
Vpn software client does not connect to concentrator anymore

ccs
Level 1

Since we have configured a lan-to-lan connection, we cannot establish a connection with a software client anymore. Everything was working fine before. We tried different client software versions (3.6.3 and 4.0.3), we tried making the connection over ADSL and ISDN. Every time we get the same messages in the log of the concentrator:

14586 12/22/2003 11:40:57.070 SEV=12 IKEDECODE/0 RPT=1805

IKE Decode of received SA attributes follows:

0000: 80010007 80020001 80040002 80030001 ................

0010: 800B0001 000C0004 0020C49B 800E0080 ......... ......

14589 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2488

Proposal # 1, Transform # 12, Type ISAKMP, Id IKE

Parsing received transform:

Phase 1 failure against global IKE proposal # 1:

Rcv'd Key Length attr class, but class is not cfg'd

14593 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2489

Phase 1 failure against global IKE proposal # 2:

Rcv'd Key Length attr class, but class is not cfg'd

14595 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2490

Phase 1 failure against global IKE proposal # 3:

Rcv'd Key Length attr class, but class is not cfg'd

14597 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2491

Phase 1 failure against global IKE proposal # 4:

Rcv'd Key Length attr class, but class is not cfg'd

14599 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2492

Phase 1 failure against global IKE proposal # 5:

Rcv'd Key Length attr class, but class is not cfg'd

14601 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2493

Phase 1 failure against global IKE proposal # 6:

Mismatched attr types for class Hash Alg:

Rcv'd: MD5

Cfg'd: SHA

The VPN client software replies with: remote peer no longer responding.

We messed around with the settings in the concentrator, but did not get the right settings to get this working again.

Does anyone have any idea what could be wrong?
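The SA attribute bytes in the IKEDECODE dump above can be read directly. The following is an added example, not part of the original post, that parses them as ISAKMP data attributes (RFC 2408 section 3.3, values from RFC 2409 Appendix A) and compares the offer with a configured proposal. The two configured proposals, `diff_proposal` and all other names are hypothetical, since the thread does not show the concentrator's IKE proposal list or its matching logic.

```python
import struct

# Hex words copied from the IKEDECODE dump in the post (ASCII column dropped).
SA_ATTR_HEX = "80010007 80020001 80040002 80030001 800B0001 000C0004 0020C49B 800E0080"
# Classes and values per RFC 2409 Appendix A; AES-CBC (7) is the IANA-assigned id.
CLASSES = {1: "Encryption Alg", 2: "Hash Alg", 3: "Auth Method", 4: "Group Desc",
           11: "Life Type", 12: "Life Duration", 14: "Key Length"}
VALUES = {1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}, 2: {1: "MD5", 2: "SHA"},
          3: {1: "pre-shared key", 3: "RSA signatures"}, 11: {1: "seconds", 2: "kilobytes"},
          4: {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536"}}

# Hypothetical configured proposals (assumption: the thread never lists the real ones).
BASE = {"Hash Alg": "SHA", "Auth Method": "pre-shared key", "Group Desc": "MODP-1024"}
HYPOTHETICAL_3DES_SHA = {**BASE, "Encryption Alg": "3DES-CBC"}
HYPOTHETICAL_AES128_SHA = {**BASE, "Encryption Alg": "AES-CBC", "Key Length": 128}

def parse_sa_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into {class: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError(f"truncated attribute header at offset {off}")
        type_field, second = struct.unpack_from(">HH", data, off)
        off += 4
        cls = type_field & 0x7FFF
        if type_field & 0x8000:          # AF=1: fixed 2-byte value (TV form)
            value = second
        else:                            # AF=0: 'second' is a length (TLV form)
            if off + second > len(data):
                raise ValueError(f"attribute class {cls} overruns the buffer")
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs[CLASSES.get(cls, f"class {cls}")] = VALUES.get(cls, {}).get(value, value)
    return attrs

def diff_proposal(received: dict, configured: dict) -> list:
    """List differences; illustrative, not the concentrator's own matching logic."""
    reasons = []
    for name, value in received.items():
        if name.startswith("Life"):
            continue                     # lifetimes are left out of this sketch
        if name not in configured:
            reasons.append(f"Rcv'd {name} attr class, but class is not cfg'd")
        elif configured[name] != value:
            reasons.append(f"Mismatched {name}: Rcv'd {value}, Cfg'd {configured[name]}")
    return reasons

if __name__ == "__main__":
    offer = parse_sa_attributes(bytes.fromhex(SA_ATTR_HEX))
    print(offer, diff_proposal(offer, HYPOTHETICAL_AES128_SHA), sep="\n")
```

The dump decodes to AES-CBC with a 128-bit key, MD5, group 2 and pre-shared key, which is consistent with the Key Length and Hash Alg messages the concentrator logs for this transform.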

3 Replies

gfullage
Cisco Employee

Since this started after configuring a L2L tunnel, check that the client pool of IP addresses isn't included as part of the local or remote network list of the L2L tunnel configuration.

If everything looks OK try removing the L2L tunnel config and see if the client connections start again, it may just be a coincidence that they stopped at the same time. Removing what you think is the offending config will give you a good idea of whether it's the cause of the problem or not.

ccs
Level 1

It seems that this has to do with the user authentication: if I set the Authentication field in the IPsec tab to None, the client authenticates (without the need to fill in a user/pwd); if I put it back to Internal, the client gets a "Remote peer no longer responding" message when trying to connect.

What could be wrong and why does Internal authentication go wrong even though there are users in that group?

The cause of this problem was that the certificate transmission was not correct in the SA. The right setting should be: Entire Certificate Chain. After changing this setting the "remote peer no longer responding" did not show up again.