Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- Technology and Support
- Security
- VPN
- Anyconnect error: Authentication Failure or timeout
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
3921
Views
0
Helpful
3
Replies
Anyconnect error: Authentication Failure or timeout
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2021 11:36 AM - edited 05-18-2021 11:46 AM
Hi,
Once I confirm certificate(self signed) and after entering credentials i get the following authentication error:
I am using local AAA and credentials are correct.
Any input would be much appreciated.
Is this possibly a certificate error?
The router is a CA at the moment.
I included debug crypto ikev, AAA authentication and autherization
Many thanks in advanced!
Current configuration : 6532 bytes
!
! Last configuration change at 16:38:32 UTC Tue May 18 2021
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.157-3.M3.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name NWL.LAB
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki server R1-CA
no database archive
issuer-name cn="R1-CA"
grant auto
!
crypto pki trustpoint R1-CA
revocation-check crl
rsakeypair R1-CA
!
crypto pki trustpoint R1-CLIENT
enrollment url http://192.168.1.1:80
subject-name cn=R1-CLIENT.LAB.NWL
revocation-check crl
!
!
crypto pki certificate chain R1-CA
certificate ca 01
308201F9 30820162 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313831 34353333
305A170D 32343035 31373134 35333330 5A301031 0E300C06 03550403 13055231
2D434130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
F0BD87AF 9E7CEE8F E594A8FC E74152EB CA2E4C7B 3E824249 F448E94E 510135C2
B4F8D804 20C13EC3 4DB30E47 854F4FC5 B497FAAD A3C03542 601BED1E D5ACFD0D
FB506400 F4181F69 95DE4DF0 D925362F 93C71C0E 53428858 F21CA879 C1A6E12E
C7781405 854DBCBC FFF6195F 41D4AFD1 A4FC4626 DCE4F893 93C0172E 812B1F4B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 16801448 817159D8 99FADAFD
41BAE703 BC67058E B2926930 1D060355 1D0E0416 04144881 7159D899 FADAFD41
BAE703BC 67058EB2 9269300D 06092A86 4886F70D 01010405 00038181 0021449A
35FB6FE0 CC05D08D DE708A9F 107CF73A C792324C 7979F415 46B6CD0E 19D5B1A3
2686DE11 2A6ED3FF B3E07C4D DB64EE7E A62F1B0B 6DADC4DE 7FD6187A 658D8AC3
0CA1F7C8 F7E4C9B9 967A2B2B 105012E5 EAB5492A 830B1D00 27907B7A CF3687BA
A2DB0523 5D6DD967 588D4AF7 6B69AE8F F515F934 B66E5D74 6EDFF1D5 E9
quit
crypto pki certificate chain R1-CLIENT
certificate 02
3082020C 30820175 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313831 34353933
375A170D 32323035 31383134 35393337 5A303731 1A301806 03550403 13115231
2D434C49 454E542E 4C41422E 4E574C31 19301706 092A8648 86F70D01 0902160A
52312E4E 574C2E4C 41423081 9F300D06 092A8648 86F70D01 01010500 03818D00
30818902 818100B2 1468C024 BE50C862 879E751C 67432243 8A0B8CE6 68107F45
0A9E84E7 A197DB52 BD274AE6 CF881EC0 2AE57EAB CEFE62FE 05DFD5FE 3D7A6485
1BC3EC73 613A5FA5 E8756A04 ADC003DE 30DE778B DDC8955D A7ED36BB C4BF1003
42215247 EB1E6AFD 745CF612 8DC7CA30 FC9B566B 571F3DDC 9F83D2C2 650542B5
5B40FBF6 ED7EB102 03010001 A34F304D 300B0603 551D0F04 04030205 A0301F06
03551D23 04183016 80144881 7159D899 FADAFD41 BAE703BC 67058EB2 9269301D
0603551D 0E041604 14804E74 653CFABF 1984788B 9A231896 829A34DC 3D300D06
092A8648 86F70D01 01050500 03818100 4CD4FEBF E026AC3D 893E16A3 F4328F46
A449F6F0 62D315D8 81B1983E 64DA304E CD89948B DF78C64F 03A3A3C3 65791C5D
586826AC FB29BBA9 399E7AEC 4347ECAB D4FEFBFE C28A9534 F7662794 0169BF7C
EA1A2638 B9081AED B36A94BF 1B5DF537 9C31FB4D 48D7B7ED 58284D15 FD221186
4AA3E3F8 AD461E8C D21E4069 8B9DD5B7
quit
certificate ca 01
308201F9 30820162 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
10310E30 0C060355 04031305 52312D43 41301E17 0D323130 35313831 34353333
305A170D 32343035 31373134 35333330 5A301031 0E300C06 03550403 13055231
2D434130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
F0BD87AF 9E7CEE8F E594A8FC E74152EB CA2E4C7B 3E824249 F448E94E 510135C2
B4F8D804 20C13EC3 4DB30E47 854F4FC5 B497FAAD A3C03542 601BED1E D5ACFD0D
FB506400 F4181F69 95DE4DF0 D925362F 93C71C0E 53428858 F21CA879 C1A6E12E
C7781405 854DBCBC FFF6195F 41D4AFD1 A4FC4626 DCE4F893 93C0172E 812B1F4B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 16801448 817159D8 99FADAFD
41BAE703 BC67058E B2926930 1D060355 1D0E0416 04144881 7159D899 FADAFD41
BAE703BC 67058EB2 9269300D 06092A86 4886F70D 01010405 00038181 0021449A
35FB6FE0 CC05D08D DE708A9F 107CF73A C792324C 7979F415 46B6CD0E 19D5B1A3
2686DE11 2A6ED3FF B3E07C4D DB64EE7E A62F1B0B 6DADC4DE 7FD6187A 658D8AC3
0CA1F7C8 F7E4C9B9 967A2B2B 105012E5 EAB5492A 830B1D00 27907B7A CF3687BA
A2DB0523 5D6DD967 588D4AF7 6B69AE8F F515F934 B66E5D74 6EDFF1D5 E9
quit
license udi pid CISCO2921/K9 sn FCZ181960B7
!
!
username test password 0 cisco123
username tame password 0 tame2011
!
redundancy
!
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
pool VPN_POOL
dns 1.1.1.1
def-domain NWL.LAB
route set remote ipv4 1.1.1.1 255.255.255.255
!
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 15
!
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint R1-CLIENT
aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK
virtual-template 1
!
!
!
!
!
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IKEV2_PROFILE
set transform-set TRANSFORM_SET
set ikev2-profile IKEV2_PROFILE
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
ip mtu 1400
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IKEV2_PROFILE
!
ip local pool VPN_POOL 192.168.10.5 192.168.10.10
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
endMay 18 19:23:02.483: IKEv2:Received Packet [From 192.168.1.101:53924/To 192.168.1.1:500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Verify SA init message May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Insert SA May 18 19:23:02.483: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1 May 18 19:23:02.483: IKEv2:Using the Default Policy for Proposal May 18 19:23:02.483: IKEv2:Found Policy 'default' May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Processing IKE_SA_INIT message May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Received valid config mode data May 18 19:23:02.483: IKEv2:Config data recieved: May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Config-type: Config-request May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40 May 18 19:23:02.483: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):Set received config mode data May 18 19:23:02.483: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) May 18 19:23:02.483: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'R1-CLIENT' 'R1-CA' May 18 19:23:02.483: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints May 18 19:23:02.483: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED May 18 19:23:02.483: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session May 18 19:23:02.483: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED May 18 19:23:02.483: IKEv2:(SESSION ID = 28,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2 May 18 19:23:02.503: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED May 18 19:23:02.503: IKEv2:(SESSION ID = 28,SA ID = 1):Request queued for computation of DH key May 18 19:23:02.503: IKEv2:(SESSION ID = 28,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2 May 18 19:23:02.523: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):Request queued for computation of DH secret May 18 19:23:02.523: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA May 18 19:23:02.523: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED May 18 19:23:02.523: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):Generating IKE_SA_INIT message May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA512 SHA512 DH_GROUP_1024_MODP/Group 2 May 18 19:23:02.523: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) May 18 19:23:02.523: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'R1-CLIENT' 'R1-CA' May 18 19:23:02.523: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints May 18 19:23:02.523: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:53924/From 192.168.1.1:500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):Completed SA init exchange May 18 19:23:02.523: IKEv2:(SESSION ID = 28,SA ID = 1):Starting timer (30 sec) to wait for auth message May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Received Packet [From 192.168.1.101:61436/To 192.168.1.1:500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Stopping timer to wait for auth message May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Checking NAT discovery May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):NAT OUTSIDE found May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):NAT detected float to init port 61436, resp port 4500 May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID' May 18 19:23:02.555: IKEv2:found matching IKEv2 profile 'IKEV2_PROFILE' May 18 19:23:02.555: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1 May 18 19:23:02.555: IKEv2:Using the Default Policy for Proposal May 18 19:23:02.555: IKEv2:Found Policy 'default' May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):not a VPN-SIP session May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Verify peer's policy May 18 19:23:02.555: IKEv2:(SESSION ID = 28,SA ID = 1):Peer's policy verified May 18 19:23:02.555: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) May 18 19:23:02.555: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE May 18 19:23:02.555: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing May 18 19:23:02.555: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint R1-CLIENT May 18 19:23:02.559: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):Check for EAP exchange May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):Check for EAP exchange May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):Generate my authentication data May 18 19:23:02.559: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data May 18 19:23:02.559: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):Get my authentication method May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):My authentication method is 'RSA' May 18 19:23:02.559: IKEv2:(SESSION ID = 28,SA ID = 1):Sign authentication data May 18 19:23:02.559: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key May 18 19:23:02.559: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED May 18 19:23:02.559: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data May 18 19:23:02.595: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED May 18 19:23:02.595: IKEv2:(SESSION ID = 28,SA ID = 1):Authentication material has been sucessfully signed May 18 19:23:02.595: IKEv2:(SESSION ID = 28,SA ID = 1):Generating AnyConnect EAP request May 18 19:23:02.595: IKEv2:(SESSION ID = 28,SA ID = 1):Sending AnyConnect EAP 'hello' request May 18 19:23:02.595: IKEv2:(SESSION ID = 28,SA ID = 1):Constructing IDr payload: '192.168.1.1' of type 'IPv4 address' May 18 19:23:02.595: IKEv2:(SESSION ID = 28,SA ID = 1):Building packet for encryption. Payload contents: VID IDr CERT CERT AUTH EAP May 18 19:23:02.599: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:61436/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:23:02.599: IKEv2:(SESSION ID = 28,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:23:05.215: IKEv2:(SESSION ID = 28,SA ID = 1):Received Packet [From 192.168.1.101:61436/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 2 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:23:05.215: IKEv2:(SESSION ID = 28,SA ID = 1):Stopping timer to wait for auth message May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Processing AnyConnect EAP response May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Checking for Dual Auth May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Generating AnyConnect EAP AUTH request May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Sending AnyConnect EAP 'auth-request' May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:61436/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 2 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:23:05.219: IKEv2:(SESSION ID = 28,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:23:11.651: IKEv2:(SESSION ID = 28,SA ID = 1):Received Packet [From 192.168.1.101:61436/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 3 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:23:11.655: IKEv2:(SESSION ID = 28,SA ID = 1):Stopping timer to wait for auth message May 18 19:23:11.655: IKEv2:(SESSION ID = 28,SA ID = 1):Processing AnyConnect EAP response May 18 19:23:11.655: AAA/BIND(00000037): Bind i/f May 18 19:23:11.655: IKEv2:Using authentication method list AAA_AUTHENTICATION_LOGIN May 18 19:23:11.655: AAA/AUTHEN/LOGIN (00000037): Pick method list 'AAA_AUTHENTICATION_LOGIN' May 18 19:23:11.655: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent May 18 19:23:11.655: IKEv2-ERROR:AnyConnect EAP - failed to get author list May 18 19:23:11.655: IKEv2:Received response from aaa for AnyConnect EAP May 18 19:23:11.655: IKEv2:(SESSION ID = 28,SA ID = 1):Generating AnyConnect EAP VERIFY request May 18 19:23:11.659: IKEv2:(SESSION ID = 28,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request May 18 19:23:11.659: IKEv2:(SESSION ID = 28,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:23:11.659: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:61436/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 3 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:23:11.659: IKEv2:(SESSION ID = 28,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Received Packet [From 192.168.1.101:61436/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 4 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Stopping timer to wait for auth message May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Processing AnyConnect EAP ack response May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Generating AnyConnect EAP success request May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Sending AnyConnect EAP success status message May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:61436/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 4 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:23:11.663: IKEv2:(SESSION ID = 28,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Received Packet [From 192.168.1.101:61436/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 5 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: AUTH May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Stopping timer to wait for auth message May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Send AUTH, to verify peer after EAP exchange May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Verify peer's authentication data May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 64 May 18 19:23:11.667: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data May 18 19:23:11.667: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Verification of peer's authenctication data PASSED May 18 19:23:11.667: IKEv2:(SESSION ID = 28,SA ID = 1):Processing INITIAL_CONTACT May 18 19:23:11.667: IKEv2:Using mlist AAA_AUTHORIZATION_NETWORK and username tame for group author request May 18 19:23:11.667: AAA/BIND(00000038): Bind i/f May 18 19:23:11.667: AAA/AUTHOR (0x38): Pick method list 'AAA_AUTHORIZATION_NETWORK' May 18 19:23:11.667: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent - FAIL May 18 19:23:11.667: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response May 18 19:23:11.671: IKEv2-ERROR:AAA authorization request failed May 18 19:23:11.671: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed May 18 19:23:11.671: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1): May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Verification of peer's authentication data FAILED May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Sending authentication failure notify May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED) May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Sending Packet [To 192.168.1.101:61436/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : 56990E50ADB8675E - Responder SPI : F0CBD35705DD4B3D Message id: 5 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Auth exchange failed May 18 19:23:11.671: IKEv2-ERROR:(SESSION ID = 28,SA ID = 1):: Auth exchange failed May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Abort exchange May 18 19:23:11.671: IKEv2:(SESSION ID = 28,SA ID = 1):Deleting SA May 18 19:23:11.671: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session May 18 19:23:11.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED May 18 19:28:14.359: IKEv2:Received Packet [From 192.168.1.101:55475/To 192.168.1.1:500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Verify SA init message May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Insert SA May 18 19:28:14.363: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1 May 18 19:28:14.363: IKEv2:Using the Default Policy for Proposal May 18 19:28:14.363: IKEv2:Found Policy 'default' May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Processing IKE_SA_INIT message May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Received valid config mode data May 18 19:28:14.363: IKEv2:Config data recieved: May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Config-type: Config-request May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40 May 18 19:28:14.363: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):Set received config mode data May 18 19:28:14.363: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) May 18 19:28:14.363: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'R1-CLIENT' 'R1-CA' May 18 19:28:14.363: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints May 18 19:28:14.363: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED May 18 19:28:14.363: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session May 18 19:28:14.363: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED May 18 19:28:14.363: IKEv2:(SESSION ID = 29,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2 May 18 19:28:14.383: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED May 18 19:28:14.383: IKEv2:(SESSION ID = 29,SA ID = 1):Request queued for computation of DH key May 18 19:28:14.383: IKEv2:(SESSION ID = 29,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2 May 18 19:28:14.403: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):Request queued for computation of DH secret May 18 19:28:14.403: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA May 18 19:28:14.403: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED May 18 19:28:14.403: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):Generating IKE_SA_INIT message May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA512 SHA512 DH_GROUP_1024_MODP/Group 2 May 18 19:28:14.403: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s) May 18 19:28:14.403: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'R1-CLIENT' 'R1-CA' May 18 19:28:14.403: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints May 18 19:28:14.403: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55475/From 192.168.1.1:500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):Completed SA init exchange May 18 19:28:14.403: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (30 sec) to wait for auth message May 18 19:28:14.435: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 192.168.1.101:55476/To 192.168.1.1:500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Checking NAT discovery May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):NAT OUTSIDE found May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):NAT detected float to init port 55476, resp port 4500 May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID' May 18 19:28:14.439: IKEv2:found matching IKEv2 profile 'IKEV2_PROFILE' May 18 19:28:14.439: IKEv2:Searching Policy with fvrf 0, local address 192.168.1.1 May 18 19:28:14.439: IKEv2:Using the Default Policy for Proposal May 18 19:28:14.439: IKEv2:Found Policy 'default' May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):not a VPN-SIP session May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Verify peer's policy May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Peer's policy verified May 18 19:28:14.439: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es) May 18 19:28:14.439: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE May 18 19:28:14.439: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing May 18 19:28:14.439: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint R1-CLIENT May 18 19:28:14.439: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Check for EAP exchange May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Check for EAP exchange May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Generate my authentication data May 18 19:28:14.439: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data May 18 19:28:14.439: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Get my authentication method May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):My authentication method is 'RSA' May 18 19:28:14.439: IKEv2:(SESSION ID = 29,SA ID = 1):Sign authentication data May 18 19:28:14.439: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key May 18 19:28:14.439: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED May 18 19:28:14.439: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data May 18 19:28:14.479: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Authentication material has been sucessfully signed May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Generating AnyConnect EAP request May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Sending AnyConnect EAP 'hello' request May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Constructing IDr payload: '192.168.1.1' of type 'IPv4 address' May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption. Payload contents: VID IDr CERT CERT AUTH EAP May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55476/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:28:14.479: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:28:39.419: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 192.168.1.101:55476/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 2 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Processing AnyConnect EAP response May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Checking for Dual Auth May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Generating AnyConnect EAP AUTH request May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Sending AnyConnect EAP 'auth-request' May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55476/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 2 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:28:39.423: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:28:55.315: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 192.168.1.101:55476/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 3 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:28:55.315: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message May 18 19:28:55.315: IKEv2:(SESSION ID = 29,SA ID = 1):Processing AnyConnect EAP response May 18 19:28:55.315: AAA/BIND(00000039): Bind i/f May 18 19:28:55.315: IKEv2:Using authentication method list AAA_AUTHENTICATION_LOGIN May 18 19:28:55.315: AAA/AUTHEN/LOGIN (00000039): Pick method list 'AAA_AUTHENTICATION_LOGIN' May 18 19:28:55.315: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent May 18 19:28:55.319: IKEv2-ERROR:AnyConnect EAP - failed to get author list May 18 19:28:55.319: IKEv2:Received response from aaa for AnyConnect EAP May 18 19:28:55.319: IKEv2:(SESSION ID = 29,SA ID = 1):Generating AnyConnect EAP VERIFY request May 18 19:28:55.319: IKEv2:(SESSION ID = 29,SA ID = 1):Sending AnyConnect EAP 'VERIFY' request May 18 19:28:55.319: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:28:55.319: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55476/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 3 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:28:55.319: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:28:55.347: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 192.168.1.101:55476/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 4 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: EAP May 18 19:28:55.347: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message May 18 19:28:55.347: IKEv2:(SESSION ID = 29,SA ID = 1):Processing AnyConnect EAP ack response May 18 19:28:55.347: IKEv2:(SESSION ID = 29,SA ID = 1):Generating AnyConnect EAP success request May 18 19:28:55.347: IKEv2:(SESSION ID = 29,SA ID = 1):Sending AnyConnect EAP success status message May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption. Payload contents: EAP May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55476/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 4 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (90 sec) to wait for auth message May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 192.168.1.101:55476/To 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 5 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: AUTH May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Send AUTH, to verify peer after EAP exchange May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Verify peer's authentication data May 18 19:28:55.351: IKEv2:(SESSION ID = 29,SA ID = 1):Use preshared key for id *$AnyConnectClient$*, key len 64 May 18 19:28:55.351: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data May 18 19:28:55.351: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Verification of peer's authenctication data PASSED May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Processing INITIAL_CONTACT May 18 19:28:55.355: IKEv2:Using mlist AAA_AUTHORIZATION_NETWORK and username test for group author request May 18 19:28:55.355: AAA/BIND(0000003A): Bind i/f May 18 19:28:55.355: AAA/AUTHOR (0x3A): Pick method list 'AAA_AUTHORIZATION_NETWORK' May 18 19:28:55.355: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent - FAIL May 18 19:28:55.355: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response May 18 19:28:55.355: IKEv2-ERROR:AAA authorization request failed May 18 19:28:55.355: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1):AAA group authorization failed May 18 19:28:55.355: IKEv2-ERROR:(SESSION ID = 0,SA ID = 1): May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Verification of peer's authentication data FAILED May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Sending authentication failure notify May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Building packet for encryption. Payload contents: NOTIFY(AUTHENTICATION_FAILED) May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 192.168.1.101:55476/From 192.168.1.1:4500/VRF i0:f0] Initiator SPI : D09BA6128C571BA9 - Responder SPI : 65C48A6041771B07 Message id: 5 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: ENCR May 18 19:28:55.355: IKEv2:(SESSION ID = 29,SA ID = 1):Auth exchange failed May 18 19:28:55.355: IKEv2-ERROR:(SESSION ID = 29,SA ID = 1):: Auth exchange failed May 18 19:28:55.359: IKEv2:(SESSION ID = 29,SA ID = 1):Abort exchange May 18 19:28:55.359: IKEv2:(SESSION ID = 29,SA ID = 1):Deleting SA May 18 19:28:55.359: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session May 18 19:28:55.359: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED R1#
Labels:
- Labels:
-
AnyConnect
-
FlexVPN
-
VPN
3 Replies 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-30-2022 07:56 PM
I have the exactly same problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-30-2022 11:32 PM
Are you use asa dns name in certificate??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-31-2022 02:02 AM - edited 10-31-2022 08:18 PM
Hi, I have managed to resolve the issue with the certificate, I always use the domain name (in both side configuration) and it matches the domain name in the certificate.
Now the anyconnect client can successfully authenticate to my ISR-4331 router. From router's point of view, the client has been passed eap authentication, and the router has set up IKE sa and IPsec sa.
But the anyconnect client strangely drops the connection, saying user authentication failed.
Router Debug:
Oct 31 13:12:47.450: IKEv2:% DVTI Vi1 created for profile PROF_IKE_OFFICE_VPN_ANYCONNECT with PSH index 1.
Oct 31 13:12:47.451: IKEv2:% Adding assigned IP address 192.168.14.139 to TSi.
Oct 31 13:12:47.451: IKEv2:(SESSION ID = 44,SA ID = 1):IPSec policy validate request sent for profile PROF_IKE_OFFICE_VPN_ANYCONNECT with psh index 1.
Oct 31 13:12:47.454: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
Oct 31 13:12:47.454: IKEv2:No reconnect for PSH: 1
Oct 31 13:12:47.454: IKEv2:(SESSION ID = 44,SA ID = 1):Config data to send:
Oct 31 13:12:47.454: IKEv2:(SESSION ID = 44,SA ID = 1):Config-type: Config-reply
Oct 31 13:12:47.454: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 192.168.14.139
Oct 31 13:12:47.454: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: ipv4-netmask, length: 4, data: 255.255.255.240
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: ipv4-dns, length: 4, data: 192.168.15.20
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: ipv4-dns, length: 4, data: 192.168.15.20
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: app-version, length: 255, data: Cisco IOS Software [Amsterdam], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2022 by Cisco Systems, Inc.
Compiled Wed 09-Feb-22 10:37 by mcpre
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Have config mode data to send
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Get my authentication method
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):My authentication method is 'PSK'
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Get peer's preshared key for *$AnyConnectClient$*
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Generate my authentication data
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Use preshared key for id vpn.office.tjbn.net, key len 32
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Get my authentication method
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):My authentication method is 'PSK'
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Generate my authentication data
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Use preshared key for id vpn.office.tjbn.net, key len 32
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Oct 31 13:12:47.455: IKEv2:(SESSION ID = 44,SA ID = 1):ESP Proposal: 2, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don't use ESN
Oct 31 13:12:47.456: IKEv2:(SESSION ID = 44,SA ID = 1):Building packet for encryption.
Payload contents:
AUTH CFG SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Oct 31 13:12:47.456: IKEv2:(SESSION ID = 44,SA ID = 1):Sending Packet [To 111.30.231.214:10508/From 192.168.15.22:4500/VRF i0:f0]
Initiator SPI : 01BD3FEC7CDA6C02 - Responder SPI : 37D9DAEDBA3912D6 Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Oct 31 13:12:47.456: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Oct 31 13:12:47.456: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Oct 31 13:12:47.456: IKEv2:(SESSION ID = 44,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Oct 31 13:12:47.457: IKEv2:(SESSION ID = 44,SA ID = 1):Session with IKE ID PAIR (taolei@wisetv.com.cn, vpn.office.tjbn.net) is UP
Oct 31 13:12:47.457: IKEv2:(SESSION ID = 0,SA ID = 0):IKEv2 MIB tunnel started, tunnel index 1
Oct 31 13:12:47.457: IKEv2:(SESSION ID = 44,SA ID = 1):Load IPSEC key material
Oct 31 13:12:47.457: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Oct 31 13:12:47.468: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Oct 31 21:12:47.468 cst: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Oct 31 13:12:47.472: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Accounting start request sent successfully
Oct 31 13:12:47.472: IKEv2:(SESSION ID = 44,SA ID = 1):Checking for duplicate IKEv2 SA
Oct 31 13:12:47.472: IKEv2:(SESSION ID = 44,SA ID = 1):No duplicate IKEv2 SA found
Oct 31 13:12:47.472: IKEv2:(SESSION ID = 44,SA ID = 1):Starting timer (8 sec) to delete negotiation context
Client Debug:
[10-31-22 21:17:42:716] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Sending ID payload without AUTH intend to do EAP [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:42:716] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Constructing IDi payload: '*$AnyConnectClient$*' of type 'Group name'
[10-31-22 21:17:42:716] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 5 AES-GCM AES-GCM AES-GCM None Don't use ESN ESP Proposal: 2, SPI size: 4 (IPSec negotiation), Num. transforms: 8 AES-CBC AES-CBC AES-CBC SHA256 SHA384 SHA96 SHA512 Don't use ESN
[10-31-22 21:17:42:716] Warning: Function: ikev2_get_custom_notify_from_platform File: ikev2_anyconnect_osal.cpp Line: 1979 Headend does not support AnyConnect VPN STRAP
[10-31-22 21:17:42:717] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Building packet for encryption. Payload contents: VID Next payload: IDi, reserved: 0x0, length: 20 IDi Next payload: CERTREQ, reserved: 0x0, length: 28 Id type: Group name, Reserved: 0x0 0x0 CERTREQ Next payload: CFG, reserved: 0x0, length: 25 Cert encoding X.509 Certificate - signature CFG Next payload: SA, reserved: 0x0, length: 292 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0 attrib type: internal IP4 address, length: 0 attrib type: internal IP4 netmask, length: 0 attrib type: internal IP4 DNS, length: 0 attrib type: internal IP4 NBNS, length: 0 attrib type: internal address expiry, length: 0 attrib type: application version, length: 52 attrib type: internal IP4 subnet, length: 0 attrib type: internal IP6 address, length: 0 attrib type: internal IP6 DNS, length: 0 attrib type: internal IP6 subnet, length: 0 attrib type: Unknown - 28682, length: 13 attrib type: session timeout, length: 0 attrib type: Unknown - 28742, length: 0 attrib type: Unknown - 28743, length: 0 attrib type: idle timeout, length: 0 attrib type: disconnected timeout, length: 0 attrib type: keep, length: 0 attrib type: homepage, length: 0 attrib type: DPD, length: 0 attrib type: keepalive, length: 0 attrib type: banner, length: 0 attrib type: scard removal, length: 0 attrib type: IP MTU, length: 2 attrib type: default domain, length: 0 attrib type: split exclude, length: 0 attrib type: split DNS, length: 0 attrib type: PFS, length: 0 attrib type: proxy setting, length: 0 attrib type: license, length: 7 attrib type: session token, length: 0 attrib type: session id, length: 0 attrib type: session data, length: 0 attrib type: profile URI, length: 0 attrib type: profile SHA1 hash, length: 0 attrib type: FW rule, length: 0 attrib type: MUS host, length: 0 attrib type: DAP user message, length: 0 attrib type: quarantine, length: 0 attrib type: disable forced VPN, length: 0 attrib type: AnyConnect XML, length: 0 attrib type: Unknown - 28729, length: 0 attrib type: Unknown - 28730, length: 0 attrib type: Unknown - 28731, length: 0 attrib type: Unknown - 28732, length: 0 attrib type: Unknown - 28734, length: 0 attrib type: Unknown - 28736, length: 0 attrib type: Unknown - 28733, length: 4 attrib type: Unknown - 28735, length: 4 attrib type: Unknown - 28737, length: 0 attrib type: Unknown - 28738, length: 2 SA Next payload: NOTIFY, reserved: 0x0, length: 156 last proposal: 0x2, reserved: 0x0, length: 64 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 5 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: None last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN last proposal: 0x0, reserved: 0x0, length: 88 Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 8 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN NOTIFY(IPCOMP_SUPPORTED) Next payload: TSi, reserved: 0x0, length: 11 Security protocol id: IKE, spi size: 0, type: IPCOMP_SUPPORTED TSi Next payload: TSr, reserved: 0x0, length: 64 Num of TSs: 2, reserved: 0x0, reserved: 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TS type: TS_IPV6_ADDR_RANGE, proto id: 0, length: 40 start port: 0, end port: 65535 start addr: 0:0:0:0:0:0:0:0, end addr: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF TSr Next payload: NOTIFY, reserved: 0x0, length: 64 Num of TSs: 2, reserved: 0x0, reserved: 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TS type: TS_IPV6_ADDR_RANGE, proto id: 0, length: 40 start port: 0, end port: 65535 start addr: 0:0:0:0:0:0:0:0, end addr: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
[10-31-22 21:17:42:717] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 752 Payload contents: ENCR Next payload: VID, reserved: 0x0, length: 724
[10-31-22 21:17:42:717] Info: Function: connectTransport File: IPsecProtocol.cpp Line: 2057 Opened IKE socket. Local Addr: [192.168.1.3]:58268, Remote Addr: [111.30.65.66]:4500
[10-31-22 21:17:42:738] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received Packet [From 192.168.1.3:4500/To 111.30.65.66:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 4272 Payload contents: VID Next payload: IDr, reserved: 0x0, length: 20 IDr Next payload: CERT, reserved: 0x0, length: 27 Id type: FQDN, Reserved: 0x0 0x0 CERT Next payload: CERT, reserved: 0x0, length: 913 Cert encoding X.509 Certificate - signature CERT Next payload: AUTH, reserved: 0x0, length: 908 Cert encoding X.509 Certificate - signature AUTH Next payload: EAP, reserved: 0x0, length: 264 Auth method RSA, reserved: 0x0, reserved: 0x0 EAP Next payload: NONE, reserved: 0x0, length: 2068 Code: request: id: 59, length: 2064 Type: expanded
[10-31-22 21:17:42:738] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Process auth response notify
[10-31-22 21:17:42:738] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Searching policy based on peer's identity 'vpn.office.tjbn.net' of type 'FQDN'
[10-31-22 21:17:42:739] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Verify peer's policy
[10-31-22 21:17:42:739] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Peer's policy verified
[10-31-22 21:17:42:739] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Get peer's authentication method
[10-31-22 21:17:42:739] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Peer's authentication method is 'RSA'
[10-31-22 21:17:42:740] Info: Function: VerifyServerCertificate File: CertIKEAdapter.cpp Line: 290 Waiting for Server Certificate Verification from VPN API.
[10-31-22 21:17:42:740] Error: Function: getCertificateInfo File: UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:42:740] Info: Function: ikev2_verify_X509_SIG_certs File: ikev2_anyconnect_osal.cpp Line: 2599 Requesting certificate acceptance from user
[10-31-22 21:17:42:740] Warning: Function: GetCertificatePins File: PreferenceMgr.cpp Line: 2016 Invoked Function: ProfileMgr::GetProfileNameFromAddress Return Code: -26083317 (0xFE72000B) Description: PROFILEMGR_ERROR_HOST_ADDRESS_NOT_FOUND_IN_ANY_PROFILE Server address vpn.office.tjbn.net not found in any profile.
[10-31-22 21:17:42:740] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log)
[10-31-22 21:17:42:744] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Save pubkey
[10-31-22 21:17:42:744] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Verify peer's authentication data
[10-31-22 21:17:42:744] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Verification of peer's authenctication data PASSED
[10-31-22 21:17:42:745] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Processing EAP request [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:42:745] Info: Function: dataRequestCB File: EAPMgr.cpp Line: 403 EAP proposed type: EAP-ANYCONNECT
[10-31-22 21:17:42:748] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 422 device IMEI is not supported
[10-31-22 21:17:42:748] Error: Function: getCertificateInfo File: UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:42:748] Error: Function: getAggAuthCertificateInfo File: UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:42:748] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received response from authenticator
[10-31-22 21:17:42:749] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Sending EAP response [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:42:749] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Building packet for encryption. Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 601 Code: response: id: 59, length: 597 Type: expanded
[10-31-22 21:17:42:749] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 2 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 2, length: 672 Payload contents: ENCR Next payload: EAP, reserved: 0x0, length: 644
[10-31-22 21:17:42:757] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received Packet [From 192.168.1.3:4500/To 111.30.65.66:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 2 IKEv2 IKE_AUTH Exchange RESPONSE Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 2, length: 2144 Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 2068 Code: request: id: 2, length: 2064 Type: expanded
[10-31-22 21:17:42:758] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Processing EAP request [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:42:758] Info: Function: handleClientServicesPort File: ConnectMgr.cpp Line: 11843 HTTP access is not allowed due to SG policy.
[10-31-22 21:17:42:758] Info: Function: ProcessPromptData File: SDIMgr.cpp Line: 336 Authentication is not token based (OTP).
[10-31-22 21:17:42:758] Info: Message type prompt sent to the user: Please provide your credentials
[10-31-22 21:17:42:759] Info: Function: WMHintCB File: ClientIfc.cpp Line: 169 User did not implement WMHintCB.
[10-31-22 21:17:42:759] Info: Function: UserPromptCB File: AnyConnectAuthenticator.cpp Line: 2725 Sending prompt: Please provide your credentials to App
[10-31-22 21:17:47:322] Info: Function: -[PacketTunnelProvider handleNWPathUpdate:] File: PacketTunnelProvider.mm Line: 1409 handleNWPathUpdate block invoked on WorkQueue
[10-31-22 21:17:47:323] Info: Function: -[PacketTunnelProvider handleNWPathUpdate:] File: PacketTunnelProvider.mm Line: 1416 Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns
[10-31-22 21:17:47:323] Info: Function: -[PacketTunnelProvider handleNWPathUpdate:] File: PacketTunnelProvider.mm Line: 1450 Interface: WiFi, path is Satisfied
[10-31-22 21:17:47:347] Info: Function: -[PacketTunnelProvider handleNWPathUpdate:] File: PacketTunnelProvider.mm Line: 1502 Ignoring network status change
[10-31-22 21:17:49:182] Info: Function: userResponse File: ConnectMgr.cpp Line: 1683 Processing user response.
[10-31-22 21:17:49:196] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 422 device IMEI is not supported
[10-31-22 21:17:49:197] Error: Function: getCertificateInfo File: UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:49:197] Error: Function: getAggAuthCertificateInfo File: UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:49:197] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received response from authenticator
[10-31-22 21:17:49:198] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Sending EAP response [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:49:198] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Building packet for encryption. Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 732 Code: response: id: 2, length: 728 Type: expanded
[10-31-22 21:17:49:198] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 3 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 3, length: 800 Payload contents: ENCR Next payload: EAP, reserved: 0x0, length: 772
[10-31-22 21:17:49:766] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received Packet [From 192.168.1.3:4500/To 111.30.65.66:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 3 IKEv2 IKE_AUTH Exchange RESPONSE Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 3, length: 2144 Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 2068 Code: request: id: 3, length: 2064 Type: expanded
[10-31-22 21:17:49:766] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Processing EAP request [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:49:773] Info: Function: GetACIdentifierExts File: ACIdentifierExts.cpp Line: 422 device IMEI is not supported
[10-31-22 21:17:49:773] Error: Function: getCertificateInfo File: UserAuthenticationTlv.cpp Line: 3522 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:49:773] Error: Function: getAggAuthCertificateInfo File: UserAuthenticationTlv.cpp Line: 3837 Invoked Function: UserAuthenticationTlv::GetInfoByType Return Code: -32440304 (0xFE110010) Description: TLV_ERROR_NO_ATTRIBUTE
[10-31-22 21:17:49:774] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received response from authenticator
[10-31-22 21:17:49:774] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Sending EAP response [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:49:774] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Building packet for encryption. Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 425 Code: response: id: 3, length: 421 Type: expanded
[10-31-22 21:17:49:774] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 4 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 4, length: 496 Payload contents: ENCR Next payload: EAP, reserved: 0x0, length: 468
[10-31-22 21:17:49:784] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received Packet [From 192.168.1.3:4500/To 111.30.65.66:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 4 IKEv2 IKE_AUTH Exchange RESPONSE Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 4, length: 2144 Payload contents: EAP Next payload: NONE, reserved: 0x0, length: 2068 Code: success: id: 4, length: 2064 Type: expanded
[10-31-22 21:17:49:785] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Process auth response notify
[10-31-22 21:17:49:785] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Processing EAP status message
[10-31-22 21:17:49:785] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Send AUTH, to verify peer after EAP exchange [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:49:785] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Generate my authentication data
[10-31-22 21:17:49:786] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Use preshared key for id *$AnyConnectClient$*, key len 48
[10-31-22 21:17:49:786] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Get my authentication method
[10-31-22 21:17:49:786] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) My authentication method is 'PSK'
[10-31-22 21:17:49:786] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Send AUTH, to verify peer after EAP exchange [ISPI: 0x5F0A0DF35C9D93D4 RSPI: 0x794C4296760AA506]
[10-31-22 21:17:49:786] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Building packet for encryption. Payload contents: AUTH Next payload: NONE, reserved: 0x0, length: 56 Auth method PSK, reserved: 0x0, reserved: 0x0
[10-31-22 21:17:49:787] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 5 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 5, length: 128 Payload contents: ENCR Next payload: AUTH, reserved: 0x0, length: 100
[10-31-22 21:17:51:791] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Retransmitting packet
[10-31-22 21:17:51:792] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Sending Packet [To 111.30.65.66:4500/From 192.168.1.3:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 5 IKEv2 IKE_AUTH Exchange REQUEST Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 5, length: 128 Payload contents: ENCR Next payload: AUTH, reserved: 0x0, length: 100
[10-31-22 21:17:51:829] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Received N[ESP_TFC_NO_SUPPORT]
[10-31-22 21:17:51:831] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Received N[NON_FIRST_FRAGS]
[10-31-22 21:17:51:833] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received Packet [From 192.168.1.3:4500/To 111.30.65.66:4500/VRF i0:f0] Initiator SPI : 5F0A0DF35C9D93D4 - Responder SPI : 794C4296760AA506 Message id: 5 IKEv2 IKE_AUTH Exchange RESPONSE Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 5, length: 544 Payload contents: AUTH Next payload: CFG, reserved: 0x0, length: 56 Auth method PSK, reserved: 0x0, reserved: 0x0 CFG Next payload: SA, reserved: 0x0, length: 299 cfg type: CFG_REPLY, reserved: 0x0, reserved: 0x0 attrib type: internal IP4 address, length: 4 attrib type: internal IP4 netmask, length: 4 attrib type: internal IP4 DNS, length: 4 attrib type: internal IP4 DNS, length: 4 attrib type: application version, length: 255 SA Next payload: TSi, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved: 0x0, reserved: 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 192.168.14.140, end addr: 192.168.14.140 TSr Next payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved: 0x0, reserved: 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12 Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
[10-31-22 21:17:51:835] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Process auth response notify
[10-31-22 21:17:51:837] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Received valid config mode data
[10-31-22 21:17:51:841] Info: Current Profile: none Received VPN Session Configuration Settings: Keep Installed: enabled Proxy Setting: do not modify Proxy Server: none Proxy PAC URL: none Proxy Exceptions: none Proxy Lockdown: enabled IPv4 Split Exclude: disabled IPv6 Split Exclude: disabled IPv4 Dynamic Split Exclude: disabled IPv6 Dynamic Split Exclude: disabled IPv4 Split Include: disabled IPv6 Split Include: disabled IPv4 Dynamic Split Include: disabled IPv6 Dynamic Split Include: disabled IPv4 Split DNS: disabled IPv6 Split DNS: disabled Tunnel all DNS: disabled IPv4 Local LAN Wildcard: disabled IPv6 Local LAN Wildcard: disabled Firewall Rules: none Client Address: 192.168.14.140 Client Mask: 255.255.255.240 Client IPv6 Address: FE80:0:0:0:4FA6:D69F:54E3:4001 (auto-generated) Client IPv6 Mask: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFC MTU: none IKE Keep Alive: disabled IKE DPD: 30 seconds Session Timeout: none Session Timeout Alert Interval: none Session Timeout Remaining: none Disconnect Timeout: none Idle Timeout: none Server: Cisco IOS Software [Amsterdam], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.5, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2022 by Cisco Systems, Inc. Compiled Wed 09-Feb-22 10:37 by mcpre MUS Host: unknown DAP User Message: none Quarantine State: unknown Always On VPN: unknown Lease Duration: none Default Domain: unknown Home page: unknown Smart Card Removal Disconnect: enabled License Response: unknown SG TCP Keep Alive: enabled Peer's Local IPv4 Address: N/A Peer's Local IPv6 Address: N/A Peer's Remote IPv4 Address: N/A Peer's Remote IPv6 Address: N/A Peer's host name: N/A Client Protocol Bypass: false Cluster Reconnect: disabled Tunnel Optimization: disabled
[10-31-22 21:17:51:843] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Set received config mode data
[10-31-22 21:17:51:845] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Verify peer's authentication data
[10-31-22 21:17:51:846] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Use preshared key for id vpn.office.tjbn.net, key len 48
[10-31-22 21:17:51:847] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Failed to authenticate the IKE SA
[10-31-22 21:17:51:848] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Verification of peer's authentication data FAILED
[10-31-22 21:17:51:849] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Auth exchange failed
[10-31-22 21:17:51:850] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Auth exchange failed Auth exchange failed
[10-31-22 21:17:51:851] Info: Function: ikev2_log File: ikev2_anyconnect_osal.cpp Line: 3311 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
[10-31-22 21:17:51:852] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Abort exchange
[10-31-22 21:17:51:853] Error: IKE SA request failure: during rekey?:N - (5) 'Authentication failure'
[10-31-22 21:17:51:854] Error: Function: OnTunnelInitiateComplete File: IPsecTunnelStateMgr.cpp Line: 1053 Invoked Function: Initiate tunnel callback status Return Code: -27394027 (0xFE5E0015) Description: IPSECPROTOCOL_ERROR_USER_AUTHENTICATION_FAILED tunnel state AUTHENTICATING
[10-31-22 21:17:51:855] Error: Function: OnTunnelInitiateComplete File: IPsecTunnelMgr.cpp Line: 717 Invoked Function: CIPsecTunnelStateMgr::OnTunnelInitiateComplete Return Code: -27394027 (0xFE5E0015) Description: IPSECPROTOCOL_ERROR_USER_AUTHENTICATION_FAILED callback
[10-31-22 21:17:51:855] Info: [vpn_ipsec_ikev2] ikev2_anyconnect_osal.cpp:3307(ikev2_log) Deleting SA
[10-31-22 21:17:51:856] Info: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
[10-31-22 21:17:51:857] Error: Function: processInitiateTunnelComplete File: VpnMgr.cpp Line: 6747 Invoked Function: Initiate Tunnel Status Code Return Code: -27394027 (0xFE5E0015) Description: IPSECPROTOCOL_ERROR_USER_AUTHENTICATION_FAILED
[10-31-22 21:17:51:858] Error: Termination reason code 87: An IPsec VPN connection failed due to an authentication failure or timeout.
[10-31-22 21:17:51:859] Warning: Function: main File: VpnMgr.cpp Line: 2080 Invoked Function: CVpnMgr::initiateTunnel Return Code: -32964592 (0xFE090010) Description: VPNMGR_ERROR_TERMINATING:The requested function could not be performed or was aborted because the VPN session is terminating.
[10-31-22 21:17:51:859] Error: Termination reason code 16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).
[10-31-22 21:17:51:860] Info: The IPsec connection to the secure gateway is being torn down.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
Customers Also Viewed These Support Documents