06-29-2012 09:15 PM
I am trying to connect to my PIX using the Cisco Client V5.0 or Windows VPN.
Neither connects, and I am not even seeing the traffic hit the firewall.
Any help would be appreciated.
VPN Client Config
IPSEC over UDP
Username - vpngroup1
Password - xxxxxx
Windows VPN
Type - Automatic
Encryption - Optional
Checked are PAP and CHAP
Error Messages
VPN Client
Secure VPN Connection terminated locally by client
Reason 412:The remote peer is no longer responding
Windows VPN
Error 919: The connection could not be established because the authentication protocol used by the RAS/VPN server to verify your username and password could not be matched with the settings in your connection profile
Firewall Configuration
PIX Version 6.3(4)
fixup protocol dns maximum-length 512
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq smtp
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq pptp
access-list outside_access_in permit gre any host xx.xx.xx.xx
access-list outside_access_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_access_in deny ip 248.0.0.0 248.0.0.0 any
access-list outside_access_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_access_in permit ip host xx.xx.xx.xx any
access-list outside_access_in permit ip host xx.xx.xx.xx any
access-list acl_in permit ip any any
access-list inside_outbound_nat0_acl permit ip JA_Office_Internal 255.255.255.0 Data_Center_internal 255.255.255.0
access-list outside_cryptomap_20 permit ip JA_Office_Internal 255.255.255.0 Data_Center_internal 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor informational
logging buffered debugging
logging trap notifications
logging host outside xx.xx.xx.xx
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.252
ip address inside xx.xx.xx.xx 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote-dhcp-pool xx.xx.xx.xx1-xx.xx.xx.xx
pdm location xx.xx.xx.xx 255.255.255.255 inside
pdm location xx.xx.xx.xx 255.255.255.0 inside
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 127.0.0.0 255.0.0.0 outside
pdm location 172.16.0.0 255.240.0.0 outside
pdm location 248.0.0.0 248.0.0.0 outside
pdm location 224.0.0.0 224.0.0.0 outside
pdm location JA_Office_Internal 255.255.255.0 inside
pdm location Data_Center_internal 255.255.255.0 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.xx netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.xx netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx
route inside JA_Office_Internal 255.255.255.0 xx.xx.xx.xx
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpnauth protocol radius
aaa-server vpnauth max-failed-attempts 3
aaa-server vpnauth deadtime 10
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup vpngrp1 address-pool Remote-dhcp-pool
vpngroup vpngrp1 dns-server xx.xx.xx.xx
vpngroup vpngrp1 default-domain lexja.local
vpngroup vpngrp1 idle-time 1800
vpngroup vpngrp1 password ********
telnet xx.xx.xx.xx 255.255.255.0 inside
telnet timeout 5
ssh timeout 30
console timeout 0
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote-dhcp-pool
vpdn group PPTP-VPDN-GROUP client configuration dns xx.xx.xx.xx
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username XXXX password *********
vpdn enable outside
username XXXX password sGwmrerTEergtETxm/uwysret8jT encrypted privilege 15
terminal width 80
Cryptochecksum:e80d3aa79b72f4c8c34b0c5bc04bd959
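One thing worth checking mechanically in the post above: the client profile lists the group name as vpngroup1, while the PIX configuration defines vpngroup vpngrp1. The following Python script is an added example (not part of the original post, and not a Cisco tool): it parses a PIX 6.3 running-config excerpt and checks the pieces a Cisco VPN Client group-password connection depends on against the group name in the client profile. The config excerpt is a constructed subset of the posted one; the function names and the finding messages are this example's own.

```python
# Lint a PIX 6.x remote-access (vpngroup) configuration for the Cisco VPN Client.
# Added example, not from the thread.  The excerpt below is a constructed subset
# of the posted PIX 6.3(4) config, with addresses and secrets masked as posted.
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(4)
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer xx.xx.xx.xx
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
vpngroup vpngrp1 address-pool Remote-dhcp-pool
vpngroup vpngrp1 dns-server xx.xx.xx.xx
vpngroup vpngrp1 idle-time 1800
vpngroup vpngrp1 password ********
"""


def parse_pix_config(text):
    """Pull the remote-access VPN pieces out of a PIX 6.x running-config."""
    cfg = {
        "vpngroups": {},          # group name -> {attribute: value}
        "isakmp_policies": {},    # priority -> {attribute: value}
        "dynamic_maps": set(),    # dynamic-map names that have an entry
        "dynamic_bound_to": {},   # dynamic-map name -> crypto map it is attached to
        "map_interfaces": {},     # crypto map name -> interface it is applied on
        "isakmp_interfaces": set(),
        "nat_traversal": False,
        "sysopt_permit_ipsec": False,
    }
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "vpngroup" and len(t) >= 3:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = " ".join(t[3:])
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg["isakmp_policies"].setdefault(t[2], {})[t[3]] = " ".join(t[4:])
        elif t[:2] == ["isakmp", "enable"] and len(t) >= 3:
            cfg["isakmp_interfaces"].add(t[2])
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_traversal"] = True
        elif t[:2] == ["crypto", "dynamic-map"] and len(t) >= 3:
            cfg["dynamic_maps"].add(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and "dynamic" in t:
            cfg["dynamic_bound_to"][t[t.index("dynamic") + 1]] = t[2]
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3] == "interface":
            cfg["map_interfaces"][t[2]] = t[4]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def check_remote_access(cfg, client_group):
    """Return a list of findings for a Cisco VPN Client profile using client_group."""
    findings = []
    groups = cfg["vpngroups"]
    if client_group not in groups:
        findings.append(f"group '{client_group}' is not configured; PIX defines {sorted(groups)}")
    else:
        for attr in ("address-pool", "password"):
            if attr not in groups[client_group]:
                findings.append(f"vpngroup {client_group} has no {attr}")
    if not any(p.get("authentication") == "pre-share" for p in cfg["isakmp_policies"].values()):
        findings.append("no isakmp policy uses pre-share authentication (the group password is a pre-shared key)")
    # A remote-access client with an unknown address must land on a dynamic crypto map
    # that is attached to a crypto map applied on an interface where isakmp is enabled.
    bound = any(
        cfg["map_interfaces"].get(cfg["dynamic_bound_to"].get(dyn)) in cfg["isakmp_interfaces"]
        for dyn in cfg["dynamic_maps"]
    )
    if not bound:
        findings.append("no dynamic crypto map is attached to a crypto map on an isakmp-enabled interface")
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec is missing; decrypted client traffic must pass the interface ACL")
    if not cfg["nat_traversal"]:
        findings.append("isakmp nat-traversal is not enabled; clients behind NAT/PAT cannot use NAT-T (UDP/4500)")
    return findings


if __name__ == "__main__":
    parsed = parse_pix_config(SAMPLE_PIX_CONFIG)
    for group in ("vpngroup1", "vpngrp1"):
        print(f"client group {group}: {check_remote_access(parsed, group) or 'no findings'}")
```

Run against the excerpt, the script reports the unknown group for vpngroup1 and no findings for vpngrp1. It only checks what is visible in the configuration; it does not say whether the mismatch is the cause of the symptom in this thread, and it does not verify the group password itself.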
06-30-2012 09:01 PM
If you are not seeing the traffic hit the firewall, it seems more to be an issue with your laptop/client side.
Are other people able to connect and you are the only one with the issue, or is no one able to connect at all?
07-01-2012 07:03 AM
I have VPN connections to 5500 Series and PIX that connect without issue.
I have also tried this connection from another PC, with the same error messages.
07-02-2012 07:01 AM
Can you please share the error logs from the PC?
07-02-2012 08:12 AM
Cisco VPN Client Log
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
2 10:56:25.431 07/02/12 Sev=Critical/1 CVPND/0xE3400003
Function SocketApiBind() failed with an error code of 0xFFFFFFF8(C:\temp\build\rel_5.0.70.246728277571-Tue-23-Mar-2010-19-10-12\rel_5.0.7\PubKeyPK\SRC\ike-init-state.cpp:412)
Windows VPN Client Log
Event Type: Error
Event Source: RasMan
Event Category: None
Event ID: 20276
Date: 7/2/2012 Time: 11:03:44 AM
User: N/A
Computer: xxxxx-PC.XXXXX.local
Description: The connection attempt failed on port: VPN3-1 because of the authentication protocol selected. Check to see if the authentication protocol is supported in the operating systems at the client and server ends of the connection

Event Type: Error
Event Source: RasMan
Event Category: None
Event ID: 20276
Date: 7/2/2012 Time: 10:59:36 AM
User: N/A
Computer: XXXXX-PC.XXXX.local
Description: The connection attempt failed on port: VPN3-1 because of the authentication protocol selected. Check to see if the authentication protocol is supported in the operating systems at the client and server ends of the connection
07-02-2012 11:02 AM
Do you have any other software or application running on the PC that might be listening on UDP/500?
Please disable that application and connect the VPN client.
To check, run "netstat -an" from a DOS prompt.
07-02-2012 12:17 PM
No, there should be nothing using UDP/500.
Netstat -an
UDP 0.0.0.0:67 *:*
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:69 *:*
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:138 *:*
UDP 0.0.0.0:162 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1196 *:*
UDP 0.0.0.0:1900 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:6004 *:*
UDP 0.0.0.0:8082 *:*
UDP 0.0.0.0:10115 *:*
UDP 0.0.0.0:49154 *:*
UDP 0.0.0.0:49788 *:*
UDP 0.0.0.0:54295 *:*
UDP 0.0.0.0:58627 *:*
UDP 0.0.0.0:59797 *:*
UDP 0.0.0.0:59799 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:49152 *:*
UDP 127.0.0.1:49153 *:*
UDP 127.0.0.1:49156 *:*
UDP 127.0.0.1:49157 *:*
UDP 127.0.0.1:49158 *:*
UDP 127.0.0.1:49653 *:*
UDP 127.0.0.1:49918 *:*
UDP 127.0.0.1:50091 *:*
UDP 127.0.0.1:51125 *:*
UDP 127.0.0.1:51825 *:*
UDP 127.0.0.1:54951 *:*
UDP 127.0.0.1:55581 *:*
UDP 127.0.0.1:55750 *:*
UDP 127.0.0.1:56285 *:*
UDP 127.0.0.1:58254 *:*
UDP 127.0.0.1:59276 *:*
UDP 127.0.0.1:59534 *:*
UDP 127.0.0.1:61375 *:*
UDP 127.0.0.1:61479 *:*
UDP 127.0.0.1:62514 *:*
UDP 127.0.0.1:64584 *:*
UDP 192.168.100.67:137 *:*
UDP 192.168.100.67:138 *:*
UDP 192.168.100.67:1900 *:*
UDP 192.168.100.67:5353 *:*
UDP 192.168.100.67:49917 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:4500 *:*
UDP [::]:5355 *:*
UDP [::]:8082 *:*
UDP [::]:10115 *:*
UDP [::]:49155 *:*
UDP [::]:58628 *:*
UDP [::]:59798 *:*
UDP [::]:59800 *:*
UDP [::1]:1900 *:*
UDP [::1]:5353 *:*
UDP [::1]:49916 *:*
UDP [fe80::2c5d:2b9c:7172:c3cd%11]:1900 *:*
UDP [fe80::2c5d:2b9c:7172:c3cd%11]:49915 *:*
07-02-2012 07:41 PM
Looks like there is, as UDP/500 is listed above:
UDP 0.0.0.0:500 *:*
UDP [::]:4500 *:*
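The listing above shows sockets bound on UDP/500 and UDP/4500 but not which process holds them, because `netstat -an` omits the PID column (`netstat -ano` includes it), and the client log's SocketApiBind() failure is what a bind on an already-taken port looks like. As an added example, not from the thread, the following Python script parses `netstat -ano -p UDP` output, reports the PIDs holding the IKE (UDP/500) and NAT-T (UDP/4500) ports, and prints the `tasklist` command to map each PID to its process and services. The sample listing is constructed, with made-up PIDs; on Windows the script captures the live listing instead. The function names are this example's own.

```python
import subprocess
import sys

# Constructed sample of `netstat -ano -p UDP` output.  PIDs are invented for this
# example; the thread's own listing was taken without -o and has no PID column.
SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:500            *:*                                    1234
  UDP    0.0.0.0:1900           *:*                                    2048
  UDP    0.0.0.0:4500           *:*                                    1234
  UDP    127.0.0.1:1900         *:*                                    2048
  UDP    [::]:500               *:*                                    1234
  UDP    [fe80::2c5d:2b9c:7172:c3cd%11]:1900  *:*                      2048
"""

IKE_PORTS = (500, 4500)  # ISAKMP and NAT-T; the VPN client has to bind both


def parse_netstat_ano(text):
    """Yield (proto, local_addr, local_port, pid) for every socket line."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("UDP", "TCP"):
            continue  # banner, header and blank lines
        # rsplit on the last colon handles IPv6 forms like [::]:500 and [fe80::...%11]:1900
        addr, port = t[1].rsplit(":", 1)
        yield t[0], addr, int(port), t[-1]


def find_ike_listeners(text, ports=IKE_PORTS):
    """Map each bound IKE/NAT-T UDP port to the set of (local address, pid) holding it."""
    found = {}
    for proto, addr, port, pid in parse_netstat_ano(text):
        if proto == "UDP" and port in ports:
            found.setdefault(port, set()).add((addr, pid))
    return found


def conflicting_pids(listeners):
    """Sorted unique PIDs to look up with tasklist."""
    return sorted({pid for owners in listeners.values() for _, pid in owners}, key=int)


def live_netstat():
    """Capture the real listing on Windows; return None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    result = subprocess.run(["netstat", "-ano", "-p", "UDP"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    listing = live_netstat() or SAMPLE_NETSTAT_ANO
    listeners = find_ike_listeners(listing)
    if not listeners:
        print("UDP/500 and UDP/4500 are free; the VPN client should be able to bind them")
    for port, owners in sorted(listeners.items()):
        for addr, pid in sorted(owners):
            print(f"UDP/{port} bound on {addr} by PID {pid}")
    for pid in conflicting_pids(listeners):
        print(f'next step: tasklist /svc /FI "PID eq {pid}"')
```

On Windows the built-in IKE and AuthIP IPsec Keying Modules service (IKEEXT) is a common owner of UDP/500 and UDP/4500, but the page does not show which process holds them on this PC, so the script only reports what the PID column says and leaves the `tasklist` lookup to the operator.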