09-26-2012 08:51 AM - edited 03-11-2019 04:59 PM
Hi,
I have a PIX 515E firewall with Firewall Version 6.3(5) and PDM Version 3.0(4). The firewall has more than 5 site-to-site VPNs and more than 20 dialer VPNs.
Two days back, I made some configuration changes: I removed unwanted dialer VPNs, site-to-site VPNs and access rules. Unfortunately, after that I am not able to connect to any of the dialer VPNs, but all site-to-site VPNs are working fine.
I have restarted the firewall, removed all dialer VPNs and recreated a fresh one, but no hope. (Site-to-site VPNs are working without any issues.)
During the debugging session, I noticed that Phase 1 completes and after that the Mode configuration fails.
When I monitor the Cisco VPN Client ver. 5 log, it says “Received a NOTIFY message with an invalid protocol id (0)”.
I have tried lots of online documents but I couldn’t find a solution for this. Can you please help me out?
I am attaching the debug messages for the PIX and the Cisco VPN client.
<---------------- Debug log FROM PIX 515e -------------------->
SAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for xxx.xxx.14.125, peer port 39172
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xxx.xxx.14.125/1177 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:xxx.xxx.14.125/1177 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: peer is a remote access client
crypto_isakmp_process_block:src:xxx.xxx.14.125, dest:xxx.xxx.14.6 spt:1177 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from xxx.xxx.14.125. message ID = 16621404
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28683)
Unsupported Attr: 28683
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute UNKNOWN (28684)
Unsupported Attr: 28684
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from xxx.xxx.14.125. ID = 812360839
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xxx.xxx.14.125, dest:xxx.xxx.14.6 spt:1177 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 190216805
<---------------- Debug log FROM PIX 515e -------------------->
<---------------- Debug log FROM Cisco VPN client -------------------->
38 10:19:41.593 09/25/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxx.xxx.14.6
39 10:19:41.593 09/25/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.14.6
40 10:19:41.593 09/25/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xxx.xxx.14.6
41 10:19:41.593 09/25/12 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
42 10:19:46.890 09/25/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
<---------------- Debug log FROM Cisco VPN client -------------------->
I would appreciate it if you can resolve this issue. Also, I want to know whether upgrading the firewall to a higher version will solve this issue.
Regards
Kamalji
09-26-2012 10:59 PM
Hello kamalji,
Please post the running config of the PIX for further investigation.
regards
Harish.