02-18-2003 06:39 AM - edited 02-21-2020 12:21 PM
We have a Cisco PIX 515 with 6.2 IOS. Everything was working fine till yesterday, and suddenly VPN clients were not able to connect. When a client connects, it initialises and then at "authenticating user" it just stops for 10 minutes and gives "remote peer not responding".
When I issue a debug crypto isakmp command, I can see the PIX trying to retransmit phase 2 about 5 times, and then it fails. Can someone advise me what may be the problem and how to solve the same?
Thanks in Advance
02-19-2003 05:04 PM
Hi there,
Can you post the log viewer messages to see what's going on?
Jazib
02-21-2003 02:15 PM
Here is the log when I use debug crypto isakmp:
User Access Verification
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
VPN Peer: ISAKMP: Added new peer: ip:12.109.150.150 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:12.109.150.150 Ref cnt incremented to:1 Total VPN Peers:2
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 12.109.150.150. ID = 2262769582 (0x86df1fae)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISADB: reaper checking SA 0x81427eb0, conn_id = 0
ISADB: reaper checking SA 0x81420778, conn_id = 0
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
ISAKMP (0): processing DELETE payload. message ID = 3207911308
ISAKMP (0): deleting SA: src 12.109.150.150, dst 12.109.150.3
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x81427eb0, conn_id = 0
ISADB: reaper checking SA 0x81420778, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:12.109.150.150 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:12.109.150.150 Total VPN peers:1
ISADB: reaper checking SA 0x81427eb0, conn_id = 0
ISAKMP: Deleting peer node for 12.109.150.150
Thanks in Advance
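The sequence in the debug output above, reduced to a summary, as an added example that is not part of the original thread: the script walks a `debug crypto isakmp` capture and reports how far the exchange got before the retransmits began. The function names are hypothetical, and the sample is an abridged excerpt built from lines of the log in this post.

```python
# Abridged excerpt of the `debug crypto isakmp` output posted above
# (constructed for this example from lines in that log).
SAMPLE = """\
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
OAK_AG exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 3
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3
ISAKMP (0): processing DELETE payload. message ID = 3207911308
"""

def summarize(log):
    """Walk the debug output in order and record how far the exchange got."""
    s = {"rejected_transforms": 0, "phase1_authenticated": False,
         "xauth_requested": False, "longest_retransmit_run": 0,
         "peer_sent_delete": False}
    run = 0  # consecutive retransmits with no inbound packet in between
    for line in map(str.strip, log.splitlines()):
        if "atts are not acceptable" in line:
            s["rejected_transforms"] += 1
        elif "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        elif line.startswith("ISAKMP/xauth: request attribute"):
            s["xauth_requested"] = True
        elif "retransmitting phase 2" in line:
            run += 1
            s["longest_retransmit_run"] = max(s["longest_retransmit_run"], run)
        elif line.startswith("crypto_isakmp_process_block"):
            run = 0  # the PIX processed a packet from the peer
        elif "processing DELETE payload" in line:
            s["peer_sent_delete"] = True
    return s

def stall_point(s):
    """Name the last stage the log shows before the retransmits."""
    if not s["phase1_authenticated"]:
        return "phase 1 not authenticated"
    if s["longest_retransmit_run"] == 0:
        return "no retransmits seen"
    return "after XAUTH request" if s["xauth_requested"] else "after phase 1"

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(summary, "->", stall_point(summary))
```

Run against the full log in this post, the same walk shows phase 1 authenticated, the XAUTH attributes requested, and then only retransmits until the peer's DELETE arrives.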
03-17-2003 09:35 AM
It's crazy, the same thing is happening with our 515 PIX with IOS 6.14.
Same thing. Anyone got an answer? It's driving me crazy. Was working fine and know changes were made.
03-17-2003 09:43 AM
I think you may have hit the nail on the head here. I have seen a couple of similar instances at customer sites recently whereby previously working client VPN configs suddenly stop working.
By suddenly, I mean that config changes were made to the PIX - normally via PDM - to the VPN client configuration. For example, this can be by changing the IP pool (list of IP addresses served out to the clients).
The only way that I have found to get out of it - unfortunately - is to delete the VPN client config and rebuild it through the VPN Wizard. Sorry, probably not the answer you wanted, but you are not alone with this...! Whether there are any fixes for this in PIX 6.3, I'm not sure.
Regards, Barry