
Cisco VPN Client error connecting to Cisco 877 Router

iboreaniz
Level 1

I am unable to connect to the VPN I set up on my Cisco 877 router using the Cisco VPN Client on a Windows 7 machine. The log of the VPN client and the config of the router are below. Any help in resolving this is appreciated.

Thanks in advance.

-------VPN CLIENT LOGS------

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

316    10:07:52.075  04/27/14  Sev=Info/4    CM/0x63100002
Begin connection process

317    10:07:52.091  04/27/14  Sev=Info/4    CM/0x63100004
Establish secure connection

318    10:07:52.091  04/27/14  Sev=Info/4    CM/0x63100024
Attempt connection with server "195.120.214.243"

319    10:07:52.091  04/27/14  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 195.120.214.243.

320    10:07:52.107  04/27/14  Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation

321    10:07:52.107  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 195.120.214.243

322    10:07:52.668  04/27/14  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

323    10:07:52.668  04/27/14  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

324    10:07:52.668  04/27/14  Sev=Info/4    IPSEC/0x6370000D
Key(s) deleted by Interface (10.0.0.11)

325    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

326    10:07:52.777  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 195.120.214.243

327    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

328    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x63000001
Peer supports DPD

329    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x63000001
Peer supports DWR Code and DWR Text

330    10:07:52.933  04/27/14  Sev=Info/6    GUI/0x63B00012
Authentication request attributes is 6h.

331    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

332    10:07:52.777  04/27/14  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

333    10:07:52.793  04/27/14  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

334    10:07:52.793  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 195.120.214.243

335    10:07:52.793  04/27/14  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

336    10:07:52.793  04/27/14  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0xF4C0, Remote Port = 0x1194

337    10:07:52.793  04/27/14  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

338    10:07:52.793  04/27/14  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

339    10:07:52.918  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

340    10:07:52.918  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 195.120.214.243

341    10:07:52.918  04/27/14  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

342    10:07:52.918  04/27/14  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

343    10:07:52.918  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

344    10:07:52.918  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 195.120.214.243

345    10:07:52.918  04/27/14  Sev=Info/4    CM/0x63100015
Launch xAuth application

346    10:08:01.435  04/27/14  Sev=Info/4    CM/0x63100017
xAuth application returned

347    10:08:01.435  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 195.120.214.243

348    10:08:01.560  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

349    10:08:01.560  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 195.120.214.243

350    10:08:01.560  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 195.120.214.243

351    10:08:01.560  04/27/14  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

352    10:08:01.576  04/27/14  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator

353    10:08:01.576  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 195.120.214.243

354    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

355    10:08:01.716  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 195.120.214.243

356    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.192

357    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.51.121.193

358    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.51.121.245

359    10:08:01.716  04/27/14  Sev=Info/5    IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (171145717) is not supported

360    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

361    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

362    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000F
SPLIT_NET #1
    subnet = 10.51.121.192
    mask = 255.255.255.192
    protocol = 0
    src port = 0
    dest port=0

363    10:08:01.716  04/27/14  Sev=Info/5    IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data

364    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000000

365    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 03-Sep-10 17:16 by prod_rel_team

366    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

367    10:08:01.716  04/27/14  Sev=Warning/2    IKE/0xE3000023
No private IP address was assigned by the peer

368    10:08:01.716  04/27/14  Sev=Warning/2    IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

369    10:08:01.716  04/27/14  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=E05DA34CC8BBFB4B R_Cookie=21467F818568561B) reason = DEL_REASON_IKE_NEG_FAILED

370    10:08:01.716  04/27/14  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 195.120.214.243

371    10:08:01.716  04/27/14  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 195.120.214.243

372    10:08:01.716  04/27/14  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=E05DA34CC8BBFB4B R_Cookie=21467F818568561B

373    10:08:01.716  04/27/14  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 195.120.214.243

374    10:08:04.836  04/27/14  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E05DA34CC8BBFB4B R_Cookie=21467F818568561B) reason = DEL_REASON_IKE_NEG_FAILED

375    10:08:04.836  04/27/14  Sev=Info/4    CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

376    10:08:04.836  04/27/14  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

377    10:08:04.852  04/27/14  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

378    10:08:04.852  04/27/14  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

379    10:08:05.850  04/27/14  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

380    10:08:05.850  04/27/14  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

381    10:08:05.850  04/27/14  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

382    10:08:05.850  04/27/14  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

-----ROUTER CONFIGURATION---------

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AgeSoffiano
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$K4v3$hVwC0KjjjjSQcEa.IZHUl1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login fondiaria local
aaa authorization exec default local
aaa authorization network fondiaria local
!
!
aaa session-id common
clock timezone GMT+1 1
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
!
crypto pki trustpoint innocenti
 enrollment selfsigned
 subject-name CN=cn=IOS-Self-Signed-Certificate-1286547895
 revocation-check none
 rsakeypair innocenti
!
!
crypto pki certificate chain innocenti
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
!
!
ip cef
ip domain name alicebusiness.it
ip name-server 151.99.125.1
ip name-server 151.99.125.2
!
!
!
!
username innofondi privilege 15 password 7 06370B255F1D5F4B2D0E
username Simetel privilege 15 password 7 01200F095E1F030304424947485C4E475A
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key xxxxxxxxxxx
 dns 10.51.121.193 10.51.121.245
 pool fondiariapool
 acl 101
 include-local-lan
 max-logins 1
 netmask 255.255.255.192
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto dynamic-map fondiariamap 1
 set transform-set esp-3des-sha
 reverse-route
!
!
crypto map cfondiariamap local-address Loopback2
crypto map cfondiariamap client authentication list fondiaria
crypto map cfondiariamap isakmp authorization list fondiaria
crypto map cfondiariamap client configuration address respond
crypto map cfondiariamap 65535 ipsec-isakmp dynamic fondiariamap
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 195.120.214.241 255.255.255.255
!
interface Loopback1
 ip address 195.120.214.242 255.255.255.255
!
interface Loopback2
 ip address 195.120.214.243 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 95.242.189.204
 tunnel mode ipip
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 ip address 194.243.173.178 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map cfondiariamap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.51.121.196 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
ip local pool fondiariapool 10.51.121.253
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.30.0.0 255.255.0.0 10.51.121.194
ip route 10.50.0.0 255.255.0.0 10.51.121.194
ip route 10.55.121.192 255.255.255.240 Tunnel0
ip route 10.56.121.192 255.255.255.224 Tunnel0
ip route 10.60.0.0 255.255.0.0 10.51.121.194
ip route 10.128.0.0 255.128.0.0 10.51.121.194
ip http server
ip http secure-server
!
ip nat inside source static tcp 10.51.121.200 10099 interface Loopback0 10099
ip nat inside source static tcp 10.51.121.200 3478 interface Loopback0 3478
ip nat inside source static udp 10.51.121.200 3478 interface Loopback0 3478
ip nat inside source static udp 10.51.121.200 8003 interface Loopback0 8003
ip nat inside source static udp 10.51.121.200 8002 interface Loopback0 8002
ip nat inside source static udp 10.51.121.200 8001 interface Loopback0 8001
ip nat inside source static udp 10.51.121.200 8000 interface Loopback0 8000
ip nat inside source static tcp 10.51.121.200 443 interface Loopback0 443
ip nat inside source static udp 10.51.121.200 5060 interface Loopback0 5060
ip nat inside source static tcp 10.51.121.200 5060 interface Loopback0 5060
ip nat inside source route-map nonat interface Loopback2 overload
!
access-list 101 permit ip 10.51.121.192 0.0.0.63 any
access-list 111 deny   ip 10.51.121.192 0.0.0.63 host 10.51.121.253
access-list 111 permit ip 10.51.121.192 0.0.0.63 any
no cdp run

!
!
!
route-map nonat permit 65535
 match ip address 111
!
!
control-plane
!
!
line con 0
 password 7 112035244640580F0B24382B2436
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 132C3B335A5E573E2E28263621
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 193.204.114.232
end


------DEBUG CRYPTO ISAKMP------

.Apr 27 08:15:42.528: ISAKMP (0): received packet from 87.16.120.230 dport 500 sport 51622 Global (N) NEW SA
.Apr 27 08:15:42.528: ISAKMP: Created a peer struct for 87.16.120.230, peer port 51622
.Apr 27 08:15:42.528: ISAKMP: New peer created peer = 0x8327AE20 peer_handle = 0x80000011
.Apr 27 08:15:42.528: ISAKMP: Locking peer struct 0x8327AE20, refcount 1 for crypto_isakmp_process_block
.Apr 27 08:15:42.528: ISAKMP:(0):Setting client config settings 846FBD94
.Apr 27 08:15:42.528: ISAKMP:(0):(Re)Setting client xauth list  and state
.Apr 27 08:15:42.528: ISAKMP/xauth: initializing AAA request
.Apr 27 08:15:42.532: ISAKMP: local port 500, remote port 51622
.Apr 27 08:15:42.532: ISAKMP:(0):insert sa successfully sa = 8327D8D8
.Apr 27 08:15:42.532: ISAKMP:(0): processing SA payload. message ID = 0
.Apr 27 08:15:42.532: ISAKMP:(0): processing ID payload. message ID = 0
.Apr 27 08:15:42.532: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpn
        protocol     : 17
        port         : 500
        length       : 11
.Apr 27 08:15:42.532: ISAKMP:(0):: peer matches *none* of the profiles
.Apr 27 08:15:42.532: ISAKMP:(0): processing vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID is XAUTH
.Apr 27 08:15:42.532: ISAKMP:(0): processing vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID is DPD
.Apr 27 08:15:42.532: ISAKMP:(0): processing vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0): processing IKE frag vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0):Support for IKE Fragmentation not enabled
.Apr 27 08:15:42.532: ISAKMP:(0): processing vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID is NAT-T v2
.Apr 27 08:15:42.532: ISAKMP:(0): processing vendor id payload
.Apr 27 08:15:42.532: ISAKMP:(0): vendor ID is Unity
.Apr 27 08:15:42.536: ISAKMP:(0): Authentication by xauth preshared
.Apr 27 08:15:42.536: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
.Apr 27 08:15:42.536: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.536: ISAKMP:      hash SHA
.Apr 27 08:15:42.536: ISAKMP:      default group 2
.Apr 27 08:15:42.536: ISAKMP:      auth XAUTHInitPreShared
.Apr 27 08:15:42.536: ISAKMP:      life type in seconds
.Apr 27 08:15:42.536: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.536: ISAKMP:      keylength of 256
.Apr 27 08:15:42.536: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.536: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.536: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
.Apr 27 08:15:42.536: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.536: ISAKMP:      hash MD5
.Apr 27 08:15:42.536: ISAKMP:      default group 2
.Apr 27 08:15:42.536: ISAKMP:      auth XAUTHInitPreShared
.Apr 27 08:15:42.536: ISAKMP:      life type in seconds
.Apr 27 08:15:42.536: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.536: ISAKMP:      keylength of 256
.Apr 27 08:15:42.536: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.536: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.536: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
.Apr 27 08:15:42.536: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.536: ISAKMP:      hash SHA
.Apr 27 08:15:42.536: ISAKMP:      default group 2
.Apr 27 08:15:42.536: ISAKMP:      auth pre-share
.Apr 27 08:15:42.536: ISAKMP:      life type in seconds
.Apr 27 08:15:42.536: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.536: ISAKMP:      keylength of 256
.Apr 27 08:15:42.540: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.540: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.540: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
.Apr 27 08:15:42.540: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.540: ISAKMP:      hash MD5
.Apr 27 08:15:42.540: ISAKMP:      default group 2
.Apr 27 08:15:42.540: ISAKMP:      auth pre-share
.Apr 27 08:15:42.540: ISAKMP:      life type in seconds
.Apr 27 08:15:42.540: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.540: ISAKMP:      keylength of 256
.Apr 27 08:15:42.540: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.540: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.540: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
.Apr 27 08:15:42.540: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.540: ISAKMP:      hash SHA
.Apr 27 08:15:42.540: ISAKMP:      default group 2
.Apr 27 08:15:42.540: ISAKMP:      auth XAUTHInitPreShared
.Apr 27 08:15:42.540: ISAKMP:      life type in seconds
.Apr 27 08:15:42.540: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.540: ISAKMP:      keylength of 128
.Apr 27 08:15:42.540: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.540: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.540: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
.Apr 27 08:15:42.540: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.540: ISAKMP:      hash MD5
.Apr 27 08:15:42.540: ISAKMP:      default group 2
.Apr 27 08:15:42.540: ISAKMP:      auth XAUTHInitPreShared
.Apr 27 08:15:42.540: ISAKMP:      life type in seconds
.Apr 27 08:15:42.540: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.540: ISAKMP:      keylength of 128
.Apr 27 08:15:42.544: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.544: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.544: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
.Apr 27 08:15:42.544: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.544: ISAKMP:      hash SHA
.Apr 27 08:15:42.544: ISAKMP:      default group 2
.Apr 27 08:15:42.544: ISAKMP:      auth pre-share
.Apr 27 08:15:42.544: ISAKMP:      life type in seconds
.Apr 27 08:15:42.544: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.544: ISAKMP:      keylength of 128
.Apr 27 08:15:42.544: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.544: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.544: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
.Apr 27 08:15:42.544: ISAKMP:      encryption AES-CBC
.Apr 27 08:15:42.544: ISAKMP:      hash MD5
.Apr 27 08:15:42.544: ISAKMP:      default group 2
.Apr 27 08:15:42.544: ISAKMP:      auth pre-share
.Apr 27 08:15:42.544: ISAKMP:      life type in seconds
.Apr 27 08:15:42.544: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.544: ISAKMP:      keylength of 128
.Apr 27 08:15:42.544: ISAKMP:(0):Encryption algorithm offered does not match policy!
.Apr 27 08:15:42.544: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Apr 27 08:15:42.544: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
.Apr 27 08:15:42.544: ISAKMP:      encryption 3DES-CBC
.Apr 27 08:15:42.544: ISAKMP:      hash SHA
.Apr 27 08:15:42.544: ISAKMP:      default group 2
.Apr 27 08:15:42.544: ISAKMP:      auth XAUTHInitPreShared
.Apr 27 08:15:42.544: ISAKMP:      life type in seconds
.Apr 27 08:15:42.544: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
.Apr 27 08:15:42.544: ISAKMP:(0):atts are acceptable. Next payload is 3
.Apr 27 08:15:42.544: ISAKMP:(0):Acceptable atts:actual life: 86400
.Apr 27 08:15:42.544: ISAKMP:(0):Acceptable atts:life: 0
.Apr 27 08:15:42.544: ISAKMP:(0):Fill atts in sa vpi_length:4
.Apr 27 08:15:42.544: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
.Apr 27 08:15:42.544: ISAKMP:(0):Returning Actual lifetime: 86400
.Apr 27 08:15:42.544: ISAKMP:(0)::Started lifetime timer: 86400.

.Apr 27 08:15:42.548: ISAKMP:(0): processing KE payload. message ID = 0
.Apr 27 08:15:42.588: ISAKMP:(0): processing NONCE payload. message ID = 0
.Apr 27 08:15:42.592: ISAKMP:(0): vendor ID is NAT-T v2
.Apr 27 08:15:42.592: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
.Apr 27 08:15:42.592: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

.Apr 27 08:15:42.596: ISAKMP:(2009): constructed NAT-T vendor-02 ID
.Apr 27 08:15:42.596: ISAKMP:(2009):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
.Apr 27 08:15:42.596: ISAKMP (2009): ID payload
        next-payload : 10
        type         : 1
        address      : 195.120.214.243
        protocol     : 0
        port         : 0
        length       : 12
.Apr 27 08:15:42.596: ISAKMP:(2009):Total payload length: 12
.Apr 27 08:15:42.596: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 500 peer_port 51622 (R) AG_INIT_EXCH
.Apr 27 08:15:42.596: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:42.596: ISAKMP:(2009):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
.Apr 27 08:15:42.596: ISAKMP:(2009):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

.Apr 27 08:15:42.652: ISAKMP (2009): received packet from 87.16.120.230 dport 4500 sport 51623 Global (R) AG_INIT_EXCH
.Apr 27 08:15:42.652: ISAKMP:(2009): processing HASH payload. message ID = 0
.Apr 27 08:15:42.652: ISAKMP:(2009): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 8327D8D8
.Apr 27 08:15:42.652: ISAKMP:received payload type 20
.Apr 27 08:15:42.652: ISAKMP (2009): His hash no match - this node outside NAT
.Apr 27 08:15:42.652: ISAKMP:received payload type 20
.Apr 27 08:15:42.656: ISAKMP (2009): His hash no match - this node outside NAT
.Apr 27 08:15:42.656: ISAKMP:(2009):SA authentication status:
        authenticated
.Apr 27 08:15:42.656: ISAKMP:(2009):SA has been authenticated with 87.16.120.230
.Apr 27 08:15:42.656: ISAKMP:(2009):Detected port,floating to port = 51623
.Apr 27 08:15:42.656: ISAKMP: Trying to find existing peer 195.120.214.243/87.16.120.230/51623/
.Apr 27 08:15:42.656: ISAKMP:(2009):SA authentication status:
        authenticated
.Apr 27 08:15:42.656: ISAKMP:(2009): Process initial contact,
bring down existing phase 1 and 2 SA's with local 195.120.214.243 remote 87.16.120.230 remote port 51623
.Apr 27 08:15:42.656: ISAKMP:(2009):returning IP addr to the address pool
.Apr 27 08:15:42.656: ISAKMP: Trying to insert a peer 195.120.214.243/87.16.120.230/51623/,  and inserted successfully 8327AE20.
.Apr 27 08:15:42.656: ISAKMP:(2009):Returning Actual lifetime: 86400
.Apr 27 08:15:42.656: ISAKMP: set new node 847504956 to CONF_XAUTH
.Apr 27 08:15:42.660: ISAKMP:(2009):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 2211104144, message ID = 847504956
.Apr 27 08:15:42.660: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 4500 peer_port 51623 (R) QM_IDLE
.Apr 27 08:15:42.660: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:42.660: ISAKMP:(2009):purging node 847504956
.Apr 27 08:15:42.660: ISAKMP: Sending phase 1 responder lifetime 86400

.Apr 27 08:15:42.660: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
.Apr 27 08:15:42.660: ISAKMP:(2009):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

.Apr 27 08:15:42.660: ISAKMP:(2009):Need XAUTH
.Apr 27 08:15:42.664: ISAKMP: set new node 799694834 to CONF_XAUTH
.Apr 27 08:15:42.664: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
.Apr 27 08:15:42.664: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
.Apr 27 08:15:42.664: ISAKMP:(2009): initiating peer config to 87.16.120.230. ID = 799694834
.Apr 27 08:15:42.664: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 4500 peer_port 51623 (R) CONF_XAUTH
.Apr 27 08:15:42.664: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:42.664: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Apr 27 08:15:42.664: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

.Apr 27 08:15:50.497: ISAKMP (2009): received packet from 87.16.120.230 dport 4500 sport 51623 Global (R) CONF_XAUTH
.Apr 27 08:15:50.497: ISAKMP:(2009):processing transaction payload from 87.16.120.230. message ID = 799694834
.Apr 27 08:15:50.497: ISAKMP: Config payload REPLY
.Apr 27 08:15:50.497: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
.Apr 27 08:15:50.497: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
.Apr 27 08:15:50.501: ISAKMP:(2009):deleting node 799694834 error FALSE reason "Done with xauth request/reply exchange"
.Apr 27 08:15:50.501: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
.Apr 27 08:15:50.501: ISAKMP:(2009):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

.Apr 27 08:15:50.501: ISAKMP: set new node 1469417995 to CONF_XAUTH
.Apr 27 08:15:50.501: ISAKMP:(2009): initiating peer config to 87.16.120.230. ID = 1469417995
.Apr 27 08:15:50.501: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 4500 peer_port 51623 (R) CONF_XAUTH
.Apr 27 08:15:50.501: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:50.505: ISAKMP:(2009):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
.Apr 27 08:15:50.505: ISAKMP:(2009):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

.Apr 27 08:15:50.541: ISAKMP (2009): received packet from 87.16.120.230 dport 4500 sport 51623 Global (R) CONF_XAUTH
.Apr 27 08:15:50.545: ISAKMP:(2009):processing transaction payload from 87.16.120.230. message ID = 1469417995
.Apr 27 08:15:50.545: ISAKMP: Config payload ACK
.Apr 27 08:15:50.545: ISAKMP:(2009):       (blank) XAUTH ACK Processed
.Apr 27 08:15:50.545: ISAKMP:(2009):deleting node 1469417995 error FALSE reason "Transaction mode done"
.Apr 27 08:15:50.545: ISAKMP:(2009):Talking to a Unity Client
.Apr 27 08:15:50.545: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
.Apr 27 08:15:50.545: ISAKMP:(2009):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

.Apr 27 08:15:50.545: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Apr 27 08:15:50.545: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

.Apr 27 08:15:50.549: ISAKMP (2009): received packet from 87.16.120.230 dport 4500 sport 51623 Global (R) QM_IDLE
.Apr 27 08:15:50.549: ISAKMP: set new node -431589285 to QM_IDLE
.Apr 27 08:15:50.549: ISAKMP:(2009):processing transaction payload from 87.16.120.230. message ID = -431589285
.Apr 27 08:15:50.549: ISAKMP: Config payload REQUEST
.Apr 27 08:15:50.549: ISAKMP:(2009):checking request:
.Apr 27 08:15:50.549: ISAKMP:    IP4_ADDRESS
.Apr 27 08:15:50.549: ISAKMP:    IP4_NETMASK
.Apr 27 08:15:50.549: ISAKMP:    IP4_DNS
.Apr 27 08:15:50.549: ISAKMP:    IP4_NBNS
.Apr 27 08:15:50.549: ISAKMP:    ADDRESS_EXPIRY
.Apr 27 08:15:50.549: ISAKMP:    MODECFG_BANNER
.Apr 27 08:15:50.549: ISAKMP:    MODECFG_SAVEPWD
.Apr 27 08:15:50.549: ISAKMP:    DEFAULT_DOMAIN
.Apr 27 08:15:50.549: ISAKMP:    SPLIT_INCLUDE
.Apr 27 08:15:50.549: ISAKMP:    SPLIT_DNS
.Apr 27 08:15:50.553: ISAKMP:    PFS
.Apr 27 08:15:50.553: ISAKMP:    MODECFG_BROWSER_PROXY
.Apr 27 08:15:50.553: ISAKMP:    BACKUP_SERVER
.Apr 27 08:15:50.553: ISAKMP:    MODECFG_SMARTCARD_REMOVAL_DISCONNECT
.Apr 27 08:15:50.553: ISAKMP:    APPLICATION_VERSION
.Apr 27 08:15:50.553: ISAKMP:    FW_RECORD
.Apr 27 08:15:50.553: ISAKMP:    MODECFG_HOSTNAME
.Apr 27 08:15:50.553: ISAKMP/author: Author request for group vpnsuccessfully sent to AAA
.Apr 27 08:15:50.553: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
.Apr 27 08:15:50.553: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

.Apr 27 08:15:50.557: ISAKMP:(2009):attributes sent in message:
.Apr 27 08:15:50.557:         Address: 0.2.0.0
.Apr 27 08:15:50.557: ISAKMP:(2009):Could not get address from pool!
.Apr 27 08:15:50.557: ISAKMP:(2009):peer does not do paranoid keepalives.

.Apr 27 08:15:50.557: ISAKMP:(2009):peer does not do paranoid keepalives.

.Apr 27 08:15:50.557: ISAKMP:(2009):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 87.16.120.230)
.Apr 27 08:15:50.557: ISAKMP: Sending subnet mask: 255.255.255.192
.Apr 27 08:15:50.557: ISAKMP: Sending IP4_DNS server address: 10.51.121.193
.Apr 27 08:15:50.557: ISAKMP: Sending IP4_DNS server address: 10.51.121.245
.Apr 27 08:15:50.557: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 86391
.Apr 27 08:15:50.557: ISAKMP: Sending save password reply value 0
.Apr 27 08:15:50.557: ISAKMP: Sending split include name 101 network 10.51.121.192 mask 255.255.255.192 protocol 0, src port 0, dst port 0

.Apr 27 08:15:50.557: ISAKMP: Sending smartcard_removal_disconnect reply
                  value 0
.Apr 27 08:15:50.557: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 03-Sep-10 17:16 by prod_rel_team
.Apr 27 08:15:50.557: ISAKMP (2009): Unknown Attr: MODECFG_HOSTNAME (0x700A)
.Apr 27 08:15:50.561: ISAKMP:(2009): responding to peer config from 87.16.120.230. ID = -431589285
.Apr 27 08:15:50.561: ISAKMP: Marking node -431589285 for late deletion
.Apr 27 08:15:50.561: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 4500 peer_port 51623 (R) CONF_ADDR
.Apr 27 08:15:50.561: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:50.561: ISAKMP:(2009):Talking to a Unity Client
.Apr 27 08:15:50.561: ISAKMP:(2009):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
.Apr 27 08:15:50.561: ISAKMP:(2009):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

.Apr 27 08:15:50.561: ISAKMP:FSM error - Message from AAA grp/user.

.Apr 27 08:15:50.565: ISAKMP: set new node -1863103934 to QM_IDLE
.Apr 27 08:15:50.565: ISAKMP:(2009): sending packet to 87.16.120.230 my_port 4500 peer_port 51623 (R) QM_IDLE
.Apr 27 08:15:50.565: ISAKMP:(2009):Sending an IKE IPv4 Packet.
.Apr 27 08:15:50.565: ISAKMP:(2009):purging node -1863103934
.Apr 27 08:15:50.565: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Apr 27 08:15:50.565: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

.Apr 27 08:15:50.565: ISAKMP:(2009):deleting SA reason "No reason" state (R) QM_IDLE       (peer 87.16.120.230)
.Apr 27 08:15:50.565: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
.Apr 27 08:15:50.569: ISAKMP: Unlocking peer struct 0x8327AE20 for isadb_mark_sa_deleted(), count 0
.Apr 27 08:15:50.569: ISAKMP: Deleting peer node by peer_reap for 87.16.120.230: 8327AE20
.Apr 27 08:15:50.569: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Apr 27 08:15:50.569: ISAKMP:(2009):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

.Apr 27 08:15:50.569: ISAKMP:(2009):deleting SA reason "Fail to allocate ip address" state (R) MM_NO_STATE (peer 87.16.120.230)
.Apr 27 08:15:50.573: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_negotiating since it's already 0.
.Apr 27 08:15:50.573: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 27 08:15:50.573: ISAKMP:(2009):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

.Apr 27 08:15:50.605: ISAKMP (2009): received packet from 87.16.120.230 dport 4500 sport 51623 Global (R) MM_NO_STATE


Very Best Regards.

Ilaria.

1 Reply

David_Che
Level 1

Hi,

This issue was caused by Router 877 being unable to assign an IP address from the local pool to the remote VPN client. Please check your local pool and then try again.

.Apr 27 08:15:50.557: ISAKMP:(2009):attributes sent in message:
.Apr 27 08:15:50.557:         Address: 0.2.0.0
.Apr 27 08:15:50.557: ISAKMP:(2009):Could not get address from pool!
.Apr 27 08:15:50.557: ISAKMP:(2009):peer does not do paranoid keepalives.

.Apr 27 08:15:50.557: ISAKMP:(2009):peer does not do paranoid keepalives.

.Apr 27 08:15:50.557: ISAKMP:(2009):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 87.16.120.230)
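
The check suggested in the reply above, as an added example that is not from either poster: this Python script reads the client configuration group, `ip local pool` and interface lines of an IOS configuration, reports what each group's pool contains, and pulls the SA deletion reasons out of `debug crypto isakmp` output. The function names and finding codes are invented for this example, and the sample input is constructed from lines posted in the thread.

```python
import ipaddress
import re

# Constructed sample input: lines copied from the router configuration and the
# "debug crypto isakmp" output posted in this thread.
CONFIG = """\
crypto isakmp client configuration group vpn
 key xxxxxxxxxxx
 pool fondiariapool
 max-logins 1
 netmask 255.255.255.192
!
interface Vlan1
 ip address 10.51.121.196 255.255.255.192
!
ip local pool fondiariapool 10.51.121.253
"""
DEBUG = """\
.Apr 27 08:15:50.557: ISAKMP:(2009):Could not get address from pool!
.Apr 27 08:15:50.557: ISAKMP:(2009):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 87.16.120.230)
.Apr 27 08:15:50.565: ISAKMP:(2009):deleting SA reason "No reason" state (R) QM_IDLE       (peer 87.16.120.230)
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)(?: (\S+))?[ \t]*$", re.M)
DEL_RE = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]*)" '
                    r"state \(\w\) (\S+)\s+\(peer ([\d.]+)\)")


def parse_pools(config):
    """Map pool name -> list of (first, last) address ranges."""
    pools = {}
    for name, first, last in POOL_RE.findall(config):
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo  # single-address form
        pools.setdefault(name, []).append((lo, hi))
    return pools


def parse_groups(config):
    """Map client configuration group -> pool name (None if no pool statement)."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("crypto isakmp client configuration group ") and len(words) == 6:
            current = words[5]
            groups.setdefault(current, None)
        elif not line.startswith(" "):
            current = None  # any unindented line closes the group block
        elif current and words[:1] == ["pool"] and len(words) == 2:
            groups[current] = words[1]
    return groups


def parse_connected(config):
    """Map interface name -> IPv4Network of its configured address."""
    nets, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = line.split()[1] if line.startswith("interface ") else None
            continue
        m = re.match(r" ip address (\d\S*) (\d\S*)", line)
        if m and current:
            nets[current] = ipaddress.ip_network("/".join(m.groups()), strict=False)
    return nets


def audit_pools(config):
    """Return (code, group, detail) findings about each group's address pool."""
    pools, nets = parse_pools(config), parse_connected(config)
    findings = []
    for group, name in parse_groups(config).items():
        if name is None:
            findings.append(("NO_POOL", group, "group has no pool statement"))
        elif name not in pools:
            findings.append(("POOL_UNDEFINED", group, f"pool {name} is not defined"))
        else:
            size = sum(int(hi) - int(lo) + 1 for lo, hi in pools[name])
            findings.append(("POOL_SIZE", group, f"{name} holds {size} address(es)"))
            # Informational: a pool range that falls inside a connected subnet
            # is reported for review, not flagged as a fault.
            for lo, hi in pools[name]:
                for ifname, net in nets.items():
                    if lo in net or hi in net:
                        findings.append(("POOL_IN_CONNECTED_NET", group,
                                         f"{name} lies inside {ifname} {net}"))
    return findings


def sa_deletions(debug):
    """Return [(sa_id, reason, state, peer)] for every SA deletion, in log order."""
    return [(int(sa), why, state, peer) for sa, why, state, peer in DEL_RE.findall(debug)]


if __name__ == "__main__":
    for sa, why, state, peer in sa_deletions(DEBUG):
        print(f"SA {sa} peer {peer} state {state}: {why}")
    for finding in audit_pools(CONFIG):
        print(*finding)
```
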