Cisco Pix IPSEC VPN to Cisco VPN Client Connection Error 412

erick-christy
Level 1

I have a Pix 515E with a VPN setup. I recently tried to connect using the Cisco VPN Client and get the following error:

"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"

I have previously been able to connect to this VPN using the Cisco VPN Client without issue.

Below is a copy of my config, the VPN Client log, and the debug logs from the PIX. We have Newwave Communications cable internet, and I just found out that the ISP has recently implemented DOCSIS 3.0 (I'm not sure if that matters). Any assistance is greatly appreciated.

*******************************************************************************************************************************************

pix1(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname ABC
domain-name abc.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx xx.xx.xx.xx
ip address inside 10.10.10.200 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.100.1-192.168.100.254
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list 102
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 deny 0.0.0.0 0.0.0.0 0 esp
outbound 10 permit 10.10.0.0 255.255.0.0 21 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 53 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 53 udp
outbound 10 permit 10.10.0.0 255.255.0.0 443 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 443 udp
outbound 10 permit 10.10.0.0 255.255.0.0 21 udp
outbound 10 permit 10.10.0.0 255.255.0.0 110 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 143 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 80 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 20 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 23 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 25 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 1494 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 22 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 22 udp
outbound 10 permit 0.0.0.0 0.0.0.0 0 udp
outbound 10 permit 10.10.10.0 255.255.255.0 0 udp
outbound 11 permit 0.0.0.0 0.0.0.0 0 tcp
outbound 11 permit 0.0.0.0 0.0.0.0 0 udp
outbound 11 permit 0.0.0.0 0.0.0.0 0 esp
apply (inside) 10 outgoing_src
route outside 0.0.0.0 0.0.0.0 63.142.125.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community ABC-manage
no snmp-server enable traps
tftp-server inside 10.10.10.230 \
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN1 address-pool vpnpool1
vpngroup VPN1 dns-server 10.10.10.1
vpngroup VPN1 wins-server 10.10.10.1
vpngroup VPN1 split-tunnel 102
vpngroup VPN1 idle-time 1800
vpngroup VPN1 password ********
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:296bd7d8bf19bb87f2545918c45288bd
: end

****************************VPN Client Log*********************************

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

54     09:59:29.733  12/27/12  Sev=Info/4    CM/0x63100002
Begin connection process

55     09:59:29.733  12/27/12  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

56     09:59:29.733  12/27/12  Sev=Info/4    CM/0x63100004
Establish secure connection

57     09:59:29.733  12/27/12  Sev=Info/4    CM/0x63100024
Attempt connection with server "x.x.x.x"

58     09:59:29.733  12/27/12  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

59     09:59:29.733  12/27/12  Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation

60     09:59:29.748  12/27/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x

61     09:59:29.748  12/27/12  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

62     09:59:29.748  12/27/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

63     09:59:34.943  12/27/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

64     09:59:34.943  12/27/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

65     09:59:40.013  12/27/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

66     09:59:40.013  12/27/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

67     09:59:45.083  12/27/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

68     09:59:45.083  12/27/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x

69     09:59:50.153  12/27/12  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D1F224471B8BBF55 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

70     09:59:51.167  12/27/12  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D1F224471B8BBF55 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

71     09:59:51.167  12/27/12  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

72     09:59:51.167  12/27/12  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

73     09:59:51.167  12/27/12  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

74     09:59:51.167  12/27/12  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

75     09:59:51.167  12/27/12  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

76     09:59:51.167  12/27/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

77     09:59:51.167  12/27/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

78     09:59:51.167  12/27/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

79     09:59:51.167  12/27/12  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

***********************PIX DEBUG INFO************************

crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:0
ISAKMP: larval sa found

9 Replies

Jitendra Siyag
Level 1

Have you tried from any other PC?

What I found is that your problem is here:

ISAKMP: larval sa found
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for y.y.y.y/500 not found - peers:0
ISAKMP: larval sa found

Try to remove and reapply the crypto map using the commands below and try again.

no crypto map map1 interface outside
crypto map map1 interface outside

I have tried this from many different PCs (XP Pro, Win7 Pro), from different networks, with the same results.

I had already completely redone the ENTIRE config from scratch, but I just redid the two commands that you suggested, along with writing to memory and then rebooting the PIX, with the same results.

Could there be anything the ISP is doing to block this? This same config had been working for years and now it is not.

Hi,

Does seem like a strange problem.

Personally I find some of the debugging and log output of Cisco devices and software really hard to make sense of, especially when I can't find supporting documentation to know what some messages mean.

You say that this same setup has worked for years and now suddenly you can't connect?

Has the ISP made any changes to your Internet connection, or perhaps to routers in front of the PIX? Could it be possible that the VPN connection from the client is coming to the PIX but the traffic from the PIX towards the client is getting blocked? This would of course mean that the ISP has some kind of access rules, perhaps on a router, that simply block the traffic towards the client. But to me this seems like a long shot; still, I can't think of anything else myself either.

What makes it even weirder is the fact that the PIX debug/log says that it sees the connection attempt from the client and has already gone through its policies for Phase 1 and seen that it has a policy matching the values proposed by the client. Yet I can't understand why the client would give an error message that the PIX isn't responding.

Have you tried perhaps configuring another VPN Client connection profile to the PIX and trying to connect using it, to see if there is any kind of difference?

- Jouni

Yes, I have created my VPN profile from scratch as well as using a previous profile. x86 or x64 clients, any version of Windows. I even went as far as setting up a PIX at my office, where we use the same provider, and I have the same problem with the VPN, so I keep thinking it is the ISP; the only thing that they have changed that I know of is that they implemented DOCSIS 3.0. I also created a PPTP IPSEC VPN at my client's location and had similar results with that also... no connection... HELP, I am out of ideas.

I don't see the following command:

isakmp key ********* address 0.0.0.0 netmask 0.0.0.0

ISAKMP is failing because the packets the VPN client is sending are not getting to the PIX (or the response packets from the PIX are not getting to you). So this would indicate the ISP is blocking something.

DOCSIS 3.0 has changed to use AES, but both ends must support it.

Can you change the

isakmp policy 10 encryption aes-256

to aes and try it.

I tried using just aes... same results.

I then added the line suggested by bmurray, and below is the output of the debug.

I am also checking with the ISP to see if they can assist.

ISAKMP (0): deleting SA: src x.x.x.x, dst x.x.x.x
ISADB: reaper checking SA 0xd601bc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:0
crypto ipsec
FRKpix1(config)# debug crypto engine
FRKpix1(config)#
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash SHA
ISAKMP:     default group 2
ISAKMP:     extended auth pre-share (init)
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash MD5
ISAKMP:     default group 2
ISAKMP:     extended auth pre-share (init)
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash SHA
ISAKMP:     default group 2
ISAKMP:     auth pre-share
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash MD5
ISAKMP:     default group 2
ISAKMP:     auth pre-share
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash SHA
ISAKMP:     default group 2
ISAKMP:     extended auth pre-share (init)
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash MD5
ISAKMP:     default group 2
ISAKMP:     extended auth pre-share (init)
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash SHA
ISAKMP:     default group 2
ISAKMP:     auth pre-share
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:     encryption AES-CBC
ISAKMP:     hash MD5
ISAKMP:     default group 2
ISAKMP:     auth pre-share
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:     keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash SHA
ISAKMP:     default group 2
ISAKMP:     extended auth pre-share (init)
ISAKMP:     life type in seconds
ISAKMP:     life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:x.x.x.227, dest:x.x.x.218 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.218 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:0
ISAKMP: larval sa found

Hi,

Now it states that there are no matching Phase 1 parameters/policies on the firewall that could be agreed on with the client?

Have you had the following debugs enabled on the firewall?

debug crypto isakmp sa
debug crypto ipsec sa

I'm not sure if the above commands are different depending on software. I sometimes mix up the commands as I jump back and forth between IOS and ASA/PIX devices. (They might have a number value at the end to determine how much information is viewed in the output.)

If you want to make some test profile on the PIX (that doesn't forward traffic anywhere) and provide me with the group name, PSK and a test username/password, I guess I could try whether it gives me the same kind of output when attempting to connect with the VPN Client. (Through private message.)

EDIT: Typos

- Jouni
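The two PIX debugs in this thread tell different stories, and the client log settles which side to blame. In the original post the PIX accepts the client's transform 3 (AES-256/SHA/group 2/pre-share), builds NAT-D payloads, and then only ever sees aggressive-mode message 1 again ("larval sa found", "retransmitting phase 1"), while the client retransmits three times and gives up with an all-zero R_Cookie, meaning it never processed any reply: that is a PIX-to-client UDP 500/4500 path problem, as Jouni and the reply about the ISP suggest. The debug posted after the `aes` change instead rejects every transform, which is a Phase 1 policy mismatch on the PIX itself and a different fault. The script below is an added example, not code from the thread or from Cisco, that parses both artifacts and names the stall point; the sample inputs are constructed abridgements of the logs above, and the verdict names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, abridged from the logs posted in this thread.
CLIENT_LOG = """\
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Unity)) to x.x.x.x
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
Marking IKE SA for deletion  (I_Cookie=D1F224471B8BBF55 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
PIX_DEBUG_FIRST = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      extended auth pre-share (init)
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): Detected port floating
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP: larval sa found
"""
PIX_DEBUG_AFTER_AES_CHANGE = """\
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      auth pre-share
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
"""


@dataclass
class ClientSummary:
    ag_sent: int = 0                # initial OAK AG (aggressive-mode message 1) sends
    retransmits: int = 0            # resends of that same message
    received: int = 0               # anything the client logged as RECEIVING <<<
    responder_cookie: bool = False  # a non-zero R_Cookie means a reply was processed
    reason: str = ""                # DEL_REASON_* the client gave up with


@dataclass
class PixSummary:
    transforms: list = field(default_factory=list)  # client proposals plus the PIX verdict
    nat_t: bool = False
    port_float: bool = False        # PIX expects the exchange to move to UDP 4500
    phase1_retransmits: int = 0     # PIX re-sending its own Phase 1 reply
    larval_hits: int = 0            # message 1 arriving again on a half-built SA


def parse_client_log(text: str) -> ClientSummary:
    s = ClientSummary()
    for line in text.splitlines():
        if "SENDING >>> ISAKMP OAK AG (Retransmission)" in line:
            s.retransmits += 1
        elif "SENDING >>> ISAKMP OAK AG" in line:
            s.ag_sent += 1
        elif "RECEIVING <<<" in line:
            s.received += 1
        if (m := re.search(r"R_Cookie=([0-9A-Fa-f]{16})", line)) and int(m.group(1), 16):
            s.responder_cookie = True
        if m := re.search(r"reason = (DEL_REASON_\w+)", line):
            s.reason = m.group(1)
    return s


TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^\s*ISAKMP:\s+(encryption|hash|default group|extended auth|auth|keylength of)\s+(\S+)")


def parse_pix_debug(text: str) -> PixSummary:
    p, cur = PixSummary(), None
    for line in text.splitlines():
        if m := TRANSFORM_RE.search(line):
            cur = {"number": int(m.group(1)), "policy": int(m.group(2)), "attrs": {}, "acceptable": None}
            p.transforms.append(cur)
        elif cur and (m := ATTR_RE.match(line)):
            cur["attrs"][m.group(1)] = m.group(2)
        elif cur and "atts are" in line:
            cur["acceptable"] = "not acceptable" not in line
            cur = None                  # the verdict closes this transform
        p.nat_t |= "vendor ID is NAT-T" in line
        p.port_float |= "Detected port floating" in line
        p.phase1_retransmits += "retransmitting phase 1" in line
        p.larval_hits += "larval sa found" in line
    return p


def classify(client: ClientSummary, pix: PixSummary) -> str:
    """Name where Phase 1 stalled, using evidence from both ends."""
    if not pix.transforms:
        return "REQUEST_NOT_REACHING_PIX"       # PIX never saw OAK AG message 1
    if not any(t["acceptable"] for t in pix.transforms):
        return "PHASE1_POLICY_MISMATCH"         # every proposal rejected: fix isakmp policy
    if client.received == 0 and not client.responder_cookie:
        # PIX accepted a proposal and built its reply, then kept seeing message 1 on a
        # larval SA, while the client only retransmitted and died with an all-zero
        # R_Cookie: the PIX -> client UDP 500/4500 path is what to look at.
        return "PHASE1_REPLY_NOT_REACHING_CLIENT"
    return "PHASE1_PROGRESSED"


if __name__ == "__main__":
    c = parse_client_log(CLIENT_LOG)
    print(classify(c, parse_pix_debug(PIX_DEBUG_FIRST)))
    print(classify(c, parse_pix_debug(PIX_DEBUG_AFTER_AES_CHANGE)))
```

Run it against a full `debug crypto isakmp` capture and the client's log file rather than the abridged samples; the attribute dictionary on each rejected transform shows exactly which combination (here, xauth versus plain pre-share, and 128- versus 256-bit AES) the PIX's single `isakmp policy 10` line is turning away.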