing Cisco Unity VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing xauth V6 VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing dpd vid payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing NAT-Traversal VID ver 02 payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing NAT-Discovery payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, computing NAT Discovery hash

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing NAT-Discovery payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, computing NAT Discovery hash

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing Fragmentation VID + extended capabilities payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing VID payload

Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Apr 15 15:09:22 [IKEv1]IP = 197.195.111.153, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444

Apr 15 15:09:27 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

Apr 15 15:09:32 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE AM Responder FSM error history (struct &0xae9f33d8)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE SA AM:ea1917e9 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, sending delete/delete with reason message

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing blank hash payload

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing IKE delete payload

Apr 15 15:09:54 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, constructing qm hash payload

Apr 15 15:09:54 [IKEv1]IP = 197.195.111.153, IKE_DECODE SENDING Message (msgid=9e17efb1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Hi again,

Output from

debug crypto isakmp 5

The last line gives a little bit more information, however I do not know if it is relevant.

Apr 15 15:53:53 [IKEv1 DEBUG]IP = 197.195.111.153, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Apr 15 15:53:53 [IKEv1]IP = 197.195.111.153, Connection landed on tunnel_group Inex_VPN

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Apr 15 15:53:53 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2

Apr 15 15:53:59 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

Apr 15 15:54:04 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

Apr 15 15:54:09 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

Apr 15 15:54:25 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE AM Responder FSM error history (struct &0xaf58a950)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Best regards

/Hilmar

Hello,

Apr 15 14:14:18 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Can you change the Diffie-Hellman group from 5 to 2?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have tried to set up three test tunnels, one with DH1, one with DH2 and one with DH5. The result is always the same.

These lines always come in the log, even if it works to connect. I'm assuming it first tests DH2, it doesn't work, then it tests DH5 and it works.

It looks like the problem is with:

Apr 15 15:54:09 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.

However, I don't know why it is happening.

/H

Do you still get the mismatch on the DH group after the changes or now just the duplicate?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I still get the mismatch. When I try from home I have no problem connecting and still the mismatch is shown in the logs. When trying from the shared meeting local in the building I get the mismatch, duplicate and cannot connect.

It looks like the laptop is not getting any answer from the ASA, either ASA is not sending it or the laptop is not receiving it. And I have no idea how to see which is the problem.

/H
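
An added example, not part of the thread or of any Cisco tooling: a small offline filter for saved "debug crypto isakmp" output that keeps one peer's lines, collapses repeated lines, and checks whether the ASA logged sending its first reply (msgid=0) before the "Duplicate first packet" lines appeared. The sample lines are constructed in the format quoted above (192.0.2.10 is a made-up second peer), attaching peerless lines to the previous peer is a heuristic, and reading "reply sent, duplicates still arriving" as a reply lost on the return path is an interpretation, not something the thread confirms.

```python
import re

# Constructed sample in the format of the ASA debug output quoted in the thread.
SAMPLE = """\
Apr 15 15:09:22 [IKEv1]IP = 197.195.111.153, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONE (0) total length : 852
Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 15 15:09:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 15 15:09:22 [IKEv1 DEBUG]Group = Inex_VPN, IP = 197.195.111.153, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Apr 15 15:09:22 [IKEv1]IP = 197.195.111.153, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + HASH (8) + NONE (0) total length : 444
Apr 15 15:09:25 [IKEv1]IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 300
Apr 15 15:09:27 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.
Apr 15 15:09:32 [IKEv1]IP = 197.195.111.153, Duplicate first packet detected.  Ignoring packet.
"""

# timestamp, optional "Group = x, ", optional "IP = a.b.c.d, ", then the message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \[IKEv1(?: DEBUG)?\]"
                  r"(?:Group = \S+, )?(?:IP = +([\d.]+) *, )?(.*)$")

def parse(text):
    """Return (timestamp, peer_or_None, message) for each recognised line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3).strip()))
    return events

def for_peer(events, peer):
    """Keep one peer's lines; collapse consecutive repeats into (ts, msg, count)."""
    kept, last_peer = [], None
    for ts, ip, msg in events:
        last_peer = ip or last_peer  # heuristic: peerless lines follow the previous peer
        if last_peer != peer:
            continue
        if kept and kept[-1][1] == msg:
            kept[-1] = (kept[-1][0], msg, kept[-1][2] + 1)
        else:
            kept.append((ts, msg, 1))
    return kept

def diagnose(events, peer):
    """Did the ASA log its first reply, and did the peer keep retransmitting after it?"""
    reply_sent, dups = False, 0
    for _ts, msg, count in for_peer(events, peer):
        if msg.startswith("IKE_DECODE SENDING Message (msgid=0)"):
            reply_sent = True
        elif msg.startswith("Duplicate first packet") and reply_sent:
            dups += count
    return {"reply_sent": reply_sent, "duplicates_after_reply": dups,
            "reply_probably_lost": reply_sent and dups > 0}

if __name__ == "__main__":
    for ts, msg, n in for_peer(parse(SAMPLE), "197.195.111.153"):
        print(f"{ts}  x{n}  {msg[:70]}")
    print(diagnose(parse(SAMPLE), "197.195.111.153"))
```
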

Hello Hilmar,

Is there a way you could share the configuration?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Though I have not solved the issue, I have set up AnyConnect SSL VPN clients and that works without a hitch. I think I will be using that solution since the licensing is not that expensive if one accepts that there is no clientless SSL.

Thanks for your help jcarvaja.

/Hilmar
