02-28-2013 06:54 AM - edited 02-21-2020 06:44 PM
Hi Everyone,
We have an ASA 5540 successfully using SSL VPN client tunnels with no issues, and have been attempting to build the ability for IPSec clients to connect as well. I have the authentication working, yet cannot complete the establishment of the tunnel for the client. The client receives an error of "Secure VPN Connection terminated by Peer, Reason 433: (Reason not specified by Peer)".
In the log on the client, I see the following when the connection drops:
(this is after successful connection, split tunnel setups, then this set of items appears in the log)
377 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from <outside IP of ASA>
378 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
379 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now
380 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = <outside IP of ASA>
381 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from <outside IP of ASA>
382 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies: I_Cookie=5E1213254915B44F R_Cookie=D80631768AD86493
383 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to <outside IP of ASA>
384 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=8A3649A8
385 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=5E1213254915B44F R_Cookie=D80631768AD86493) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
386 09:29:08.414 02/28/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
etc., etc., etc. ... it goes through tunnel closing and deletion
So, I have turned on debugging of everything I can think of in the ASA, and the only thing I can find that might be relevant is this:
ENTER SESS_Mgmt_CalculateLicenseLimit < 08B053E4 < 086AB182 < 0869FB4F < 08063BA3
Calculating idle time for session: 0x1FD000, direction: Receive
Tunnel: 0x1FD002: timestamp: 6731252, now: 6731290, idle: 38, using this tunnel for idle
IDLE = 38
ENTER SESS_Mgmt_UpdateSessStartTime < 08B056FE < 084DC614 < 084E2379 < 084A73B3 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73
SESS_Mgmt_UpdateSessStartTime: session 0 not found
ENTER SESS_Mgmt_CheckLicenseLimitReached < 08B09A7E < 084AC8B0 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_CalculateLicenseLimit < 08B099CB < 084AC8B0 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_CreateSession < 08B0A09A < 084AC541 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_CheckLicenseLimitReached < 08B09A7E < 08B09FD2 < 084AC541 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_CalculateLicenseLimit < 08B099CB < 08B09FD2 < 084AC541 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Util_CreateSession < 08B0343E < 08B0A007 < 084AC541 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_GetLoginCount < 08B18D71 < 0806E65E < 08072627 < 08077013 < 0931C3FF < 080749CA < 08074AE8 < 08063BA3
ENTER SESS_Mgmt_AddEntry < 08B088BE < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
VPN-SESSION_DB in SESS_Mgmt_AddEntry p->........
Protocol = 1
EncrAlg = 2
HashAlg = 2
ignoreAcct = 0
CompAlg = 0
SSOType = 0
pfsGroup = 0
IkeNegMode = 2
EncapMode = 0
AuthenModeIKE = 1
AuthenModeSSL = 0
AuthenModePPP = 0
AuthenModeX = 3
AuthorModeX = 1
DiffHelmanGrp = 2
*TunnelGroupName = IPSECVPNClients
server_group_Id = 0
RekeyTime = 2147483
RekeyKBytes = 0
pGetCounters = 0x0
pClearCounters = 0x0
pGetfSessData = 0x0
IdleTime = 0
ConnectTime = 0
pKill = 0x8506020
*handle = 0x200000
publicIpAddr = <IP ADDRESS OF VPN CLIENT ATTEMPTING TO CONNECT>
LocAddrType = 0
LocProxyAddr1 = 0.0.0.0
LocProxyAddr2 = 0.0.0.0
LocProxyProtocol = 0x0
LocProxyPort = 0x0
RemAddrType = 0
RemProxyAddr1 = 0.0.0.0
RemProxyAddr2 = 0.0.0.0
RemProxyProtocol = 0x0
RemProxyPort = 0x0
assignedIpAddr = <VALID INTERNAL ASSIGNED ADDRESS>
assignedIpv6Addr = ::
hubInterface = 1.0.0.0
WINSServer->server_type = 0
WINSServer->server_count= 0
WINSServer->server_addr_array[0] = 0x0
DNSServer->server_type = 0
DNSServer->server_count = 0
DNSServer->server_addr_array[0] = 0x0
*UserName = <VALID USERNAME>
*ClientOSVendor = WinNT
*ClientOSVersion = 5.0.07.0440
*ClientVendor =
*ClientVersion =
InstId = 2097152
TcpSrcPort = 0
TcpDstPort = 0
UdpSrcPort = 13583
UdpDstPort = 500
filterId = 0
*aclId =
ipv6filterId = 0
*ipv6aclId =
vcaSession = 0
sessIndex = 0x200000
ENTER SESS_Util_CreateTunnel < 08B036E0 < 08B08A33 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_AddSessionToTunnelGroup < 08B1781E < 08B092F4 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73
ENTER SESS_Util_FindTunnelGroup < 08B16FCE < 08B17751 < 08B092F4 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467
SESS_Mgmt_AddSessionToTunnelGroup: UserName = <VALID USERNAME>
ENTER SESS_Util_AddUser < 08B1922D < 08B1779C < 08B092F4 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73
ENTER SESS_Util_AddUser < 08B1922D < 08B0930F < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_MIB_AddUser < 08B198AD < 08B094F7 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73 < 08063BA3
ENTER SESS_Mgmt_CheckActiveSessionTrapThreshold < 08B09697 < 08509B43 < 084A9097 < 0931C3FF < 084A64FB < 084B6467 < 084B6F73
SESS_Mgmt_StartAcct: Account start failure
SESS_Mgmt_AddEntry: Created Tunnel: 00200001, protocol: 1
VPN-SESSION_DB in SESS_Mgmt_UpdateEntry p->........
Protocol = 1
EncrAlg = 2
HashAlg = 2
ignoreAcct = 0
CompAlg = 0
SSOType = 0
pfsGroup = 0
IkeNegMode = 2
EncapMode = 0
AuthenModeIKE = 1
AuthenModeSSL = 0
AuthenModePPP = 0
AuthenModeX = 3
AuthorModeX = 1
DiffHelmanGrp = 2
*TunnelGroupName = IPSECVPNClients
server_group_Id = 0
RekeyTime = 2147483
RekeyKBytes = 0
pGetCounters = 0x0
pClearCounters = 0x0
pGetfSessData = 0x0
IdleTime = 0
ConnectTime = 0
pKill = 0x8506020
*handle = 0x200000
publicIpAddr = <IP ADDRESS OF VPN CLIENT ATTEMPTING TO CONNECT>
LocAddrType = 0
LocProxyAddr1 = 0.0.0.0
LocProxyAddr2 = 0.0.0.0
LocProxyProtocol = 0x0
LocProxyPort = 0x0
RemAddrType = 0
RemProxyAddr1 = 0.0.0.0
RemProxyAddr2 = 0.0.0.0
RemProxyProtocol = 0x0
RemProxyPort = 0x0
assignedIpAddr = <VALID INTERNAL ASSIGNED ADDRESS>
assignedIpv6Addr = ::
hubInterface = 1.0.0.0
WINSServer->server_type = 0
WINSServer->server_count= 0
WINSServer->server_addr_array[0] = 0x0
DNSServer->server_type = 0
DNSServer->server_count = 0
DNSServer->server_addr_array[0] = 0x0
*UserName = <VALID USERNAME>
*ClientOSVendor = WinNT
*ClientOSVersion = 5.0.07.0440
*ClientVendor =
*ClientVersion =
InstId = 2097152
TcpSrcPort = 0
TcpDstPort = 0
UdpSrcPort = 13583
UdpDstPort = 500
filterId = 0
*aclId =
ipv6filterId = 0
*ipv6aclId =
vcaSession = 0
sessIndex = 0x200000
Exiting SESS_Mgmt_UpdateEntry: Return code = 0
VPN-SESSION_DB in SESS_Mgmt_UpdateEntry p->........
Protocol = 1
EncrAlg = 2
HashAlg = 2
ignoreAcct = 0
CompAlg = 0
SSOType = 0
pfsGroup = 0
IkeNegMode = 2
EncapMode = 0
AuthenModeIKE = 1
AuthenModeSSL = 0
AuthenModePPP = 0
AuthenModeX = 3
AuthorModeX = 1
DiffHelmanGrp = 2
*TunnelGroupName = IPSECVPNClients
server_group_Id = 0
RekeyTime = 86400
RekeyKBytes = 0
pGetCounters = 0x0
pClearCounters = 0x0
pGetfSessData = 0x0
IdleTime = 0
ConnectTime = 0
pKill = 0x8506020
*handle = 0x200000
publicIpAddr = <IP ADDRESS OF VPN CLIENT ATTEMPTING TO CONNECT>
LocAddrType = 0
LocProxyAddr1 = 0.0.0.0
LocProxyAddr2 = 0.0.0.0
LocProxyProtocol = 0x0
LocProxyPort = 0x0
RemAddrType = 0
RemProxyAddr1 = 0.0.0.0
RemProxyAddr2 = 0.0.0.0
RemProxyProtocol = 0x0
RemProxyPort = 0x0
assignedIpAddr = <VALID INTERNAL ASSIGNED ADDRESS>
assignedIpv6Addr = ::
hubInterface = 1.0.0.0
WINSServer->server_type = 0
WINSServer->server_count= 0
WINSServer->server_addr_array[0] = 0x0
DNSServer->server_type = 0
DNSServer->server_count = 0
DNSServer->server_addr_array[0] = 0x0
*UserName = <VALID USERNAME>
*ClientOSVendor = WinNT
*ClientOSVersion = 5.0.07.0440
*ClientVendor =
*ClientVersion =
InstId = 2097152
TcpSrcPort = 0
TcpDstPort = 0
UdpSrcPort = 13583
UdpDstPort = 500
filterId = 0
*aclId =
ipv6filterId = 0
*ipv6aclId =
vcaSession = 0
sessIndex = 0x200000
Exiting SESS_Mgmt_UpdateEntry: Return code = 0
ENTER SESS_Mgmt_DeleteEntryFileLineFunc < 08B05ECE < 084CFA02 < 084D1D93 < 084B6C3E < 084B6F73 < 08063BA3
SESS_Mgmt_DeleteEntryFileLineFunc: index = 200001, reason = 0
SESS_Mgmt_DeleteEntryFileLineFunc: Index: 0x00200001, Reason: Unknown (0 => 0) @ isadb.c:5539@isadb_set_cond_dead
ENTER SESS_Mgmt_DeleteEntryInt < 08B0B473 < 084CFA02 < 084D1D93 < 084B6C3E < 084B6F73 < 08063BA3
SESS_Mgmt_DeleteEntryInt: index = 0x00200001, reason = 0
ENTER SESS_Mgmt_DeleteTunnel < 08B0B2B5 < 08B0B4F9 < 084CFA02 < 084D1D93 < 084B6C3E < 084B6F73 < 08063BA3
SESS_Mgmt_DeleteTunnel: ID: 0x00200001, Reason: Unknown, Kill: Yes, Active
SESS_Mgmt_DeleteEntryInt: session to be terminated after tunnel delete
ENTER SESS_Mgmt_FreeSessionFileLineFunc < 08B08043 < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
SESS_Mgmt_FreeSessionFileLineFunc: Index: 0x00200000 ACTIVE @ isadb.c:1922@isadb_delete_entry
ENTER SESS_Mgmt_RemoveSessionFromTunnelGroup < 08B17A3E < 08B07BBE < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
ENTER SESS_Util_FindTunnelGroup < 08B16FCE < 08B179B2 < 08B07BBE < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
ENTER SESS_Util_DeleteUser < 08B1906D < 08B179F5 < 08B07BBE < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
ENTER SESS_Util_DeleteUser < 08B1906D < 08B07BD0 < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
ENTER SESS_MIB_DeleteUser < 08B196DD < 08B07FB0 < 084D28C8 < 084B6C3E < 084B6F73 < 08063BA3
I see the message where it terminates and where it says 'Account Start Failure', but I can't figure out what that is indicating... anyone have any suggestions on what to look for?
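The two logs quoted above can be read mechanically rather than by eye. The Python below is an added example, not part of the original post and not a Cisco tool: it pairs the VPN Client's two-line records (header, then message) into events and works out who sent the IKE DELETE first and what reason was recorded, then pulls the key = value fields out of the ASA's VPN-SESSION_DB dump and flags the "Account start failure" and "Reason: Unknown" lines the poster singled out. Both embedded samples are trimmed copies of the post's output; the address 203.0.113.1 is a documentation-range placeholder standing in for the redacted ASA outside IP.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the Cisco VPN Client records quoted in the post, with the
# ASA's outside address replaced by a documentation-range placeholder.
CLIENT_LOG = """\
377 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 203.0.113.1
378 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
379 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now
381 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 203.0.113.1
382 09:29:08.071 02/28/13 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies: I_Cookie=5E1213254915B44F R_Cookie=D80631768AD86493
383 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 203.0.113.1
385 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=5E1213254915B44F R_Cookie=D80631768AD86493) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
"""

# Constructed sample: a trimmed copy of the ASA session-DB debug from the post.
ASA_DEBUG = """\
VPN-SESSION_DB in SESS_Mgmt_AddEntry p->........
Protocol = 1
*TunnelGroupName = IPSECVPNClients
RekeyTime = 2147483
WINSServer->server_count= 0
*aclId =
SESS_Mgmt_StartAcct: Account start failure
SESS_Mgmt_AddEntry: Created Tunnel: 00200001, protocol: 1
SESS_Mgmt_DeleteTunnel: ID: 0x00200001, Reason: Unknown, Kill: Yes, Active
"""

# Client record header, e.g. "377 09:29:08.071 02/28/13 Sev=Info/4 IKE/0x63000014";
# the message text is on the following line.
HEADER_RE = re.compile(r"^(?P<seq>\d+) (?P<time>\S+) (?P<date>\S+) Sev=(?P<sev>\w+)/\d (?P<subsys>\w+)/0x(?P<code>[0-9A-Fa-f]+)$")
# "key = value" lines of the session-DB dump; a leading '*' marks pointer fields.
FIELD_RE = re.compile(r"^\*?(?P<key>[^=\s]+)\s*=\s*(?P<val>.*)$")

Event = NamedTuple("Event", [("seq", int), ("time", str), ("subsys", str), ("code", str), ("msg", str)])


def parse_client_log(text: str) -> List[Event]:
    """Pair each two-line client record (header, message) into an Event."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    events: List[Event] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            events.append(Event(int(m["seq"]), m["time"], m["subsys"], m["code"], lines[i + 1]))
            i += 2
        else:
            i += 1  # a line with no header: skip rather than guess at its record
    return events


def diagnose_teardown(events: List[Event]) -> Dict[str, Optional[str]]:
    """From the client's view: who sent the IKE DELETE first, to/from whom, and why."""
    out: Dict[str, Optional[str]] = dict.fromkeys(
        ("initiator", "peer", "i_cookie", "r_cookie", "reason", "sa_age_s"))
    for ev in events:
        if m := re.search(r"(RECEIVING <<<|SENDING >>>) ISAKMP OAK INFO \*\(HASH, DEL\) (?:from|to) (\S+)", ev.msg):
            if out["initiator"] is None:  # the first DELETE seen decides who tore it down
                out["initiator"] = "peer" if m.group(1).startswith("RECEIVING") else "client"
                out["peer"] = m.group(2)
        elif m := re.search(r"alive for (\d+) seconds", ev.msg):
            out["sa_age_s"] = m.group(1)
        elif m := re.search(r"Marking IKE SA for deletion \(I_Cookie=(\w+) R_Cookie=(\w+)\) reason = (\S+)", ev.msg):
            out["i_cookie"], out["r_cookie"], out["reason"] = m.groups()
    return out


def parse_session_db(text: str) -> Dict[str, str]:
    """Collect the key = value fields that follow a VPN-SESSION_DB header."""
    fields: Dict[str, str] = {}
    in_dump = False
    for line in text.splitlines():
        if line.startswith("VPN-SESSION_DB in "):
            in_dump = True
        elif in_dump and (m := FIELD_RE.match(line)):
            fields[m["key"]] = m["val"].strip()
        else:
            in_dump = False  # the first non-field line ends the dump
    return fields


def asa_markers(text: str) -> Dict[str, bool]:
    """Flag the two ASA debug lines the poster singled out."""
    return {
        "account_start_failure": "SESS_Mgmt_StartAcct: Account start failure" in text,
        "tunnel_deleted_reason_unknown":
            re.search(r"SESS_Mgmt_DeleteTunnel: .*Reason: Unknown", text) is not None,
    }
```

Point the two parsers at a complete client log and a full debug capture instead of the embedded samples. On the post's data the client-side diagnosis comes back as initiator "peer" (the ASA) with reason PEER_DELETE-IKE_DELETE_UNSPECIFIED, which is exactly why the client can only report Reason 433; the cause has to be read from the ASA side, where the dump shows the session being created for tunnel group IPSECVPNClients and then torn down with "Reason: Unknown".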
02-28-2013 06:03 PM
You only need 1 debug for this.
debug crypto isakmp 254
Post the output from this when you try to connect, along with the sanitized output of:
show run crypto
sh run tunnel-group
sh run group-policy
sh run ip local pool
and we can get a better idea of where the problem lies.
03-01-2013 05:11 AM
I found that in my IPSEC group policy attributes, I had inadvertently put the vpn-tunnel-protocol svc command, which was providing conflicting tunnel protocols. Removing this command allowed the tunnel to immediately work as expected.
Thanks for the advice, Patrick. I actually found it using the debug vpn-sessiondb command.