04-01-2011 10:17 AM - edited 02-21-2020 05:15 PM
Hi,
We have an ASA5510 with version 7.x and ASDM 5.x. I upgraded it to 8.3 and ASDM 6.2, and I got VPN peers 250 and 2 SSL.
When I try to connect through the client software, I can see in the logs that a UDP port 500 connection is created, as shown below.
Nothing else happens, and I get the error shown below.
Secure VPN Connection terminated Locally by the client
Reason 412: Remote peer is no longer Responding
Connection terminated on.
I suspect it is a VPN-3DES-AES activation key issue.
When I go to Remote Access VPN ---Advanced---SSL Settings, in the left Encryption panel under Available Algorithms I have DES-SHA1. When I try to drag it to the right panel of Active Algorithms, it gives me the error below:
[ERROR] sl encryption rc4-sha1 des-sha1
The 3DES/AES algorithms require a VPN-3DES-AES activation key
Currently, in the right panel of Active Algorithms, I have only RC4-SHA1.
Can anyone kindly suggest what the issue is, or whether this is related to a license/activation key issue?
Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500)
04-01-2011 11:55 AM
please post a show license or show activation-key or sho version.
04-01-2011 09:59 PM
Hi mitchell,
sh activation-key
Running Permanent Activation Key: 0xaa03fc46 0xccdae02f 0x50325198 0xa7009cc4 0xcd081ab0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
2. sh version
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: Ethernet0/0 : address is c84c.7561.65cc, irq 9
1: Ext: Ethernet0/1 : address is c84c.7561.65cd, irq 9
2: Ext: Ethernet0/2 : address is c84c.7561.65ce, irq 9
3: Ext: Ethernet0/3 : address is c84c.7561.65cf, irq 9
4: Ext: Management0/0 : address is c84c.7561.65d0, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Mitchell, kindly help me; this is very, very urgent. If this problem is related to the license then we can go for that, or if it is a configuration issue kindly guide me.
04-01-2011 10:33 PM
Hi Mitchell,
Kindly find the debug output from when I try to connect through the client.
debug cry isa 128
debug cry ips 128
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8)
DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:df0356aa terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8)
DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:151b9de7 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8)
DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:44661018 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8)
DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:7916e0b5 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message
04-02-2011 10:47 AM
It's failing phase 1... it's not matching on either side for any of the proposals. Install the license, change the encryption to the proper encryption and it should work fine.
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8)
DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_
04-02-2011 10:43 AM
Need to get the 3DES license..
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
04-03-2011 11:58 AM
Hi,
After activating the VPN-DES-AES key it is working.
I am really thankful to you.
04-03-2011 07:05 PM
Cool... Please rate and mark as answered...
Thanks,
TJM
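
The diagnosis reached in this thread, as an added example that is not part of any post above: a Python sketch that correlates the `VPN-3DES-AES` line of `show activation-key` with "All IKE SA proposals found unacceptable" events in `debug crypto isakmp` output. The sample input is constructed (documentation IP address, placeholder group name), the function names are hypothetical, and it assumes each debug message sits on one unwrapped line.

```python
import re

# Constructed sample input, modelled on the output formats quoted in the thread.
SAMPLE_LICENSE = "VPN-DES : Enabled perpetual\nVPN-3DES-AES : Disabled perpetual\n"
SAMPLE_DEBUG = """\
Apr 01 21:59:43 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group EXAMPLE-GROUP
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = EXAMPLE-GROUP, IP = 192.0.2.10, All SA proposals found unacceptable
Apr 01 21:59:43 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
Apr 01 21:59:48 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group EXAMPLE-GROUP
Apr 01 21:59:48 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
"""

LICENSE_RE = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(\S+)", re.M)
PEER_RE = re.compile(r"IP = ([\d.]+), (.+)$")
GROUP_RE = re.compile(r"landed on tunnel_group (\S+)")
REJECT = "All IKE SA proposals found unacceptable"  # non-DEBUG line, once per attempt

def parse_license(text):
    """Map each licensed feature name to its first value token."""
    return {name: value for name, value in LICENSE_RE.findall(text)}

def rejected_peers(debug_text):
    """Per peer IP: tunnel group it landed on and number of rejected attempts."""
    peers = {}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        entry = peers.setdefault(m.group(1), {"group": None, "rejections": 0})
        g = GROUP_RE.search(m.group(2))
        if g:
            entry["group"] = g.group(1)
        elif REJECT in m.group(2):
            entry["rejections"] += 1
    return {ip: e for ip, e in peers.items() if e["rejections"]}

def diagnose(license_text, debug_text):
    """Return (peer, group, rejections, likely cause) for each failing peer."""
    strong = parse_license(license_text).get("VPN-3DES-AES") == "Enabled"
    cause = ("compare the IKE policy with the client's proposals" if strong
             else "VPN-3DES-AES license disabled: 3DES/AES cannot be used")
    return [(ip, e["group"], e["rejections"], cause)
            for ip, e in rejected_peers(debug_text).items()]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LICENSE, SAMPLE_DEBUG):
        print(finding)
```
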