06-30-2010 09:46 PM - edited 02-21-2020 04:42 PM
Hi,
I'm configuring the remote access VPN on the PIX 515 with version 8.0(4)
Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited
When I try using the Cisco VPN Client software version 4.0.2 to establish a connection, it fails. I ran the debug and the messages are as below:
Jun 16 12:23:14 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:14 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, processing IKE SA payload
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, All SA proposals found unacceptable
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE AM Responder FSM error history (struct &0x36f5810) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE SA AM:f7fe02b6 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, sending delete/delete with reason message
Jun 16 12:23:14 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Removing peer from peer table failed, no match!
Jun 16 12:23:14 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Error: Unable to remove PeerTblEntry
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing SA payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ke payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ISA_KE payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing nonce payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received xauth V6 VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received DPD VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received NAT-Traversal ver 02 VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Fragmentation VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, processing IKE SA payload
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, All SA proposals found unacceptable
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE AM Responder FSM error history (struct &0x36db7e8) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE SA AM:519b3d9c terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, sending delete/delete with reason message
Jun 16 12:23:19 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Removing peer from peer table failed, no match!
Jun 16 12:23:19 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Error: Unable to remove PeerTblEntry
May I know what the problem is?
Thanks
06-30-2010 10:40 PM
Based on the debug outputs, it's failing because the IKE/ISAKMP proposal does not match.
Please share the output of "show run cry isa" to see what has been configured. Thanks.
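As an added example (not part of the original posts), this Python script triages debug output like that shown above: it groups IKEv1 lines by peer, counts rejected Phase 1 proposals, and collects the VPN encryption license flags so they can be compared with the ISAKMP policies that "show run cry isa" returns. The function name `triage` and the abridged sample input are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the license block and debug output in the post above.
SAMPLE = """\
VPN-DES : Enabled
VPN-3DES-AES : Disabled
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received xauth V6 VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE AM Responder FSM error history (struct &0x36db7e8)
"""

LINE = re.compile(r"\[IKEv1(?: DEBUG)?\]: (?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)")
LICENSE = re.compile(r"^(VPN-[\w-]+)\s*:\s*(Enabled|Disabled)$")
FSM = re.compile(r"IKE (\w+) Responder FSM error history")  # tag is AM in the log above

def triage(text):
    """Summarise the Phase 1 outcome per peer and collect VPN license flags."""
    peers = defaultdict(lambda: {"group": None, "mode": None, "vids": set(), "failures": 0})
    licenses = {}
    for line in text.splitlines():
        lic = LICENSE.match(line.strip())
        if lic:
            licenses[lic.group(1)] = lic.group(2) == "Enabled"
            continue
        m = LINE.search(line)
        if not m:
            continue
        p, msg = peers[m.group("ip")], m.group("msg")
        if m.group("group"):
            p["group"] = m.group("group")
        fsm = FSM.match(msg)
        if msg.startswith("Connection landed on tunnel_group "):
            p["group"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Received ") and msg.endswith(" VID"):
            p["vids"].add(msg[len("Received "):-len(" VID")])  # capabilities the client advertised
        elif msg.startswith("All IKE SA proposals found unacceptable"):
            p["failures"] += 1  # one per rejected negotiation attempt
        elif fsm:
            p["mode"] = fsm.group(1)  # exchange tag exactly as logged
    return dict(peers), licenses

if __name__ == "__main__":
    peers, licenses = triage(SAMPLE)
    for ip, p in peers.items():
        print(ip, p["group"], p["mode"], sorted(p["vids"]), "proposal rejections:", p["failures"])
    print("encryption licenses:", licenses)
```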