- Cisco Community
- Technology and Support
- Security
- VPN
- VPN authenticates then drops connection.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
VPN authenticates then drops connection.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 12:33 PM
Im using a Cisco ASA 5505 at the head end and the Cisco VPN client 5.0.06.0160 on the client side.
In the VPN Client logs it authenticates, grabs an IP, DNS and domain info and then drops the connection. I'm sitting at home sick today and am getting beyond frustrated. Can anyone point me in the right direction?
Here is the client log.
1 12:05:57.052 02/03/11 Sev=Info/4 CM/0x63100002
Begin connection process
2 12:05:57.164 02/03/11 Sev=Info/4 CM/0x63100004
Establish secure connection
3 12:05:57.164 02/03/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.102"
4 12:05:57.174 02/03/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.102.
5 12:05:57.204 02/03/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 12:05:57.254 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to xxx.xxx.xxx.102
7 12:05:57.274 02/03/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 12:05:57.274 02/03/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 12:05:57.304 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
10 12:05:57.354 02/03/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
11 12:05:57.304 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from xxx.xxx.xxx.102
12 12:05:57.304 02/03/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 12:05:57.304 02/03/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 12:05:57.304 02/03/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 12:05:57.314 02/03/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
16 12:05:57.324 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to xxx.xxx.xxx.102
17 12:05:57.324 02/03/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xC2D7, Remote Port = 0x01F4
18 12:05:57.324 02/03/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
19 12:05:57.344 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
20 12:05:57.344 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.102
21 12:05:57.344 02/03/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
22 12:06:02.448 02/03/11 Sev=Info/4 CM/0x63100017
xAuth application returned
23 12:06:02.449 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.102
24 12:06:02.479 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
25 12:06:02.479 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.102
26 12:06:02.479 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.102
27 12:06:02.480 02/03/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
28 12:06:02.488 02/03/11 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
29 12:06:02.489 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.102
30 12:06:02.523 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
31 12:06:02.523 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.102
32 12:06:02.523 02/03/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.10.1.200
33 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
34 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.10.1.5
35 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.10.1.2
36 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
37 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = contoso.net
38 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000001
39 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39
40 12:06:02.524 02/03/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
41 12:06:02.529 02/03/11 Sev=Info/4 CM/0x63100019
Mode Config data received
42 12:06:02.542 02/03/11 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.10.1.200, GW IP = xxx.xxx.xxx.102, Remote IP = 0.0.0.0
43 12:06:02.638 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID) to xxx.xxx.xxx.102
44 12:06:02.669 02/03/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 12:06:02.680 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
46 12:06:02.680 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.102
47 12:06:02.681 02/03/11 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 1000 seconds
48 12:06:02.681 02/03/11 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 995 seconds from now
49 12:06:02.710 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
50 12:06:02.711 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from xxx.xxx.xxx.102
51 12:06:02.712 02/03/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xxx.xxx.xxx.102
52 12:06:02.712 02/03/11 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=BB8B5AF1
53 12:06:02.713 02/03/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4CF73749E903A056 R_Cookie=3A748E506137AC1B) reason = DEL_REASON_IKE_NEG_FAILED
54 12:06:02.714 02/03/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.102
55 12:06:02.714 02/03/11 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=4CF73749E903A056 R_Cookie=3A748E506137AC1B
56 12:06:02.714 02/03/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from xxx.xxx.xxx.102
57 12:06:05.719 02/03/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4CF73749E903A056 R_Cookie=3A748E506137AC1B) reason = DEL_REASON_IKE_NEG_FAILED
58 12:06:05.719 02/03/11 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
59 12:06:05.719 02/03/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
60 12:06:05.799 02/03/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
61 12:06:05.799 02/03/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
62 12:06:06.222 02/03/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 12:06:06.222 02/03/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
64 12:06:06.222 02/03/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
65 12:06:06.223 02/03/11 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
- Labels:
-
VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 07:30 PM
Hi,
It seems there's a problem with the address assigned but this should not drop the connection.
Seems like something else is going on perhaps a not-supported parameter on the VPN configuration for the VPN client.
Can you post the VPN configuration?
Federico.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 08:20 PM
I got this issue sorted today. I'll post my config below.
I had been using the ASDM for all my configuration and the VPN wizzard as I was not well versed in the CCO CLI. I dumped my config to compare to an example from the CCO site and saw what a mess it was so I started reading and learning the CLI. In the guide I was reading I came across this little nugget:
ISAKMP Policy Group
Cisco VPN Client Version 3.x or higher requires a minimum of group 2. (If you configure DH Group 1, the VPN Client cannot connect)
Well, because there is no explanation of the difference between groups in the literature that came with the ASA, or any of the dozens of CCO configuration examples they have on their site, mine was set to group 1. Why group 1? Because until now I couldn't find a reason not to.
Changed that, cleaned up the a lot of the nonsense the ASDM was tossing around and the client now connects.
So currently I can connect and ping anything on my internal network but i'm not getting name resolution. I'll try to figure that out tomorrow but here is the original config created by the ASDM. It's crap. Hopefully this helps someone else down the road.
ASA Version 7.2(4)
!
hostname xyz-BackDraft
domain-name ACME.net
enable password yAvIrfiKDu/oTQ1m encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name xxx.xxx.xxx.201 The.Cloud
!
interface Vlan1
nameif ACME
security-level 100
ip address 10.10.1.10 255.255.255.0
!
interface Vlan2
nameif The.Cloud
security-level 0
pppoe client vpdn group ACME
ip address pppoe setroute
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup ACME
dns server-group DefaultDNS
name-server 10.10.1.5
name-server 10.10.1.2
domain-name ACME.net
access-list ACME.Remote.Users_splitTunnelAcl remark ACME Internal Network
access-list ACME.Remote.Users_splitTunnelAcl standard permit 10.10.1.0 255.255.255.0
access-list The.Cloud_cryptomap_65535.1 extended permit ip any 10.10.1.0 255.255.255.0
access-list The.Cloud_access_in extended permit ip any any
access-list ACME_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu The.Cloud 1500
mtu ACME 1500
mtu dmz 1500
ip local pool RemotePool#1 10.10.1.200-10.10.1.225 mask 255.255.255.0
no failover
monitor-interface The.Cloud
monitor-interface ACME
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (The.Cloud) 1 interface
nat (ACME) 1 0.0.0.0 0.0.0.0
access-group The.Cloud_access_in in interface The.Cloud
access-group ACME_access_in in interface ACME
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.1.0 255.255.255.0 ACME
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dmz_dyn_map 20 set pfs group1
crypto dynamic-map dmz_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map The.Cloud_dyn_map 1 match address The.Cloud_cryptomap_65535.1
crypto dynamic-map The.Cloud_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA ESP-DES-SHA ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-256-SHA
crypto map dmz_map 65535 ipsec-isakmp dynamic dmz_dyn_map
crypto map The.Cloud_map 65535 ipsec-isakmp dynamic The.Cloud_dyn_map
crypto map The.Cloud_map interface The.Cloud
crypto isakmp enable The.Cloud
crypto isakmp enable ACME
crypto isakmp policy 1
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ACME request dialout pppoe
vpdn group ACME localname ACME9870@static.att.net
vpdn group ACME ppp authentication pap
vpdn username ACME9870@static.att.net password *********
dhcpd auto_config The.Cloud
!
dhcpd address 10.10.1.11-10.10.1.254 ACME
!
webvpn
enable The.Cloud
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 10.10.1.5 10.10.1.2
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout 122
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value RemotePool#1
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc enable
svc keep-installer installed
svc keepalive 240
svc rekey time none
svc rekey method ssl
svc dpd-interval client 300
svc dpd-interval gateway 300
svc compression deflate
group-policy ACME internal
group-policy ACME attributes
dns-server value 10.10.1.5 10.10.1.2
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
re-xauth enable
group-lock value ACME
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelall
split-tunnel-network-list value ACME.Remote.Users_splitTunnelAcl
default-domain value ACME
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
leap-bypass disable
nem disable
nac enable
nac-sq-period 300
nac-reval-period 36000
webvpn
svc enable
username ACME password ffOM3eyv4/xVNg2D encrypted
username ACME attributes
vpn-group-policy DfltGrpPolicy
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage enable
group-lock none
webvpn
svc enable
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc dpd-interval client 600
svc dpd-interval gateway 600
username cisco password Sg/lWA234RgHr./6 encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
address-pool RemotePool#1
authorization-server-group LOCAL
authorization-server-group (The.Cloud) LOCAL
authorization-required
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool RemotePool#1
authorization-server-group LOCAL
authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 10.10.1.5 master timeout 2 retry 2
nbns-server 10.10.1.2 master timeout 2 retry 2
tunnel-group ACME type ipsec-ra
tunnel-group ACME general-attributes
address-pool RemotePool#1
default-group-policy ACME
tunnel-group ACME ipsec-attributes
pre-shared-key *
tunnel-group ACME ppp-attributes
authentication ms-chap-v2
tunnel-group-map enable rules
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:921858bf7696cc78f05656914f2eb6f0
: end
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: