Solved: vpn client 4.0 termination on pix 515

hbartz · ‎09-25-2003

I am trying to connect cisco vpn client 4.0 to a pix 515 ver 6.1 and receive following errors which I assume are Hash algorithm related but am not sure. Only DES is enabled not 3DES. Posted config in Cisco output interpreter but apparently no config errors.

vpn client log:

Cisco Systems VPN Client Version 4.0 (Rel)

Client Type(s): Windows, WinNT

Running on: 5.0.2195

1 10:58:34.890 09/25/03 Sev=Info/4 CM/0x63100002

Begin connection process

2 10:58:34.906 09/25/03 Sev=Info/4 CVPND/0xE3400001

Microsoft IPSec Policy Agent service stopped successfully

3 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet

4 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100024

Attempt connection with server "x.x.x.226"

5 10:58:35.953 09/25/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with x.x.x.226.

6 10:58:36.000 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.226

7 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

11 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

13 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

15 10:58:56.093 09/25/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 10:58:56.593 09/25/03 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "x.x.x.226" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 10:58:56.593 09/25/03 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

20 10:58:56.625 09/25/03 Sev=Critical/1 CVPND/0xE3400001

Microsoft IPSec Policy Agent service started successfully

21 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Pix log:

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Added new peer: ip:x.x.x.194 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:1 Total VPN Pee

rs:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee

rs:1

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee

rs:1

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src x.x.x.194, dst x.x.x.226

ISADB: reaper checking SA 0x80db91c8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:0 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.194 Total VPN peers:0

ISAKMP: Deleting peer node for x.x.x.194

Thanks for any help

artherrera · ‎09-28-2003

Hi,

The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals to be configured on the PIX (VPN server)

Arthur

View solution in original post

artherrera · ‎09-28-2003

Hi,

The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals to be configured on the PIX (VPN server)

Arthur