05-24-2010 05:17 AM
Hi all,
Can anyone help me troubleshoot a VPN client setup that has the following configuration:
CLI(config)# ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
CLI(config)#username marty password 12345678
CLI(config)#isakmp policy 1 authentication pre-share
CLI(config)#isakmp policy 1 encryption 3des
CLI(config)#isakmp policy 1 hash sha
CLI(config)#isakmp policy 1 group 2
CLI(config)#isakmp policy 1 lifetime 43200
CLI(config)#isakmp enable outside
CLI(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CLI(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
CLI(config)#crypto dynamic-map Outside_dyn_map 10 set reverse-route
CLI(config)#crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
CLI(config)#crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
CLI(config)#crypto map outside_map interface outside
CLI(config)#crypto isakmp nat-traversal
CLI(config)#group-policy groupvpn internal
CLI(config)#group-policy groupvpn attributes
CLI(config)#(config-group-policy)#vpn-tunnel-protocol IPSec
CLI(config)#tunnel-group groupvpn type ipsec-ra
CLI(config)#tunnel-group groupvpn ipsec-attributes
CLI(config-tunnel-ipsec)#pre-shared-key key
CLI(config)#tunnel-group groupvpn general-attributes
CLI(config-tunnel-general)#authentication-server-group LOCAL
CLI(config-tunnel-ipsec)# default-group-policy Solidarityvpn
CLI(config-tunnel-general)#address-pool vpnpool
When I try to connect using the VPN client, it requests authentication, and when authenticating it negotiates policies and secures the channel, but it gives me "Not connected".
Can anyone help with this?
Thanks in advance,
Ayman
05-24-2010 05:24 AM
Seems like maybe a typo on the upper case:
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside
Try to remove "crypto map outside_map interface outside" and replace it with "crypto map Outside_map interface outside".
If it still doesn't work, turn on "debug cry ipsec" and try to connect again. Please share the debug output. Thanks.
05-24-2010 06:11 AM
How can I get you the debug?
I opened it but I do not know how to get the output.
Regards,
Ayman
05-24-2010 07:06 AM
Hi Halijenn,
I think I got this output:
FW# sh isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 19
In Octets: 48833
In Packets: 138
In Drop Packets: 21
In Notifys: 1
In P2 Exchanges: 19
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 19
In P2 Sa Delete Requests: 0
Out Octets: 41040
Out Packets: 142
Out Drop Packets: 0
Out Notifys: 76
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
.
Thanks in advance
Ayman
05-26-2010 03:47 AM
Have you changed the crypto map as advised earlier?
Please share the following show output after the changes:
show crypto isa sa
show crypto ipsec sa
05-26-2010 04:16 AM
Hi halijenn,
Yes, I have changed it as you advised.
FW# show crypto isa sa
There are no isakmp sas
FW#
FW# show crypto ipsec sa
There are no ipsec sas
Thanks for the help,
Ayman
05-26-2010 04:30 AM
I gather your VPN Client is not connected hence nothing on the show outputs.
Can you enable logging on the VPN Client, then try to connect and share the logs on the VPN Client.
05-26-2010 04:59 AM
This is the log from the VPN client:
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
05-26-2010 05:05 AM
Doesn't seem that you even attempted to connect from the logs.
05-26-2010 05:33 AM
Sorry halijenn,
Kindly find the log below:
Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
150 15:31:57.375 05/26/10 Sev=Info/4 CM/0x63100002
Begin connection process
151 15:31:57.375 05/26/10 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
152 15:31:57.375 05/26/10 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
153 15:31:57.375 05/26/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "196.218.181.234"
154 15:31:58.375 05/26/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.
155 15:31:58.375 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234
156 15:31:58.375 05/26/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
157 15:31:58.375 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
158 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
159 15:31:59.046 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234
160 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
161 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
162 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD
163 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
164 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
165 15:31:59.046 05/26/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
166 15:31:59.046 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234
167 15:31:59.046 05/26/10 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
168 15:31:59.046 05/26/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
169 15:31:59.046 05/26/10 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
170 15:31:59.046 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
171 15:31:59.750 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
172 15:31:59.750 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
173 15:31:59.750 05/26/10 Sev=Info/4 CM/0x63100015
Launch xAuth application
174 15:32:01.375 05/26/10 Sev=Info/4 CM/0x63100017
xAuth application returned
175 15:32:01.375 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
176 15:32:02.031 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
177 15:32:02.031 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
178 15:32:02.031 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
179 15:32:02.031 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
180 15:32:02.312 05/26/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
181 15:32:02.312 05/26/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
182 15:32:02.312 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
183 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
184 15:32:02.984 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
185 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100
186 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
187 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
188 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
189 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48
190 15:32:02.984 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
191 15:32:02.984 05/26/10 Sev=Info/4 CM/0x63100019
Mode Config data received
192 15:32:02.984 05/26/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0
193 15:32:02.984 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234
194 15:32:03.328 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
195 15:32:03.687 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
196 15:32:03.687 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234
197 15:32:03.687 05/26/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds
198 15:32:03.687 05/26/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 43195 seconds from now
199 15:32:03.687 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
200 15:32:03.687 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
201 15:32:03.703 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
202 15:32:03.703 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
203 15:32:03.734 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
204 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
205 15:32:03.734 05/26/10 Sev=Info/5 IKE/0x63000073
All fragments received.
206 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234
207 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234
208 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=4280D439
209 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED
210 15:32:03.734 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
211 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1
212 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234
213 15:32:06.828 05/26/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED
214 15:32:06.828 05/26/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
215 15:32:06.828 05/26/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
216 15:32:06.828 05/26/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
217 15:32:06.828 05/26/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
218 15:32:06.828 05/26/10 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
219 15:32:06.828 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
220 15:32:06.828 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
221 15:32:06.828 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
222 15:32:06.828 05/26/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
223 15:32:07.765 05/26/10 Sev=Info/4 CM/0x63100002
Begin connection process
224 15:32:07.765 05/26/10 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
225 15:32:07.765 05/26/10 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
226 15:32:07.765 05/26/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "196.218.181.234"
227 15:32:08.765 05/26/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.
228 15:32:08.781 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234
229 15:32:08.781 05/26/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
230 15:32:08.781 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
231 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
232 15:32:09.453 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234
233 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
234 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
235 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD
236 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
237 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
238 15:32:09.453 05/26/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
239 15:32:09.453 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234
240 15:32:09.453 05/26/10 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
241 15:32:09.453 05/26/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
242 15:32:09.453 05/26/10 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
243 15:32:09.453 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
244 15:32:10.109 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
245 15:32:10.109 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
246 15:32:10.109 05/26/10 Sev=Info/4 CM/0x63100015
Launch xAuth application
247 15:32:11.609 05/26/10 Sev=Info/4 CM/0x63100017
xAuth application returned
248 15:32:11.609 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
249 15:32:12.296 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
250 15:32:12.296 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
251 15:32:12.296 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
252 15:32:12.296 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
253 15:32:12.593 05/26/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
254 15:32:12.593 05/26/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
255 15:32:12.593 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234
256 15:32:13.328 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
257 15:32:13.328 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234
258 15:32:13.328 05/26/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100
259 15:32:13.328 05/26/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
260 15:32:13.343 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
261 15:32:13.343 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
262 15:32:13.343 05/26/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48
263 15:32:13.343 05/26/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
264 15:32:13.343 05/26/10 Sev=Info/4 CM/0x63100019
Mode Config data received
265 15:32:13.343 05/26/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0
266 15:32:13.343 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234
267 15:32:13.828 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
268 15:32:14.109 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
269 15:32:14.109 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234
270 15:32:14.109 05/26/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds
271 15:32:14.109 05/26/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 43194 seconds from now
272 15:32:14.125 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
273 15:32:14.125 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
274 15:32:14.156 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
275 15:32:14.156 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
276 15:32:14.171 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
277 15:32:14.171 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234
278 15:32:14.171 05/26/10 Sev=Info/5 IKE/0x63000073
All fragments received.
279 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234
280 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234
281 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=F3754338
282 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED
283 15:32:14.187 05/26/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234
284 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9
285 15:32:14.187 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234
286 15:32:17.328 05/26/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED
287 15:32:17.328 05/26/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
288 15:32:17.328 05/26/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
289 15:32:17.328 05/26/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
290 15:32:17.328 05/26/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
291 15:32:17.328 05/26/10 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
292 15:32:17.328 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
293 15:32:17.328 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
294 15:32:17.328 05/26/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
295 15:32:17.328 05/26/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
05-29-2010 01:20 AM
Hi halijenn,
Do the logs mean something, or do you want me to do something else?
Thanks in advance
Ayman
05-29-2010 01:28 AM
According to the logs you're getting authenticated as a VPN user, but then the IPsec SA negotiation fails.
Can you post the current "sh run" from the ASA?
Federico.
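Added example, not part of the original thread: a small Python triage of the VPN Client log format shown above, reporting which connection stages were reached and which error notify ended the attempt. The sample log is a constructed excerpt (peer address replaced with 192.0.2.1), and treating notify names that start with STATUS_ as informational is an assumption based on the names seen in this log.

```python
import re

# Constructed excerpt modelled on the client log in this thread.
SAMPLE_LOG = """\
170 15:31:59.046 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
179 15:32:02.031 05/26/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
191 15:32:02.984 05/26/10 Sev=Info/4 CM/0x63100019
Mode Config data received
193 15:32:02.984 05/26/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.0.2.1
206 15:32:03.734 05/26/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 192.0.2.1
214 15:32:06.828 05/26/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Header line: sequence number, time, date, severity, module/message id.
HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+\S+\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+\s*$")

# Stages in the order a successful connection passes through them.
STAGES = [
    ("phase1", re.compile(r"Established Phase 1 SA")),
    ("xauth", re.compile(r"[1-9]\d* User Authenticated IKE SA")),
    ("mode_config", re.compile(r"Mode Config data received")),
    ("quick_mode_sent", re.compile(r"SENDING >>> ISAKMP OAK QM")),
]
NOTIFY = re.compile(r"RECEIVING <<< .*NOTIFY:(\w+)")
DEL_REASON = re.compile(r"DEL_REASON_\w+")


def parse_entries(log):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "module": m.group(3), "text": ""})
        elif entries and line.strip():
            entries[-1]["text"] = (entries[-1]["text"] + " " + line.strip()).strip()
    return entries


def triage(log):
    """Report the stages reached, error notifies from the peer, and delete reason."""
    reached, errors, reason = [], [], None
    for entry in parse_entries(log):
        for name, pattern in STAGES:
            if name not in reached and pattern.search(entry["text"]):
                reached.append(name)
        notify = NOTIFY.search(entry["text"])
        # Assumption: STATUS_* notifies (e.g. STATUS_RESP_LIFETIME) are informational.
        if notify and not notify.group(1).startswith("STATUS_"):
            errors.append((entry["seq"], notify.group(1)))
        deleted = DEL_REASON.search(entry["text"])
        if deleted and reason is None:
            reason = deleted.group(0)
    return {"reached": reached, "error_notifies": errors, "delete_reason": reason}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result where "quick_mode_sent" is the last stage reached and the peer answers with an error notify places the failure in the Phase 2 (IPsec SA) negotiation, after user authentication has already succeeded.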
05-29-2010 01:38 AM
Hi Federico,
Kindly find the attached show run.
05-29-2010 01:43 AM
Some comments:
I assume that you changed the outside IP 1.1.1.1?
This unit is configured as a secondary failover unit?
Anyway, I think the problem is this:
Change this line:
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
To this one:
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
Federico.
05-29-2010 02:02 AM
Thanks very much Federico, it worked.
Thanks to you all, you are really helpful.
Regards,
Ayman
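Added example, not part of the original thread: a Python check for the mistake this thread resolved, where crypto map and dynamic-map names that differ only by letter case are treated as separate objects. The sample is the crypto section of the configuration from the question with the CLI prompts stripped; the function name and message wording are hypothetical.

```python
import re
from collections import defaultdict

# Crypto lines from the configuration in the question, prompts stripped.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside
"""

DYN_SET = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (\S+)")
MAP_DYN = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)")


def lint_crypto_maps(config: str) -> list[str]:
    """Flag names that differ only by case and the broken references they cause."""
    dyn_settings = defaultdict(set)  # dynamic-map name -> "set" keywords seen
    map_entries = defaultdict(list)  # crypto map name -> dynamic maps it references
    bound = {}                       # interface -> crypto map name applied to it
    for raw in config.splitlines():
        line = raw.strip()
        if m := DYN_SET.match(line):
            dyn_settings[m.group(1)].add(m.group(3))
        elif m := MAP_DYN.match(line):
            map_entries[m.group(1)].append(m.group(3))
        elif m := MAP_IF.match(line):
            bound[m.group(2)] = m.group(1)

    findings = []
    kinds = (("dynamic-map", set(dyn_settings)),
             ("crypto map", set(map_entries) | set(bound.values())))
    for kind, names in kinds:
        by_fold = defaultdict(set)
        for name in names:
            by_fold[name.lower()].add(name)
        for variants in by_fold.values():
            if len(variants) > 1:
                findings.append(
                    f"{kind} names differ only by case: {', '.join(sorted(variants))}")
    # The map applied to the interface must be the one that has entries.
    for iface, name in sorted(bound.items()):
        if name not in map_entries:
            findings.append(f"crypto map {name} on interface {iface} has no entries")
    # The dynamic map that is actually referenced must carry the transform-set.
    for name, refs in sorted(map_entries.items()):
        for ref in refs:
            if "transform-set" not in dyn_settings.get(ref, set()):
                findings.append(
                    f"crypto map {name} -> dynamic-map {ref} has no transform-set")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports both case collisions plus the two consequences the replies corrected: the map bound to the interface has no entries, and the referenced dynamic map has no transform-set.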