03-24-2010 04:08 AM - edited 02-21-2020 04:34 PM
Hi,
I have a problem with remote access IPSEC VPN configuration on 1841 security router.
Connection can't be established by cisco vpn client.
Part of the configuration is in attahment.
Best regards,
Miroslav Petkovic
03-24-2010 04:47 AM
Please share debug output when trying to connect to the router.
debug cry isa
debug cry ipsec
Thanks.
03-24-2010 05:41 AM
There is not any output from debug commands when I tried to connect with remote cisco vpn client.
Router1841#debug cry isa
Crypto ISAKMP debugging is on
Router1841#debug cry ipsec
Crypto IPSEC debugging is on
I recived message from VPN Client:
Secure VPN Connection terminated locally by the Client
Reason 412: The remote peer is no longer responding.
Best regards,
Miroslav Petkovic
03-24-2010 02:30 PM
What is your logging level? If you are telnetting or ssh into the ASA, please turn on "logging mon 7" and "logging on". You should see debugs when you are trying to connect.
03-25-2010 03:53 AM
Hi,
this is router cisco 1841. I tried:
Router1841(config)#logging monitor 7
Router1841(config)#logging on
Router1841#terminal monitor
Router1841#debug cry ipsec
Crypto IPSEC debugging is on
Router1841#debug cry isa
but I din't receive any log when I tried to establish remote access vpn.
Best regards,
Miroslav Petkovic
03-25-2010 03:55 AM
Maybe the VPN connection is not even reaching your router.
What about the VPN Client logs? Can you share, please?
03-25-2010 04:05 AM
03-25-2010 05:15 AM
On your vpn client, go to Log --> Log Settings --> change everything to High, then enable the logs.
Tried to connect again, and grab the logs from the logs tab after you are prompted with that error message.
03-25-2010 05:37 AM
Hi,
This is log:
Attempt connection with server "118.159.110.241"
4 13:24:50.412 03/25/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 118.159.110.241.
5 13:24:50.419 03/25/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 13:24:50.425 03/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 118.159.110.241
7 13:24:50.429 03/25/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 13:24:50.429 03/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 13:24:50.430 03/25/10 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (10.1.0.103)
10 13:24:55.553 03/25/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
11 13:24:55.554 03/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241
12 13:25:00.625 03/25/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
13 13:25:00.626 03/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241
14 13:25:05.695 03/25/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
15 13:25:05.695 03/25/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241
16 13:25:10.765 03/25/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CD66FFF7820A7902 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 13:25:11.266 03/25/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CD66FFF7820A7902 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
18 13:25:11.266 03/25/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "118.159.110.241" because of "DEL_REASON_PEER_NOT_RESPONDING"
19 13:25:11.266 03/25/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
20 13:25:11.288 03/25/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
21 13:25:11.289 03/25/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
22 13:25:12.298 03/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 13:25:12.298 03/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 13:25:12.298 03/25/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
25 13:25:12.298 03/25/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Best regards,
Miroslav Petkovic
03-25-2010 05:42 AM
Yup, doesn't look like the VPN traffic is reaching your router.
Checked if UDP/500 is being blocked by your router/modem/etc or ISP or if there is a firewall.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide