VPN Troubleshooting

Answered Question
Jul 24th, 2007

Argghh - I'm pulling my hair out.

I'm having problems with this VPN stuff. I have read piles of books etc. and I just can't see what the problem is.

I have a PIX 515E whose outside interface has a private IP address and connects to the inside of a 3660 router. The router NATs the PIX IP to an Internet-routable IP. There are no access-lists on the router, and traffic flows through to other internal IPs fine.

The Cisco VPN Client is saying:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
!
!
259 16:36:02.050 07/24/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "*.*.*.*"
260 16:36:02.060 07/24/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with *.*.*.*.
261 16:36:02.090 07/24/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to *.*.*.*
262 16:36:02.100 07/24/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
263 16:36:02.100 07/24/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
264 16:36:07.568 07/24/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
265 16:36:07.568 07/24/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to *.*.*.*
!
!
270 16:36:22.589 07/24/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
271 16:36:23.090 07/24/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
272 16:36:23.090 07/24/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "*.*.*.*" because of "DEL_REASON_PEER_NOT_RESPONDING"
etc.

The PIX 515 shows an increase in In Octets and In Packets, but the same number of dropped packets, in a show isakmp command:

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 46152
In Packets: 56
In Drop Packets: 56
In Notifys: 0

The ISAKMP is as follows:

crypto ipsec transform-set Myset esp-3des esp-sha-hmac
crypto dynamic-map TestMap 1 match address CorpOffice
crypto dynamic-map TestMap 1 set transform-set Myset
crypto map Test 10 ipsec-isakmp dynamic TestMap
crypto map Test interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp am-disable
crypto isakmp disconnect-notify
crypto isakmp reload-wait

Any pointers on how to debug or even fix - much much much appreciated!!!!

Thanks

Ed
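A way to triage a Phase 1 failure like this from the client log and the peer's counters, as an added example that is not part of the original post. The log lines (abridged), the show isakmp output and the ISAKMP config fragment are copied from the post above; the script, the finding names and the checks are my own. The aggressive-mode check is a reading of the client's "ISAKMP OAK AG" line against the posted "crypto isakmp am-disable" (the Cisco VPN Client negotiates group pre-shared-key tunnels in IKE aggressive mode), not the fix Ed reports later in the thread.

```python
"""Triage a Cisco VPN Client IKE Phase 1 failure against the peer's ISAKMP
counters and ISAKMP configuration (added example; not from the thread).
The three sample inputs below are copied from the thread, abridged."""
import re

CLIENT_LOG = """\
259 16:36:02.050 07/24/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "*.*.*.*"
261 16:36:02.090 07/24/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to *.*.*.*
264 16:36:07.568 07/24/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
270 16:36:22.589 07/24/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B9A3A69D5B3192A7 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
272 16:36:23.090 07/24/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "*.*.*.*" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

SHOW_ISAKMP = """\
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 46152
In Packets: 56
In Drop Packets: 56
In Notifys: 0
"""

PIX_ISAKMP_CONFIG = """\
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp am-disable
"""

# "<seq> <time> <date> Sev=<level>/<n> <module>/0x<code>"
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)$")
COOKIES = re.compile(r"I_Cookie=([0-9A-F]+) R_Cookie=([0-9A-F]+)")


def parse_client_log(text):
    """Pair each client-log header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        m = HEADER.match(lines[i])
        if not m:
            continue
        entries.append({"seq": int(m.group(1)), "module": m.group(6),
                        "code": m.group(7), "msg": lines[i + 1]})
    return entries


def parse_show_isakmp(text):
    """Turn the 'Name: value' counter lines of show isakmp into a dict."""
    stats = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            if value.strip().isdigit():
                stats[key.strip()] = int(value)
    return stats


def diagnose_phase1(entries, stats, pix_config):
    """Return a list of finding names derived from the three inputs."""
    findings = []
    msgs = [e["msg"] for e in entries]
    config_lines = pix_config.splitlines()
    # "OAK AG" = ISAKMP aggressive mode, what the VPN Client uses with a group PSK.
    sent_aggressive = any("ISAKMP OAK AG (" in m for m in msgs)
    for m in msgs:
        c = COOKIES.search(m)
        # An all-zero responder cookie means no ISAKMP reply ever arrived.
        if c and set(c.group(2)) == {"0"}:
            findings.append("no_isakmp_reply")
            break
    if sent_aggressive and "crypto isakmp am-disable" in config_lines:
        findings.append("aggressive_mode_disabled_on_peer")
    received, dropped = stats.get("In Packets", 0), stats.get("In Drop Packets", 0)
    # Packets do reach the peer but every one is discarded: the path works,
    # the ISAKMP side does not.
    if received and received == dropped:
        findings.append("peer_receives_but_drops_all")
    return findings


if __name__ == "__main__":
    print(diagnose_phase1(parse_client_log(CLIENT_LOG),
                          parse_show_isakmp(SHOW_ISAKMP), PIX_ISAKMP_CONFIG))
```

The two counters together are the useful part: an all-zero R_Cookie says the client never saw a reply, and In Packets equal to In Drop Packets says the PIX did receive the packets and discarded them, so the NAT on the 3660 is delivering UDP/500 and the search belongs in the ISAKMP configuration on the PIX rather than in the router in front of it.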

mattiaseriksson Tue, 07/24/2007 - 14:56

Ed,

It looks like you use an IP address to connect, so you should use "crypto isakmp identity address" instead of "crypto isakmp identity hostname".

And you don't really need the match statement in the dynamic crypto map so you can try to remove it.

If this does not help it would be useful to see the debugging from the PIX.

Fernando_Meza Tue, 07/24/2007 - 23:10

Hi .. here is a working config you could use as reference ..

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
vpngroup VPNGROUP address-pool VPNGROUP-Pool
vpngroup VPNGROUP dns-server x.x.x.x
vpngroup VPNGROUP default-domain domain.net
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password ********
username remoteuser password remoteuser privilege 2

I hope it helps .. please rate it if it does !!!

edw Wed, 07/25/2007 - 02:38

Hi,

I got a bit further after posting my message. The problem was the crypto isakmp match address command!

So after a few bumps I can connect, no errors that I can see etc. However, now I can't pass any traffic; the debug only references this:

Built ICMP connection for faddr 10.10.10.18/1024 gaddr 10.9.9.10/0 laddr 10.9.9.10/0
.
.
.
Teardown ICMP connection for faddr 10.10.10.18/1024 gaddr 10.9.9.10/0 laddr 10.9.9.10/0

Any ideas why I seem to be sending but not getting a response back?

Thanks

Ed

edw Wed, 07/25/2007 - 08:13

I honestly can't see why this isn't working?

The ISAKMP is as follows:

crypto ipsec transform-set Myset esp-3des esp-sha-hmac
crypto dynamic-map TestMap 1 set transform-set Myset
crypto map Test 10 ipsec-isakmp dynamic TestMap
crypto map Test interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp am-disable
crypto isakmp disconnect-notify
crypto isakmp reload-wait

I have nat 0 (inside) access-list Test

access-list Test extended permit ip any 10.10.10.0 255.255.255.0

Is there another command I should be seeing? I have entered sysopt connection permit-vpn (though it doesn't show up in the config).

Thanks for any desperate help

Ed

edw Wed, 07/25/2007 - 09:04

Okay

5 POINTS FOR THE FIRST CORRECT ANSWER!

I can connect and auth with no errors but not pass traffic. I get this in the debug when I try to ping.

Built ICMP connection for faddr 10.10.10.18/1024 gaddr 10.9.9.10/0 laddr 10.9.9.10/0
.
.
.
Teardown ICMP connection for faddr 10.10.10.18/1024 gaddr 10.9.9.10/0 laddr 10.9.9.10/0

The config without correct IPs is:

PIX Version 7.2(2)
!
hostname VPN-Headache
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.11.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Out extended permit tcp host 10.10.1.201 any eq ftp
!
access-list In extended permit udp host 10.11.1.2 host 10.250.250.201 eq tftp
!
access-list VPNTest extended permit ip any 192.168.20.0 255.255.255.0
!
pager lines 24
!
ip local pool Off-Pool 192.168.1.50-192.168.20.1.60
!
nat-control
global (outside) 2 10.250.250.10
nat (inside) 0 access-list VPNTest
nat (inside) 2 10.10.1.0 255.255.255.0
!
static (inside,outside) 10.250.250.201 10.10.1.201 netmask 255.255.255.255
!
access-group In in interface outside
access-group Out in interface inside
!
route outside 0.0.0.0 0.0.0.0 10.11.1.2 1
route inside 10.10.1.0 255.255.255.0 10.10.10.2 1
!
group-policy DfltGrpPolicy attributes
 banner value Testing Default
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
group-policy Test internal
group-policy Test attributes
 banner value Test Test
 wins-server value 10.10.1.2 10.10.1.5
 vpn-session-timeout 30
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
!
crypto ipsec transform-set Myset esp-des esp-md5-hmac
crypto dynamic-map Test1 1 set transform-set Myset
crypto map VPN 10 ipsec-isakmp dynamic Test1
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
crypto isakmp reload-wait
tunnel-group Off type ipsec-ra
tunnel-group Off general-attributes
 address-pool Off-Pool
 authentication-server-group (outside) Mygroup
 accounting-server-group Mygroup
 default-group-policy Test
tunnel-group Off ipsec-attributes
 pre-shared-key *

Thanks

Ed

Correct Answer
1cmerchant Wed, 07/25/2007 - 09:17

Ed,

Does the rest of your network know a route back to the network you are using for the VPN? Assuming that you have an 'Inside' interface connected to your network, other networking devices in your network would need to know that IP address in order to send traffic back to the network subnet you are assigning to the VPN clients.

Carl

edw Wed, 07/25/2007 - 09:25

Hi,

Yes, I have a route on my internal router pointing 192.168.1.0 255.255.255.0 to 10.10.10.1.

The gateway my clients get given is 192.0.0.1 255.0.0.0

Not sure why ??

Thanks

Ed

edw Wed, 07/25/2007 - 09:56

Hi,

I checked this last night - and thought it was correct but after your post, I checked again. Guess what - it was pointing to the old firewall. lol

Can't believe it! Thanks for the heads up - 5 points as promised!

Ed
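Carl's question, and the stale route Ed found, reduce to two checks a practitioner can script instead of eyeballing: the client address pool must be covered by the nat 0 exemption ACL, and every internal router's longest-match route for a pool address must point back at the PIX inside interface, otherwise the echo goes out (the "Built ICMP connection" line) and the reply never returns (the "Teardown" after idle timeout). This is an added example, not code from the thread. The PIX inside address 10.10.10.1 and the VPNTest ACL destination 192.168.20.0/24 are taken from the posted config; the pool line as posted is garbled, so the range 192.168.1.50-192.168.1.60 is constructed from the route Ed quotes; 10.10.10.254 is a hypothetical address standing in for the old firewall.

```python
"""Return-path consistency check for IPsec remote-access clients
(added example; not from the thread). Pool, ACL and route values come from
the thread where it gives them and are constructed where it does not."""
import ipaddress

PIX_INSIDE = "10.10.10.1"                # from the posted config
NAT0_DST = "192.168.20.0/24"             # access-list VPNTest, as posted
POOL = ("192.168.1.50", "192.168.1.60")  # constructed: the posted pool line is garbled
OLD_FW = "10.10.10.254"                  # hypothetical address of the old firewall

# Internal router, as Ed first described it versus after his fix.
ROUTER_BEFORE = [("0.0.0.0/0", PIX_INSIDE), ("192.168.1.0/24", OLD_FW)]
ROUTER_AFTER = [("0.0.0.0/0", PIX_INSIDE), ("192.168.1.0/24", PIX_INSIDE)]


def pool_networks(first, last):
    """Collapse an 'ip local pool first-last' range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def longest_match(routes, addr):
    """Router-style longest-prefix lookup over [(prefix, next_hop)]."""
    addr = ipaddress.ip_address(str(addr))
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def check_return_path(pool_first, pool_last, nat_exempt_dst, pix_inside, router_routes):
    """List the problems that would make client traffic one-way."""
    issues = []
    exempt = ipaddress.ip_network(nat_exempt_dst)
    for net in pool_networks(pool_first, pool_last):
        # nat-control is on: inside->client traffic that matches no NAT rule
        # and is not exempted by the nat 0 ACL is dropped by the PIX.
        if not net.subnet_of(exempt):
            issues.append(f"nat_exemption_misses_pool:{net}")
        # Check the first and last client address of each block; a reply to
        # a client must be routed to the PIX inside interface, nothing else.
        for a in (net[0], net[-1]):
            next_hop = longest_match(router_routes, a)
            if next_hop != pix_inside:
                issues.append(f"return_route_not_via_pix:{a}->{next_hop}")
    return sorted(set(issues))


if __name__ == "__main__":
    print("before:", check_return_path(*POOL, NAT0_DST, PIX_INSIDE, ROUTER_BEFORE))
    print("after: ", check_return_path(*POOL, "192.168.1.0/24", PIX_INSIDE, ROUTER_AFTER))
```

Run as posted it flags both the ACL (192.168.20.0/24 does not cover a 192.168.1.x pool) and the route via the old firewall; with the ACL destination changed to 192.168.1.0/24 and the router's 192.168.1.0/24 route pointed at 10.10.10.1 it returns an empty list. The same function can be run against each internal router's table in turn, since a single router with a stale route is enough to black-hole the replies.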
