VPN Connection Issue - PIX 506E (Windows 7 VPN and Cisco Client)

jones-jeremy
Level 1

I am trying to connect to my PIX using the Cisco Client v5.0 or Windows VPN.

Neither connects, and I am not even seeing the traffic hit the firewall.

Any help would be appreciated.

VPN Client Config

IPsec over UDP
Username - vpngroup1
Password - xxxxxx

Windows VPN

Type - Automatic
Encryption - Optional
Checked are PAP and CHAP

Error Messages

VPN Client

Secure VPN Connection terminated locally by client
Reason 412: The remote peer is no longer responding

Windows VPN

Error 919: The connection could not be established because the authentication protocol used by the RAS/VPN server to verify your username and password could not be matched with the settings in your connection profile

Firewall Configuration

PIX Version 6.3(4)
fixup protocol dns maximum-length 512
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq smtp
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq pptp
access-list outside_access_in permit gre any host xx.xx.xx.xx
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_access_in deny ip 248.0.0.0 248.0.0.0 any
access-list outside_access_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_access_in permit ip host xx.xx.xx.xx any
access-list outside_access_in permit ip host xx.xx.xx.xx any
access-list acl_in permit ip any any
access-list inside_outbound_nat0_acl permit ip JA_Office_Internal 255.255.255.0 Data_Center_internal 255.255.255.0
access-list outside_cryptomap_20 permit ip JA_Office_Internal 255.255.255.0 Data_Center_internal 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor informational
logging buffered debugging
logging trap notifications
logging host outside xx.xx.xx.xx
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.252
ip address inside xx.xx.xx.xx 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote-dhcp-pool xx.xx.xx.xx1-xx.xx.xx.xx
pdm location xx.xx.xx.xx 255.255.255.255 inside
pdm location xx.xx.xx.xx 255.255.255.0 inside
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 127.0.0.0 255.0.0.0 outside
pdm location 172.16.0.0 255.240.0.0 outside
pdm location 248.0.0.0 248.0.0.0 outside
pdm location 224.0.0.0 224.0.0.0 outside
pdm location JA_Office_Internal 255.255.255.0 inside
pdm location Data_Center_internal 255.255.255.0 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.xx netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
route inside JA_Office_Internal 255.255.255.0 xx.xx.xx.xx
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth max-failed-attempts 3
aaa-server vpnauth deadtime 10
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpngrp1 address-pool Remote-dhcp-pool
vpngroup vpngrp1 dns-server xx.xx.xx.xx
vpngroup vpngrp1 default-domain lexja.local
vpngroup vpngrp1 idle-time 1800
vpngroup vpngrp1 password ********
telnet xx.xx.xx.xx 255.255.255.0 inside
telnet timeout 5
ssh timeout 30
console timeout 0
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote-dhcp-pool
vpdn group PPTP-VPDN-GROUP client configuration dns xx.xx.xx.xx
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username XXXX password *********
vpdn enable outside
username XXXX password sGwmrerTEergtETxm/uwysret8jT encrypted privilege 15
terminal width 80
Cryptochecksum:e80d3aa79b72f4c8c34b0c5bc04bd959
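As an added example (not code from the thread), a small Python check that parses a PIX 6.3 config excerpt for the remote-access IPsec pieces and compares the defined vpngroup names with the group name the client is set up with. The excerpt is constructed from the lines posted above; the client group name vpngroup1 is the one listed in the first post, and the config above defines vpngrp1.

```python
# Added example: cross-check a PIX 6.3 remote-access VPN config against the
# group name configured in the Cisco VPN client. Not part of the original thread.
import re

# Constructed excerpt mirroring the config posted above (addresses masked as on the page).
PIX_CONFIG = """\
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
sysopt connection permit-ipsec
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
vpngroup vpngrp1 address-pool Remote-dhcp-pool
vpngroup vpngrp1 password ********
"""


def vpngroups(config):
    """Return the set of vpngroup names defined in the config."""
    return set(re.findall(r"^vpngroup\s+(\S+)\s", config, re.M))


def check_remote_access(config, client_group):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    groups = vpngroups(config)
    # The client's group name must match a vpngroup on the PIX exactly.
    if client_group not in groups:
        findings.append(f"client group '{client_group}' not defined; config has {sorted(groups)}")
    if not re.search(r"^isakmp enable outside$", config, re.M):
        findings.append("isakmp is not enabled on the outside interface")
    # IPsec over UDP through a NAT device relies on NAT traversal being enabled.
    if not re.search(r"^isakmp nat-traversal\b", config, re.M):
        findings.append("isakmp nat-traversal is not enabled")
    # Remote-access peers with unknown addresses need a dynamic crypto map entry.
    if not re.search(r"^crypto map \S+ \d+ ipsec-isakmp dynamic ", config, re.M):
        findings.append("no dynamic crypto map entry for remote-access peers")
    if not re.search(r"^sysopt connection permit-ipsec$", config, re.M):
        findings.append("sysopt connection permit-ipsec is missing")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access(PIX_CONFIG, "vpngroup1"):
        print("finding:", finding)
```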

7 Replies

Jennifer Halim
Cisco Employee

If you are not seeing the traffic hit the firewall, it seems more to be an issue with your laptop/client side.

Are other people able to connect and you are the only one with the issue, or is no one able to connect at all?

I have VPN connections to 5500 Series and PIX that connect without issue.

I have also tried this connection from another PC, with the same error messages.

Can you please share the error logs from the PC?

Cisco VPN Client Log

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

2      10:56:25.431  07/02/12  Sev=Critical/1 CVPND/0xE3400003
Function SocketApiBind() failed with an error code of 0xFFFFFFF8(C:\temp\build\rel_5.0.70.246728277571-Tue-23-Mar-2010-19-10-12\rel_5.0.7\PubKeyPK\SRC\ike-init-state.cpp:412)

Windows VPN Client Log

Event Type:     Error
Event Source:   RasMan
Event Category: None
Event ID:       20276
Date:           7/2/2012
Time:           11:03:44 AM
User:           N/A
Computer:       xxxxx-PC.XXXXX.local
Description:
: The connection attempt failed on port: VPN3-1 because of the authentication protocol selected. Check to see if the authentication protocol is supported in the operating systems at the client and server ends of the connection

Event Type:     Error
Event Source:   RasMan
Event Category: None
Event ID:       20276
Date:           7/2/2012
Time:           10:59:36 AM
User:           N/A
Computer:       XXXXX-PC.XXXX.local
Description:
: The connection attempt failed on port: VPN3-1 because of the authentication protocol selected. Check to see if the authentication protocol is supported in the operating systems at the client and server ends of the connection

Do you have any other software or application running on the pc that might be listening on UDP/500?

Please disable that application and connect the VPN client.

To check, run "netstat -an" from a DOS prompt.

No, there should be nothing using UDP/500.

netstat -an

UDP    0.0.0.0:67             *:*
UDP    0.0.0.0:68             *:*
UDP    0.0.0.0:68             *:*
UDP    0.0.0.0:69             *:*
UDP    0.0.0.0:123            *:*
UDP    0.0.0.0:138            *:*
UDP    0.0.0.0:162            *:*
UDP    0.0.0.0:500            *:*
UDP    0.0.0.0:1196           *:*
UDP    0.0.0.0:1900           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:4500           *:*
UDP    0.0.0.0:5353           *:*
UDP    0.0.0.0:5355           *:*
UDP    0.0.0.0:6004           *:*
UDP    0.0.0.0:8082           *:*
UDP    0.0.0.0:10115          *:*
UDP    0.0.0.0:49154          *:*
UDP    0.0.0.0:49788          *:*
UDP    0.0.0.0:54295          *:*
UDP    0.0.0.0:58627          *:*
UDP    0.0.0.0:59797          *:*
UDP    0.0.0.0:59799          *:*
UDP    127.0.0.1:1900         *:*
UDP    127.0.0.1:49152        *:*
UDP    127.0.0.1:49153        *:*
UDP    127.0.0.1:49156        *:*
UDP    127.0.0.1:49157        *:*
UDP    127.0.0.1:49158        *:*
UDP    127.0.0.1:49653        *:*
UDP    127.0.0.1:49918        *:*
UDP    127.0.0.1:50091        *:*
UDP    127.0.0.1:51125        *:*
UDP    127.0.0.1:51825        *:*
UDP    127.0.0.1:54951        *:*
UDP    127.0.0.1:55581        *:*
UDP    127.0.0.1:55750        *:*
UDP    127.0.0.1:56285        *:*
UDP    127.0.0.1:58254        *:*
UDP    127.0.0.1:59276        *:*
UDP    127.0.0.1:59534        *:*
UDP    127.0.0.1:61375        *:*
UDP    127.0.0.1:61479        *:*
UDP    127.0.0.1:62514        *:*
UDP    127.0.0.1:64584        *:*
UDP    192.168.100.67:137     *:*
UDP    192.168.100.67:138     *:*
UDP    192.168.100.67:1900    *:*
UDP    192.168.100.67:5353    *:*
UDP    192.168.100.67:49917   *:*
UDP    [::]:123               *:*
UDP    [::]:500               *:*
UDP    [::]:3702              *:*
UDP    [::]:3702              *:*
UDP    [::]:3702              *:*
UDP    [::]:3702              *:*
UDP    [::]:3702              *:*
UDP    [::]:3702              *:*
UDP    [::]:4500              *:*
UDP    [::]:5355              *:*
UDP    [::]:8082              *:*
UDP    [::]:10115             *:*
UDP    [::]:49155             *:*
UDP    [::]:58628             *:*
UDP    [::]:59798             *:*
UDP    [::]:59800             *:*
UDP    [::1]:1900             *:*
UDP    [::1]:5353             *:*
UDP    [::1]:49916            *:*
UDP    [fe80::2c5d:2b9c:7172:c3cd%11]:1900  *:*
UDP    [fe80::2c5d:2b9c:7172:c3cd%11]:49915  *:*

Looks like there is, as UDP/500 is listed above:

UDP    0.0.0.0:500            *:*

UDP    [::]:4500              *:*
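The check suggested in the two replies above (run netstat -an and look for anything already bound to UDP/500), as an added Python example that is not part of the thread: it parses netstat -an style output and reports UDP sockets on the ports the Cisco VPN client needs to bind, IKE on 500 and NAT-T on 4500. The sample lines are constructed, modelled on the listing posted above.

```python
# Added example: scan "netstat -an" output for listeners on the UDP ports the
# Cisco VPN client must bind itself (500 for IKE, 4500 for IPsec NAT-T).
# Not part of the original thread.
import re

IKE_PORTS = {500: "IKE (isakmp)", 4500: "IPsec NAT-T"}

# Constructed sample, modelled on the netstat listing posted above.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    [::]:500               *:*
  UDP    [fe80::2c5d:2b9c:7172:c3cd%11]:1900  *:*
"""

# Protocol, local address (IPv4 or bracketed IPv6), port, then the foreign address.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (proto, local_addr, port) tuples from netstat -an style lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def ike_port_conflicts(text):
    """Return sorted (addr, port, label) tuples for UDP sockets bound to IKE ports.

    Any such socket is held by another process (typically the OS IKE/IPsec
    service or another VPN product), so the Cisco client cannot bind it, which
    is consistent with the SocketApiBind() failure in the client log above."""
    hits = set()
    for proto, addr, port in parse_netstat(text):
        if proto == "UDP" and port in IKE_PORTS:
            hits.add((addr, port, IKE_PORTS[port]))
    return sorted(hits)


if __name__ == "__main__":
    for addr, port, label in ike_port_conflicts(NETSTAT_SAMPLE):
        print(f"UDP {addr}:{port} already bound ({label})")
```

Running netstat -ano instead adds the owning PID as a last column, which identifies the service or program holding the port.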
