12-09-2009 08:19 AM - edited 02-21-2020 04:25 PM
I have a Cisco 3845 with version 12.3(11r)T2. I am trying to configure it for remote access VPN with Xauth.
Following is my configuration:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa accounting network default start-stop group tacacs+
ip local pool aviation-pool 172.23.13.1 172.23.13.100
crypto isakmp policy 10
authentication pre-share
group 2
hash md5
crypto isakmp client configuration address-pool local aviation-pool
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx
pool aviation-pool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1
set transform-set myset
crypto map aviation-map client authentication list default
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
interface Serial2/3
crypto map aviation-map
I have created the VPN group NON-RETAIL-VPN in AAA. The router is configured for the AAA server. I am logging in to the router
through the username configured in AAA.
But when I try to connect a remote user, they get the error "connection terminated locally by client, reason 412".
Please help me out; it is very urgent.
12-09-2009 10:55 AM
On the router run debug cry isa & debug cry ips; on the VPN client enable logs, set them all to level 3, and post that output.
12-09-2009 11:07 AM
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
23 22:00:09.890 12/09/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 172.18.4.2.
24 22:00:09.890 12/09/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
25 22:00:09.906 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 172.18.4.2
26 22:00:10.156 12/09/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
27 22:00:10.156 12/09/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
28 22:00:12.453 12/09/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 172.18.4.2
29 22:00:12.453 12/09/09 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
30 22:00:12.453 12/09/09 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
31 22:00:12.453 12/09/09 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
32 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
33 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
34 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
35 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
36 22:00:25.156 12/09/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
37 22:00:25.156 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
38 22:00:30.156 12/09/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING
39 22:00:30.656 12/09/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING
40 22:00:30.703 12/09/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
41 22:00:30.703 12/09/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
42 22:00:30.703 12/09/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 22:00:30.703 12/09/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 22:00:30.703 12/09/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
12-09-2009 11:15 AM
From those client logs it looks like traffic from the server to the client is not getting there.
32 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
33 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
34 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
35 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
36 22:00:25.156 12/09/09 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
37 22:00:25.156 12/09/09 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
38 22:00:30.156 12/09/09 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING
Not sure if they are getting to the server. Can you get the logs from the VPN server when trying to initiate the connection from that same client?
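As an added example (not part of the original thread), the following Python reads a Cisco VPN Client log like the one posted above and summarises what the retransmission pattern says: how many ISAKMP packets were sent, how many retransmissions, whether any reply arrived from the gateway, how many warnings the client raised, and whether the SA was finally dropped with DEL_REASON_PEER_NOT_RESPONDING. The diagnosis split is the one the reply above is making: no reply at all points at reachability or UDP/500 filtering, while a reply that the client then cannot use (as here: "Invalid SPI size", "malformed message") points at the gateway side of the negotiation. The parser accepts the client's native two-line format (header line, then message line) as well as the joined one-line form quoted in the reply. The sample lines are an excerpt of the log from this thread; the function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the client log posted in this thread,
# in the client's native two-line form (header line, then message line).
SAMPLE_LOG = """\
23 22:00:09.890 12/09/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 172.18.4.2.
25 22:00:09.906 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 172.18.4.2
28 22:00:12.453 12/09/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 172.18.4.2
29 22:00:12.453 12/09/09 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
30 22:00:12.453 12/09/09 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
31 22:00:12.453 12/09/09 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
32 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
33 22:00:15.156 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
34 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
35 22:00:20.156 12/09/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2
38 22:00:30.156 12/09/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Header: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<level> <module>/<0xcode> [message]"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)


@dataclass
class Entry:
    seq: int
    time: str
    severity: str
    level: int
    module: str
    code: str
    message: str


def parse_client_log(text):
    """Parse two-line (header + message) or joined one-line client log entries."""
    lines = [l.strip() for l in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1  # banner lines such as "Client Type(s): Windows, WinNT"
            continue
        if m["rest"]:                     # joined form: message on the header line
            message, i = m["rest"], i + 1
        elif i + 1 < len(lines):          # native form: message on the next line
            message, i = lines[i + 1], i + 2
        else:
            break
        entries.append(Entry(int(m["seq"]), m["time"], m["sev"], int(m["level"]),
                             m["module"], m["code"], message))
    return entries


def phase1_summary(entries):
    """Count the events that matter for a stuck IKE phase 1."""
    return {
        "sent": sum(1 for e in entries if e.message.startswith("SENDING >>>")),
        "retransmissions": sum(1 for e in entries if "(Retransmission)" in e.message),
        "received": sum(1 for e in entries if e.message.startswith("Received ISAKMP packet")),
        "warnings": sum(1 for e in entries if e.severity == "Warning"),
        "peer_not_responding": any("DEL_REASON_PEER_NOT_RESPONDING" in e.message for e in entries),
    }


def diagnose(summary):
    """Map the summary onto the two cases discussed in the thread."""
    if not summary["peer_not_responding"]:
        return "phase1-progressed"
    if summary["received"] == 0:
        return "no-reply-from-gateway"          # check reachability / UDP 500 filtering first
    if summary["warnings"] > 0:
        return "gateway-replied-but-negotiation-failed"  # look at the gateway's isakmp/AAA setup
    return "gateway-stopped-responding"


if __name__ == "__main__":
    s = phase1_summary(parse_client_log(SAMPLE_LOG))
    print(s, diagnose(s))
```

For the excerpt above the verdict is "gateway-replied-but-negotiation-failed": the router did answer the aggressive-mode packet once, but the client could not make sense of the reply and the router never answered the retransmissions, which is why the next step in the thread is to look at the router rather than at the path.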
12-09-2009 11:24 AM
I can ping the VPN router, telnet and SSH. Traffic is hitting the VPN router because I can see the following debug when I am trying to connect to the router.
ENOCDC_R03#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.18.4.2 172.18.3.200 MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
I am suspecting something is wrong with the AAA configuration.
12-09-2009 12:48 PM
You're right. Traffic is hitting the router and we're missing one line in the AAA setup.
We may need the following lines:
aaa authorization network ezvpnnetwork local
crypto map aviation-map isakmp authorization list ezvpnnetwork
Give this a try; if that doesn't work, please enable debug cry isa & debug cry ips and post that output.
Traffic is hitting the router but might not be hitting the client back. I think the issue was that authorization line we were missing. Let me know.
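As an added example, not from the thread or from Cisco, here is a small Python check that reads an IOS running-config and reports the kind of dangling reference the reply above is about: a remote-access crypto map with no isakmp authorization list at all (the case in this thread), a client authentication or isakmp authorization list that names an AAA list never defined with aaa authentication login / aaa authorization network, a client configuration group without a key or a pool (or with a pool that no ip local pool defines), and a dynamic map without a transform set. It relies on the one-space indentation IOS gives sub-commands. The sample configs are constructed from the original post (typos corrected, indentation restored) and the same config with the two lines suggested above added; the list name ezvpnnetwork is the one from the reply, and the function names are this example's own.

```python
import re

# Constructed sample: the thread's original config, typos corrected, IOS indentation restored.
ORIGINAL_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console none
ip local pool aviation-pool 172.23.13.1 172.23.13.100
crypto isakmp policy 10
 authentication pre-share
 group 2
 hash md5
crypto isakmp client configuration address-pool local aviation-pool
crypto isakmp client configuration group NON-RETAIL-VPN
 key xxxx
 pool aviation-pool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1
 set transform-set myset
crypto map aviation-map client authentication list default
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
interface Serial2/3
 crypto map aviation-map
"""

# The same config with the two lines suggested in the reply above added.
FIXED_CFG = ORIGINAL_CFG.replace(
    "ip local pool", "aaa authorization network ezvpnnetwork local\nip local pool", 1,
).replace(
    "crypto map aviation-map 1 ipsec-isakmp",
    "crypto map aviation-map isakmp authorization list ezvpnnetwork\n"
    "crypto map aviation-map 1 ipsec-isakmp", 1,
)


def parse_ios(text):
    """Split a running-config into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:      # indented line belongs to the previous command
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_ra_vpn_config(text):
    """Return human-readable findings; an empty list means all references resolve."""
    blocks = parse_ios(text)
    tops = [top for top, _ in blocks]
    findings = []

    def have(prefix):                          # trailing space in prefix avoids partial-name hits
        return any(t.startswith(prefix) for t in tops)

    def first_match(pattern):
        return next((m for m in (re.match(pattern, t) for t in tops) if m), None)

    if "aaa new-model" not in tops:
        findings.append("aaa new-model is missing: named AAA lists are not used without it")

    # Crypto maps carrying a dynamic entry are the remote-access ones.
    ra_maps = sorted({m.group(1) for m in
                      (re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", t) for t in tops) if m})
    for name in ra_maps:
        q = re.escape(name)
        auth = first_match(rf"crypto map {q} client authentication list (\S+)$")
        if auth is None:
            findings.append(f"crypto map {name}: no 'client authentication list', so Xauth never runs")
        elif not have(f"aaa authentication login {auth.group(1)} "):
            findings.append(f"crypto map {name}: authentication list '{auth.group(1)}' has no "
                            f"'aaa authentication login' definition")
        autz = first_match(rf"crypto map {q} isakmp authorization list (\S+)$")
        if autz is None:
            findings.append(f"crypto map {name}: no 'isakmp authorization list', so the client "
                            f"group policy is never looked up")
        elif not have(f"aaa authorization network {autz.group(1)} "):
            findings.append(f"crypto map {name}: authorization list '{autz.group(1)}' has no "
                            f"'aaa authorization network' definition")

    for top, kids in blocks:
        g = re.match(r"crypto isakmp client configuration group (\S+)$", top)
        if g:
            if not any(k.startswith("key ") for k in kids):
                findings.append(f"group {g.group(1)}: no pre-shared 'key'")
            pool = next((k.split()[1] for k in kids if k.startswith("pool ")), None)
            if pool is None:
                findings.append(f"group {g.group(1)}: no 'pool' for client addresses")
            elif not have(f"ip local pool {pool} "):
                findings.append(f"group {g.group(1)}: pool '{pool}' is not defined by 'ip local pool'")
        d = re.match(r"crypto dynamic-map (\S+) \d+$", top)
        if d:
            ts = next((k.split()[2] for k in kids if k.startswith("set transform-set ")), None)
            if ts is None:
                findings.append(f"dynamic-map {d.group(1)}: no 'set transform-set'")
            elif not have(f"crypto ipsec transform-set {ts} "):
                findings.append(f"dynamic-map {d.group(1)}: transform-set '{ts}' is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, check_ra_vpn_config(cfg) or ["ok"])
```

Run against the original config the only finding is the missing isakmp authorization list on aviation-map; against the fixed config there are none. The check is deliberately about references between sections, which is what a show run | in crypto excerpt hides: each line looks valid on its own, and the break is that one of them points at a list that was never created.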
12-09-2009 10:50 PM
ENOCDC_R03#sh run | in cry
ENOCDC_R03#sh run | in crypto
crypto isakmp policy 10
crypto isakmp client configuration group Aviation-VPN
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
crypto map aviation-map client authentication list Aviation-auth
crypto map aviation-map isakmp authorization list Aviation-authorization
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
crypto map aviation-map
ENOCDC_R03#sh run | in aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication login Aviation-auth local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authorization network Aviation-authorization local
aaa accounting network default start-stop group tacacs+
aaa session-id common
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Aviation-VPN
key egntosc
pool aviation-pool
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
!
!
crypto map aviation-map client authentication list Aviation-auth
crypto map aviation-map isakmp authorization list Aviation-authorization
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
!
interface Serial0/2/0
crypto map aviation-map
12-10-2009 06:46 PM
Thanks for being with me. It is working but with a different configuration. I made an ISAKMP profile and then it started working.