remote access vpn - error

Unanswered Question
Mar 24th, 2010

Hi,

I have a problem with remote access IPSEC VPN configuration on 1841 security router.

Connection can't be established by cisco vpn client.

Part of the configuration is in the attachment.

Best regards,

Miroslav Petkovic

Jennifer Halim Wed, 03/24/2010 - 04:47

Please share debug output when trying to connect to the router.

debug cry isa

debug cry ipsec

Thanks.

miroslavpetkovic Wed, 03/24/2010 - 05:41

There is not any output from debug commands when I tried to connect with remote cisco vpn client.

Router1841#debug cry isa
Crypto ISAKMP debugging is on


Router1841#debug cry ipsec
Crypto IPSEC debugging is on

I received this message from the VPN Client:

Secure VPN Connection terminated locally by the Client

Reason 412: The remote peer is no longer responding.

Best regards,

Miroslav Petkovic

Jennifer Halim Wed, 03/24/2010 - 14:30

What is your logging level? If you are telnetting or ssh into the ASA, please turn on "logging mon 7" and "logging on". You should see debugs when you are trying to connect.

miroslavpetkovic Thu, 03/25/2010 - 03:53

Hi,

this is router cisco 1841. I tried:

Router1841(config)#logging monitor 7
Router1841(config)#logging on
Router1841#terminal monitor
Router1841#debug cry ipsec
Crypto IPSEC debugging is on
Router1841#debug cry isa

but I didn't receive any log when I tried to establish remote access vpn.

Best regards,

Miroslav Petkovic

Jennifer Halim Thu, 03/25/2010 - 03:55

Maybe the VPN connection is not even reaching your router.

What about the VPN Client logs? Can you share, please?

Jennifer Halim Thu, 03/25/2010 - 05:15

On your vpn client, go to Log --> Log Settings --> change everything to High, then enable the logs.

Try to connect again, and grab the logs from the logs tab after you are prompted with that error message.

miroslavpetkovic Thu, 03/25/2010 - 05:37

Hi,

This is log:

Attempt connection with server "118.159.110.241"

4      13:24:50.412  03/25/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 118.159.110.241.

5      13:24:50.419  03/25/10  Sev=Info/4    IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      13:24:50.425  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 118.159.110.241

7      13:24:50.429  03/25/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

8      13:24:50.429  03/25/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

9      13:24:50.430  03/25/10  Sev=Info/4    IPSEC/0x6370000D
Key(s) deleted by Interface (10.1.0.103)

10     13:24:55.553  03/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

11     13:24:55.554  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241

12     13:25:00.625  03/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

13     13:25:00.626  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241

14     13:25:05.695  03/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

15     13:25:05.695  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241

16     13:25:10.765  03/25/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=CD66FFF7820A7902 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     13:25:11.266  03/25/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CD66FFF7820A7902 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

18     13:25:11.266  03/25/10  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "118.159.110.241" because of "DEL_REASON_PEER_NOT_RESPONDING"

19     13:25:11.266  03/25/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

20     13:25:11.288  03/25/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

21     13:25:11.289  03/25/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

22     13:25:12.298  03/25/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

23     13:25:12.298  03/25/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

24     13:25:12.298  03/25/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

25     13:25:12.298  03/25/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

Best regards,

Miroslav Petkovic

Jennifer Halim Thu, 03/25/2010 - 05:42

Yup, doesn't look like the VPN traffic is reaching your router.

Check if UDP/500 is being blocked by your router/modem/etc or ISP or if there is a firewall.
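
Added example, not part of any post in this thread: a Python script that reads Cisco VPN Client log text in the format quoted above and flags the pattern the last reply points to, where IKE packets are sent and retransmitted while R_Cookie stays all zeros. The sample log is a constructed excerpt of the lines posted in the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: three events copied from the client log quoted in the thread.
SAMPLE_LOG = """\
6      13:24:50.425  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 118.159.110.241

11     13:24:55.554  03/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 118.159.110.241

16     13:25:10.765  03/25/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=CD66FFF7820A7902 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+Sev=\S+\s+\S+$")
COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})")

def parse_events(text):
    """Pair each numbered header line with the message line that follows it."""
    events, header = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            header = m
        elif line and header:
            ts = datetime.strptime(f"{header[3]} {header[2]}", "%m/%d/%y %H:%M:%S.%f")
            events.append({"seq": int(header[1]), "time": ts, "msg": line})
            header = None
    return events

def diagnose(text):
    """Summarise a Phase 1 attempt: packets sent, retransmissions, responder cookie."""
    events = parse_events(text)
    sends = [e for e in events if e["msg"].startswith("SENDING >>>")]
    retx = sum("(Retransmission)" in e["msg"] for e in sends)
    cookies = [m.groups() for e in events if (m := COOKIES.search(e["msg"]))]
    # An all-zero responder cookie means no IKE reply from the peer was ever processed.
    no_reply = bool(cookies) and all(r == "0" * 16 for _, r in cookies)
    return {
        "peer": sends[0]["msg"].rsplit(" to ", 1)[-1] if sends else None,
        "sent": len(sends),
        "retransmissions": retx,
        "responder_cookie_zero": no_reply,
        "seconds_waited": (events[-1]["time"] - sends[0]["time"]).total_seconds() if sends else 0.0,
        "no_reply_from_peer": no_reply and retx > 0,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

When `no_reply_from_peer` is true and the router's ISAKMP debug shows nothing at the same time, the first packet is being lost somewhere on the path between client and router, which is where the UDP/500 check comes in.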
