Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
816
Views
0
Helpful
1
Replies

VPN clients not working after ISP switch - PIX 6.3

rbdrake22
Level 1
Level 1

‎05-17-2010 06:08 AM

We switched our ISP from 1.1.1.1 to 2.2.2.2 in the attached config, now for some reason, our clients connect and authenticate via radius without any problem but the VPN client logs show "remote peer is no longer responding"  after a few DPD attempts.

What gives?

Thanks in advance for the help!!!

Labels:
64660-ciscoconfig.txt.zip
0 Helpful
1 Reply 1

rbdrake22
Level 1
Level 1

‎05-17-2010 06:21 AM

Here are the debugs i am getting on the pix

ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT does not match HIS hash
hash received: bd bd 29 ff d3 17 2a 94 ed ae 11 e5 61 36 35 47
his nat hash : 25 e5 77 76 6c ee 78 8f 5a d3 98 6a 1b 24 2b d9
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 71.28.110.224, peer port 8750
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:71.28.110.224/11810 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:71.28.110.224/11810 Ref cnt incremented to:1 Total VPN
Peers:4
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 71.28.110.224. ID = 374133609 (0x164cd36
9)
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 71.28.110.224. message ID = 16
424676
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
ISAKMP (0:0): initiating peer config to 71.28.110.224. ID = 1367316236 (0x517f97
0c)
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 71.28.110.224. message ID = 16
424676
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 71.28.110.224. message ID = 16
424676
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute    IP4_ADDRESS (1)
ISAKMP: attribute    IP4_NETMASK (2)
ISAKMP: attribute    IP4_DNS (3)
ISAKMP: attribute    IP4_NBNS (4)
ISAKMP: attribute    ADDRESS_EXPIRY (5)
        Unsupported Attr: 5
ISAKMP: attribute    UNKNOWN (28672)
        Unsupported Attr: 28672
ISAKMP: attribute    UNKNOWN (28673)
        Unsupported Attr: 28673
ISAKMP: attribute    ALT_DEF_DOMAIN (28674)
ISAKMP: attribute    ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute    ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute    ALT_PFS (28679)
ISAKMP: attribute    UNKNOWN (28683)
        Unsupported Attr: 28683
ISAKMP: attribute    ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute    UNKNOWN (28684)
        Unsupported Attr: 28684
ISAKMP: attribute    APPLICATION_VERSION (7)
ISAKMP: attribute    UNKNOWN (28680)
        Unsupported Attr: 28680
ISAKMP: attribute    UNKNOWN (28682)
        Unsupported Attr: 28682
ISAKMP (0:0): responding to peer config from 71.28.110.224. ID = 1704104218
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2949854982

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 197607774
ISAMKP (0): received DPD_R_U_THERE from peer 71.28.110.224
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 163364156
ISAMKP (0): received DPD_R_U_THERE from peer 71.28.110.224
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 3102390203, spi size = 4
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafd33706
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3519520552
ISAMKP (0): received DPD_R_U_THERE from peer 71.28.110.224
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3934443666
ISAMKP (0): received DPD_R_U_THERE from peer 71.28.110.224
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP: Deleting peer node for 71.28.110.224
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xafd33706
crypto_isakmp_process_block:src:71.28.110.224, dest:barracuda spt:11810 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 764653628, spi size = 16
ISAKMP (0): deleting SA: src 71.28.110.224, dst barracuda
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x11bc394, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:71.28.110.224/11810 Ref cnt decremented to:0 Total VPN
Peers:4
VPN Peer: ISAKMP: Deleted peer: ip:71.28.110.224/11810 Total VPN peers:3
ISAKMP: Deleting peer node for 71.28.110.224

Thanks in advance!!!!!!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents