
VPN issues

g.leonard
Level 1

My client is unable to connect to our PIX, which is acting as the VPN head-end. It is a 501 running 6.3(1) and my client is using Cisco VPN Client 4.0.1. The VPN has previously worked and neither my client nor I have altered the configuration. I am running the following debug commands to try and troubleshoot:

debug crypto isakmp

debug crypto ipsec

debug crypto vpnclient

The following output is displayed on the console of the PIX when my client attempts to connect:

crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:617 dpt:500
crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:617 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
    next-payload : 10
    type : 1
    protocol : 17
    port : 500
    length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:617 dpt:500
ISAKMP (0): deleting SA: src X.X.X.X, dst X.X.X.X
ISADB: reaper checking SA 0x9e98c4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for X.X.X.X/617 not found - peers:0
ISADB: reaper checking SA 0xa89704, conn_id = 0
ISAKMP (0): deleting SA: src X.X.X.X, dst X.X.X.X
ISADB: reaper checking SA 0xa89704, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for X.X.X.X/617 not found - peers:0

We have IP connectivity (ping). Unfortunately I cannot see from the above messages whether there is a problem. Any ideas?? I have also enclosed the error message that the VPN Client gives.

Many thanks for any help.
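An added triage helper (not from this thread or from Cisco) that reads the posted debug lines and reports where the aggressive-mode Phase 1 exchange stopped: the proposal is accepted, the PIX replies without error, and then the SA is deleted before authentication, which is consistent with the group-password problem reported later in the thread. The "SA has been authenticated" marker and the verdict wording are assumptions; the sample is a re-joined copy of the posted output.

```python
import re

# Constructed sample of the posted "debug crypto isakmp" lines, re-joined (X.X.X.X as posted).
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:617 dpt:500
OAK_AG exchange
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): deleting SA: src X.X.X.X, dst X.X.X.X
VPN Peer:ISAKMP: Peer Info for X.X.X.X/617 not found - peers:0
"""
# Substrings that mark progress through Phase 1. The "SA has been authenticated"
# marker is an assumption (it does not appear in the posted output).
MARKERS = {"proposal_accepted": "atts are acceptable",
           "phase1_authenticated": "SA has been authenticated",
           "sa_deleted": "deleting SA"}

def decode_life_duration(line):
    """Decode 'life duration (VPI) of 0x0 0x20 0xc4 0x9b' (big-endian bytes) to seconds."""
    m = re.search(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)", line)
    return int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big") if m else None

def triage_isakmp_debug(text):
    """Summarise how far the IKE Phase 1 exchange got and what to check next."""
    r = {"mode": None, "proposal": {}, **{k: False for k in MARKERS}}
    for line in text.splitlines():
        m = re.match(r"OAK_(AG|MM) exchange", line)
        if m:
            r["mode"] = {"AG": "aggressive", "MM": "main"}[m.group(1)]
        m = re.match(r"ISAKMP: (encryption|hash|default group|extended auth) (.+)", line)
        if m:
            r["proposal"][m.group(1)] = m.group(2).strip()
        if "life duration" in line:
            r["proposal"]["lifetime_s"] = decode_life_duration(line)
        for key, needle in MARKERS.items():
            if needle in line:
                r[key] = True
    if not r["proposal_accepted"]:
        r["verdict"] = "proposal rejected: compare the isakmp policy with the client's settings"
    elif r["sa_deleted"] and not r["phase1_authenticated"]:
        r["verdict"] = ("proposal accepted but SA deleted before authentication: check the "
                        "group name/password on both ends and that UDP 500 replies get back")
    else:
        r["verdict"] = "Phase 1 authenticated: move on to debug crypto ipsec for Phase 2"
    return r
```

For the posted output this decodes the proposed lifetime (0x0020c49b) as 2147483 seconds and lands on the "deleted before authentication" verdict.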

9 Replies

jmia
Level 7

Gary,

I'm a little confused by your question: you say that you have L3 connectivity, but the debug output and the VPN client side say that it cannot see the peer!!

Is your client using dial-up and then making the vpn connection?

From the debug you have provided it looks like the peer address cannot be contacted:

> VPN Peer:ISAKMP: Peer Info for X.X.X.X/617 not found - peers:0

I'm presuming that this is the peer address of a dial-up ISP that your client is using. I have come across similar issues where certain ISPs are blocking TCP Protocol 50 (ESP), TCP Protocol 51 (AH) and UDP Protocol 500 (IKE).

Have you tried a different dial-up ISP for your client to see if you get the same problem?

Let me know how you get on or need further help.

Jay

Jay

I find it a little confusing too. We can run ping and traceroute without problems when ICMP filtering is removed. The VPN client is also behind a firewall on our client's premises which apparently has no restrictions on client access outbound to the Internet, so I don't think any packet filtering is interfering. Do you know if there is any debugging that can be switched on in the VPN client? My client is using a leased line connection.

Many thanks

Gary

Hi,

I am running a later version of the Cisco VPN client, but as far as I can remember you can still enable logging within your version of the VPN client. Open up the client and try navigating to the following:

Log -> Enable

Log -> Log Window

Attempt to connect to the headend peer and then save the log file. You might want to post it along with your PIX config so that we can have a look and try to establish what the root of the problem is.

Remember to remove any sensitive information such as IP addresses.

Can you confirm which ports the firewall which you are behind has open? IKE may well be getting blocked.

Thanks

Steve.

Hi Steve

I actually figured out the VPN client logging shortly after my last post (I haven't actually used the client myself). I will post the log when I retrieve it from my client. As for firewall rules, as stated earlier, my client assures me that the firewall in front of their VPN client permits all outbound traffic.

Many thanks

Gary

Have you already added this command:

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick

Gary,

I've just read your reply. As Patrick points out in his post, have you got NAT-T enabled in your PIX config?

> isakmp nat-traversal

Let me know if this helps.

Jay

Jay, Patrick

I have not got NAT-T configured on the PIX I am using as the VPN head-end, as I believe this is not necessary (no NAT translations). However, I am not sure of my client's setup, which I will check.

Gary

Fixed the problem. I tested the connection by setting up another client on a different Internet connection to the VPN head-end and enabled logging. There seemed to be a problem with the hash, and it suggested a problem with the group password. I re-entered this into the PIX configuration and it started to work. The only thing I can think of is that somehow the configuration got corrupted? Has anybody had any similar problems?

Thanks for the feedback,

YES, I also once had a problem after copying the profile file to another host, and that did not work. Finally I had to recreate the profile on that host and everything worked fine.

But I did not have any issue with the VPN policy settings!!

sincerely

Patrick