
VPN errors

lauraseymore
Level 1

Hi all!

I have trouble with VPN access. I have searched I-net but can't quite find the solution. Please HELP!!!! Below is the debug info:

May 25 02:34:31.599: ISAKMP (0): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (N) NEW SA

May 25 02:34:31.599: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 17348

May 25 02:34:31.599: ISAKMP: New peer created peer = 0x2BA1981C peer_handle = 0x80000003

May 25 02:34:31.599: ISAKMP: Locking peer struct 0x2BA1981C, refcount 1 for crypto_isakmp_process_block

May 25 02:34:31.599: ISAKMP: local port 500, remote port 17348

May 25 02:34:31.599: ISAKMP:(0):insert sa successfully sa = 2BD65240

May 25 02:34:31.599: ISAKMP:(0): processing SA payload. message ID = 0

May 25 02:34:31.599: ISAKMP:(0): processing ID payload. message ID = 0

May 25 02:34:31.599: ISAKMP (0): ID payload

        next-payload : 13

        type         : 11

        group id     : ECOCION-VPN

        protocol     : 17

        port         : 500

        length       : 19

May 25 02:34:31.603: ISAKMP:(0):: peer matches vpn-ike-profile-1 profile

May 25 02:34:31.603: ISAKMP:(0):Setting client config settings 2BA19490

May 25 02:34:31.603: ISAKMP:(0):(Re)Setting client xauth list  and state

May 25 02:34:31.603: ISAKMP/xauth: initializing AAA request

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is XAUTH

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is DPD

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): processing IKE frag vendor id payload

May 25 02:34:31.603: ISAKMP:(0):Support for IKE Fragmentation not enabled

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is Unity

May 25 02:34:31.603: ISAKMP:(0): Authentication by xauth preshared

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption 3DES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:actual life: 86400

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:life: 0

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa vpi_length:4

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

May 25 02:34:31.603: ISAKMP:(0):Returning Actual lifetime: 86400

May 25 02:34:31.603: ISAKMP:(0)::Started lifetime timer: 86400.

May 25 02:34:31.603: ISAKMP:(0): processing KE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): processing NONCE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.623: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

May 25 02:34:31.623: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

May 25 02:34:31.623: ISAKMP:(1002): constructed NAT-T vendor-02 ID

May 25 02:34:31.623: ISAKMP:(1002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

May 25 02:34:31.623: ISAKMP (1002): ID payload

        next-payload : 10

        type         : 1

        address      : xxx.xxx.xxx.xxx

        protocol     : 0

        port         : 0

        length       : 12

May 25 02:34:31.623: ISAKMP:(1002):Total payload length: 12

May 25 02:34:31.627: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:31.627: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:31.627: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

May 25 02:34:36.971: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:36.971: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:42.043: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:42.043: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:47.135: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_

May 25 02:34:47.135: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:47.135: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:47.635: ISAKMP (1002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:57.635: ISAKMP (1002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.

no debug all
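A triage sketch for the debug output in the question above, added here as an example; it is not part of the original post or of any Cisco tooling. It reports which ISAKMP transform the router accepted and counts the duplicate and retransmit lines that follow; the function name `summarize`, the `stalled` flag and the abridged sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample: abridged lines in the format of the debug output posted above.
SAMPLE = """\
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
May 25 02:34:31.603: ISAKMP:      encryption AES-CBC
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
May 25 02:34:31.603: ISAKMP:      encryption 3DES-CBC
May 25 02:34:31.603: ISAKMP:      hash SHA
May 25 02:34:31.603: ISAKMP:      default group 2
May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3
May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
STATE = re.compile(r"New State = (\S+)")
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")

def summarize(log):
    """Summarize phase 1 negotiation from 'debug crypto isakmp' text."""
    cur = None
    out = {"accepted": None, "rejected": [], "last_state": None,
           "duplicates": 0, "retransmits": 0}
    for line in log.splitlines():
        if m := CHECK.search(line):
            cur = {"id": int(m.group(1))}
        elif (m := ATTR.search(line)) and cur is not None:
            cur[m.group(1).replace("default ", "")] = m.group(2)
        elif "atts are not acceptable" in line and cur:
            out["rejected"].append(cur["id"])
        elif "atts are acceptable" in line and cur:
            out["accepted"], cur = cur, None
        elif m := STATE.search(line):
            out["last_state"] = m.group(1)
        elif "duplicate of a previous packet" in line:
            out["duplicates"] += 1
        elif m := RETRY.search(line):
            out["retransmits"] = int(m.group(1))
    # A transform was accepted, yet the router keeps seeing duplicates of the
    # peer's packet and retransmitting its own reply: phase 1 never completes.
    out["stalled"] = bool(out["accepted"]) and out["duplicates"] > 0 and out["retransmits"] > 0
    return out
```

On the full log from the post, the same function would list transforms 1 through 8 as rejected before the accepted one.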

47 Replies

If you have telnetted or ssh to the device, please ensure 'term mon' is enabled for debug output


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

I'm connected using console port...

Laura

Are we sure that the other end is attempting to connect while you are running the debug?

HTH

Rick


Rick,

When I run debug crypto ipsec I get no output but if I run debug crypto isakmp I get the output...

Laura

Would you post the output of show crypto isakmp sa and of show crypto ipsec sa?

HTH

Rick


Rick,

I get no output for the sho crypto ipsec sa and the output for sho crypto isakmp sa is below

RTR#sho crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

Thank you very much for looking into this...

Laura

Thank you for the output. It certainly eliminates the theory that we might be at the max number of users.

I see this in the config that you posted

client authentication list vpn_xauth_ml_1

but do not see any other reference to the authentication method. Can you tell me how the users are to be authenticated and whether there is any indication that users are attempting to authenticate in these connection attempts? And if they are attempting to authenticate, whether the attempt is a success or a failure?

HTH

Rick


Rick,

Normally I have a window pop up on the VPN Client application asking for a user name and password. But I get an error message: "Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding. "

Thank you

Laura

That may be helpful information. So it looks like something is happening before the authentication step. Can you tell us how the authentication would be done if it were working?

HTH

Rick


Normally I hit the connect button on the Cisco client application and a few sec later I get a window with a user name and password. I enter user name and password and a few more sec I'm connected. If that is what you are asking? And right now I don't get the user name and password window and instead I get the error message...

Laura

What I am asking is how the router determines whether the user ID and password are correct. Is there an authentication server that determines this? Or is it on the router itself?

One thing that might help a bit with this question would be if you would post the output of this command

show run | include vpn_xauth_ml_1

HTH

Rick


I have responded yesterday but just now realized it did not thro

Rick,

There is no server, the router does it. There is a list of users with passwords that are using VPN. Here is the output for the command

EcocionRTR#show run | include vpn_xauth_ml_1

aaa authentication login vpn_xauth_ml_1 local

   client authentication list vpn_xauth_ml_1

Again, thank you very much for your help

Laura

Thanks for the additional information. So that eliminates the possibility that problems with an authentication server might have caused this.

What kind of VPN client is this? Are there any logs from the client that might help us understand what is going on?

HTH

Rick


Rick,

I'm using Cisco VPN 5.0.07.0440... I tried to update to the newer one but I get an error message... I use Win 7... All of the clients use Win 7 and neither one of us can connect...

Thanks

and the log is empty, there is nothing there...