VPN errors

lauraseymore
Level 1

Hi all!

I have trouble with VPN access. I have searched the Internet but can't quite find the solution. Please HELP!!!!  Below is the debug info.

May 25 02:34:31.599: ISAKMP (0): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (N) NEW SA

May 25 02:34:31.599: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 17348

May 25 02:34:31.599: ISAKMP: New peer created peer = 0x2BA1981C peer_handle = 0x80000003

May 25 02:34:31.599: ISAKMP: Locking peer struct 0x2BA1981C, refcount 1 for crypto_isakmp_process_block

May 25 02:34:31.599: ISAKMP: local port 500, remote port 17348

May 25 02:34:31.599: ISAKMP:(0):insert sa successfully sa = 2BD65240

May 25 02:34:31.599: ISAKMP:(0): processing SA payload. message ID = 0

May 25 02:34:31.599: ISAKMP:(0): processing ID payload. message ID = 0

May 25 02:34:31.599: ISAKMP (0): ID payload

        next-payload : 13

        type         : 11

        group id     : ECOCION-VPN

        protocol     : 17

        port         : 500

        length       : 19

May 25 02:34:31.603: ISAKMP:(0):: peer matches vpn-ike-profile-1 profile

May 25 02:34:31.603: ISAKMP:(0):Setting client config settings 2BA19490

May 25 02:34:31.603: ISAKMP:(0):(Re)Setting client xauth list  and state

May 25 02:34:31.603: ISAKMP/xauth: initializing AAA request

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is XAUTH

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is DPD

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): processing IKE frag vendor id payload

May 25 02:34:31.603: ISAKMP:(0):Support for IKE Fragmentation not enabled

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is Unity

May 25 02:34:31.603: ISAKMP:(0): Authentication by xauth preshared

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption 3DES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:actual life: 86400

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:life: 0

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa vpi_length:4

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

May 25 02:34:31.603: ISAKMP:(0):Returning Actual lifetime: 86400

May 25 02:34:31.603: ISAKMP:(0)::Started lifetime timer: 86400.

May 25 02:34:31.603: ISAKMP:(0): processing KE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): processing NONCE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.623: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

May 25 02:34:31.623: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

May 25 02:34:31.623: ISAKMP:(1002): constructed NAT-T vendor-02 ID

May 25 02:34:31.623: ISAKMP:(1002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

May 25 02:34:31.623: ISAKMP (1002): ID payload

        next-payload : 10

        type         : 1

        address      : xxx.xxx.xxx.xxx

        protocol     : 0

        port         : 0

        length       : 12

May 25 02:34:31.623: ISAKMP:(1002):Total payload length: 12

May 25 02:34:31.627: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:31.627: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:31.627: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

May 25 02:34:36.971: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:36.971: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:42.043: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:42.043: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:47.135: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_

May 25 02:34:47.135: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:47.135: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:47.635: ISAKMP (1002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:57.635: ISAKMP (1002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.
no debug all


Laura

If the log is empty then I would be curious what logging levels were selected for the client. Frequently they are set either to not log or at a very low level of sensitivity. Please verify that logging is enabled for the client and that the level is set to high.

HTH

Rick


Laura

It is helpful to know that you are using the Cisco VPN client. It does have the ability to generate log messages that might be helpful. When you start the client there is an option in the tool bar at the top of the main screen for Log. After you click that there is an option for Log Settings. Please set the logs for IKE, Connection Manager, User Authentication, and IPSec to the high level. This will generate log messages when the client tries to connect. After you try to connect and it does not work, you can use the Log tab in the client window or Log/Log Window from the tool bar to view the log entries.

If you set the logging levels and then try to connect it is possible that the entries in the logs might help us to figure out what is going on.

HTH

Rick


ooohhh that is how it works!!! ))))

Cisco Systems VPN Client Version 5.0.07.0440

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      13:21:11.483  05/29/13  Sev=Info/4     CM/0x63100002

Begin connection process

2      13:21:11.486  05/29/13  Sev=Info/4     CM/0x63100004

Establish secure connection

3      13:21:11.486  05/29/13  Sev=Info/4     CM/0x63100024

Attempt connection with server "xxx.xxx.xxx.xxx."

4      13:21:11.488  05/29/13  Sev=Info/6     IKE/0x6300003B

Attempting to establish a connection with xxx.xxx.xxx.xxx..

5      13:21:11.492  05/29/13  Sev=Info/4     IKE/0x63000001

Starting IKE Phase 1 Negotiation

6      13:21:11.496  05/29/13  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx.

7      13:21:11.498  05/29/13  Sev=Info/4     IPSEC/0x63700008

IPSec driver successfully started

8      13:21:11.498  05/29/13  Sev=Info/4     IPSEC/0x63700014

Deleted all keys

9      13:21:16.883  05/29/13  Sev=Info/4     IKE/0x63000021

Retransmitting last packet!

10     13:21:16.883  05/29/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx.

11     13:21:21.953  05/29/13  Sev=Info/4    IKE/0x63000021

Retransmitting last packet!

12     13:21:21.953  05/29/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx.

13     13:21:27.024  05/29/13  Sev=Info/4    IKE/0x63000021

Retransmitting last packet!

14     13:21:27.024  05/29/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx.

15     13:21:32.097  05/29/13  Sev=Info/4    IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=63BFB4B652B836FF R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     13:21:32.608  05/29/13  Sev=Info/4    IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=63BFB4B652B836FF R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     13:21:32.608  05/29/13  Sev=Info/4    CM/0x63100014

Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx." because of "DEL_REASON_PEER_NOT_RESPONDING"

18     13:21:32.608  05/29/13  Sev=Info/5    CM/0x63100025

Initializing CVPNDrv

19     13:21:32.612  05/29/13  Sev=Info/6    CM/0x63100046

Set tunnel established flag in registry to 0.

20     13:21:32.612  05/29/13  Sev=Info/4    IKE/0x63000001

IKE received signal to terminate VPN connection

21     13:21:33.109  05/29/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

22     13:21:33.109  05/29/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

23     13:21:33.109  05/29/13  Sev=Info/4    IPSEC/0x63700014

Deleted all keys

24     13:21:33.109  05/29/13  Sev=Info/4    IPSEC/0x6370000A

IPSec driver successfully stopped

Laura

Yes that is pretty much how it works.

The good news is that we did get some logs from the client. However the logs are not as helpful as I had hoped. The point that I think is worth noting is at msg 5 & 6 the client is starting IKE and sending parameters. Starting at msg 9 the client begins retransmitting and continues to retransmit and does not receive any response from the router. And at msg 15 the client gives up.

I thought that the router debug from early in the thread showed that IKE phase 1 had worked. Could you test again and send a fresh debug from the router?

HTH

Rick


Rick,

Here is debug crypto isakmp

EcocionRTR#debug crypto isakmp

Crypto ISAKMP debugging is on

EcocionRTR#

May 29 19:55:49.171: ISAKMP (0): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (N) NEW SA

May 29 19:55:49.175: ISAKMP: Created a peer struct for 75.166.102.253, peer port 58089

May 29 19:55:49.175: ISAKMP: New peer created peer = 0x31A9393C peer_handle = 0x8000001A

May 29 19:55:49.175: ISAKMP: Locking peer struct 0x31A9393C, refcount 1 for crypto_isakmp_process_block

May 29 19:55:49.175: ISAKMP: local port 500, remote port 58089

May 29 19:55:49.175: ISAKMP:(0):insert sa successfully sa = 3199985C

May 29 19:55:49.175: ISAKMP:(0): processing SA payload. message ID = 0

May 29 19:55:49.175: ISAKMP:(0): processing ID payload. message ID = 0

May 29 19:55:49.175: ISAKMP (0): ID payload

        next-payload : 13

        type         : 11

        group id     : ECOCION-VPN

        protocol     : 17

        port         : 500

        length       : 19

May 29 19:55:49.175: ISAKMP:(0):: peer matches vpn-ike-profile-1 profile

May 29 19:55:49.175: ISAKMP:(0):Setting client config settings 307E939C

May 29 19:55:49.175: ISAKMP:(0):(Re)Setting client xauth list  and state

May 29 19:55:49.175: ISAKMP/xauth: initializing AAA request

May 29 19:55:49.175: ISAKMP:(0): processing vendor id payload

May 29 19:55:49.175: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

May 29 19:55:49.175: ISAKMP:(0): vendor ID is XAUTH

May 29 19:55:49.175: ISAKMP:(0): processing vendor id payload

May 29 19:55:49.175: ISAKMP:(0): vendor ID is DPD

May 29 19:55:49.175: ISAKMP:(0): processing vendor id payload

May 29 19:55:49.175: ISAKMP:(0): processing IKE frag vendor id payload

May 29 19:55:49.175: ISAKMP:(0):Support for IKE Fragmentation not enabled

May 29 19:55:49.175: ISAKMP:(0): processing vendor id payload

May 29 19:55:49.175: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

May 29 19:55:49.175: ISAKMP:(0): vendor ID is NAT-T v2

May 29 19:55:49.175: ISAKMP:(0): processing vendor id payload

May 29 19:55:49.175: ISAKMP:(0): vendor ID is Unity

May 29 19:55:49.175: ISAKMP:(0): Authentication by xauth preshared

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash SHA

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth XAUTHInitPreShared

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 256

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash MD5

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth XAUTHInitPreShared

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 256

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash SHA

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth pre-share

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 256

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash MD5

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth pre-share

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 256

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash SHA

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth XAUTHInitPreShared

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 128

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash MD5

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth XAUTHInitPreShared

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 128

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash SHA

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth pre-share

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 128

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.175: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.175: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

May 29 19:55:49.175: ISAKMP:      encryption AES-CBC

May 29 19:55:49.175: ISAKMP:      hash MD5

May 29 19:55:49.175: ISAKMP:      default group 2

May 29 19:55:49.175: ISAKMP:      auth pre-share

May 29 19:55:49.175: ISAKMP:      life type in seconds

May 29 19:55:49.175: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.175: ISAKMP:      keylength of 128

May 29 19:55:49.175: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 29 19:55:49.179: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 29 19:55:49.179: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

May 29 19:55:49.179: ISAKMP:      encryption 3DES-CBC

May 29 19:55:49.179: ISAKMP:      hash SHA

May 29 19:55:49.179: ISAKMP:      default group 2

May 29 19:55:49.179: ISAKMP:      auth XAUTHInitPreShared

May 29 19:55:49.179: ISAKMP:      life type in seconds

May 29 19:55:49.179: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 29 19:55:49.179: ISAKMP:(0):atts are acceptable. Next payload is 3

May 29 19:55:49.179: ISAKMP:(0):Acceptable atts:actual life: 86400

May 29 19:55:49.179: ISAKMP:(0):Acceptable atts:life: 0

May 29 19:55:49.179: ISAKMP:(0):Fill atts in sa vpi_length:4

May 29 19:55:49.179: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

May 29 19:55:49.179: ISAKMP:(0):Returning Actual lifetime: 86400

May 29 19:55:49.179: ISAKMP:(0)::Started lifetime timer: 86400.

May 29 19:55:49.179: ISAKMP:(0): processing KE payload. message ID = 0

May 29 19:55:49.195: ISAKMP:(0): processing NONCE payload. message ID = 0

May 29 19:55:49.195: ISAKMP:(0): vendor ID is NAT-T v2

May 29 19:55:49.195: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

May 29 19:55:49.195: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

May 29 19:55:49.199: ISAKMP:(1025): constructed NAT-T vendor-02 ID

May 29 19:55:49.199: ISAKMP:(1025):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

May 29 19:55:49.199: ISAKMP (1025): ID payload

        next-payload : 10

        type         : 1

        address      : 97.65.195.68

        protocol     : 0

        port         : 0

        length       : 12

May 29 19:55:49.199: ISAKMP:(1025):Total payload length: 12

May 29 19:55:49.199: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH

May 29 19:55:49.199: ISAKMP:(1025):Sending an IKE IPv4 Packet.

May 29 19:55:49.199: ISAKMP:(1025):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 29 19:55:49.199: ISAKMP:(1025):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

May 29 19:55:54.631: ISAKMP (1025): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (R) AG_INIT_EXCH

May 29 19:55:54.631: ISAKMP:(1025): phase 1 packet is a duplicate of a previous packet.

May 29 19:55:54.631: ISAKMP:(1025): retransmitting due to retransmit phase 1

May 29 19:55:55.131: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH...

May 29 19:55:55.131: ISAKMP (1025): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 29 19:55:55.131: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH

May 29 19:55:55.131: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH

May 29 19:55:55.131: ISAKMP:(1025):Sending an IKE IPv4 Packet.

May 29 19:55:59.711: ISAKMP (1025): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (R) AG_INIT_EXCH

May 29 19:55:59.711: ISAKMP:(1025): phase 1 packet is a duplicate of a previous packet.

May 29 19:55:59.711: ISAKMP:(1025): retransmitting due to retransmit phase 1

May 29 19:56:00.211: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH...

May 29 19:56:00.211: ISAKMP (1025): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 29 19:56:00.211: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH

May 29 19:56:00.211: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH

May 29 19:56:00.211: ISAKMP:(1025):Sending an IKE IPv4 Packet.

May 29 19:56:04.771: ISAKMP (1025): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (R) AG_INIT_EXCH

May 29 19:56:04.771: ISAKMP:(1025): phase 1 packet is a duplicate of a previous packet.

May 29 19:56:04.771: ISAKMP:(1025): retransmitting due to retransmit phase 1

May 29 19:56:05.271: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH...

May 29 19:56:05.271: ISAKMP (1025): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 29 19:56:05.271: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH

May 29 19:56:05.271: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH

May 29 19:56:05.271: ISAKMP:(1025):Sending an IKE IPv4 Packet.

May 29 19:56:15.271: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH...

May 29 19:56:15.271: ISAKMP (1025): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 29 19:56:15.271: ISAKMP:(1025): retransmitting phase 1 AG_INIT_EXCH

May 29 19:56:15.271: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH

May 29 19:56:15.271: ISAKMP:(1025):Sending an IKE IPv4 Packet.
no debug all

All possible debugging has been turned off

Laura

Thanks for the additional debug. Like the earlier one it seems pretty normal down to this point

IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 29 19:55:49.199: ISAKMP:(1025):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

Then there is a bit of delay and the retransmitting begins. I am puzzled at what is going on here. Is there any chance that you are coming from a different source address or perhaps to a different server address (some DNS or DHCP change or something)?

I am wondering a bit if access list 140 is doing something. Can you check on that ACL?

HTH

Rick

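The two logs Rick compares above can be read side by side mechanically. The script below is an added example, not code from the thread, from Cisco, or from the VPN client: it parses a handful of router `debug crypto isakmp` lines and client log lines excerpted from this thread and draws the one conclusion the pair supports. The router received aggressive-mode message 1 ("(N) NEW SA"), accepted transform 9, sent its reply "(R) AG_INIT_EXCH", moved to IKE_R_AM2, and then kept seeing the client's retransmissions as duplicates; the client meanwhile gave up with R_Cookie=0000000000000000, which means it never received that reply and so never learned the responder's cookie. Client-to-router on UDP/500 therefore works and router-to-client does not, which is the direction in which an outbound ACL on the router's WAN interface (such as the access list 140 Rick asks about), a device between the router and the ISP, or a firewall on the client side would need to be checked. The match patterns and verdict strings are the script's own.

```python
"""Correlate a router 'debug crypto isakmp' capture with a Cisco VPN Client log.

Added example, not code from the thread, from Cisco, or from the VPN client.
The sample lines below are excerpted from the logs posted in this thread; the
match patterns and verdict strings are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Router side (responder), excerpted from the May 29 debug in the thread.
ROUTER_DEBUG = """\
May 29 19:55:49.171: ISAKMP (0): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (N) NEW SA
May 29 19:55:49.179: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
May 29 19:55:49.179: ISAKMP:(0):atts are acceptable. Next payload is 3
May 29 19:55:49.199: ISAKMP:(1025): sending packet to ccc.ccc.ccc.ccc my_port 500 peer_port 58089 (R) AG_INIT_EXCH
May 29 19:55:49.199: ISAKMP:(1025):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
May 29 19:55:54.631: ISAKMP (1025): received packet from ccc.ccc.ccc.ccc dport 500 sport 58089 Global (R) AG_INIT_EXCH
May 29 19:55:54.631: ISAKMP:(1025): phase 1 packet is a duplicate of a previous packet.
May 29 19:55:55.131: ISAKMP (1025): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 29 19:55:59.711: ISAKMP:(1025): phase 1 packet is a duplicate of a previous packet.
May 29 19:56:00.211: ISAKMP (1025): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# Client side (initiator), excerpted from the VPN Client log in the thread.
CLIENT_LOG = """\
6      13:21:11.496  05/29/13  Sev=Info/4     IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx.
9      13:21:16.883  05/29/13  Sev=Info/4     IKE/0x63000021
Retransmitting last packet!
10     13:21:16.883  05/29/13  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx.
11     13:21:21.953  05/29/13  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!
15     13:21:32.097  05/29/13  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=63BFB4B652B836FF R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""


@dataclass
class RouterView:
    got_am1: bool = False          # "(N) NEW SA": client's first aggressive-mode message arrived
    accepted: bool = False         # some offered transform matched a policy
    sent_am2: bool = False         # router replied with (R) AG_INIT_EXCH
    reached_r_am2: bool = False    # state machine moved to IKE_R_AM2
    client_duplicates: int = 0     # client's message-1 retransmits seen again
    own_retransmits: int = 0       # router re-sending its reply


@dataclass
class ClientView:
    sent_am1: bool = False
    retransmits: int = 0
    i_cookie: Optional[str] = None
    r_cookie: Optional[str] = None
    fail_reason: Optional[str] = None


REPLY_RE = re.compile(r"sending packet to \S+ .*\(R\) AG_INIT_EXCH")
RETRANS_RE = re.compile(r"attempt \d+ of \d+: retransmit phase 1")
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-Fa-f]+) R_Cookie=([0-9A-Fa-f]+)\) reason = (\w+)")


def parse_router(text: str) -> RouterView:
    v = RouterView()
    for line in text.splitlines():
        if "(N) NEW SA" in line:
            v.got_am1 = True
        elif "atts are acceptable" in line:
            v.accepted = True
        elif REPLY_RE.search(line):
            v.sent_am2 = True
        elif "New State = IKE_R_AM2" in line:
            v.reached_r_am2 = True
        elif "phase 1 packet is a duplicate" in line:
            v.client_duplicates += 1
        elif RETRANS_RE.search(line):
            v.own_retransmits += 1
    return v


def parse_client(text: str) -> ClientView:
    v = ClientView()
    for line in text.splitlines():
        if line.startswith("SENDING >>> ISAKMP OAK AG (SA"):
            v.sent_am1 = True      # the "(Retransmission)" variant is deliberately not counted here
        elif line.startswith("Retransmitting last packet"):
            v.retransmits += 1
        elif "Marking IKE SA for deletion" in line:
            m = COOKIE_RE.search(line)
            if m:
                v.i_cookie, v.r_cookie, v.fail_reason = m.groups()
    return v


def diagnose(r: RouterView, c: ClientView) -> str:
    """Localise the failure to one direction of the UDP/500 exchange."""
    if not c.sent_am1:
        return "client: aggressive-mode message 1 was never sent"
    if not r.got_am1:
        return "client->router: message 1 never reached the router (path or inbound filter toward UDP/500)"
    if not r.accepted:
        return "router: every offered transform rejected (phase-1 policy mismatch)"
    if not r.sent_am2:
        return "router: transform accepted but no reply sent (group/AAA lookup did not complete)"
    if c.r_cookie is not None and set(c.r_cookie) == {"0"} and r.client_duplicates > 0:
        # The router answered and keeps seeing the client's retransmits, so the
        # forward direction works; the client never learned the responder cookie,
        # so the reply is being dropped on the way back.
        return "router->client: reply (R) AG_INIT_EXCH never reached the client (return-path drop)"
    return "inconclusive: collect both logs for the same connection attempt"


if __name__ == "__main__":
    print(diagnose(parse_router(ROUTER_DEBUG), parse_client(CLIENT_LOG)))
```

To use it on a real case, paste the complete router debug and the complete client log for the same connection attempt into the two strings; the verdict is only meaningful when both sides describe the same exchange.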

Laura

Can we try another test? In this test, in addition to debug crypto isakmp, can we also run debug crypto isakmp aaa and debug crypto isakmp error?

HTH

Rick


Thank you for the response! Below are the outputs of the debugs

RTR#debug crypto isakmp aaa

Crypto ISAKMP AAA debugging is on

RTR#

May 30 13:55:34.527: ISAKMP AAA: NAS Port Id is set to 97.65.195.68

May 30 13:55:34.527: ISAKMP:(0):AAA: Nas Port ID set to 97.65.195.68.

May 30 13:55:34.527: ISAKMP/aaa: unique id = 56

May 30 13:55:34.547: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel Client-VPN pw request

May 30 13:55:34.547: ISAKMP:(0):ISAKMP/tunnel: Tunnel Client-VPN PW Request successfully sent to AAA

May 30 13:55:34.547: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA

AAA/AUTHOR/IKE: Processing AV tunnel-password

AAA/AUTHOR/IKE: Processing AV default-domain

AAA/AUTHOR/IKE: Processing AV addr-pool

AAA/AUTHOR/IKE: Processing AV inacl

AAA/AUTHOR/IKE: Processing AV dns-servers

AAA/AUTHOR/IKE: Processing AV wins-servers

AAA/AUTHOR/IKE: Processing AV route-metric

AAA/AUTHOR/IKE: Processing AV max-users

May 30 13:55:34.547: ISAKMP/tunnel: received tunnel atts

RTR#debug crypto isakmp error

Crypto ISAKMP Error debugging is on

RTR#

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3

Laura

Thank you for running the additional tests with additional debug.

The output of debug crypto isakmp error is very consistent with what we saw in the first set of debug - eight times the client proposes a set of attributes which are not accepted and cause an error. Then the ninth set of attributes is accepted.

The output of debug crypto isakmp aaa seems to give us some information that we did not have before. I think what it is showing us is that the authentication of the group ID and password (part of the VPN client profile) is submitted and is successful. And for some reason it does not get to the point where it should prompt for the user ID and password.

I am puzzled what is causing this.

HTH

Rick

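To make Rick's reading of the error debug repeatable (eight "atts are not acceptable" lines, then an accepted transform), here is an added Python triage script that is not part of the thread or of any Cisco tool. It walks `debug crypto isakmp` lines in order, pairs each "offered does not match policy!" reason with the "atts are not acceptable" verdict that follows it, and reports whether any transform was eventually accepted. The sample input is constructed in the shape of the thread's output; the "atts are acceptable" line is assumed to appear in the fuller `debug crypto isakmp` output rather than in `debug crypto isakmp error`.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the thread's debug output (not a real capture):
# eight rejected transforms, then one accepted, as the thread describes.
_REJECT = ("May 30 13:58:58.655: ISAKMP:(0):Encryption algorithm offered does not match policy!\n"
           "May 30 13:58:58.655: ISAKMP:(0):atts are not acceptable. Next payload is 3\n")
_ACCEPT = "May 30 13:58:58.655: ISAKMP:(0):atts are acceptable. Next payload is 0\n"
SAMPLE_DEBUG = _REJECT * 8 + _ACCEPT

# "May 30 13:58:58.655: ISAKMP:(0):<message>"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+: ISAKMP:\((\d+)\):\s*(.*)$")
REASON_RE = re.compile(r"^(.*) offered does not match policy!$")


@dataclass
class ProposalSummary:
    rejected: int = 0                    # transforms the responder refused
    accepted_at: Optional[int] = None    # 1-based position of the first accepted transform
    reasons: Counter = field(default_factory=Counter)


def summarize_proposals(debug_text: str) -> ProposalSummary:
    """Walk the debug lines in order. IOS prints the mismatch reason(s) just before
    the 'atts are not acceptable' verdict for the same transform, so reasons are
    buffered until the verdict line closes that transform."""
    summary = ProposalSummary()
    pending = []
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # AAA, xauth and other non-SA lines are irrelevant here
        msg = m.group(2)
        r = REASON_RE.match(msg)
        if r:
            pending.append(r.group(1))
        elif msg.startswith("atts are not acceptable"):
            summary.rejected += 1
            for why in pending or ["unspecified"]:
                summary.reasons[why] += 1
            pending = []
        elif msg.startswith("atts are acceptable") and summary.accepted_at is None:
            summary.accepted_at = summary.rejected + 1
            pending = []
    return summary


def verdict(summary: ProposalSummary) -> str:
    """Only a negotiation with no accepted transform is a real phase 1 policy fault."""
    if summary.accepted_at is None:
        return ("PHASE1_MISMATCH: no proposal accepted; add a crypto isakmp policy "
                "matching the client's transform")
    return ("PHASE1_OK: %d rejected transform(s) before #%d was accepted; the rejections "
            "are negotiation noise, not the blocking fault"
            % (summary.rejected, summary.accepted_at))


if __name__ == "__main__":
    s = summarize_proposals(SAMPLE_DEBUG)
    print(verdict(s))
    print(dict(s.reasons))
```

Run it against a saved terminal capture instead of `SAMPLE_DEBUG` to get the same summary for a live negotiation; the point is that rejected transforms followed by an accepted one (the thread's case) are a normal client policy walk, while a run with no accepted transform is the mismatch to fix on the router's `crypto isakmp policy`.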

Rick,

I'm puzzled as well. It was working fine and suddenly this... I thought maybe I entered some bad config and forgot, so I restored the last good config and it still did not work... That is why I thought maybe it was a T1 issue, since nothing has changed in the config...

Thank you for not giving up and trying to help...

Laura

You are quite welcome. This has become quite an interesting puzzle to try to solve. I have a couple of things that I want to look into.

There are a couple of possibilities that I want to ask about

- is it possible that there has been a code upgrade on the router or any other change in the network environment (perhaps if there is a firewall examining this traffic or something like that) that could be causing it to stop working?

- is it possible that there has been some kind of Windows update or any other administrative change that could have changed the working environment of the PCs?

HTH

Rick


There was no upgrade. I'm the only person who handles the router and I did not upgrade anything. Also there is no firewall besides this router. There is an OUTburst 1212, which is our T1 that goes into the Cisco router.... Now regarding PCs... I have like 10 users who can't use VPN due to this issue. If it was a PC it would be just one PC; all 10 PCs are unable to connect... I don't think this is a PC issue...

Rick,

I think I have figured out the problem. I did some messing with the firewall. I have made some changes. Now VPN connects and gets the IP address, but then I can't ping anything once I am connected to the network. It says that I am connected and it acts like I'm connected, but there is no access to any servers or anything; I can't even ping the gateway. So I ran this:

RTR#sho crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access1

Username:CISCOUSER

Profile: vpn-ike-profile-1

Group: CISCOVPN

Assigned address:10.202.25.4

Uptime: 00:00:30

Session status: UP-ACTIVE

Peer: ccc.ccc.ccc.ccc port 13483 fvrf: (none) ivrf: (none)

      Phase1_id: CISCOVPN

      Desc: (none)

  IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote ccc.ccc.ccc.ccc/13483 Active

          Capabilities:CXN connid:1017 lifetime:23:59:24

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.202.25.4

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 163 drop 0 life (KB/Sec) 4385892/3569

        Outbound: #pkts enc'ed 88 drop 0 life (KB/Sec) 4385923/3569

Interface: FastEthernet0/0/1

Profile: vpn-ike-profile-1

Session status: DOWN-NEGOTIATING

Peer: ccc.ccc.ccc.ccc port 13475 fvrf: (none) ivrf: (none)

      Desc: (none)

      Phase1_id: (none)

  IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote ccc.ccc.ccc.ccc/13475 Inactive

          Capabilities:N connid:1016 lifetime:0

What do you think?

Laura

I am glad that you have made some progress with this problem and can now establish a VPN connection. I am puzzled at the symptom that you are not able to access any resources. Can I ask if that is true both for resources on inside interfaces and for resources outside of your network?

Is the address assigned (10.202.25.4 according to your display) a proper VPN address from the pool? If you do ipconfig is that the address that it shows?

I notice this in the output

Interface: FastEthernet0/0/1

Profile: vpn-ike-profile-1

Session status: DOWN-NEGOTIATING

It would seem that perhaps the negotiation is not yet completed?

I wonder if another test while running both debug crypto isakmp and debug crypto ipsec would show us anything useful?

HTH

Rick


Dear Laura,

As the crypto session is UP-ACTIVE, I think you should further check the routing.

Thanks

Shanil
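Both Rick's question about the DOWN-NEGOTIATING entry and Shanil's suggestion to check routing can be answered from the `show crypto session detail` counters, so here is an added Python helper (mine, not from the thread or from Cisco) that parses that output into one record per Interface block and classifies each session. The sample text mirrors Laura's paste with the same masked addresses and is constructed, not a live capture. The classification codes, the field names and the phrasing of the checks are my own assumptions: an UP-ACTIVE session that decrypts client packets but encrypts nothing back points at a missing route for the assigned address, while non-zero counters in both directions mean the tunnel itself is forwarding and the fault lies elsewhere.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the thread's "show crypto session detail" paste
# (addresses masked as in the post; not a live capture).
SAMPLE_SESSION = """\
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access1
Username:CISCOUSER
Profile: vpn-ike-profile-1
Group: CISCOVPN
Assigned address:10.202.25.4
Uptime: 00:00:30
Session status: UP-ACTIVE
Peer: ccc.ccc.ccc.ccc port 13483 fvrf: (none) ivrf: (none)
      Phase1_id: CISCOVPN
      Desc: (none)
  IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote ccc.ccc.ccc.ccc/13483 Active
          Capabilities:CXN connid:1017 lifetime:23:59:24
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.202.25.4
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 163 drop 0 life (KB/Sec) 4385892/3569
        Outbound: #pkts enc'ed 88 drop 0 life (KB/Sec) 4385923/3569

Interface: FastEthernet0/0/1
Profile: vpn-ike-profile-1
Session status: DOWN-NEGOTIATING
Peer: ccc.ccc.ccc.ccc port 13475 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote ccc.ccc.ccc.ccc/13475 Inactive
          Capabilities:N connid:1016 lifetime:0
"""

KV_RE = re.compile(r"^\s*([A-Za-z0-9_ ]+?):\s*(.*)$")          # generic "Key: value"
PKTS_RE = re.compile(r"#pkts (dec|enc)'ed (\d+) drop (\d+)")     # IPsec SA counters
SA_RE = re.compile(r"IKEv1 SA: local (\S+) remote (\S+) (Active|Inactive)")
LIFE_RE = re.compile(r"lifetime:(\S+)")


def parse_crypto_sessions(text: str) -> List[Dict[str, object]]:
    """One dict per 'Interface:' block; counters default to 0 for blocks without an IPsec SA."""
    sessions: List[Dict[str, object]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(),
                   "dec": 0, "enc": 0, "drop_in": 0, "drop_out": 0,
                   "ike_state": None, "lifetime": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # legend lines before the first block
        m = PKTS_RE.search(line)
        if m:
            direction, pkts, drops = m.groups()
            cur[direction] = int(pkts)
            cur["drop_in" if direction == "dec" else "drop_out"] = int(drops)
            continue
        m = SA_RE.search(line)
        if m:
            cur["local"], cur["remote"], cur["ike_state"] = m.groups()
            continue
        m = LIFE_RE.search(line)
        if m:
            cur["lifetime"] = m.group(1)
        m = KV_RE.match(line)
        if m:
            cur[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
    return sessions


def assess(sessions: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Classify each session; codes are this script's own, not IOS terminology."""
    out = []
    for s in sessions:
        status = str(s.get("session_status", ""))
        if status == "UP-ACTIVE":
            if s["dec"] > 0 and s["enc"] == 0:
                code, note = "NO_RETURN_TRAFFIC", ("decrypting client packets but encrypting none back: "
                    "check the route for %s points into the tunnel" % s.get("assigned_address", "?"))
            elif s["dec"] == 0 and s["enc"] == 0:
                code, note = "NO_TRAFFIC", "tunnel up but idle; send traffic from the client and re-check"
            else:
                code, note = "BIDIRECTIONAL", ("crypto path forwards both ways; look at ACLs, NAT "
                    "exemption and the inside hosts for the missing replies")
        elif s.get("ike_state") == "Inactive" and s.get("lifetime") == "0":
            code, note = "HALF_OPEN_IKE", ("IKE SA from %s never completed; harmless if the same peer "
                "also has an UP-ACTIVE session, otherwise debug that exchange" % s.get("remote", "?"))
        else:
            code, note = "OTHER", "status %s" % status
        out.append((str(s["interface"]), code, note))
    return out


if __name__ == "__main__":
    for iface, code, note in assess(parse_crypto_sessions(SAMPLE_SESSION)):
        print("%-18s %-18s %s" % (iface, code, note))
```

For the pasted output the script reports the Virtual-Access1 session as BIDIRECTIONAL (163 decrypted, 88 encrypted) and the FastEthernet0/0/1 entry as HALF_OPEN_IKE (Inactive, lifetime 0, same peer on a different source port), which is why the next checks belong on routing, ACLs and NAT rather than on the IKE negotiation itself.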