1811 VPN Not Working

xcz504d1114
Level 4

Many Kudos to the person who figures this one out...

We have a VPN concentrator and about 15 1811s already in the field and working. We can't seem to get the latest one to work properly. We initially thought it was bad hardware; we are on our 3rd VPN router. Multiple IOS versions have been tried, 3 different ISPs from 4 separate locations have been tried, and of course we even copied known good configs, still with no luck. And yes, we have verified the connection limit of our concentrator.

Now on to the good stuff

Log message, distant end failed sanity check:

000157: *Aug 28 10:56:56.126 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xxx.xxx.xxx.xxx failed its sanity check or is malformed

Console message:

000734: *Aug 28 11:58:57.197 CDT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=<grp-name omitted> Client_public_addr=yyy.yyy.yyy.yyy Server_public_addr=xxx.xxx.xxx.xxx

show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6

Tunnel name : <name omitted>

Inside interface list: Vlan199

Outside interface: FastEthernet0

Current State: SS_OPEN

Last Event: SOCKET_READY

DNS Primary: xxx.xxx.xxx.xxx

Save Password: Disallowed

Current EzVPN Peer: xxx.xxx.xxx.xxx

show crypto session

Crypto session current status

Interface: FastEthernet0

Session status: UP-IDLE

Peer: xxx.xxx.xxx.xxx port 500

IKE SA: local 192.168.1.100/500 remote xxx.xxx.xxx.xxx/500 Active

IKE SA: local 192.168.1.100/500 remote xxx.xxx.xxx.xxx/500 Inactive

IKE SA: local 192.168.1.100/500 remote xxx.xxx.xxx.xxx/500 Inactive

IPSEC FLOW: permit ip xx.xx.xx.xx/255.255.255.0 0.0.0.0/0.0.0.0

Active SAs: 0, origin: crypto map

show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

xxx.xxx.xxx.xxx 192.168.1.100 QM_IDLE 2170 0 ACTIVE

xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2169 0 ACTIVE (deleted)

xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2168 0 ACTIVE (deleted)

xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2167 0 ACTIVE (deleted)

I can get any show commands or debug commands that is needed to help get this resolved.

Thanks,

Craig

3 Replies

xcz504d1114
Level 4

Also, this is set up with EzVPN; IKE phase 1 completes.

Here is a partial output of the isakmp debug. After the 5th retry it attempts to tear down the connection but fails because the connection doesn't exist, and then goes through the policy matching, authenticates, inserts a peer and comes back to this point.

t phase 2
004734: *Aug 28 13:44:44.497 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...
004735: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...
004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
004738: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 1712116236 QM_IDLE
004739: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
004740: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392):Sending an IKE IPv4 Packet.
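The three artifacts quoted in this thread (the %CRYPTO-4-IKMP_BAD_MESSAGE syslog line, the `show crypto isakmp sa` table with its stale MM_NO_STATE entries, and the isakmp debug "attempt N of 5: retransmit phase 2" counters) together tell the story: phase 1 reaches QM_IDLE, but every quick-mode message is retransmitted and never acknowledged. The following triage script is an added example, not code from the original post or from Cisco; it parses constructed copies of those outputs (peer addresses kept redacted as in the thread) and reports the phase-1/phase-2 state so the same pattern can be spotted quickly on another router.

```python
"""Triage helper for an EzVPN remote whose IKE phase 1 completes but whose
phase 2 (quick mode) keeps retransmitting. Added example; the sample text
below is constructed from the redacted output quoted in the thread."""
import re
from collections import Counter

# Constructed sample: syslog lines as shown in the thread (addresses redacted).
SYSLOG = """\
000157: *Aug 28 10:56:56.126 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xxx.xxx.xxx.xxx failed its sanity check or is malformed
000734: *Aug 28 11:58:57.197 CDT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=<grp-name omitted> Client_public_addr=yyy.yyy.yyy.yyy Server_public_addr=xxx.xxx.xxx.xxx
"""

# Constructed sample: 'show crypto isakmp sa' table as in the thread.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xxx.xxx.xxx.xxx 192.168.1.100 QM_IDLE 2170 0 ACTIVE
xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2169 0 ACTIVE (deleted)
xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2168 0 ACTIVE (deleted)
xxx.xxx.xxx.xxx 192.168.1.100 MM_NO_STATE 2167 0 ACTIVE (deleted)
"""

# Constructed sample: 'debug crypto isakmp' lines, unwrapped onto single lines.
DEBUG = """\
004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
004738: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 1712116236 QM_IDLE
"""

SYSLOG_RE = re.compile(r"%(?P<mnemonic>CRYPTO-\d-[A-Z_]+):")
SA_ROW_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+\d+\s+"
    r"(?P<status>ACTIVE(?: \(deleted\))?)\s*$")
RETRANS_RE = re.compile(
    r"ISAKMP \(0:(?P<conn>\d+)\): incrementing error counter on (?P<on>node|sa), "
    r"attempt (?P<n>\d) of (?P<max>\d): retransmit phase (?P<phase>\d)")


def syslog_mnemonics(text):
    """Count CRYPTO-* mnemonics; IKMP_BAD_MESSAGE means an IKE payload was rejected."""
    return Counter(m.group("mnemonic") for m in SYSLOG_RE.finditer(text))


def isakmp_sa_rows(text):
    """Parse the data rows of 'show crypto isakmp sa' (header lines don't match)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def stale_sa_count(rows):
    """SAs left in MM_NO_STATE and marked deleted: remnants of earlier failed main-mode runs."""
    return sum(1 for r in rows if r["state"] == "MM_NO_STATE" and "deleted" in r["status"])


def max_phase2_retransmit(text):
    """Highest 'attempt N of M: retransmit phase 2' counter seen, keyed by conn-id."""
    worst = {}
    for m in RETRANS_RE.finditer(text):
        if m.group("phase") == "2":
            conn = m.group("conn")
            worst[conn] = max(worst.get(conn, 0), int(m.group("n")))
    return worst


def triage(syslog, sa_table, debug):
    """Combine the three views into a short list of findings."""
    mnemonics = syslog_mnemonics(syslog)
    rows = isakmp_sa_rows(sa_table)
    live = [r for r in rows if r["state"] == "QM_IDLE" and "deleted" not in r["status"]]
    retrans = max_phase2_retransmit(debug)
    stale = stale_sa_count(rows)
    findings = []
    if mnemonics.get("CRYPTO-4-IKMP_BAD_MESSAGE"):
        findings.append("peer rejected an IKE message (sanity check / malformed)")
    if live and retrans:
        findings.append("phase 1 is up (QM_IDLE) but phase 2 quick mode keeps retransmitting")
    if stale:
        findings.append(f"{stale} stale MM_NO_STATE SAs left from earlier attempts")
    return {"live_phase1": len(live), "stale_sas": stale,
            "phase2_retransmits": retrans, "findings": findings}


if __name__ == "__main__":
    for line in triage(SYSLOG, ISAKMP_SA, DEBUG)["findings"]:
        print("-", line)
```

Run against real output, the combination "live QM_IDLE SA plus climbing phase 2 retransmit counters plus IKMP_BAD_MESSAGE on the far side" points at a phase-2 proposal or payload the peer will not accept rather than at reachability, which matches the later finding in this thread that the crypto library in the image, not the hardware, was at fault.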

Hello,

Can you post your config of the router?

Is the Ezvpn mode "network extension"?

If the mode is network extension check your configs on both sides using following url:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

xcz504d1114
Level 4

After many hours we figured out a solution to the problem but developed another issue.

The original problem was resolved by finding an IOS with crypto library version 19.0.0; the 20.0.0 library gave bad IKE messages and couldn't generate an RSA key without an error. So that part is resolved, but I can't find an IOS that has the crypto lib I need together with working wireless for my Cisco 1811.

The current IOS I have loaded is c181x-advipservicesk9-mz.124-6.T11.

The IOS images we are having known issues with the crypto lib on are c181x-advipservicesk9-mz.124-11.XW3.bin through 124-11.XW9.bin.

The "T" series does not work with the wireless (at least the ones that I have tried), and the XW series won't work because of the crypto lib version.

I have tried many different IOS images, and shooting in the dark for the right information is becoming a headache and wasting a lot of time. Any additional help would be appreciated.

Thanks,

Craig
