AnyConnect: Failed to receive the AUTH msg before the timer expired

ino (Level 1)

Trying to set up FlexVPN over a 4G LTE connection.

I am stuck with:

Failed to receive the AUTH msg before the timer expired

The router is a C1111 with IOS XE 16.9.6.

I can connect to it by:

- Windows AnyConnect --> C2960 --> C1111 LAN port: the VPN connection is working
- Windows AnyConnect --> C1111 LAN port: NOT tested
- Windows AnyConnect --> C1111 WAN port: the VPN connection is working
- Windows AnyConnect --> Cisco autonomous AP --> C2960 --> C1111 LAN port: the VPN connection is working
- Windows AnyConnect --> Cisco autonomous AP --> C2960 --> C1111 WAN port: NOT tested
- Windows AnyConnect --> mobile 4G LTE hotspot on a phone --> internet --> C1111 Cellular LTE interface: I get the timeout
- Windows AnyConnect --> wired connection --> internet --> C1111 Cellular LTE interface: NOT tested; I am in a remote area and have no wired network

I put a web server on port 4500 to see if it is blocked by the ISP, but I can reach it.

I compared the debug outputs from a working connection over LAN to the non-working LTE one, but I see no difference up to the point where the timeout occurs:

016604: Aug 10 2022 05:22:47.295 SST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
016605: Aug 10 2022 05:22:47.295 SST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

016606: Aug 10 2022 05:22:47.295 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Sending Packet [To 84.225.x.10:59391/From 84.224.x.123:500/VRF i0:f0]
Initiator SPI : E603E227A2419B6C - Responder SPI : BBAD0930203164CB Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
016607: Aug 10 2022 05:22:47.296 SST: IKEv2-PAK:(SESSION ID = 54,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 429
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
 KE  Next payload: N, reserved: 0x0, length: 72
    DH group: 19, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 59
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ  Next payload: NONE, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature


016608: Aug 10 2022 05:22:47.298 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
016609: Aug 10 2022 05:22:47.298 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Starting timer (30 sec) to wait for auth message
016610: Aug 10 2022 05:23:17.295 SST: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
016611: Aug 10 2022 05:23:17.296 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Auth exchange failed
016612: Aug 10 2022 05:23:17.296 SST: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Auth exchange failed
016613: Aug 10 2022 05:23:17.297 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Abort exchange

 

The WAN port and the LTE port should be the same from a routing/NAT perspective, I think?!

With the difference that the LTE has a dynamic IP; the WAN port, which I usually don't use, is set up with a static IP for this test.

The setup follows this example:

https://www.rmtechcentral.com/ikev2-ipsec-client-to-site-vpn-configuration-cisco-ios-cisco-anyconnect/

The LTE on the router is a business contract with a dynamic IP.

The one on the phone (hotspot) is a normal one with a dynamic IP and is not reachable from the outside (port forwarding).

Anyone have any suggestions?
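The debug sequence quoted above (IKE_SA_INIT completed, a 30-second timer started, then "Failed to receive the AUTH msg") is the signature of a responder that answered the client's first message and never saw the second. Once NAT is detected during IKE_SA_INIT, IKE_AUTH is the first message the client sends to UDP/4500 (RFC 7296, section 2.23), which is why the port 4500 reachability test in the post is a relevant check. The script below is an added example for this thread, not Cisco code and not from the linked guide: it parses IOS XE IKEv2 debug lines, groups them by SESSION ID and classifies each session, reporting how long the router waited for IKE_AUTH and whether that wait matches the announced timer. The lines for session 54 are the ones from the post; session 55 and its addresses are constructed so that a healthy session is classified too.

```python
import re
from datetime import datetime

# Constructed sample: lines 016608-016611 are the failing session quoted in the post
# (addresses masked as in the post); SESSION ID 55 is an invented healthy session with
# RFC 5737 documentation addresses, added so the triage has a non-failing case.
SAMPLE_LOG = """\
016608: Aug 10 2022 05:22:47.298 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Completed SA init exchange
016609: Aug 10 2022 05:22:47.298 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Starting timer (30 sec) to wait for auth message
016610: Aug 10 2022 05:23:17.295 SST: IKEv2-ERROR:(SESSION ID = 54,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
016611: Aug 10 2022 05:23:17.296 SST: IKEv2:(SESSION ID = 54,SA ID = 1):Auth exchange failed
016620: Aug 10 2022 05:24:01.100 SST: IKEv2:(SESSION ID = 55,SA ID = 2):Completed SA init exchange
016621: Aug 10 2022 05:24:01.100 SST: IKEv2:(SESSION ID = 55,SA ID = 2):Starting timer (30 sec) to wait for auth message
016622: Aug 10 2022 05:24:01.412 SST: IKEv2:(SESSION ID = 55,SA ID = 2):Received Packet [From 198.51.100.7:4500/To 203.0.113.9:4500/VRF i0:f0]
"""

# One IOS XE IKEv2 debug line: sequence number, timestamp, zone, component, session/SA ids, message.
# Packet dumps and other continuation lines have no "(SESSION ID = ..." marker and are skipped.
LINE_RE = re.compile(
    r"^\d+: (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+: "
    r"IKEv2(?:-[A-Z]+)?:\(SESSION ID = (?P<sess>\d+),SA ID = (?P<sa>\d+)\):+ ?(?P<msg>.*)$"
)
TIMER_RE = re.compile(r"Starting timer \((?P<sec>\d+) sec\) to wait for auth message")


def parse_ts(text):
    """'Aug 10 2022 05:22:47.298' -> datetime (the zone name is dropped by LINE_RE)."""
    return datetime.strptime(text, "%b %d %Y %H:%M:%S.%f")


def classify(s):
    """Turn the events collected for one session into a verdict."""
    if s["auth_timeout"] is not None and s["timer_start"] is not None:
        waited = (s["auth_timeout"] - s["timer_start"]).total_seconds()
        return {
            "status": "stalled_after_sa_init",
            "waited_s": waited,
            "timer_sec": s["timer_sec"],
            # A wait within a second of the announced timer means the timer really fired,
            # rather than the session being torn down for some other reason.
            "timer_fired": abs(waited - s["timer_sec"]) < 1.0,
            "hint": "SA_INIT was answered but IKE_AUTH never arrived: look at the client-side "
                    "path (addressing, NAT traversal on UDP/4500), not at the router's proposal",
        }
    if s["init_done"] is not None and s["peer_packet_after_init"] is not None:
        return {"status": "auth_in_progress",
                "peer_reply_after_s": (s["peer_packet_after_init"] - s["init_done"]).total_seconds()}
    return {"status": "incomplete"}


def triage(log_text):
    """Group IKEv2 debug lines by SESSION ID and classify each session's IKE_AUTH outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sess"], {
            "sa_id": m["sa"], "init_done": None, "timer_start": None, "timer_sec": None,
            "auth_timeout": None, "peer_packet_after_init": None,
        })
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if msg.startswith("Completed SA init exchange"):
            s["init_done"] = ts
        elif msg.startswith("Starting timer"):
            t = TIMER_RE.match(msg)
            if t:
                s["timer_start"], s["timer_sec"] = ts, int(t["sec"])
        elif msg.startswith("Failed to receive the AUTH msg"):
            s["auth_timeout"] = ts
        elif msg.startswith("Received Packet") and s["init_done"] and s["auth_timeout"] is None:
            # First packet from the peer after SA_INIT completed: IKE_AUTH is on its way.
            s["peer_packet_after_init"] = ts
    return {sid: classify(s) for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE_LOG).items():
        print(f"SESSION ID {sid}: {verdict}")
```

Run against a full `debug crypto ikev2` capture, the stalled sessions stand out as `stalled_after_sa_init` with `timer_fired` true, which is exactly the pattern in the post: the router did its part, and the client's second message never reached it.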

 

Accepted Solution

ino (Level 1)

Somehow my phone's APN was set to IPv6.

Setting it to IPv4 solved the problem.

Interesting that the initial part of the connection was working.