Cisco Pix and vpn client

kjanakiraman
Level 1

We have a Cisco PIX 515 with 6.2 IOS. Everything was working fine till yesterday and suddenly VPN clients were not able to connect. When a client connects it initialises and then at "authenticating user" it just stops for 10 minutes and gives "remote peer not responding".

When I issue a debug crypto isakmp command I can see the PIX trying to retransmit phase 2 about 5 times and then it fails. Can someone advise me what may be the problem and how to solve it?

Thanks in Advance


jfrahim
Level 5

Hi there,

can you post the log viewer messages to see what's going on?

Jazib

Here is the log when I use debug crypto isakmp:

User Access Verification

crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3

VPN Peer: ISAKMP: Added new peer: ip:12.109.150.150 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:12.109.150.150 Ref cnt incremented to:1 Total VPN Peers:2

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

ISAKMP/xauth: request attribute XAUTH_TYPE

ISAKMP/xauth: request attribute XAUTH_USER_NAME

ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD

ISAKMP (0:0): initiating peer config to 12.109.150.150. ID = 2262769582 (0x86df1fae)

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISADB: reaper checking SA 0x81427eb0, conn_id = 0

ISADB: reaper checking SA 0x81420778, conn_id = 0

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

crypto_isakmp_process_block: src 12.109.150.150, dest 12.109.150.3

ISAKMP (0): processing DELETE payload. message ID = 3207911308

ISAKMP (0): deleting SA: src 12.109.150.150, dst 12.109.150.3

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x81427eb0, conn_id = 0

ISADB: reaper checking SA 0x81420778, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:12.109.150.150 Ref cnt decremented to:0 Total VPN Peers:2

VPN Peer: ISAKMP: Deleted peer: ip:12.109.150.150 Total VPN peers:1

ISADB: reaper checking SA 0x81427eb0, conn_id = 0

ISAKMP: Deleting peer node for 12.109.150.150

Thanks in Advance
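
A small triage script for `debug crypto isakmp` output like the log above, added here as an example (it is not code from any poster in this thread or from Cisco). It reports how far one connection attempt got; the function name `triage`, the stage labels and the condensed sample lines are assumptions constructed for this illustration.

```python
# Added example: summarise a single VPN client attempt from PIX ISAKMP debug text.
# SAMPLE is a constructed, condensed excerpt of the log posted above.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP (0:0): initiating peer config to 12.109.150.150. ID = 2262769582 (0x86df1fae)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): processing DELETE payload. message ID = 3207911308
"""


def triage(log):
    """Return counters and the stage (hypothetical labels) where the attempt stalled."""
    s = {
        "rejected_transforms": 0,      # proposals the PIX policy did not accept
        "phase1_authenticated": False,  # "SA has been authenticated" seen
        "xauth_requested": False,       # PIX asked the client for user credentials
        "retransmits_after_xauth": 0,   # unanswered requests after the XAUTH prompt
        "peer_sent_delete": False,      # client gave up and deleted the SA
        "stalled_at": None,
    }
    for raw in log.splitlines():
        line = raw.strip()
        if "atts are not acceptable" in line:
            s["rejected_transforms"] += 1
        elif "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        elif "ISAKMP/xauth: request attribute" in line or "initiating peer config" in line:
            s["xauth_requested"] = True
        elif "retransmitting phase 2" in line and s["xauth_requested"]:
            s["retransmits_after_xauth"] += 1
        elif "processing DELETE payload" in line:
            s["peer_sent_delete"] = True
    if not s["phase1_authenticated"]:
        s["stalled_at"] = "phase1"   # no proposal accepted or authentication failed
    elif s["xauth_requested"] and s["retransmits_after_xauth"]:
        s["stalled_at"] = "xauth"    # phase 1 is up, client never answered XAUTH
    return s


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over the full log in the post above, it reports phase 1 as authenticated and the stall at the XAUTH request, followed by the client's DELETE.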

dedube23
Level 1

It's crazy, the same thing is happening with our 515 PIX with IOS 6.14.

Same thing. Anyone got an answer? It's driving me crazy. It was working fine and no changes were made.

I think you may have hit the nail on the head here. I have seen a couple of similar instances at customer sites recently whereby previously working client VPN configs suddenly stop working.

By suddenly, I mean that config changes were made to the PIX - normally via PDM - to the VPN client configuration. For example, this can be by changing the IP pool (list of IP addresses served out to the clients).

The only way that I have found to get out of it - unfortunately - is to delete the VPN client config and rebuild it through the VPN Wizard. Sorry, probably not the answer you wanted, but you are not alone with this...! Whether there are any fixes for this in PIX 6.3, I'm not sure.

Regards, Barry