12-23-2009 09:07 AM
Greetings,
I have configured my ASA for Easy VPN remote access. When I tried to connect from the client GUI, I get an error: disconnect 433, remote host disconnecting the connection.
Here is my output from the GUI VPN user:
112 11:59:36.828 12/23/09 Sev=Info/4 CM/0x63100002
Begin connection process.
113 11:59:36.875 12/23/09 Sev=Info/4 CM/0x63100004
Establish secure connection
114 11:59:36.875 12/23/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "X.X.X.X"
115 11:59:36.875 12/23/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with "X.X.X.X".
116 11:59:36.875 12/23/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
117 11:59:36.890 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to "X.X.X.X"
118 11:59:36.937 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = "X.X.X.X"
119 11:59:36.937 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from X.X.X.X
120 11:59:36.937 12/23/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
121 11:59:36.937 12/23/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
122 11:59:36.937 12/23/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
123 11:59:36.953 12/23/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
124 11:59:36.953 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to X.X.X.X
125 11:59:36.953 12/23/09 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0A1E, Remote Port = 0x01F4
126 11:59:36.953 12/23/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
127 11:59:36.953 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = "X.X.X.X"
128 11:59:36.953 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from "X.X.X.X"
129 11:59:36.953 12/23/09 Sev=Info/4 CM/0x63100015
Launch xAuth application
130 11:59:37.078 12/23/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
131 11:59:37.078 12/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
132 11:59:40.906 12/23/09 Sev=Info/4 CM/0x63100017
xAuth application returned
133 11:59:40.906 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to "X.X.X.X"
134 11:59:40.906 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = "X.X.X.X"
135 11:59:40.906 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from
136 11:59:40.906 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
137 11:59:40.906 12/23/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
138 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
139 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
140 11:59:41.968 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to X.X.X.X
141 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = .X.X.X.X
142 11:59:41.968 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from .X.X.X.X
143 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.20.1.100
144 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
145 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = Y.Y.Y.Y
146 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = Y.Y.Y.Y
147 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
148 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
149 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.0(4) built by builders on Thu 07-Aug-08 20:53
150 11:59:41.968 12/23/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
151 11:59:41.984 12/23/09 Sev=Info/4 CM/0x63100019
Mode Config data received
152 11:59:42.000 12/23/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.20.1.100, GW IP =X.X.X.X, Remote IP = 0.0.0.0
153 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to .X.X.X.X
154 11:59:42.015 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = .X.X.X.X
155 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from X.X.X.X.X
156 11:59:42.015 12/23/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
157 11:59:42.015 12/23/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
158 11:59:42.015 12/23/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X.
159 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from X.X.X.X
160 11:59:42.015 12/23/09 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies: I_Cookie=3EC217BD892FAA R_Cookie=1918DD5EF326D0C2
161 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to X.X.X.X.X
162 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=27002AF7
163 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=3EC217BDCC892FAA R_Cookie=1918DD5EF326D0C2) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
164 11:59:42.484 12/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
165 11:59:42.984 12/23/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=3EC217BDCC892FAA R_Cookie=1918DD5EF326D0C2) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
166 11:59:42.984 12/23/09 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
167 11:59:42.984 12/23/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
168 11:59:43.015 12/23/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
169 11:59:43.015 12/23/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
170 11:59:43.015 12/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
171 11:59:43.015 12/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
172 11:59:43.015 12/23/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
173 11:59:43.015 12/23/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
12-23-2009 09:37 AM
Just to add:
I got this in my debug:
Dec 23 07:25:08 [IKEv1]: Group = UL, Username = stlili, IP = x.x.x.x., Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Dec 23 07:25:08 [IKEv1]: Group = UL, Username = stlili, IP = x.x.x.x., QM FSM error (P2 struct &0xd5e89a58, mess id 0x3419efed)!
Dec 23 07:25:08 [IKEv1]: Group = UL, Username = stlili, IP =x.x.x.x., Removing peer from correlator table failed, no match!
I have checked my group policy and everything is fine; I'm actually using the ASDM.
Thanks guys, I really appreciate it.
Any idea, please?
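Added example, not part of the original thread: a short Python triage script that reports how far the client log got before the peer sent its DELETE, and pulls the rejection reason out of the ASA debug lines. The function names are illustrative, and the sample input is a subset of the log lines quoted above.

```python
import re
# Sample input: a subset of the client log and ASA debug lines quoted in this thread.
CLIENT_LOG = """\
137 11:59:40.906 12/23/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
151 11:59:41.984 12/23/09 Sev=Info/4 CM/0x63100019
Mode Config data received
153 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to .X.X.X.X
159 11:59:42.015 12/23/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from X.X.X.X
"""
ASA_DEBUG = """\
Dec 23 07:25:08 [IKEv1]: Group = UL, Username = stlili, IP = x.x.x.x., Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Dec 23 07:25:08 [IKEv1]: Group = UL, Username = stlili, IP = x.x.x.x., QM FSM error (P2 struct &0xd5e89a58, mess id 0x3419efed)!
"""
HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=\w+/\d\s+(\w+)/0x[0-9A-Fa-f]+$")
ASA = re.compile(r"\[IKEv1\]: Group = ([^,]+), Username = ([^,]+), IP\s*=[^,]*, (.*)$")
# Ordered milestones, keyed on message text that appears in the client log.
STAGES = [("phase1", "Established Phase 1 SA"), ("xauth", "1 User Authenticated IKE SA"),
          ("mode_config", "Mode Config data received"), ("quick_mode_sent", "ISAKMP OAK QM")]

def parse_client_log(text):
    """Pair each 'seq time date Sev=... COMP/0xID' header with its message line."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"seq": int(m.group(1)), "component": m.group(2), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def stage_at_peer_delete(records):
    """Return (last milestone reached, seq of the peer's DELETE), or (stage, None)."""
    reached = None
    for r in records:
        if re.search(r"RECEIVING <<< .*\bDEL\b", r["msg"]):
            return reached, r["seq"]
        for name, marker in STAGES:
            if marker in r["msg"]:
                reached = name
    return reached, None

def asa_rejections(text):
    """Extract (group, username, reason) from 'Tunnel Rejected:' debug lines."""
    hits = (ASA.search(l) for l in text.splitlines())
    return [(m.group(1), m.group(2), m.group(3).split(": ", 1)[1])
            for m in hits if m and m.group(3).startswith("Tunnel Rejected:")]
```

On this input the client side shows only that the peer deleted the SA right after Quick Mode was sent; the actual reason appears only in the ASA debug output.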
12-28-2009 12:08 AM
Dear Siefeddine,
Go to IPsec rules and uncheck the "ASA SIDE HOSTNETWORK FROM ADDRESS TRANSLATION" option.
These steps can be done through ASDM: go to the VPN, then to IPsec rules, double-click the IP and uncheck the above-said option. By default address translation is enabled, and it stops the tunnel from coming up.
Regards,