IPSEC client authentication problem

gizbri
Level 1

ASA5520 8.2(4) IPsec client VPN authenticating with LDAP to MS DC.

This has been up and working without issue for months. Suddenly we are getting the following message when some users attempt to login:

Apr 06 2011 15:33:02 Group = VPN, Username = jdoe, IP = x.x.x.x, Remote peer has failed user authentication -  check configured username and password

The username and password are proven good both in the MS network and when doing an AAA test on the ASA.

This is not happening to all users.

I did find some info about Kerberos and checking this in the AD account: "Do not require Kerberos pre-authentication".

Modifying this did not help.

Any ideas?

Thanks

7 Replies

tj.mitchell
Level 4

Check the user for a password about to expire. I have seen that as a bug: if the password is about to expire, it will fail the user authentication even though the AAA test works.

Sent from Cisco Technical Support iPhone App

andamani
Cisco Employee

Hi,

Could you please try the following:

test aaa authentication host <ip address of AAA server>

Please paste the output of "sh run aaa" and "sh run tunnel-group".

hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

t.j. and Anisha - thanks for the response.

t.j. - it doesn't appear we're hitting that bug.

Anisha - test from ASA works fine.

What I am finding is the problem appears to be affecting certain hosts, not accounts. My account, for example, works fine on one PC, yet fails with the above error on another.

We have uninstalled and re-installed the VPN client and it does not help.

Here is a log of a failing VPN client.

Cisco Systems VPN Client Version 5.0.07.0410

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

4      09:59:31.906  04/11/11  Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

5      09:59:32.031  04/11/11  Sev=Info/4 CM/0x63100002

Begin connection process

6      09:59:31.906  04/11/11  Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

7      09:59:32.046  04/11/11  Sev=Info/4 CM/0x63100004

Establish secure connection

8      09:59:31.921  04/11/11  Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

9      09:59:32.046  04/11/11  Sev=Info/4 CM/0x63100024

Attempt connection with server "X.X.X.X"

10     09:59:31.921  04/11/11  Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

11     09:59:32.046  04/11/11  Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with X.X.X.X.

12     09:59:31.921  04/11/11  Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

13     09:59:32.062  04/11/11  Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

14     09:59:31.937  04/11/11  Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

15     09:59:32.062  04/11/11  Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

16     09:59:32.031  04/11/11  Sev=Info/4 CERT/0x63600015

Cert (e=test@company.org,cn=Test VPN,o=CCCCC) verification succeeded.

17     09:59:32.125  04/11/11  Sev=Info/4 CERT/0x63600015

Cert (e=test@company.org,cn=Test VPN,o=CCCCC) verification succeeded.

18     09:59:32.125  04/11/11  Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation

19     09:59:32.125  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X

20     09:59:32.203  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

21     09:59:32.203  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T), VID(Frag)) from X.X.X.X

22     09:59:32.218  04/11/11  Sev=Info/5 IKE/0x63000001

Peer supports NAT-T

23     09:59:32.218  04/11/11  Sev=Info/5 IKE/0x63000001

Peer supports IKE fragmentation payloads

24     09:59:32.218  04/11/11  Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful

25     09:59:32.218  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to X.X.X.X

26     09:59:32.250  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

27     09:59:32.250  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?), NAT-D, NAT-D) from X.X.X.X

28     09:59:32.250  04/11/11  Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

29     09:59:32.250  04/11/11  Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

30     09:59:32.250  04/11/11  Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x20000001

31     09:59:32.343  04/11/11  Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.

32     09:59:32.937  04/11/11  Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 256.

33     09:59:32.937  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to X.X.X.X

34     09:59:32.937  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X

35     09:59:32.937  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X

36     09:59:32.937  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X

37     09:59:32.937  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (FRAG) to X.X.X.X

38     09:59:32.937  04/11/11  Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

39     09:59:32.937  04/11/11  Sev=Info/4 IPSEC/0x63700014

Deleted all keys

40     09:59:33.328  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

41     09:59:33.328  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X

42     09:59:33.328  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

43     09:59:33.328  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X

44     09:59:33.328  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

45     09:59:33.328  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (FRAG) from X.X.X.X

46     09:59:33.328  04/11/11  Sev=Info/5 IKE/0x63000073

All fragments received.

47     09:59:33.328  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from X.X.X.X

48     09:59:33.437  04/11/11  Sev=Info/4 CERT/0x63600015

Cert (cn=ASA5520colonie) verification succeeded.

49     09:59:33.437  04/11/11  Sev=Info/5 IKE/0x63000001

Peer supports DPD

50     09:59:33.437  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

51     09:59:33.437  04/11/11  Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port =  0x0554, Remote Port = 0x1194

52     09:59:33.453  04/11/11  Sev=Info/5 IKE/0x63000072

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end IS behind a NAT device

53     09:59:33.453  04/11/11  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

54     09:59:34.359  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

55     09:59:34.359  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X

56     09:59:34.359  04/11/11  Sev=Info/6 GUI/0x63B00012

Authentication request attributes is 6h.

57     09:59:34.359  04/11/11  Sev=Info/4 CM/0x63100015

Launch xAuth application

58     09:59:40.375  04/11/11  Sev=Info/4 CM/0x63100017

xAuth application returned

59     09:59:40.375  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X

60     09:59:40.437  04/11/11  Sev=Info/6 GUI/0x63B00012

Authentication request attributes is 6h.

61     09:59:40.421  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

62     09:59:40.421  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X

63     09:59:40.421  04/11/11  Sev=Info/4 CM/0x63100015

Launch xAuth application

64     09:59:43.828  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

65     09:59:47.109  04/11/11  Sev=Info/4 CM/0x63100017

xAuth application returned

66     09:59:47.109  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X

67     09:59:53.828  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

68     10:00:03.828  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

69     10:00:13.828  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

70     10:00:17.468  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

71     10:00:17.468  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X

72     10:00:17.468  04/11/11  Sev=Info/6 GUI/0x63B00012

Authentication request attributes is 6h.

73     10:00:17.468  04/11/11  Sev=Info/4 CM/0x63100015

Launch xAuth application

74     10:00:17.468  04/11/11  Sev=Warning/2 IKE/0xE300009B

Immature Navigation Termination due to error (Navigator:199)

75     10:00:23.828  04/11/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

76     10:00:24.484  04/11/11  Sev=Info/4 CM/0x63100017

xAuth application returned

77     10:00:24.484  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X

78     10:00:24.531  04/11/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

79     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from X.X.X.X

80     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X

81     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=8447269F65F34FAD R_Cookie=6A5B8C08EC8B2604) reason = DEL_REASON_WE_FAILED_AUTH

82     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X

83     10:00:25.328  04/11/11  Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=8447269F65F34FAD R_Cookie=6A5B8C08EC8B2604) reason = DEL_REASON_WE_FAILED_AUTH

84     10:00:25.328  04/11/11  Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "X.X.X.X" because of "DEL_REASON_WE_FAILED_AUTH"

85     10:00:25.328  04/11/11  Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

86     10:00:25.343  04/11/11  Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

87     10:00:25.343  04/11/11  Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

88     10:00:25.343  04/11/11  Sev=Info/4 IPSEC/0x63700014

Deleted all keys

89     10:00:25.343  04/11/11  Sev=Info/4 IPSEC/0x63700014

Deleted all keys

90     10:00:25.343  04/11/11  Sev=Info/4 IPSEC/0x63700014

Deleted all keys

91     10:00:25.343  04/11/11  Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped
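As an added illustration (not code from the thread or from Cisco), a small Python parser for the client log format quoted above that distinguishes a Phase 1 failure from an XAUTH credential failure, which is the distinction the log here turns on: Phase 1 completes with the certificate, XAUTH is prompted three times, and the SA is then deleted with DEL_REASON_WE_FAILED_AUTH. The sample excerpt is constructed from entries in the thread; the function names are mine.

```python
import re

# Cisco VPN Client 5.x log entry: a header line such as
# "81     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000017"
# followed (possibly after a blank line) by the message text.
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)$")

def parse_log(text):
    """Return (seq, module, message) tuples; blank lines between header and message are skipped."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = (int(m.group(1)), m.group(6))
        elif header is not None:
            entries.append((header[0], header[1], line))
            header = None
    return entries

def triage(entries):
    """Classify the failure: Phase 1 (cert/ISAKMP) vs. XAUTH (user credentials) vs. other."""
    msgs = [e[2] for e in entries]
    phase1_ok = any(m.startswith("Established Phase 1 SA") for m in msgs)
    xauth_prompts = sum(m == "Launch xAuth application" for m in msgs)
    reasons = re.findall(r"reason = (\w+)", "\n".join(msgs))
    reason = reasons[-1] if reasons else None
    if not phase1_ok:
        verdict = "phase1-failed"
    elif reason == "DEL_REASON_WE_FAILED_AUTH":
        verdict = "xauth-failed"  # credentials rejected after Phase 1 succeeded, as in the thread
    else:
        verdict = "other"
    return {"phase1_ok": phase1_ok, "xauth_prompts": xauth_prompts, "reason": reason, "verdict": verdict}

# Constructed excerpt in the same format as the thread's log (cookie values taken from the thread).
SAMPLE = """\
53     09:59:33.453  04/11/11  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
57     09:59:34.359  04/11/11  Sev=Info/4 CM/0x63100015
Launch xAuth application
63     09:59:40.421  04/11/11  Sev=Info/4 CM/0x63100015
Launch xAuth application
73     10:00:17.468  04/11/11  Sev=Info/4 CM/0x63100015
Launch xAuth application
81     10:00:24.531  04/11/11  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=8447269F65F34FAD R_Cookie=6A5B8C08EC8B2604) reason = DEL_REASON_WE_FAILED_AUTH
"""
```

Running `triage(parse_log(SAMPLE))` on the full log from the thread gives the same verdict: Phase 1 established, three XAUTH prompts, then the SA deleted for failed authentication, which points at the credential exchange on that host rather than the certificate or the ASA's AAA server.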

Hi,

You are right. The problem is not with the account.

The debugs clearly state the reason for delete is authentication failure.

Could you please check that the password typed is correct, i.e. no spaces are entered. Also, are any of the other users able to connect to the client from this server?

Please let me know the OS of the client.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Password is correct. I have a different laptop next to me and authentication works fine using the same account. This is affecting only a few users; all others are functioning normally.

Hi,

This seems to be a hardware issue. It looks like the laptop is entering "space" in between the alphabets of the password.

Could you try using an extended keyboard and test?

If this still does not work, please try an uninstall and re-install of the client from your laptop.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Uninstall, re-install fixed it.

Thanks