unable to connect VPN with anyconnect client

rafat0426
Level 1

Hi,

We have an ASA5510 with version 7.x and ASDM 5.x. I upgraded it to 8.3 and ASDM 6.2, and I got VPN peers 250 and 2 SSL.

When I try to connect through the client software, I can see in the logs that the UDP 500 port connection is created, as shown below.

Nothing else is going on, and I get the error shown below.

Secure VPN Connection terminated Locally by the client

Reason 412: Remote peer is no longer Responding

Connection terminated on.

I suspect it is a VPN-3DES-AES activation key issue.

When I go to Remote Access VPN ---Advanced---SSL Settings, in the left encryption panel of Available Algorithms I have DES-SHA1. When I try to drag it to the right panel of Active Algorithms, it gives me the error *** below

[ERROR] sl encryption rc4-sha1 des-sha1

The 3DES/AES algorithms require a VPN-3DES-AES activation key

and currently in the right panel of Active Algorithms I have only RC4-SHA1.

Kindly, can anyone suggest what the issue is, or whether this is related to a license/activation key issue?

Mar 31 2011 23:54:40 302015 94.97.180.0 57013 x.x.x.x 500 Built inbound UDP connection 56694 for outside:94.97.180.0/57013 (94.97.180.0/57013) to identity:x.x.x.x/500 (x.x.x.x/500)

tj.mitchell
Level 4

Please post a show license or show activation-key or sho version.

Hi mitchell,

sh activation-key

Running Permanent Activation Key: 0xaa03fc46 0xccdae02f 0x50325198 0xa7009cc4 0xcd081ab0

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 50 perpetual

Inside Hosts : Unlimited perpetual

Failover : Disabled perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Disabled perpetual

Security Contexts : 0 perpetual

GTP/GPRS : Disabled perpetual

SSL VPN Peers : 2 perpetual

Total VPN Peers : 250 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

AnyConnect Essentials : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

2. sh version

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
0: Ext: Ethernet0/0         : address is c84c.7561.65cc, irq 9
1: Ext: Ethernet0/1         : address is c84c.7561.65cd, irq 9
2: Ext: Ethernet0/2         : address is c84c.7561.65ce, irq 9
3: Ext: Ethernet0/3         : address is c84c.7561.65cf, irq 9
4: Ext: Management0/0       : address is c84c.7561.65d0, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Mitchell, kindly help me; this is very, very urgent. If this problem is related to the license then we can go for that, or if it is a configuration issue, kindly guide me.

Hi Mitchell,

Kindly find the debug output from when I try to connect through the client.

debug cry isa 128

debug cry ips 128

Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:43 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:df0356aa terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:48 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:151b9de7 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:48 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:53 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:44661018 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:53 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 864
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing SA payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ke payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ISA_KE payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing nonce payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing ID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received xauth V6 VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received DPD VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Fragmentation VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received NAT-Traversal ver 02 VID
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, processing VID payload
Apr 01 21:59:58 [IKEv1 DEBUG]: IP = 88.85.229.110, Received Cisco Unity client VID
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, processing IKE SA payload
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:58 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE SA AM:7916e0b5 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Apr 01 21:59:58 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, sending delete/delete with reason message

It's failing phase 1... it's not matching on either side for any of the proposals. Install the license, change the encryption to the proper encryption and it should work fine.

Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, All SA proposals found unacceptable
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:43 [IKEv1 DEBUG]: Group = ASLAK-ANY-CLIENT-VPN, IP = 88.85.229.110, IKE AM Responder FSM error history (struct &0xad35c1d8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_

Need to get the 3DES license..

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited perpetual

Maximum VLANs : 50 perpetual

Inside Hosts : Unlimited perpetual

Failover : Disabled perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Disabled perpetual

Security Contexts : 0 perpetual

GTP/GPRS : Disabled perpetual

SSL VPN Peers : 2 perpetual

Total VPN Peers : 250 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

AnyConnect Essentials : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

Hi,

After activating the VPN-DES-AES key it is working.

I am really thankful to you.

Cool... Please rate and mark as answered...

Thanks,

TJM
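
The diagnosis reached in this thread can be checked mechanically by correlating the two outputs that were posted. The following is an added example, not part of any poster's reply and not Cisco tooling: it parses `show activation-key` feature lines and counts phase 1 proposal rejections per peer. The function names and the sample strings (abridged from the thread's output) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input, abridged from the outputs quoted in this thread.
SAMPLE_LICENSE = """\
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 250 perpetual
"""
SAMPLE_DEBUG = """\
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, Connection landed on tunnel_group ASLAK-ANY-CLIENT-VPN
Apr 01 21:59:43 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:48 [IKEv1]: IP = 88.85.229.110, All IKE SA proposals found unacceptable!
Apr 01 21:59:53 [IKEv1]: IP = 88.85.229.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1)
"""

# "Feature : Value perpetual" lines; matching is confined to a single line.
LICENSE_RE = re.compile(r"^[ \t]*(?P<feature>[^:\n]+?)[ \t]*:[ \t]*(?P<value>\S+)", re.M)
REJECT_RE = re.compile(r"IP = (?P<ip>[\d.]+), All IKE SA proposals found unacceptable")

def parse_license(text):
    """Map each license line to feature -> first value token."""
    return {m["feature"]: m["value"] for m in LICENSE_RE.finditer(text)}

def rejected_peers(debug_text):
    """Count phase 1 proposal rejections per peer IP."""
    return Counter(m["ip"] for m in REJECT_RE.finditer(debug_text))

def diagnose(license_text, debug_text):
    """Correlate the license state with IKE phase 1 rejections."""
    lic = parse_license(license_text)
    strong = lic.get("VPN-3DES-AES") == "Enabled"
    findings = []
    if not strong:
        findings.append("VPN-3DES-AES is not enabled: only DES can be negotiated")
    for ip, n in sorted(rejected_peers(debug_text).items()):
        # Assumption: with the license present, a rejection points at the
        # configured proposals rather than at licensing.
        cause = "proposal mismatch in config" if strong else "likely missing VPN-3DES-AES license"
        findings.append(f"{ip}: {n} phase 1 rejection(s), {cause}")
    return findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE_LICENSE, SAMPLE_DEBUG):
        print(line)
```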