Remote access ASA 5520

   Hi,

I am losing my mind why I can't get the remote access with the client to work. It never gets past phase 1. The clientless SSL vpn works fine. Please help.


ASA Version 8.2(5)
!
hostname Lab-ASA-2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.210.16.253 255.255.240.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group service tcp-ipsec tcp
port-object eq 10000
object-group service tcp-500 tcp
port-object eq 500
object-group service DM_INLINE_TCP_1 tcp
group-object tcp-500
group-object tcp-ipsec
access-list MGMT_nat0_outbound extended permit ip any 10.20.0.0 255.255.255.240
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu MGMT 1500
mtu outside 1500
ip local pool RAS-POOL 10.20.0.2-10.20.0.10 mask 255.255.255.0
ip local pool testpool 192.168.0.10-192.168.0.15
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (MGMT) 0 access-list MGMT_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.210.16.10 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
no crypto isakmp nat-traversal


telnet timeout 5
ssh 10.0.0.0 255.0.0.0 MGMT
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy RAS3 internal
group-policy RAS3 attributes
dns-server value 10.210.31.24
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value tsys.com
username testuser password IqY6lTColo8VIF24 encrypted
username geronimo password cA6efHOS3K17brzW encrypted privilege 15
tunnel-group RAS3 type remote-access
tunnel-group RAS3 general-attributes
address-pool RAS-POOL
default-group-policy RAS3
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
tunnel-group SSL-ASA-VPN type remote-access
!
!

Thanks Doug


Julio Carvajal
VIP Alumni

Hello Douglas,

Try the following

crypto isakmp policy 10
encryption aes
group 2
hash sha
authentication pre-share

crypto isakmp nat-traversal

Let me know

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That policy was already in the config under number 90. I added the crypto isakmp nat-traversal. Still doesn't work.

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

Hello Douglas,

Can you try to connect and share the debugs you are getting (debug crypto isakmp 255)? Also share the logs when you attempt to connect and the show crypto isakmp sa output.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Lab-ASA-2# debug crypto isakmp 255
Lab-ASA-2#

IKE Recv RAW packet dump

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 852
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 556
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 544
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 14
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 7
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 8
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 10
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 11
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 12
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 13
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 14
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      66 d6 74 ca 3d 49 31 0f 5d 2e 85 c1 4c c4 6b da
      81 d3 24 60 a1 07 5c 5d 1f f5 b3 e7 ad f4 6d c2
      de 79 fb e3 a0 6d 8e 1a 78 60 65 f7 bc ec 07 33
      d7 77 45 ad ed d1 9c a0 31 15 6e 51 0b 68 a4 6f
      30 dc 39 8e 76 57 f4 5b 8a 7b 79 98 49 1c 2d bb
      8b c1 9f 5c 96 49 98 a6 74 c7 87 03 fa 12 d7 94
      fb 0e e2 03 78 5e ec b3 0e 10 e5 88 ed 46 2d 97
      83 2a ae 4b 42 83 f7 df 2e f1 53 34 a4 5b b0 58
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      2a f3 38 81 5e 8b 54 78 82 da 53 27 54 63 81 51
      6c eb f8 f8
  Payload Identification
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 16
    ID Type: ID_KEY_ID (11)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: geronimo
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      80 00 00 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 852
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ke payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ISA_KE payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing nonce payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received xauth V6 VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received DPD VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received Fragmentation VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received NAT-Traversal ver 02 VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received Cisco Unity client VID
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'geronimo'.
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, processing IKE SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ISAKMP SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ke payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing nonce payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Generating keys for Responder...
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing hash payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Computing hash for ISAKMP
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing Cisco Unity VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing xauth V6 VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing dpd vid payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Traversal VID ver 02 payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Discovery payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, computing NAT Discovery hash
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Discovery payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, computing NAT Discovery hash
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing Fragmentation VID + extended capabilities payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

SENDING PACKET to 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 440
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      78 76 58 8d 18 a3 30 a7 c2 a9 be cc 95 72 fa 73
      7b 9e db 65 6e 09 da e7 f7 52 ae 5d 4b a6 64 ba
      78 c2 5e 71 85 6c e6 28 37 24 1f 87 71 e3 d4 b7
      3c 05 9f 5d b7 dd 42 57 f2 58 76 66 44 f8 37 f3
      1a 21 94 30 b3 ad 27 17 65 8a c7 aa c8 5b f5 32
      fe c8 5e 8a a0 5c 16 d7 94 f2 42 92 bf eb e2 04
      ca 47 b8 73 41 b5 2e 4f 86 32 62 c5 cd a9 e7 35
      16 21 fc 20 aa 1b 24 20 3b f7 7c 22 f9 b2 2c b8
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      8f 98 93 5f 81 f9 59 d5 28 d9 87 d3 42 a3 1f 31
      04 df 39 d6
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 0
    ID Data: 10.210.16.253
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      99 01 bc 97 b1 c9 b7 f5 e5 5e 5e d0 55 90 83 51
      f7 4c 0f d7
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload NAT-D
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 24
    Data:
      0b 5c b8 6d 5c 99 c7 fc 5b 41 db e5 be a4 37 cc
      3f 68 b4 61
  Payload NAT-D
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      ff 34 bd ee 41 e9 ea 1b 07 4c a9 b7 94 d8 b5 5c
      db 0d 3f c5
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE AM Responder FSM error history (struct &0xccdb2878)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE SA AM:fca75d15 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, sending delete/delete with reason message


IKE Recv RAW packet dump
d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac    |  .Z.h..1..]..^...
0b 10 05 00 00 00 00 00 00 00 00 38 00 00 00 1c    |  ...........8....
00 00 00 01 01 10 00 17 d2 5a da 68 91 c5 31 d7    |  .........Z.h..1.
15 5d a7 fc 5e c3 0b ac 00 00 00 00 00 00 00 00    |  .]..^...........
00 00 00 00 00 00 00 00                            |  ........


IKE Recv RAW packet dump
d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac    |  .Z.h..1..]..^...
0b 10 05 00 00 00 00 00 00 00 00 38 00 00 00 1c    |  ...........8....
00 00 00 01 01 10 00 18 d2 5a da 68 91 c5 31 d7    |  .........Z.h..1.
15 5d a7 fc 5e c3 0b ac 00 00 00 00 00 00 00 00    |  .]..^...........
00 00 00 00 00 00 00 00                            |  ........

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 00000000
  Length: 56
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: INVALID_HASH_INFO
    SPI:
      d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 00000000
  Length: 56
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: AUTH_FAILED
    SPI:
      d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac
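
A triage sketch for the debug output above, added here as an example and not part of any poster's reply: it compares the group name the client sent in aggressive mode with the tunnel-groups in the posted configuration and collects the notifies the peer returned. The function names are hypothetical, and the sample strings are lines copied from this thread.

```python
import re

# Sample input: tunnel-group lines copied from the configuration posted above
# (the paste has lost its indentation, so sub-commands appear flush left).
CONFIG = """\
tunnel-group RAS3 type remote-access
tunnel-group RAS3 general-attributes
address-pool RAS-POOL
default-group-policy RAS3
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
tunnel-group SSL-ASA-VPN type remote-access
"""

# Sample input: the decision-relevant lines copied from the debug output above.
DEBUG = """\
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'geronimo'.
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, sending delete/delete with reason message
    Notify Type: INVALID_HASH_INFO
    Notify Type: AUTH_FAILED
"""


def parse_tunnel_groups(config):
    """Return {name: {"type": str|None, "psk": bool}} for every tunnel-group."""
    groups, in_ipsec = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate both indented and flattened pastes
        m = re.match(r"tunnel-group (\S+) (\S+)\s*(\S*)", line)
        if m:
            name, section, arg = m.groups()
            entry = groups.setdefault(name, {"type": None, "psk": False})
            if section == "type":
                entry["type"] = arg
            # pre-shared-key is only valid under ipsec-attributes
            in_ipsec = name if section == "ipsec-attributes" else None
        elif line.startswith("pre-shared-key") and in_ipsec:
            groups[in_ipsec]["psk"] = True
    return groups


def parse_debug(debug):
    """Pull the group lookup result, matched IKE entry and peer notifies."""
    ev = {"requested": None, "handled_as": None, "ike_entry": None, "notifies": []}
    for line in debug.splitlines():
        if m := re.search(r"unknown tunnel group name '([^']+)'", line):
            ev["requested"] = m.group(1)
        if m := re.search(r"Group = ([^,]+), IP = ", line):
            ev["handled_as"] = m.group(1)
        if m := re.search(r"acceptable\s+Matches global IKE entry # (\d+)", line):
            ev["ike_entry"] = int(m.group(1))
        if m := re.search(r"Notify Type: (\w+)", line):
            if m.group(1) not in ev["notifies"]:
                ev["notifies"].append(m.group(1))
    return ev


def triage(config, debug):
    """Combine both views into the facts needed to read a phase 1 failure."""
    groups = parse_tunnel_groups(config)
    ev = parse_debug(debug)
    return {
        "requested_group": ev["requested"],
        # tunnel-group names are compared exactly, including case
        "group_is_configured": ev["requested"] in groups,
        "handled_as": ev["handled_as"],
        "matched_ike_entry": ev["ike_entry"],
        "peer_notifies": ev["notifies"],
        "groups_with_psk": sorted(n for n, g in groups.items() if g["psk"]),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG, DEBUG).items():
        print(f"{key}: {value}")
```

On the lines from this thread it reports that the proposal itself was accepted (transform 9 against IKE entry 1), that the name sent in the ID payload is not one of the configured tunnel-groups, and that `testgroup` is the only group in the posted configuration with a pre-shared key.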
