10-08-2002 04:46 AM - edited 02-21-2020 12:06 PM
After we upgraded the Concentrator's release from 3.6.1 to 3.6.3 we are no longer able to set up a VPN-session.
Here are the logs from the Concentrator and the Cisco VPN Client.
For security reasons I've replaced the following info:
Concentrators IP-address = c.c.c.c
Client's ISP assigned IP-address = w.w.w.w.
Client's Concentrator assigned IP-address (from internal pool)=g.g.g.g
Primary DNS/WINS=d1.d1.d1.d1
Secondary DNS/WINS=d2.d2.d2.d2
Concentrator log:
183 10/08/2002 14:20:24.840 SEV=5 IP/49 RPT=5
Headend transmitting TCP SYN-ACK pkt to client w.w.w.w, TCP dest port 1677
184 10/08/2002 14:20:24.850 SEV=5 IP/50 RPT=9
Headend received TCP ACK pkt from client w.w.w.w, TCP source port 1677
185 10/08/2002 14:20:24.890 SEV=5 IP/50 RPT=10
Headend received TCP ACK pkt from client w.w.w.w, TCP source port 1677
186 10/08/2002 14:20:25.190 SEV=5 IP/41 RPT=5
TCP session established to client w.w.w.w, TCP source port 1677.
188 10/08/2002 14:20:37.170 SEV=4 IKE/52 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
User (testuser) authenticated.
189 10/08/2002 14:20:37.280 SEV=5 IKE/184 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
Client OS: WinNT
Client Application Version: 3.6.2 (Rel)
192 10/08/2002 14:20:37.620 SEV=4 IKE/119 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
PHASE 1 COMPLETED
193 10/08/2002 14:20:37.630 SEV=5 IKE/25 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
Received remote Proxy Host data in ID Payload:
Address g.g.g.g, Protocol 0, Port 0
196 10/08/2002 14:20:37.630 SEV=5 IKE/24 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
Received local Proxy Host data in ID Payload:
Address c.c.c.c, Protocol 0, Port 0
199 10/08/2002 14:20:37.630 SEV=5 IKE/66 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
IKE Remote Peer configured for SA: ESP-AES128-SHA
201 10/08/2002 14:20:37.630 SEV=4 IKE/0 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
All IPSec SA proposals found unacceptable!
202 10/08/2002 14:20:37.630 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1d150bc, mess id 0xbac8f29)!
203 10/08/2002 14:20:37.630 SEV=4 IKEDBG/65 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
IKE QM Responder FSM error history (struct &0x1d150bc)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA
209 10/08/2002 14:20:37.640 SEV=5 IP/43 RPT=5
Deleting TCP entry for device w.w.w.w on port 1677
Client's Log:
5 14:20:24.786 10/08/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.
6 14:20:24.796 10/08/02 Sev=Info/4 CM/0x63100002
Begin connection process
7 14:20:24.796 10/08/02 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
8 14:20:24.796 10/08/02 Sev=Info/4 CM/0x63100026
Attempt connection with server "c.c.c.c"
9 14:20:24.796 10/08/02 Sev=Info/6 CM/0x63100033
Allocated local TCP port 1677 for TCP connection.
10 14:20:24.866 10/08/02 Sev=Info/4 CM/0x6310002D
TCP connection established on port 10001 with server "c.c.c.c"
11 14:20:24.996 10/08/02 Sev=Info/4 CM/0x63100026
Attempt connection with server "c.c.c.c"
12 14:20:24.996 10/08/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with c.c.c.c.
13 14:20:25.017 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to c.c.c.c
14 14:20:25.347 10/08/02 Sev=Info/6 IPSEC/0x6370001F
TCP SYN sent to c.c.c.c, src port 1677, dst port 10001
15 14:20:25.347 10/08/02 Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from c.c.c.c, src port 10001, dst port 1677
16 14:20:25.347 10/08/02 Sev=Info/6 IPSEC/0x63700020
TCP ACK sent to c.c.c.c, src port 1677, dst port 10001
17 14:20:25.347 10/08/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
18 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
19 14:20:25.597 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID, VID, VID, VID) from c.c.c.c
20 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
21 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
22 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 09002689DFD6B712
23 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
24 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
25 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000001
Peer supports DPD
26 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
27 14:20:25.597 10/08/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 1F07F70EAA6514D3B0FA96542A500306
28 14:20:25.617 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to c.c.c.c
29 14:20:25.778 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
30 14:20:25.778 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from c.c.c.c
31 14:20:25.778 10/08/02 Sev=Info/4 CM/0x63100015
Launch xAuth application
32 14:20:34.671 10/08/02 Sev=Info/4 CM/0x63100017
xAuth application returned
33 14:20:34.671 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to c.c.c.c
34 14:20:37.194 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
35 14:20:37.194 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from c.c.c.c
36 14:20:37.194 10/08/02 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Phase 1 SA in the system
37 14:20:37.194 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to c.c.c.c
38 14:20:37.204 10/08/02 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
39 14:20:37.204 10/08/02 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Protection Policy).
40 14:20:37.214 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to c.c.c.c
41 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
42 14:20:37.375 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from c.c.c.c
43 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = g.g.g.g
44 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = d1.d1.d1.d1
45 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = d2.d2.d2.d2
46 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = d1.d1.d1.d1
47 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS): , value = d2.d2.d2.d2
48 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = WARNING:
Any use of this system may be logged or monitored without further notice, and the resulting logs may be used as evidence in court.
If you are unauthorised to use this system disconnect now!
49 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
50 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
51 14:20:37.375 10/08/02 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 3.6.3.Rel built by vmurphy on Oct 04 2002 16:23:00
52 14:20:37.425 10/08/02 Sev=Info/4 CM/0x63100019
Mode Config data received
53 14:20:37.465 10/08/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address c.c.c.c, GW IP = c.c.c.c
54 14:20:37.465 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to c.c.c.c
55 14:20:37.465 10/08/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 10.10.10.255, GW IP = c.c.c.c
56 14:20:37.465 10/08/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to c.c.c.c
57 14:20:37.675 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
58 14:20:37.675 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from c.c.c.c
59 14:20:37.675 10/08/02 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds
60 14:20:37.675 10/08/02 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 13 seconds, setting expiry to 86387 seconds from now
61 14:20:37.705 10/08/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = c.c.c.c
62 14:20:37.705 10/08/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from c.c.c.c
63 14:20:37.705 10/08/02 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies = 2CDEFD1BD3EFB19215350D42094312B8
64 14:20:37.705 10/08/02 Sev=Info/5 IKE/0x63000017
Marking IKE SA for deletion (COOKIES = 2CDEFD1BD3EFB192 15350D42094312B8) reason = DEL_REASON_PEER_DELETION
65 14:20:38.066 10/08/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:20:38.066 10/08/02 Sev=Info/6 IPSEC/0x6370002B
Sent 6 packets, 0 were fragmented.
67 14:20:38.066 10/08/02 Sev=Info/6 IPSEC/0x6370001D
TCP RST received from c.c.c.c, src port 10001, dst port 1677
68 14:20:38.366 10/08/02 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_PEER_DELETION". 0 Phase 1 SA currently in the system
69 14:20:38.366 10/08/02 Sev=Info/5 CM/0x63100029
Initializing CVPNDrv
70 14:20:38.366 10/08/02 Sev=Info/4 CM/0x63100031
Resetting TCP connection on port 10001
71 14:20:38.366 10/08/02 Sev=Info/6 CM/0x63100034
Removed local TCP port 1677 for TCP connection.
72 14:20:38.416 10/08/02 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_IKE_RECEIVED_DELETE_NOTIFICATION" (15h).
73 14:20:39.418 10/08/02 Sev=Info/4 IPSEC/0x63700012
Delete all keys associated with peer c.c.c.c
74 14:20:39.418 10/08/02 Sev=Info/4 IPSEC/0x63700012
Delete all keys associated with peer c.c.c.c
75 14:20:39.418 10/08/02 Sev=Info/6 IPSEC/0x63700022
TCP RST sent to c.c.c.c, src port 1677, dst port 10001
76 14:20:39.418 10/08/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
77 14:20:39.418 10/08/02 Sev=Info/6 IPSEC/0x6370002B
Sent 4 packets, 0 were fragmented.
When I look at the SA configuration(s) active IKE proposals everything seems ok (hence everything worked fine with 3.6.1. Concentrator release).
Any suggestions would be much appreciated.
Marcel
10-11-2002 03:13 PM
OK, I tried this myself and ran into the same issue. Looks like AES is broken in 3.6.3. A bug has been created (CSCdy88797) and will be fixed shortly, but for the moment you'll have to use 3.6.1 or change ciphers if you simply must use 3.6.3.
Sorry about that.
10-08-2002 10:57 PM
Thanks for including the log files. Here's your problem:
199 10/08/2002 14:20:37.630 SEV=5 IKE/66 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
IKE Remote Peer configured for SA: ESP-AES128-SHA
201 10/08/2002 14:20:37.630 SEV=4 IKE/0 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
All IPSec SA proposals found unacceptable!
Check the "testuser" client and see what IPSec SA proposal it has configured to use (should be ESP-AES128-SHA). Check under Config - Policy Mgmt - Traffic Mgmt - SAs and see what IKE policy that policy is using. Then go under Config - System - Tunneling Prots - IPSec - IKE Proposals and make sure that proposal is active.
Basically there's something wrong with that proposal, if you weren't using it before for that username then try using just the ESP-3DES-MD5 IPSec SA, that should definitely work.
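As an added illustration of the diagnosis above (this is not code from the thread or from Cisco), the following Python script parses the Concentrator event-log format posted in the question and separates the two facts the log establishes: Phase 1 completed for the peer (so the credentials and IKE proposal were accepted), and Phase 2 then failed with "All IPSec SA proposals found unacceptable!", naming the SA the remote peer asked for. The header layout (sequence number, date, time, SEV, subsystem/id, RPT, optional peer address) is assumed from the posted lines, and the sample log is constructed from them with the same placeholder addresses.

```python
"""Parse Cisco VPN 3000 Concentrator event-log text and flag IKE Phase 2
(Quick Mode) failures, keeping them distinct from Phase 1 results.

Added example, not the thread's or Cisco's code. The header layout is an
assumption inferred from the posted log lines:
    <seq> <date> <time> SEV=<n> <subsys>/<id> RPT=<n> [<peer-ip>]
followed by one or more message lines until the next header.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+SEV=(?P<sev>\d+)\s+(?P<subsys>[A-Z]+)/(?P<msg_id>\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<peer>\S+))?\s*$"
)
GROUP_USER_RE = re.compile(r"Group \[(?P<group>[^\]]*)\] User \[(?P<user>[^\]]*)\]")
SA_RE = re.compile(r"configured for SA:\s*(?P<sa>\S+)")


@dataclass
class Event:
    seq: int
    sev: int
    subsys: str
    msg_id: int
    peer: Optional[str]
    lines: List[str] = field(default_factory=list)

    @property
    def text(self) -> str:
        return " ".join(self.lines)


@dataclass
class Phase2Failure:
    peer: str
    group: Optional[str]
    user: Optional[str]
    proposed_sa: Optional[str]  # SA named by the peer just before the failure
    seq: int


def parse_events(log: str) -> List[Event]:
    """Group each header line with the message lines that follow it."""
    events: List[Event] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append(Event(int(m["seq"]), int(m["sev"]), m["subsys"],
                                int(m["msg_id"]), m["peer"]))
        elif events:
            events[-1].lines.append(line)
    return events


def find_phase2_failures(events: List[Event]) -> List[Phase2Failure]:
    """Pair each 'proposals unacceptable' event with the SA the peer requested."""
    failures: List[Phase2Failure] = []
    last_sa_by_peer: Dict[str, str] = {}
    for ev in events:
        if ev.subsys != "IKE":
            continue
        sa = SA_RE.search(ev.text)
        if sa and ev.peer:
            last_sa_by_peer[ev.peer] = sa["sa"]
        if "All IPSec SA proposals found unacceptable" in ev.text:
            gu = GROUP_USER_RE.search(ev.text)
            failures.append(Phase2Failure(
                peer=ev.peer or "?",
                group=gu["group"] if gu else None,
                user=gu["user"] if gu else None,
                proposed_sa=last_sa_by_peer.get(ev.peer or ""),
                seq=ev.seq,
            ))
    return failures


def summarize(log: str) -> dict:
    """Return peers that finished Phase 1 and the Phase 2 failures seen."""
    events = parse_events(log)
    phase1: Set[str] = {ev.peer for ev in events
                        if ev.subsys == "IKE" and "PHASE 1 COMPLETED" in ev.text and ev.peer}
    return {"phase1_peers": phase1, "phase2_failures": find_phase2_failures(events)}


# Constructed sample, modelled on the Concentrator log in the question.
SAMPLE_LOG = """\
188 10/08/2002 14:20:37.170 SEV=4 IKE/52 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
User (testuser) authenticated.
192 10/08/2002 14:20:37.620 SEV=4 IKE/119 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
PHASE 1 COMPLETED
199 10/08/2002 14:20:37.630 SEV=5 IKE/66 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
IKE Remote Peer configured for SA: ESP-AES128-SHA
201 10/08/2002 14:20:37.630 SEV=4 IKE/0 RPT=5 w.w.w.w
Group [TestGroup] User [testuser]
All IPSec SA proposals found unacceptable!
202 10/08/2002 14:20:37.630 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1d150bc, mess id 0xbac8f29)!
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("Phase 1 completed for:", sorted(result["phase1_peers"]))
    for f in result["phase2_failures"]:
        print(f"seq {f.seq}: Phase 2 rejected for {f.user}@{f.group} from {f.peer}; "
              f"peer asked for {f.proposed_sa}")
```

Running it on the sample prints that Phase 1 completed for w.w.w.w and that event 201 rejected Phase 2 for testuser@TestGroup while the peer asked for ESP-AES128-SHA. That combination (authentication succeeded, proposal rejected) is what points at the SA/IKE-proposal configuration rather than at the user's credentials.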
10-09-2002 12:01 AM
I have the exact same problem.
In ver. 3.6.1 it worked fine but after upgrading to 3.6.3 I'm not able to connect with AES. But as you state, using ESP-3DES-MD5 IPSec SA works fine.
10-09-2002 01:44 AM
Thnx Glenn for your reply.
I've verified your suggestions in both the 3.6.1 and 3.6.3 Concentrator release.
1. Groups/IPSec -> IPSec SA = ESP-AES128-SHA
2. Policy Mgmt/Traffic Mgmt/SA's -> ESP-AES128-SHA
* Authentication Algorithm = ESP/SHA/HMAC-160
* Encryption Algorithm = AES-128
* IKE Proposal = CiscoVPNClient-AES128-SHA
3. System/Tunneling Protocols/IPSec/IKE Proposals -> Active Proposals -> CiscoVPNClient-AES128-SHA
* Authentication Mode = Preshared keys (XAUTH)
* Authentication Algorithm = SHA/HMAC-160
* Encryption Algorithm = AES-128
* Diffie Hellman Group = Group2 (1024 bits)
These settings are THE SAME for both the 3.6.1 and 3.6.3 release, but the latter allows no VPN-connections (see logs in former posting).
I still would very much like to use AES encryption instead of 3DES for various reasons.
Question: Do you have any other suggestions I can try?
Thanks in advance,
Marcel