11149 Views | 0 Helpful | 5 Replies

VPN client error : unable to contact security gateway

casaben (Level 1)

Dear all,

We have a Cisco VPN using certificates for authentication. Existing certificates work fine, but when we try to create a new certificate (requested and issued using Microsoft CA), we are able to import it into the VPN client, and when checked it is valid, but when we try to use it, the error message "unable to contact security gateway" is given. The problem lies within the certificate, because under the same circumstances, earlier certificates do work.

Certificate generation:

- request using the CA website on our server (with options "using this form" - "mark keys as exportable")
- issue
- install in browser
- export to file (pfx file)
- import into VPN client

Any ideas on what we are doing wrong? Thx!

5 Replies

ehirsel (Level 6)

Set the log level to 3, the highest, for all log levels at the vpn client end. Then try to connect and let me know what the results are.

Here is the output of the log; the client version is 4.0.1.

Note: I've replaced the server IP with xx.xx.xx.xx for privacy ;-)

I'm new to all this, and any help on where to find info to resolve this is more than welcome, or any hints will be highly appreciated.

This error occurs with a newly requested and issued certificate, exported from IE, and imported into the VPN client. For previously generated certificates, this procedure worked fine. Thanks for helping me out!

Shortened some info because the max character count for a message was reached.

41 11:43:01.201 07/10/04 Sev=Info/4 CERT/0x63600014
Cert (cn=Raymond,ou=IT,o=CP,l=Location,c=BE,e=email) verification succeeded.
42 ...
Begin connection process
43 ...
Establish secure connection using Ethernet
44 ...
Attempt connection with server "xx.xx.xx.xx"
45 11:43:01.281 07/10/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.
46 11:43:01.471 07/10/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xx.xx.xx.xx
47 ...IPSEC/0x63700008
IPSec driver successfully started
48 ... IPSEC/0x63700014
Deleted all keys
49 ... Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
50 11:43:01.762 07/10/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T)) from xx.xx.xx.xx
51 ... Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
52 ... Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
53 ... Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx
54 ... Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
55 ... Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, VID(Unity), VID(dpd), VID(?), VID(Xauth), NAT-D, NAT-D) from xx.xx.xx.xx
56 ... Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
57 ... Sev=Info/5 IKE/0x63000001
Peer supports DPD
58 ... Sev=Info/5 IKE/0x63000001
Peer supports DWR Code Only
59 ... Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
60 ... Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.xx.xx.xx
61 ... Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
62 ... Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(KE, NON, VID(Unity), VID(dpd), VID(?), VID(Xauth), NAT-D, NAT-D) from xx.xx.xx.xx
63 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE30000A2
Unexpected payload type found: type = 4 (MsgHandler:360)
64 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE30000A2
Unexpected payload type found: type = 10 (MsgHandler:360)
65 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE30000A2
Unexpected payload type found: type = 130 (MsgHandler:360)
66 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE30000A2
Unexpected payload type found: type = 130 (MsgHandler:360)
67 11:43:02.423 07/10/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_PAYLOAD) to xx.xx.xx.xx
68 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE3000099
Failed to validate the payloads (MsgHandler:105)
69 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE3000099
Failed to process MM Msg 6 (NavigatorMM:570)
70 11:43:02.423 07/10/04 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2046)
71 11:43:02.423 07/10/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6F4EF2F5E806785D R_Cookie=B8736336A61C72EA) reason = DEL_REASON_IKE_NEG_FAILED
72 11:43:02.423 07/10/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx
73 11:43:03.224 07/10/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=6F4EF2F5E806785D R_Cookie=B8736336A61C72EA) reason = DEL_REASON_IKE_NEG_FAILED
74 11:43:03.224 07/10/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xx.xx.xx.xx" because of "DEL_REASON_IKE_NEG_FAILED"
75 11:43:03.224 07/10/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
76 ...
IKE received signal to terminate VPN connection
...
79 Deleted all keys
80 IPSec driver successfully stopped

What version of the client are you using, and what code version and model of vpn gateway is in use?

I saw some messages relating to unexpected payload. I have searched cisco.com but I have found nothing yet. Once I do, I'll post it here.

Cisco IOS version 12.2.something, don't know exactly anymore (not at work right now). VPN Client 4.0.1.

We use Microsoft certification services on Win 2K, X509 certificates.

I found the problem, however: once the power is lost, the router (821-830 series) boots with the date from 1993, causing the new certificate to be invalid, because it is valid from 2004 to 2005. So new certificates are not accepted.

Certificates already - successfully - used for login however do not suffer from this issue. Regardless of the router date, they work until they expire (date checked locally on VPN client).

A second reason seemed to be an incorrect URL for retrieval of the certification list: the router searches for a certain URL on the CA server. Verifying with the CRL (certificate revocation list) can be set to optional, but I guess it was obligatory in our case. When the URL cannot be found, it assumes that a new certificate is automatically on the revoked list; at least, correcting the URL + setting the clock made the new certificates work, so I assume the last part ... (maybe somebody can tell me what the correct explanation is?)

So in short: "unexpected payload => security gateway not found" when trying new certificates can sometimes be resolved by setting the correct date/time.

For setting the clock: log in to the router and issue the following command:

clock set hh:mm:ss day month yyyy

For viewing the certificate revocation list:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_q_and_a_item09186a008021bc50.shtml

Also check the URL of the CA server (trustpoint) for enrollment: more info on http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cc2.html#1015409

Thanks for the interest in my problem, it's highly appreciated!
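As an added example, not part of the thread, here is a small stdlib-only Python check for the cause identified above: it reads the certificate's validity window (from `openssl x509 -noout -dates` output, an assumed input format), reads the gateway's clock (from IOS `show clock` output, also assumed, and treated as UTC), reports whether the gateway would see the certificate as not yet valid, and builds the `clock set` command in the format quoted above.

```python
import re
from datetime import datetime, timezone

# Format of the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates` (assumed input).
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
# IOS `show clock` output such as "*00:02:11.523 UTC Mon Mar 1 1993" (assumed input);
# a leading '*' means the clock is not authoritative, which is typical after a power loss.
IOS_CLOCK_RE = re.compile(
    r"^[*.]?(\d\d:\d\d:\d\d)\.\d+ (\S+) (?:\w{3} )?(\w{3}) (\d{1,2}) (\d{4})$")


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -noout -dates` output."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def to_dt(value):
        return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)

    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])


def parse_ios_clock(line):
    """Parse `show clock` output; the zone name is ignored and the time is assumed to be UTC."""
    m = IOS_CLOCK_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised show clock output: " + line)
    hms, _zone, mon, day, year = m.groups()
    stamp = f"{hms} {mon} {day} {year}"
    return datetime.strptime(stamp, "%H:%M:%S %b %d %Y").replace(tzinfo=timezone.utc)


def check_validity(not_before, not_after, gateway_clock):
    """How the certificate looks from the gateway: 'not_yet_valid', 'valid' or 'expired'."""
    if gateway_clock < not_before:
        return "not_yet_valid"
    if gateway_clock > not_after:
        return "expired"
    return "valid"


def clock_set_command(now):
    """Build the IOS command quoted in the thread: clock set hh:mm:ss day month yyyy."""
    return now.strftime("clock set %H:%M:%S %d %B %Y")


if __name__ == "__main__":
    # Constructed sample data: a certificate issued in July 2004 and a router that
    # came back up with its default 1993 clock, as described in the thread.
    nb, na = parse_openssl_dates("notBefore=Jul  9 09:00:00 2004 GMT\nnotAfter=Jul  9 09:00:00 2005 GMT\n")
    router = parse_ios_clock("*00:02:11.523 UTC Mon Mar 1 1993")
    print("gateway sees certificate as:", check_validity(nb, na, router))
    print("fix:", clock_set_command(datetime(2004, 7, 10, 11, 43, 1, tzinfo=timezone.utc)))
```

The client-side check mentioned in the thread is separate: the VPN client validates the certificate against the PC's clock, so a certificate can look fine locally while the gateway, stuck in 1993, still rejects it.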