VPN Concentrator issue

Unanswered Question
Apr 16th, 2009

Hi,

Whenever user trying to login into conceter getting the following errors on VPN concenters

40433 04/16/2009 10:57:47.480 SEV=5 IKEDBG/64 RPT=292 1.1.1.1

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

40435 04/16/2009 10:57:47.670 SEV=5 IKE/172 RPT=249 1.1.1.1

Group [H0u5t0N0]

Automatic NAT Detection Status:

Remote end IS behind a NAT device

This end is NOT behind a NAT device

40439 04/16/2009 10:57:53.030 SEV=4 IKE/52 RPT=212 1.1.1.1

Group [H0u5t0N0] User {xxxxxxxx]

User (xxxxxxx) authenticated.

40440 04/16/2009 10:57:53.200 SEV=5 IKE/184 RPT=211 1.1.1.1

Group [H0u5t0N0] User [sdziatkowiec]

Client Type: WinNT

Client Application Version: 5.0.00.0340

40442 04/16/2009 10:58:13.530 SEV=5 IKE/50 RPT=143 1.1.1.1

Group [H0u5t0N0] User [sdziatkowiec]

Connection terminated for peer xxxxxxxx.

Reason: Peer Terminate, Administratively Disconnected.

Remote Proxy N/A, Local Proxy N/A

40446 04/16/2009 10:59:00.480 SEV=4 IKE/136 RPT=139 1.1.1.1

Group [H0u5t0N0] User xxxxxx]

IKE session establishment timed out [AM_WAIT_DELETE], aborting!

At user end logs(Cisco VPN Client)

25 11:18:57.328 04/16/09 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=6524FE77

26 11:18:57.328 04/16/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to x.x.x.x

27 11:18:57.328 04/16/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=4B4471259D1E22B4 R_Cookie=4545A9BBA00AE192) reason = DEL_REASON_IKE_NEG_FAILED

28 11:18:57.328 04/16/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x

29 11:19:00.328 04/16/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=4B4471259D1E22B4 R_Cookie=4545A9BBA00AE192) reason = DEL_REASON_IKE_NEG_FAILED

30 11:19:00.328 04/16/09 Sev=Info/4 CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

31 11:19:00.328 04/16/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

32 11:19:00.843 04/16/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

33 11:19:00.843 04/16/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

34 11:19:00.843 04/16/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

35 11:19:00.843 04/16/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Fri, 04/17/2009 - 10:58

sateesh

From the message on the concentrator that the user is authenticated I would believe that it is getting part way through the negotiation, but then something fails.

I faced a situation recently that might be somewhat similar. We found that there was a small detail that was different in the way that the client was configured from the way that the concentrator was configured. Can you check the details of how your clients and concentrator are configured?

HTH

Rick

sateeshk10 Fri, 04/17/2009 - 12:26

Hi,

After rebooting my concentrator its working fine. But in need small solution

I have 2 contrators at two diffrent locations(A & B), I want use one has Primary and otherone as secondary.

A -- Should be primary

B- should be secondary

There is tunnel beteen A and B

Config is same at both the ends includes redius,groups,access etc.

pl. let me know is there any possibility to the same.

Regards

sateesh

Richard Burts Fri, 04/17/2009 - 12:36

sateesh

Am I correct in assuming that your concentrator is one of the Cisco 3000 series of concentrators? If so I believe that there is a way to achieve what you describe. Have the users configure their client with the address of A as the concentrator. In the configuration of the groups on the concentrator there is an option to specify a backup concentrator and to push that information to the client. So configure A to specify B as the backup concentrator and to push that to the clients. When you do this the client will attempt to connec to A. If the connection to A fails then the client will attempt to connect to B.

HTH

Rick

sateeshk10 Fri, 04/17/2009 - 12:47

Hi,

Could you pl. let me know the option where it is exactly as i have checked. But no luck.

Thanks in advance

Regards

sateesh

Richard Burts Fri, 04/17/2009 - 13:00

sateesh

In the concentrator, under configuration, choose the User Management tab, and then choose the Groups option. This should open a page which displays the groups that are configured. Choose the group that you want to configure and click on modify. This should open the configuration of the group. Click the Client Config tab which should bring up options about the client. One of these options is IPSec Backup Servers. In that option there is a pull down menu and you would select the option for Use List Below and input the address of the concentrator which will be the backup.

At that point the concentrator should begin to push to the clients the configured backup server. After you make the change remember to save the config.

HTH

Rick

Actions

This Discussion