Troubleshooting VPN client connecting to PIX

shabib.syed · ‎03-16-2004

I have simple VPN configuration on my PIX. With only group access no local or xauth authentication. Some clients can connect fine. Some are unable to. The clients who cannot, they connect to my other PIX VPN with no problem.

here is a log from of the client that cannot connect to the PIX

1 18:31:31.073 03/16/04 Sev=Info/4 CM/0x63100002

Begin connection process

2 18:31:31.083 03/16/04 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet

3 18:31:31.083 03/16/04 Sev=Info/4 CM/0x63100024

Attempt connection with server "217.205.83.146"

4 18:31:31.083 03/16/04 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 217.205.83.146.

5 18:31:31.153 03/16/04 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 217.205.83.146

6 18:31:31.304 03/16/04 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 217.205.83.146

7 18:31:31.304 03/16/04 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 217.205.83.146

8 18:31:31.304 03/16/04 Sev=Info/5 IKE/0x6300004A

Discarding IKE SA negotiation

9 18:31:31.314 03/16/04 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "217.205.83.146" because of "DEL_REASON_EXPIRED"

10 18:31:31.314 03/16/04 Sev=Info/5 CM/0x63100027

Initializing CVPNDrv

umedryk · ‎03-22-2004

The "DEL_REASON_EXPIRED" message is indicating that the requested information was not provided to the client after numerous attempts and it timed out.

In order to determine the reason for this we should inspect the following error message from the debugs:

"RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 217.205.83.146"

It appears the client cannot locate any matching proposals for the phase 1 to work