
VPN Client disconnects right after authentication

d-davidson
Level 1

Here is the log from the client. I see that it is failing here: DEL_REASON_IKE_NEG_FAILED. But I just can't seem to find the error in the config. Any help is appreciated.

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
 
97     08:32:59.231  07/30/15  Sev=Info/4 CM/0x63100002
Begin connection process
 
98     08:32:59.236  07/30/15  Sev=Info/4 CM/0x63100004
Establish secure connection
 
99     08:32:59.236  07/30/15  Sev=Info/4 CM/0x63100024
Attempt connection with server "69.46.48.30"
 
100    08:32:59.240  07/30/15  Sev=Info/6 CM/0x6310002F
Allocated local TCP port 60404 for TCP connection.
 
101    08:32:59.357  07/30/15  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
 
102    08:32:59.357  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
103    08:32:59.357  07/30/15  Sev=Info/6 IPSEC/0x6370002C
Sent 2 packets, 0 were fragmented.
 
104    08:32:59.357  07/30/15  Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 69.46.48.30, src port 60404, dst port 10000
 
105    08:32:59.358  07/30/15  Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from 69.46.48.30, src port 10000, dst port 60404
 
106    08:32:59.358  07/30/15  Sev=Info/6 IPSEC/0x63700021
TCP ACK sent to 69.46.48.30, src port 60404, dst port 10000
 
107    08:32:59.358  07/30/15  Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "69.46.48.30"
 
108    08:32:59.858  07/30/15  Sev=Info/4 CM/0x63100024
Attempt connection with server "69.46.48.30"
 
109    08:32:59.866  07/30/15  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.46.48.30.
 
110    08:32:59.877  07/30/15  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
111    08:32:59.883  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 69.46.48.30
 
112    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
113    08:32:59.902  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 69.46.48.30
 
114    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
115    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
 
116    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports DPD
 
117    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
 
118    08:32:59.908  07/30/15  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
 
119    08:32:59.908  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 69.46.48.30
 
120    08:32:59.909  07/30/15  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0xF207, Remote Port = 0x01F4
 
121    08:32:59.909  07/30/15  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
122    08:32:59.922  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
123    08:32:59.922  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
124    08:32:59.922  07/30/15  Sev=Info/4 CM/0x63100015
Launch xAuth application
 
125    08:32:59.925  07/30/15  Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
 
126    08:33:03.664  07/30/15  Sev=Info/4 CM/0x63100017
xAuth application returned
 
127    08:33:03.664  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
128    08:33:03.776  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
129    08:33:03.777  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
130    08:33:03.777  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
131    08:33:03.778  07/30/15  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
132    08:33:03.785  07/30/15  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
 
133    08:33:03.786  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
134    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
135    08:33:03.798  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
136    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.100.10
 
137    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
 
138    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.1.1.20
 
139    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 69.46.48.13
 
140    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
 
141    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x0000000B
 
142    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.5.5.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
143    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = 10.100.1.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
144    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #3
subnet = 10.101.0.0 
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
145    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #4
subnet = 10.1.0.0 
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
146    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #5
subnet = 10.50.0.0 
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
147    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #6
subnet = 10.1.40.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
148    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #7
subnet = 10.51.0.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
149    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #8
subnet = 10.52.0.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
150    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #9
subnet = 10.55.0.0 
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
151    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #10
subnet = 10.60.0.0 
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
152    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #11
subnet = 10.30.0.0 
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
153    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = peoplescom.local
 
154    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
 
155    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.0(4) built by builders on Thu 07-Aug-08 20:53
 
156    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
 
157    08:33:03.802  07/30/15  Sev=Info/4 CM/0x63100019
Mode Config data received
 
158    08:33:03.810  07/30/15  Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.100.10, GW IP = 69.46.48.30, Remote IP = 0.0.0.0
 
159    08:33:03.810  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.46.48.30
 
160    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
161    08:33:03.830  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.46.48.30
 
162    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
 
163    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now
 
164    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
165    08:33:03.831  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
166    08:33:03.831  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
167    08:33:03.831  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
168    08:33:03.832  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
169    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
170    08:33:03.832  07/30/15  Sev=Info/5 IKE/0x63000073
All fragments received.
 
171    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 69.46.48.30
 
172    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 69.46.48.30
 
173    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=3E68C570
 
174    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40) reason = DEL_REASON_IKE_NEG_FAILED
 
175    08:33:03.833  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
176    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40
 
177    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 69.46.48.30
 
178    08:33:03.915  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
179    08:33:03.916  07/30/15  Sev=Info/6 IPSEC/0x6370002C
Sent 5 packets, 0 were fragmented.
 
180    08:33:03.916  07/30/15  Sev=Info/6 IPSEC/0x6370001D
TCP RST received from 69.46.48.30, src port 10000, dst port 60404
 
181    08:33:06.957  07/30/15  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40) reason = DEL_REASON_IKE_NEG_FAILED
 
182    08:33:06.957  07/30/15  Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
183    08:33:06.958  07/30/15  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
 
184    08:33:06.966  07/30/15  Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000
 
185    08:33:06.967  07/30/15  Sev=Info/6 CM/0x63100030
Removed local TCP port 60404 for TCP connection.
 
186    08:33:06.972  07/30/15  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
 
187    08:33:06.973  07/30/15  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
 
188    08:33:06.976  07/30/15  Sev=Info/6 IPSEC/0x63700023
TCP RST sent to 69.46.48.30, src port 60404, dst port 10000
 
189    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
190    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
191    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
192    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
 
config:
access-list remote_vpn_client_splitTunnelAcl standard permit 10.5.5.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.1.40.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.51.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.52.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.55.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.30.0.0 255.255.0.0
 
 
ip local pool remote_vpn_pool 172.16.100.10-172.16.100.50 mask 255.255.255.0
 
 
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server radiusgroup protocol radius
aaa-server radiusgroup (inside) host 10.1.1.20
 timeout 5
 key ***
 
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set nat-t-disable
 
crypto isakmp identity address
crypto isakmp enable outside
 
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
 
 
group-policy remote_vpn_client internal
group-policy remote_vpn_client attributes
 dns-server value 10.1.1.20 69.46.48.13
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_vpn_client_splitTunnelAcl
 default-domain value peoplescom.local
 
tunnel-group remote_vpn_client type remote-access
tunnel-group remote_vpn_client general-attributes
 address-pool remote_vpn_pool
 authentication-server-group (outside) radiusgroup
 default-group-policy remote_vpn_client
tunnel-group remote_vpn_client ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 900 retry 2
 
 
Then attached is a debug output from the ASA. 
 
 
1 Reply

d-davidson
Level 1

I found my issue. I was missing my crypto map statement...

crypto map vpnmsm 30 ipsec-isakmp dynamic outside_dyn_map
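As an added illustration, not code from this thread, the Python below does two things a troubleshooter would want from the question and the reply: it walks a Cisco VPN Client log to report how far the negotiation got before the first error notify (here, Quick Mode sent, then INVALID_ID_INFO), and it checks an ASA config excerpt for a dynamic map that no `crypto map ... ipsec-isakmp dynamic` entry references. The `crypto map vpnmsm interface outside` line in the fixed config is the standard interface binding and is my assumption; the thread only shows the dynamic-map reference.

```python
import re

# Constructed excerpt of the client log in the question (message lines only, in order).
CLIENT_LOG = """\
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
Launch xAuth application
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
Mode Config data received
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.46.48.30
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 69.46.48.30
Marking IKE SA for deletion  reason = DEL_REASON_IKE_NEG_FAILED
"""

# Stages in the order the client passes through them; a log is classified by the
# furthest stage reached plus the first notify that is not a benign status.
STAGES = ["Established Phase 1 SA", "1 User Authenticated IKE SA",
          "Mode Config data received", "ISAKMP OAK QM"]
BENIGN_NOTIFIES = {"STATUS_INITIAL_CONTACT", "STATUS_RESP_LIFETIME"}

def diagnose_client_log(text):
    """Return (furthest stage marker, first error notify) for a Cisco VPN Client log."""
    furthest, notify = -1, None
    for line in text.splitlines():
        for i, marker in enumerate(STAGES):
            if marker in line:
                furthest = max(furthest, i)
        m = re.search(r"NOTIFY:([A-Z_]+)", line)
        if m and m.group(1) not in BENIGN_NOTIFIES and notify is None:
            notify = m.group(1)
    return (STAGES[furthest] if furthest >= 0 else None), notify

# Constructed ASA config excerpts: the posted one (no crypto map) and the fixed one.
BROKEN_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto isakmp enable outside
"""
FIXED_CONFIG = BROKEN_CONFIG + """\
crypto map vpnmsm 30 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmsm interface outside
"""

def unbound_dynamic_maps(config):
    """Dynamic maps no crypto map references, and crypto maps not applied to an interface."""
    dyn = set(re.findall(r"^crypto dynamic-map (\S+) \d+ ", config, re.M))
    bound = {d: c for c, d in
             re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", config, re.M)}
    applied = {c for c, _ in re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)}
    return sorted(dyn - set(bound)), sorted(set(bound.values()) - applied)
```

Running `unbound_dynamic_maps` over the posted config flags `outside_dyn_map` as referenced by no crypto map, which matches the fix in the reply.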