Re: Cisco AnyConnect IPsec VPN (not on ASA) fails with "MPPE-Send-Key length is bogus"

bkingstonmnc · ‎09-18-2019

I am working to configure a Cisco IOS based AnyConnect IPsec VPN. This requires us to use MSCHAPv2 and forward to an additional RADIUS system, which is Windows NPS in our environment.

I have the Duo 2FA working correctly, however when the Access-Accept is received, I also see the below:

Sep 18 16:07:15.092: RADIUS: MPPE-Send-Key length is bogus, [00] sendkeylen=140, Send-Key=<omitted>

Which results in the VPN tunnel is not established. I'm not sure where to ask the VPN MSP to check in the Cisco config as I'm not familiar with any MPPE configuration beyond setting the encryption strength on NPS.
Below is the full debugging output from the Cisco router.

Sep 18 16:07:05.694: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:05.695: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:05.695: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:05.695: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:05.695: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:05.695: RADIUS(0000120A): sending
Sep 18 16:07:05.696: RADIUS: Message Authenticator encoded
Sep 18 16:07:05.696: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/6, len 235
RADIUS: authenticator 6A 42 6A A7 DB 49 90 BB - 0F 72 CE 1C D3 4C 2E 77
Sep 18 16:07:05.696: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:05.696: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:05.696: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:05.696: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:05.696: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:05.697: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:05.697: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:05.697: RADIUS: EAP-Message [79] 16
RADIUS: 02 3B 00 0E 01 62 6B 69 6E 67 73 74 6F 6E [ ;name]
Sep 18 16:07:05.697: RADIUS: Message-Authenticato[80] 18
RADIUS: 0B FF 34 C9 87 68 1D C5 3E A0 CE 28 9D 5D 8A 12 [ 4h>(]]
Sep 18 16:07:05.698: RADIUS: NAS-IP-Address [4] 6 xx.xx.xx.xx
Sep 18 16:07:05.698: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:05.698: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:08.637: RADIUS: Received from id 1645/6 xx.xx.xx.xx:1812, Access-Challenge, len 119
RADIUS: authenticator 6A C6 AC D8 16 79 4D 5F - 39 3D A0 55 48 17 F1 81
Sep 18 16:07:08.637: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.637: RADIUS: Message-Authenticato[80] 18
RADIUS: 41 B3 91 BB B2 33 06 1A 8C 81 07 AF EC 4A A2 63 [ A3Jc]
Sep 18 16:07:08.638: RADIUS: Session-Timeout [27] 6 60
Sep 18 16:07:08.638: RADIUS: EAP-Message [79] 37
RADIUS: 01 3C 00 23 1A 01 3C 00 1E 10 EB C2 AA 8A 16 BA 86 0B 82 C2 2C 9A F8 15 20 91 50 48 58 56 57 50 43 31 31 [ <#<, PHXVWPC11]
Sep 18 16:07:08.638: RADIUS(0000120A): Received from id 1645/6
RADIUS/DECODE: EAP-Message fragments, 35, total 35 bytes
Sep 18 16:07:08.677: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:08.677: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:08.677: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:08.677: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:08.678: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:08.678: RADIUS(0000120A): sending
Sep 18 16:07:08.678: RADIUS: Message Authenticator encoded
Sep 18 16:07:08.678: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/7, len 327
RADIUS: authenticator 88 4F 8A 94 8A 96 95 3B - 12 18 84 BE 21 E5 37 77
Sep 18 16:07:08.679: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:08.679: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:08.679: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:08.679: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:08.679: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:08.680: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:08.680: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:08.681: RADIUS: EAP-Message [79] 70
RADIUS: 02 3C 00 44 1A 02 3C 00 3F 31 A2 61 77 93 E8 0B 94 11 87 84 67 42 CB 63 4E 73 00 00 00 00 00 00 00 00 08 56 09 8B 10 2E 5F E3 5B [<D<?1awgBcNs V._[]
RADIUS: 58 3F 20 75 04 AB FB C6 B0 7D CE 7C 8E 8D 3B 00 62 6B 69 6E 67 73 74 6F 6E [ X? u}|;name]
Sep 18 16:07:08.681: RADIUS: Message-Authenticato[80] 18
RADIUS: 61 E4 72 A3 00 41 8F E3 40 02 B6 A1 63 9A 3A 22 [ arA@c:"]
Sep 18 16:07:08.681: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.682: RADIUS: NAS-IP-Address [4] 6 166.60.177.13
Sep 18 16:07:08.682: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:08.682: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:08.832: RADIUS: Received from id 1645/7 xx.xx.xx.xx:1812, Access-Challenge, len 135
RADIUS: authenticator 1C B5 FE D4 20 D4 A9 E8 - 24 9E 4A A2 DA 1B 95 4E
Sep 18 16:07:08.833: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.833: RADIUS: Message-Authenticato[80] 18
RADIUS: 1D 10 D9 C2 A3 EB 7A CF FB 7F 1F 20 DA 75 F9 98 [ z u]
Sep 18 16:07:08.833: RADIUS: Session-Timeout [27] 6 60
Sep 18 16:07:08.833: RADIUS: EAP-Message [79] 53
RADIUS: 01 3D 00 33 1A 03 3C 00 2E 53 3D 34 34 45 37 43 33 45 32 38 42 [=3<.S=44E7C3E28B]
RADIUS: 35 33 32 39 39 30 38 41 39 38 35 35 36 36 34 33 [5329908A98556643]
RADIUS: 31 35 35 33 35 45 39 46 43 39 30 35 44 35 [ 15535E9FC905D5]
Sep 18 16:07:08.834: RADIUS(0000120A): Received from id 1645/7
RADIUS/DECODE: EAP-Message fragments, 51, total 51 bytes
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A):Orig. component type = VPN IPSEC
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Sep 18 16:07:08.871: RADIUS(0000120A): Config NAS IP: xx.xx.xx.xx
Sep 18 16:07:08.871: RADIUS(0000120A): Config NAS IPv6: ::
Sep 18 16:07:08.871: RADIUS/ENCODE(0000120A): acct_session_id: 8850
Sep 18 16:07:08.871: RADIUS(0000120A): sending
Sep 18 16:07:08.871: RADIUS: Message Authenticator encoded
Sep 18 16:07:08.871: RADIUS(0000120A): Send Access-Request to xx.xx.xx.xx:1812 id 1645/8, len 265
RADIUS: authenticator CF 93 53 97 46 1F 7E 12 - EF 83 37 67 9B 8F ED 0E
Sep 18 16:07:08.871: RADIUS: Service-Type [6] 6 Login [1]
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 26
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 47
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 41 "isakmp-phase1-id=xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: Calling-Station-Id [31] 16 "xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: Vendor, Cisco [26] 69
Sep 18 16:07:08.872: RADIUS: Cisco AVpair [1] 63 "audit-session-id=xx.xx.xx.xx"
Sep 18 16:07:08.872: RADIUS: User-Name [1] 11 "name"
Sep 18 16:07:08.872: RADIUS: EAP-Message [79] 8
RADIUS: 02 3D 00 06 1A 03 [ =]
Sep 18 16:07:08.872: RADIUS: Message-Authenticato[80] 18
RADIUS: 28 97 D9 C5 72 FE CB EE 01 50 84 ED 95 4D B4 D8 [ (rPM]
Sep 18 16:07:08.872: RADIUS: State [24] 38
RADIUS: 1F 4C 02 C7 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 44 D9 28 4E [ L7D(N]
Sep 18 16:07:08.873: RADIUS: NAS-IP-Address [4] 6 xx.xx.xx.xx
Sep 18 16:07:08.873: RADIUS(0000120A): Sending a IPv4 Radius Packet
Sep 18 16:07:08.873: RADIUS(0000120A): Started 30000 sec timeout
Sep 18 16:07:15.090: RADIUS: Received from id 1645/8 xx.xx.xx.xx:1812, Access-Accept, len 283
RADIUS: authenticator 66 08 03 3A B3 6F 71 CD - 19 08 35 5D C4 D2 4C CD
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 42
Sep 18 16:07:15.090: RADIUS: MS-MPPE-Send-Key [16] 36 *
Sep 18 16:07:15.090: RADIUS: Service-Type [6] 6 Framed [2]
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 18
Sep 18 16:07:15.090: RADIUS: MS-CHAP-DOMAIN [10] 12 "xx.xx.xx.xx"
Sep 18 16:07:15.090: RADIUS: Vendor, Microsoft [26] 42
Sep 18 16:07:15.090: RADIUS: MS-MPPE-Recv-Key [17] 36 *
Sep 18 16:07:15.090: RADIUS: Framed-Protocol [7] 6 PPP [1]
Sep 18 16:07:15.091: RADIUS: EAP-Message [79] 6
RADIUS: 03 3D 00 04 [ =]
Sep 18 16:07:15.091: RADIUS: Message-Authenticato[80] 18
RADIUS: D8 08 D2 F5 D1 DB 61 2E 16 22 25 D5 0D DB 07 AA [ a."?]
Sep 18 16:07:15.091: RADIUS: Reply-Message [18] 28
RADIUS: 53 75 63 63 65 73 73 2E 20 4C 6F 67 67 69 6E 67 [Success. Logging]
RADIUS: 20 79 6F 75 20 69 6E 2E 2E 2E [ you in...]
Sep 18 16:07:15.091: RADIUS: Vendor, Microsoft [26] 51
Sep 18 16:07:15.091: RADIUS: MS-CHAP-V2-Success [26] 45 "S=xx.xx.xx.xx"
Sep 18 16:07:15.091: RADIUS: Class [25] 46
RADIUS: 54 10 05 0D 00 00 01 37 00 01 02 00 0A 08 05 DD 00 00 00 00 00 00 00 00 00 00 00 00 01 D5 6D D7 79 7A 0B C1 00 00 00 00 00 00 00 04 [ T7myz]
Sep 18 16:07:15.092: RADIUS(0000120A): Received from id 1645/8
Sep 18 16:07:15.092: RADIUS: MPPE-Send-Key length is bogus, [00] sendkeylen=140, Send-Key=xx.xx.xx.xx
{)o
Sep 18 16:07:15.092: RADIUS/DECODE: decoder; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: attribute MS-MPPE-Send-Key; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: error in Microsoft VSA 16; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: VSA; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: decoder; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Sep 18 16:07:15.092: RADIUS/DECODE: parse response op decode; FAIL
Sep 18 16:07:15.094: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Extensible Authentication Protocol failed

issor1 · ‎04-08-2020

did you resolve the issue? If so, can you please share the workaround?