06-21-2005 12:14 AM
Hello,
I have recently upgraded from 6.3(4) to v7.01 and am having some problems with
remote VPN connections.
In the past we just used the PPTP and Windows XP connection to make a VPN
connection.
Now with v7.01 I see we have to use Cisco's VPN client, which is fine,
however I am unable to connect to the PIX unit remotely.
The syslog message I get back is:
%PIX-4-713903: Group = xx.xx.xx.xx, IP = ABC, Can't find a valid tunnel group, aborting...!
The log from the Cisco VPN Client (v4.6.03.0021) shows the following:
93 23:50:09.329 06/14/05 Sev=Info/4 CM/0x63100002
Begin connection process
94 23:50:09.350 06/14/05 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
95 23:50:09.350 06/14/05 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
96 23:50:09.350 06/14/05 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xx"
97 23:50:09.360 06/14/05 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.
98 23:50:09.390 06/14/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to xx.xx.xx.xx
99 23:50:09.550 06/14/05 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
100 23:50:09.550 06/14/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
101 23:50:14.547 06/14/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
102 23:50:14.547 06/14/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx
103 23:50:19.555 06/14/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
104 23:50:19.555 06/14/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx
105 23:50:24.562 06/14/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
106 23:50:24.592 06/14/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xx.xx.xx.xx
107 23:50:29.580 06/14/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9B2ED7B1BD723447
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
108 23:50:30.571 06/14/05 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9B2ED7B1BD723447
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
109 23:50:30.581 06/14/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of
"DEL_REASON_PEER_NOT_RESPONDING"
110 23:50:30.581 06/14/05 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
111 23:50:30.611 06/14/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
112 23:50:30.631 06/14/05 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
113 23:50:31.082 06/14/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
114 23:50:31.082 06/14/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
115 23:50:31.082 06/14/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
116 23:50:31.092 06/14/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Any ideas? I have also used the VPN wizard to create it.
Thanks
Sonny
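A triage sketch for client logs of the kind quoted in the post above, added here as an example and not part of the original thread or any Cisco tool: it pairs each header line with its message, then reports retransmissions, whether the responder cookie ever became non-zero, and the deletion reasons. The sample log, function names and field names are constructed for illustration.

```python
import re

# Constructed sample in the Cisco VPN Client log layout quoted in the post
# (documentation address and made-up cookie, not values from the thread).
SAMPLE_LOG = """\
1 10:00:00.000 01/01/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to 192.0.2.1
2 10:00:05.000 01/01/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
3 10:00:05.000 01/01/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.1
4 10:00:10.000 01/01/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1111111111111111
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Header line: sequence, time, date, severity, module/message id.
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+"
    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse_events(text):
    """Attach the message lines that follow each header to that event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m.group(1)), "time": m.group(2),
                           "module": m.group(6), "id": m.group(7), "msg": ""})
        elif line and events:
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def summarize_phase1(events):
    """Summarize the IKE events: retransmits, responder cookie, reasons."""
    ike_text = " ".join(e["msg"] for e in events if e["module"] == "IKE")
    cookies = re.findall(r"R_Cookie=([0-9A-Fa-f]{16})", ike_text)
    return {
        "retransmissions": ike_text.count("(Retransmission)"),
        # True only if some logged responder cookie is non-zero; an all-zero
        # responder cookie means no IKE reply was ever received.
        "responder_replied": any(set(c) != {"0"} for c in cookies),
        "reasons": sorted(set(re.findall(r"reason = (\w+)", ike_text))),
    }

if __name__ == "__main__":
    print(summarize_phase1(parse_events(SAMPLE_LOG)))
```

A result with retransmissions, no responder reply and DEL_REASON_PEER_NOT_RESPONDING points the investigation at the gateway's own syslog rather than at the client.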
06-27-2005 06:49 AM
Is the PIX that you are using only licensed for DES? And is there a client that won't connect to DES?
Here are some known issues as a result of upgrading to 7.0 from 6.3 affecting VPN: xauth is enabled by default on all remote access tunnels. It does not show up in a "show run", but you can see it by doing a "show run all tunnel-group". To disable it, under the tunnel's general-attributes, set the authentication server to none.
07-21-2005 11:38 PM
Could you please tell me the exact commands to do this?
Thank you
07-26-2005 05:10 PM
"tunnel-group
authentication-server-group none"
The full description is in the document "Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0"
Serhat