
Unable to establish Remote VPN through any Cisco AnyConnect VPN client

rafat0426
Level 1

Hi,

We have an ASA5510 with version 7.x and ASDM 5.x. I upgraded it to 8.3 and ASDM 6.2, and I got 250 VPN peers and 2 SSL.

When I try to connect through the client software, I can see in the logs that a UDP port 500 connection is created, as shown below.

Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500)

Nothing else is going on, and I get the error shown below.

Secure VPN Connection terminated Locally by the client

Reason 412: Remote peer is no longer Responding

Connection terminated on.

I suspect it is a VPN-3DES-AES activation key issue.

When I go to Remote Access VPN ---Advanced---SSL Settings, in the left encryption panel, Available Algorithms, I have DES-SHA1. When I try to drag it to the right panel of Active Algorithms, it gives me the error below:

[ERROR] sl encryption rc4-sha1 des-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key

and currently in the right panel of Active Algorithms I have only RC4-SHA1.

Kindly, can anyone suggest what the issue is, or whether this is related to a license/activation key issue?


Yudong Wu
Level 7

You can go to the following link to get 3des license (need cco account)

https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=139

UDP 500 is used by ISAKMP for negotiating the VPN tunnel.

After you apply the license to enable your 3DES (you can check it via "show ver"), try to connect your vpn client again. If it is still not working, please provide the following info,

- running configuration

- the following debug output when you are trying to connect your vpn client

  deb cry isa 128

  deb cry ipsec 128

Hi,

Thanks for your valuable time. This is very, very urgent for me. If the problem is with the license I can go for that, or if it is from the configuration then guide me.

I am really very thankful for your response.

sh activatio-key

Running Permanent Activation Key: 0xaa03fc46 0xccdae02f 0x50325198 0xa7009cc4 0xcd081ab0

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 50 perpetual

Inside Hosts : Unlimited perpetual

Failover : Disabled perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Disabled perpetual

Security Contexts : 0 perpetual

GTP/GPRS : Disabled perpetual

SSL VPN Peers : 2 perpetual

Total VPN Peers : 250 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

AnyConnect Essentials : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

sh version

Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06

0: Ext: Ethernet0/0 : address is c84c.7561.65cc, irq 9

1: Ext: Ethernet0/1 : address is c84c.7561.65cd, irq 9

2: Ext: Ethernet0/2 : address is c84c.7561.65ce, irq 9

3: Ext: Ethernet0/3 : address is c84c.7561.65cf, irq 9

4: Ext: Management0/0 : address is c84c.7561.65d0, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

debug cry isa 128

debug cry ips 128

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:df0356aa terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID

Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN

Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload

Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable

Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!

Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:151b9de7 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID

Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN

Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload

Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable

Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!

Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:44661018 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload

Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID

Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN

Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload

Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable

Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!

Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:7916e0b5 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

From the debug output, you can see that all SA proposals from the client are not acceptable to the ASA.

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!

In general, the VPN client's SA proposal might include 3DES. So, you have to enable 3DES on your ASA and then configure an ISAKMP policy with 3DES.

You can go to the link I posted in the previous response to get the 3DES license.

And then you can run "debug cry isa 255" and "debug cry ipsec 255" to see what SA proposals are sent by VPN clients. And then configure one on your ASA to match it.
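Added example, not part of the original thread: a small Python triage script that ties the two outputs discussed above together, reading "show activation-key" text for the VPN-3DES-AES state and counting "All IKE SA proposals found unacceptable" events per peer. The sample inputs are constructed (documentation address, hypothetical group name) and assume wrapped debug lines have already been rejoined.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the output format quoted in this thread.
LICENSE_OUTPUT = """\
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Disabled       perpetual
Total VPN Peers                : 250            perpetual
"""
DEBUG_OUTPUT = """\
Apr 01 21:59:43 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group EXAMPLE-GROUP
Apr 01 21:59:43 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
Apr 01 21:59:48 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group EXAMPLE-GROUP
Apr 01 21:59:48 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
"""

# "Feature name : Value duration" lines from the license listing.
LICENSE_RE = re.compile(r"^\s*(?P<feature>[^:\n]+?)\s*:\s*(?P<value>\S+)", re.M)
# Phase 1 rejection logged once per attempt at the non-DEBUG level.
REJECT_RE = re.compile(
    r"\[IKEv1\]: IP = (?P<ip>[\d.]+), All IKE SA proposals found unacceptable")

def parse_license(text):
    """Map each licensed feature name to its first value column."""
    return {m["feature"]: m["value"] for m in LICENSE_RE.finditer(text)}

def rejected_peers(text):
    """Count phase 1 proposal rejections per peer address."""
    return Counter(m["ip"] for m in REJECT_RE.finditer(text))

def diagnose(license_text, debug_text):
    """Return one finding per peer, tying rejections to the license state."""
    strong = parse_license(license_text).get("VPN-3DES-AES") == "Enabled"
    findings = []
    for ip, count in sorted(rejected_peers(debug_text).items()):
        if strong:
            cause = "compare the ISAKMP policies with the client's proposals"
        else:
            cause = "VPN-3DES-AES is not enabled, so 3DES/AES proposals cannot match"
        findings.append(f"{ip}: {count} rejected phase 1 attempt(s); {cause}")
    return findings

if __name__ == "__main__":
    for line in diagnose(LICENSE_OUTPUT, DEBUG_OUTPUT):
        print(line)
```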

Hi,

After activating the VPN-DES-AES key it is working.

I am really thankful to you.
