Reason 433: Reason not specified by peer

Kynnzak
Level 1

Has anyone encountered this error before when trying to connect to an ASA with the VPN Client software?

I can't find any details on this error message anywhere.

9 Replies

Hi,

If these errors are for clients sitting behind a NAT device, then you need to enable NAT-T.

Use this command to enable IPSec over NAT-T globally on ASA.

isakmp nat-traversal

Yes, the NAT traversal command is already part of the ASA config. But thanks!

Kevin,

Can you provide a little more information? Is this error showing for all RA VPN client customers, or is it unique to a specific RA user? If it is unique to a specific user, you will need to look at the logs on the FW to determine if the user is in fact at least hitting the ASA while trying to connect.

Have you ruled out any ISP issues on the user side? Or, better question: has the user ever VPN'd in successfully before, or is this the first time?

Have the user turn on the VPN client log (Log Enable on the upper menu); posting these logs after the user attempts to connect can help in giving us clues and determining what the problem could be.

What version of the VPN client are you using, or are all the users using? The more info you can give us, as well as retrieving logs, the better we can help in narrowing down the problem. Generally isakmp nat-traversal is the most common statement to solve issues, but since you have it configured you will need to dig a little more.

IPSec general troubleshooting

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Rgds,
Jorge

Jorge Rodriguez

Thanks Jorge,

The RA VPN used to work flawlessly; the customer doesn't have the technical expertise to make any changes, and from what I can tell the configuration hasn't changed from when I initially set things up. This error is appearing globally, i.e. various VPN client versions, various ISPs, all users attempting to connect.

So far from debug crypto isakmp all I can retrieve is the following:

CSDB-Firewall# Aug 11 10:29:08 [IKEv1]: Group = csdbvpn, Username = flairdata, IP = 71.219.250.75, Removing peer from peer table failed, no match!

Aug 11 10:29:08 [IKEv1]: Group = csdbvpn, Username = flairdata, IP = 71.219.250.75, Error: Unable to remove PeerTblEntry

Partial VPN client log:

4 10:47:15.874 08/11/08 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 156.108.216.189.

5 10:47:15.890 08/11/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 156.108.216.189

6 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 156.108.216.189

7 10:47:15.983 08/11/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 156.108.216.189

8 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

9 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

10 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000001
Peer supports DPD

11 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

12 10:47:16.077 08/11/08 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.

13 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

14 10:47:15.983 08/11/08 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

15 10:47:15.983 08/11/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 156.108.216.189

16 10:47:15.983 08/11/08 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

17 10:47:15.983 08/11/08 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0AB4, Remote Port = 0x1194

18 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

19 10:47:15.983 08/11/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

20 10:47:16.062 08/11/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 156.108.216.189

21 10:47:16.062 08/11/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 156.108.216.189

22 10:47:16.062 08/11/08 Sev=Info/4 CM/0x63100015
Launch xAuth application

23 10:47:16.218 08/11/08 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

24 10:47:16.218 08/11/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

25 10:47:18.655 08/11/08 Sev=Info/4 CM/0x63100017
xAuth application returned

26 10:47:18.655 08/11/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 156.108.216.189

27 10:47:26.218 08/11/08 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

28 10:47:36.218 08/11/08 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

29 10:47:46.218 08/11/08 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

30 10:47:48.765 08/11/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 156.108.216.189

31 10:47:48.765 08/11/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 156.108.216.189

32 10:47:48.765 08/11/08 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies: I_Cookie=06872765FDD402AF R_Cookie=6CF30F32F6FBA1FB

33 10:47:48.765 08/11/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=06872765FDD402AF R_Cookie=6CF30F32F6FBA1FB) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

34 10:47:49.718 08/11/08 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=06872765FDD402AF R_Cookie=6CF30F32F6FBA1FB) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

35 10:47:49.718 08/11/08 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "156.108.216.189" because of "PEER_DELETE-IKE_DELETE_UNSPECIFIED"

36 10:47:49.718 08/11/08 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

37 10:47:49.733 08/11/08 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

38 10:47:49.733 08/11/08 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
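An added example, not code from the original thread or from Cisco: a short Python script that parses the Cisco VPN Client log format posted above (a header line followed by the message) and looks for the sequence that ended in Reason 433 here, namely Phase 1 established, XAUTH reply sent, then nothing from the gateway until an informational DELETE. It reports the gap between the XAUTH reply and the DELETE (about 30 seconds in Kevin's log) so a silent gateway-side failure can be told apart from a prompt rejection. The sample lines are constructed from the log in the post and trimmed to the entries the script needs; the verdict strings are this example's own heuristics, not Cisco's.

```python
"""Added example (not from the original thread, not Cisco code): parse the
Cisco VPN Client log format and flag the post-XAUTH DELETE pattern behind
"Reason 433: Reason not specified by peer" in the thread above.
SAMPLE_LOG is constructed from Kevin's posted log, trimmed to what is needed;
the verdict strings are heuristics of this example only."""
import re
from datetime import datetime

# Entry header: "<seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<Level>/<n> <Module>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=\w+/\d+\s+(?P<module>\w+)/0x[0-9A-Fa-f]+$"
)


def parse_log(text):
    """Return [seq, timestamp, module, message] per entry. The message is the
    first non-blank line after a header; further lines before the next header
    (e.g. the NAT detection status) are appended to that message."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            header = [int(m["seq"]), ts, m["module"]]
        elif header is not None:
            entries.append(header + [line])
            header = None
        elif entries:
            entries[-1][3] += " " + line
    return entries


def diagnose(entries):
    """Classify a failed attempt: the client's stated reason, a verdict, and the
    XAUTH-reply-to-DELETE gap in seconds (None when the pattern does not apply)."""
    phase1 = xauth_reply = delete = reason = None
    other_received = 0  # decoded packets from the gateway after the XAUTH reply
    for _seq, ts, _mod, msg in entries:
        if phase1 is None and msg.startswith("Established Phase 1 SA"):
            phase1 = ts
        elif phase1 and xauth_reply is None and msg.startswith("SENDING >>> ISAKMP OAK TRANS"):
            xauth_reply = ts  # client answered the gateway's XAUTH challenge
        elif xauth_reply and delete is None and msg.startswith("RECEIVING <<<"):
            if "(HASH, DEL)" in msg:
                delete = ts
            else:
                other_received += 1
        elif msg.startswith("Unable to establish Phase 1 SA"):
            m = re.search(r'because of "([^"]+)"', msg)
            reason = m.group(1) if m else msg
    gap = None
    if reason is None:
        verdict = "no Phase 1 failure recorded"
    elif phase1 is None:
        verdict = "Phase 1 never completed: check ISAKMP policy, group pre-shared key and NAT-T"
    elif xauth_reply and delete and other_received == 0:
        gap = (delete - xauth_reply).total_seconds()
        verdict = ("gateway deleted the IKE SA after the XAUTH reply with no other exchange; "
                   "the client never saw an XAUTH result, so check the gateway's AAA/XAUTH path "
                   "(in the thread it was an ACS that had stopped answering)")
    else:
        verdict = "IKE SA deleted outside the silent post-XAUTH pattern: check debug crypto isakmp on the gateway"
    return {"reason": reason, "verdict": verdict, "gap_seconds": gap}


# Constructed sample: a subset of the entries from the post, blank lines included.
SAMPLE_LOG = """\
4 10:47:15.874 08/11/08 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 156.108.216.189.

18 10:47:15.983 08/11/08 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

19 10:47:15.983 08/11/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
21 10:47:16.062 08/11/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 156.108.216.189
25 10:47:18.655 08/11/08 Sev=Info/4 CM/0x63100017
xAuth application returned
26 10:47:18.655 08/11/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 156.108.216.189
31 10:47:48.765 08/11/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 156.108.216.189
33 10:47:48.765 08/11/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=06872765FDD402AF R_Cookie=6CF30F32F6FBA1FB) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
35 10:47:49.718 08/11/08 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "156.108.216.189" because of "PEER_DELETE-IKE_DELETE_UNSPECIFIED"
"""

if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG))
    print(result["reason"], result["gap_seconds"])
    print(result["verdict"])
```

Run it against a full client log saved to a file (`diagnose(parse_log(open(path).read()))`); only the "RECEIVING <<<" decoded lines count as gateway traffic, so the "Received ISAKMP packet" lines that precede them and the client's own keepalives do not mask the silent gap.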

Kynnzak
Level 1

This issue has been resolved. Turns out the ACS implementation had become corrupt, and was not responding to authentication requests.

Thanks to those who replied in an attempt to help!

We are having a client with the same issues. How did you fix the ACS implementation that was corrupt?

I was able to determine the problem was with ACS by reconfiguring the remote VPN to authenticate to the ASA locally; when that worked, I knew the VPN/Crypto configurations were fine, and that there was either a problem with the ACS itself, or the communication between the ASA and the ACS. (Customer was running ACS 4.1 on a Windows server). I then deactivated the CS Tacacs and CS Radius services on the server, and installed IAS and configured it identically to the ACS. This worked, so I knew that the ACS implementation had become corrupted somehow. They had purchased ACS 3.3 years ago, and then the appropriate upgrades to 4.1.3, so I deactivated IAS, reinstalled and reconfigured ACS, and the whole authentication scheme worked once again.

Gareth Gudger
Level 1

I also received this error when setting up a new Remote Access VPN. I think the Logon DN value, which specified the account to do the LDAP query for AAA authentication, was in an OU that was either buried too deep or had special characters that Cisco couldn't comprehend. I moved the login account to another OU and it solved my problem.

http://supertekboy.com/2014/01/23/cisco-vpn-reason-433-reason-not-specified-by-peer/