10-02-2007 04:21 AM - edited 02-21-2020 03:18 PM
I'm trying to set up a VPN on my PIX 535. I created a local user and went through the wizard to set up the VPN.
I set up a tunnel group name and a preshared key. When I look at the log on the VPN Client, it says:
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
10-02-2007 04:28 AM
Hi,
Can you post the debugs from the pix and the logs from the client.
Also, check the group name and password and make sure that they match on the client and pix.
I hope it helps.
Regards,
Arul
10-02-2007 04:52 AM
Here's the client logs:
Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600
1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process
6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114
11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x
15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
10-02-2007 04:52 AM
18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)
22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x
23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201)
25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED
26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
10-02-2007 08:04 AM
Thanks for the logs.
From the logs:
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
This basically means the group name/password is not matching. Can you retype the group name/password on the VPN server as well as the client and try to connect?
I hope it helps.
Regards,
Arul
** Please rate all helpful posts **
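The triage done by eye in the reply above, as an added example that is not part of the original thread: a small Python parser for the VPN Client log format posted here that pulls out the earliest warning, which is the real cause, rather than the generic delete reason shown at the end. The function names and the result keys are assumptions made for this illustration.

```python
import re

# Record header in the VPN Client log format shown in this thread:
#   <seq> <time> <date> Sev=<severity>/<level> <component>/<event code>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
DEL_REASON = re.compile(r"reason = (\w+)")
GROUP_PW_CODE = "0xe300007d"  # event code of "Hash verification failed..." above

def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if match:
            current = dict(match.groupdict(), message="")
            records.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return records

def triage(records):
    """Report the earliest warning, which precedes the generic delete reason."""
    warnings = [r for r in records if r["sev"] == "Warning"]
    reasons = [m.group(1) for r in records
               if (m := DEL_REASON.search(r["message"]))]
    return {
        "first_warning": warnings[0] if warnings else None,
        "delete_reason": reasons[0] if reasons else None,
        "group_password_suspect": any(
            r["code"].lower() == GROUP_PW_CODE for r in warnings),
    }

# Four records copied from the client log posted earlier in the thread.
SAMPLE = """\
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED
"""
```

Calling `triage(parse_records(SAMPLE))` returns record 19 as the first warning and flags the group password as suspect, while the delete reason alone says only that the negotiation failed.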
10-02-2007 12:44 PM
When you say group name/password, you're talking about the "tunnel group name" and the "pre-shared" key, right?
10-02-2007 12:54 PM
Yes.
Regards,
Arul
10-03-2007 06:32 AM
I figured out what was wrong. I didn't realize the tunnel group was case sensitive. I was using sss, instead of SSS.
My next problem, now that I got it to work, is that I can VPN in but I can access every resource. I thought I had restricted it to only 1 host. Where can I check that?
10-03-2007 02:43 PM
On the client, check secured routes to see if you see only one host. If not, your split tunnel is not working.
10-03-2007 06:38 PM
I had set up my ACLs incorrectly. Actually I was just using the inherited setting. I followed a Cisco document and unchecked "filter", then added my ACL and ACE entries. It's all working now.