IKE Negotiation failed when trying to VPN into PIX 535

Unanswered Question
ajagadee Tue, 10/02/2007 - 04:28
User Badges:
  • Cisco Employee,

Hi,


Can you post the debugs from the PIX and the logs from the client?


Also, check the group name and password and make sure that they match on the client and PIX.


I hope it helps.


Regards,

Arul

Here are the client logs:


Cisco Systems VPN Client Version 4.0.4 (Rel)

Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600


1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015

Processing enumerate phone book entries command


2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D

Retrieved 5 dial entries


3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015

Processing enumerate phone book entries command


4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D

Retrieved 5 dial entries


5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002

Begin connection process


6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001

Microsoft IPSec Policy Agent service stopped successfully


7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet


8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024

Attempt connection with server "x.x.x.x"


9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with x.x.x.x.


10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114


11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started


12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = x.x.x.x


14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x


15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer


16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH


17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001

Peer supports NAT-T



18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001

Peer supports IKE fragmentation payloads


19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056

The received HASH payload cannot be verified


20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D

Hash verification failed... may be configured with invalid group password.


21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099

Failed to authenticate peer (Navigator:903)


22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x


23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x


24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201)


25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED


26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED


27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"


28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv


29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection


30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully


31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped



ajagadee Tue, 10/02/2007 - 08:04
User Badges:
  • Cisco Employee,

Thanks for the logs.


From the logs:


20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D

Hash verification failed... may be configured with invalid group password.


This basically means the group name/password is not matching. Can you retype the group name/password on the VPN server as well as the client and try to connect?


I hope it helps.


Regards,

Arul


** Please rate all helpful posts **
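
The triage done by eye in the reply above, as an added example that is not part of the original thread and is not Cisco code: a Python parser for the client log format shown in the thread that reports which IKE warnings preceded the Phase 1 failure. The function names, the hint wording, and the abridged sample log are assumptions of this example; the event codes are the ones that appear in the posted log.

```python
import re

# Entry header in the Cisco VPN Client log format shown in the thread:
#   <n> <time> <date> Sev=<level>/<n> <component>/<event code>
HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+(\S+)\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

# Event codes as they appear in the thread's log; the hint text is this example's wording.
HINTS = {
    "0xE3000056": "HASH payload from the peer could not be verified",
    "0xE300007D": "group name/password differs between client and VPN server",
    "0xE3000099": "peer authentication failed",
}

# Constructed sample, abridged from the log posted in the thread.
SAMPLE = """\
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID) to x.x.x.x
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH) from x.x.x.x
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
"""

def parse(text):
    """Split the log into entries, attaching each message line to its header."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            n, _time, _date, sev, _lvl, comp, code = m.groups()
            entries.append({"n": int(n), "sev": sev, "comp": comp, "code": code, "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def diagnose(entries):
    """Report why Phase 1 failed, or None if the log shows no Phase 1 failure."""
    failed = next((e for e in entries if "Unable to establish Phase 1" in e["msg"]), None)
    if failed is None:
        return None
    before = [e for e in entries if e["n"] < failed["n"]]
    return {
        "failed_at": failed["n"],
        "peer_replied": any(e["msg"].startswith("RECEIVING <<<") for e in before),
        "causes": [HINTS[e["code"]] for e in before if e["sev"] == "Warning" and e["code"] in HINTS],
    }
```

A result with `peer_replied` true and the hash-verification hints in `causes` matches the case in this thread: the server answered the Aggressive Mode exchange, but the client could not verify its HASH payload.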

kaachary Wed, 10/03/2007 - 14:43
User Badges:
  • Cisco Employee,

On the client, check the secured routes to see if you see only one host. If not, your split tunnel is not working.
