cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
853
Views
0
Helpful
4
Replies
Highlighted

Remote access ASA 5520

   Hi,

I am losing my mind why I can't get the remote access with the client to work. It never gets past phase 1. The clientless SSL vpn works fine. Please help.


ASA Version 8.2(5)
!
hostname Lab-ASA-2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.210.16.253 255.255.240.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group service tcp-ipsec tcp
port-object eq 10000
object-group service tcp-500 tcp
port-object eq 500
object-group service DM_INLINE_TCP_1 tcp
group-object tcp-500
group-object tcp-ipsec
access-list MGMT_nat0_outbound extended permit ip any 10.20.0.0 255.255.255.240
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu MGMT 1500
mtu outside 1500
ip local pool RAS-POOL 10.20.0.2-10.20.0.10 mask 255.255.255.0
ip local pool testpool 192.168.0.10-192.168.0.15
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (MGMT) 0 access-list MGMT_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.210.16.10 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192

-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
no crypto isakmp nat-traversal


telnet timeout 5
ssh 10.0.0.0 255.0.0.0 MGMT
ssh 10.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy RAS3 internal
group-policy RAS3 attributes
dns-server value 10.210.31.24
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value tsys.com
username testuser password IqY6lTColo8VIF24 encrypted
username geronimo password cA6efHOS3K17brzW encrypted privilege 15
tunnel-group RAS3 type remote-access
tunnel-group RAS3 general-attributes
address-pool RAS-POOL
default-group-policy RAS3
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
pre-shared-key *****
tunnel-group SSL-ASA-VPN type remote-access
!
!

Thanks Doug

4 REPLIES 4
Highlighted

Remote access ASA 5520

Hello Douglas,

Try the following

crypto isakmp policy 10

encryption aes

group 2

hash sha

authentication pre-share

crypto isakmp nat-traversal

Let me know

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Remote access ASA 5520

That policy was already in the config under number 90. I added the crypto isakmp nat-traversal. Still doesn't work.

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

Highlighted

Remote access ASA 5520

Hello Douglas,

Can you try to connect and share the debugs you are getting ( debug crypto isakmp 255) Also share the logs when you attemtp to connect and the show crypto isakmp sa

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Remote access ASA 5520

Lab-ASA-2# debug crypto isakmp 255
Lab-ASA-2#

IKE Recv RAW packet dump
d2 5a da 68 91 c5 31 d7 00 00 00 00 00 00 00 00    |  .Z.h..1.........
01 10 04 00 00 00 00 00 00 00 03 54 04 00 02 2c    |  ...........T...,
00 00 00 01 00 00 00 01 00 00 02 20 01 01 00 0e    |  ........... ....
03 00 00 28 01 01 00 00 80 01 00 07 80 02 00 02    |  ...(............
80 04 00 02 80 03 fd e9 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 80 0e 01 00 03 00 00 28 02 01 00 00    |  . .........(....
80 01 00 07 80 02 00 01 80 04 00 02 80 03 fd e9    |  ................
80 0b 00 01 00 0c 00 04 00 20 c4 9b 80 0e 01 00    |  ......... ......
03 00 00 28 03 01 00 00 80 01 00 07 80 02 00 02    |  ...(............
80 04 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 80 0e 01 00 03 00 00 28 04 01 00 00    |  . .........(....
80 01 00 07 80 02 00 01 80 04 00 02 80 03 00 01    |  ................
80 0b 00 01 00 0c 00 04 00 20 c4 9b 80 0e 01 00    |  ......... ......
03 00 00 28 05 01 00 00 80 01 00 07 80 02 00 02    |  ...(............
80 04 00 02 80 03 fd e9 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 80 0e 00 80 03 00 00 28 06 01 00 00    |  . .........(....
80 01 00 07 80 02 00 01 80 04 00 02 80 03 fd e9    |  ................
80 0b 00 01 00 0c 00 04 00 20 c4 9b 80 0e 00 80    |  ......... ......
03 00 00 28 07 01 00 00 80 01 00 07 80 02 00 02    |  ...(............
80 04 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 80 0e 00 80 03 00 00 28 08 01 00 00    |  . .........(....
80 01 00 07 80 02 00 01 80 04 00 02 80 03 00 01    |  ................
80 0b 00 01 00 0c 00 04 00 20 c4 9b 80 0e 00 80    |  ......... ......
03 00 00 24 09 01 00 00 80 01 00 05 80 02 00 02    |  ...$............
80 04 00 02 80 03 fd e9 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 03 00 00 24 0a 01 00 00 80 01 00 05    |  . .....$........
80 02 00 01 80 04 00 02 80 03 fd e9 80 0b 00 01    |  ................
00 0c 00 04 00 20 c4 9b 03 00 00 24 0b 01 00 00    |  ..... .....$....
80 01 00 05 80 02 00 02 80 04 00 02 80 03 00 01    |  ................
80 0b 00 01 00 0c 00 04 00 20 c4 9b 03 00 00 24    |  ......... .....$
0c 01 00 00 80 01 00 05 80 02 00 01 80 04 00 02    |  ................
80 03 00 01 80 0b 00 01 00 0c 00 04 00 20 c4 9b    |  ............. ..
03 00 00 24 0d 01 00 00 80 01 00 01 80 02 00 01    |  ...$............
80 04 00 02 80 03 fd e9 80 0b 00 01 00 0c 00 04    |  ................
00 20 c4 9b 00 00 00 24 0e 01 00 00 80 01 00 01    |  . .....$........
80 02 00 01 80 04 00 02 80 03 00 01 80 0b 00 01    |  ................
00 0c 00 04 00 20 c4 9b 0a 00 00 84 66 d6 74 ca    |  ..... ......f.t.
3d 49 31 0f 5d 2e 85 c1 4c c4 6b da 81 d3 24 60    |  =I1.]...L.k...$`
a1 07 5c 5d 1f f5 b3 e7 ad f4 6d c2 de 79 fb e3    |  ..\]......m..y..
a0 6d 8e 1a 78 60 65 f7 bc ec 07 33 d7 77 45 ad    |  .m..x`e....3.wE.
ed d1 9c a0 31 15 6e 51 0b 68 a4 6f 30 dc 39 8e    |  ....1.nQ.h.o0.9.
76 57 f4 5b 8a 7b 79 98 49 1c 2d bb 8b c1 9f 5c    |  vW.[.{y.I.-....\
96 49 98 a6 74 c7 87 03 fa 12 d7 94 fb 0e e2 03    |  .I..t...........
78 5e ec b3 0e 10 e5 88 ed 46 2d 97 83 2a ae 4b    |  x^.......F-..*.K
42 83 f7 df 2e f1 53 34 a4 5b b0 58 05 00 00 18    |  B.....S4.[.X....
2a f3 38 81 5e 8b 54 78 82 da 53 27 54 63 81 51    |  *.8.^.Tx..S'Tc.Q
6c eb f8 f8 0d 00 00 10 0b 11 01 f4 67 65 72 6f    |  l...........gero
6e 69 6d 6f 0d 00 00 0c 09 00 26 89 df d6 b7 12    |  nimo......&.....
0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc    |  ........h...k...
77 57 01 00 0d 00 00 18 40 48 b7 d5 6e bc e8 85    |  wW......@H..n...
25 e7 de 7f 00 d6 c2 d3 80 00 00 00 0d 00 00 14    |  %..............
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f    |  ....>.in.c...B{.
00 00 00 14 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2    |  ........Eqh.p-..
74 cc 01 00 00 00 00 00 00 00 00 00 00 00 00 00    |  t...............
00 00 00 00                                        |  ....

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 852
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 556
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 544
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 14
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 7
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 8
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 10
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 11
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 12
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 13
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 14
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      66 d6 74 ca 3d 49 31 0f 5d 2e 85 c1 4c c4 6b da
      81 d3 24 60 a1 07 5c 5d 1f f5 b3 e7 ad f4 6d c2
      de 79 fb e3 a0 6d 8e 1a 78 60 65 f7 bc ec 07 33
      d7 77 45 ad ed d1 9c a0 31 15 6e 51 0b 68 a4 6f
      30 dc 39 8e 76 57 f4 5b 8a 7b 79 98 49 1c 2d bb
      8b c1 9f 5c 96 49 98 a6 74 c7 87 03 fa 12 d7 94
      fb 0e e2 03 78 5e ec b3 0e 10 e5 88 ed 46 2d 97
      83 2a ae 4b 42 83 f7 df 2e f1 53 34 a4 5b b0 58
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      2a f3 38 81 5e 8b 54 78 82 da 53 27 54 63 81 51
      6c eb f8 f8
  Payload Identification
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 16
    ID Type: ID_KEY_ID (11)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: geronimo
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      80 00 00 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 852
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ke payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ISA_KE payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing nonce payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing ID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received xauth V6 VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received DPD VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received Fragmentation VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received NAT-Traversal ver 02 VID
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, processing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: IP = 10.200.49.23, Received Cisco Unity client VID
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'geronimo'.
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, processing IKE SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ISAKMP SA payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ke payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing nonce payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Generating keys for Responder...
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing ID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing hash payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Computing hash for ISAKMP
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing Cisco Unity VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing xauth V6 VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing dpd vid payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Traversal VID ver 02 payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Discovery payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, computing NAT Discovery hash
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing NAT-Discovery payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, computing NAT Discovery hash
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing Fragmentation VID + extended capabilities payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, constructing VID payload
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 13 18:25:32 [IKEv1]: IP = 10.200.49.23, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

SENDING PACKET to 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 440
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      78 76 58 8d 18 a3 30 a7 c2 a9 be cc 95 72 fa 73
      7b 9e db 65 6e 09 da e7 f7 52 ae 5d 4b a6 64 ba
      78 c2 5e 71 85 6c e6 28 37 24 1f 87 71 e3 d4 b7
      3c 05 9f 5d b7 dd 42 57 f2 58 76 66 44 f8 37 f3
      1a 21 94 30 b3 ad 27 17 65 8a c7 aa c8 5b f5 32
      fe c8 5e 8a a0 5c 16 d7 94 f2 42 92 bf eb e2 04
      ca 47 b8 73 41 b5 2e 4f 86 32 62 c5 cd a9 e7 35
      16 21 fc 20 aa 1b 24 20 3b f7 7c 22 f9 b2 2c b8
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      8f 98 93 5f 81 f9 59 d5 28 d9 87 d3 42 a3 1f 31
      04 df 39 d6
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 0
    ID Data: 10.210.16.253
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      99 01 bc 97 b1 c9 b7 f5 e5 5e 5e d0 55 90 83 51
      f7 4c 0f d7
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload NAT-D
    Next Payload: NAT-D
    Reserved: 00
    Payload Length: 24
    Data:
      0b 5c b8 6d 5c 99 c7 fc 5b 41 db e5 be a4 37 cc
      3f 68 b4 61
  Payload NAT-D
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      ff 34 bd ee 41 e9 ea 1b 07 4c a9 b7 94 d8 b5 5c
      db 0d 3f c5
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE AM Responder FSM error history (struct &0xccdb2878)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, IKE SA AM:fca75d15 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Dec 13 18:25:32 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 10.200.49.23, sending delete/delete with reason message


IKE Recv RAW packet dump
d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac    |  .Z.h..1..]..^...
0b 10 05 00 00 00 00 00 00 00 00 38 00 00 00 1c    |  ...........8....
00 00 00 01 01 10 00 17 d2 5a da 68 91 c5 31 d7    |  .........Z.h..1.
15 5d a7 fc 5e c3 0b ac 00 00 00 00 00 00 00 00    |  .]..^...........
00 00 00 00 00 00 00 00                            |  ........


IKE Recv RAW packet dump
d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac    |  .Z.h..1..]..^...
0b 10 05 00 00 00 00 00 00 00 00 38 00 00 00 1c    |  ...........8....
00 00 00 01 01 10 00 18 d2 5a da 68 91 c5 31 d7    |  .........Z.h..1.
15 5d a7 fc 5e c3 0b ac 00 00 00 00 00 00 00 00    |  .]..^...........
00 00 00 00 00 00 00 00                            |  ........

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 00000000
  Length: 56
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: INVALID_HASH_INFO
    SPI:
      d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac

RECV PACKET from 10.200.49.23
ISAKMP Header
  Initiator COOKIE: d2 5a da 68 91 c5 31 d7
  Responder COOKIE: 15 5d a7 fc 5e c3 0b ac
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 00000000
  Length: 56
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: AUTH_FAILED
    SPI:
      d2 5a da 68 91 c5 31 d7 15 5d a7 fc 5e c3 0b ac