VPN Client not working

Answered Question
May 24th, 2010

Hi all,

Can anyone help me troubleshoot a VPN client that has the following configuration:

CLI(config)# ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0   
CLI(config)#username marty password 12345678               


CLI(config)#isakmp policy 1 authentication pre-share
CLI(config)#isakmp policy 1 encryption 3des
CLI(config)#isakmp policy 1 hash sha
CLI(config)#isakmp policy 1 group 2
CLI(config)#isakmp policy 1 lifetime 43200
CLI(config)#isakmp enable outside
CLI(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

CLI(config)#crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA

CLI(config)#crypto dynamic-map Outside_dyn_map 10 set reverse-route
CLI(config)#crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

CLI(config)#crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
CLI(config)#crypto map outside_map interface outside
CLI(config)#crypto isakmp nat-traversal


CLI(config)#group-policy groupvpn internal

CLI(config)#group-policy groupvpn attributes

CLI(config-group-policy)#vpn-tunnel-protocol IPSec

CLI(config)#tunnel-group groupvpn type ipsec-ra

CLI(config)#tunnel-group groupvpn ipsec-attributes

CLI(config-tunnel-ipsec)#pre-shared-key key

CLI(config)#tunnel-group groupvpn general-attributes

CLI(config-tunnel-general)#authentication-server-group LOCAL

CLI(config-tunnel-ipsec)# default-group-policy Solidarityvpn

CLI(config-tunnel-general)#address-pool vpnpool

When I try to connect using the VPN client, it requests authentication, and after authenticating it negotiates policies and secures the channel, but then it gives me "Not connected".

Can anyone help with this?

Thanks in advance,

Ayman

Correct Answer by Jennifer Halim about 3 years 11 months ago

Doesn't seem that you even attempted to connect from the logs.

Jennifer Halim Mon, 05/24/2010 - 05:24

Seems like maybe a typo on the upper case:

crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto  map outside_map interface outside

Try removing "crypto map outside_map interface outside" and replacing it with "crypto map Outside_map interface outside".

If it still doesn't work, turn on "debug cry ipsec" and try to connect again. Please share the debug output. Thanks.

ayman emara Mon, 05/24/2010 - 06:11

How can I get you the debug?

I opened it, but I do not know how to get the output.

Regards,

Ayman

ayman emara Mon, 05/24/2010 - 07:06

Hi Halijenn,

I think I got this output:

FW# sh isakmp

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 19
In Octets: 48833
In Packets: 138
In Drop Packets: 21
In Notifys: 1
In P2 Exchanges: 19
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 19
In P2 Sa Delete Requests: 0
Out Octets: 41040
Out Packets: 142
Out Drop Packets: 0
Out Notifys: 76
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

.

Thanks in advance

Ayman

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 03:47

Have you changed the crypto map as advised earlier?

Please share the following show output after the changes:

show crypto isa sa

show crypto ipsec sa

ayman emara Wed, 05/26/2010 - 04:16

Hi halijenn,

Yes, I have changed it as you advised.

FW# show crypto isa sa

There are no isakmp sas
FW#
FW# show crypto ipsec sa

There are no ipsec sas

Thanks for the help.

Ayman

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 04:30

I gather your VPN Client is not connected hence nothing on the show outputs.

Can you enable logging on the VPN Client, then try to connect and share the logs on the VPN Client.

ayman emara Wed, 05/26/2010 - 04:59

This is the logging from the VPN client:

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\


ayman emara Wed, 05/26/2010 - 05:33

Sorry halijenn,

Kindly find the log below:

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

150    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100002
Begin connection process

151    15:31:57.375  05/26/10  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

152    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet

153    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "196.218.181.234"

154    15:31:58.375  05/26/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.

155    15:31:58.375  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234

156    15:31:58.375  05/26/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

157    15:31:58.375  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

158    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

159    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234

160    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

161    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

162    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD

163    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

164    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads

165    15:31:59.046  05/26/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

166    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234

167    15:31:59.046  05/26/10  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

168    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

169    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

170    15:31:59.046  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

171    15:31:59.750  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

172    15:31:59.750  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

173    15:31:59.750  05/26/10  Sev=Info/4    CM/0x63100015
Launch xAuth application

174    15:32:01.375  05/26/10  Sev=Info/4    CM/0x63100017
xAuth application returned

175    15:32:01.375  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

176    15:32:02.031  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

177    15:32:02.031  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

178    15:32:02.031  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

179    15:32:02.031  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

180    15:32:02.312  05/26/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator

181    15:32:02.312  05/26/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

182    15:32:02.312  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

183    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

184    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

185    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100

186    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

187    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

188    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

189    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48

190    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

191    15:32:02.984  05/26/10  Sev=Info/4    CM/0x63100019
Mode Config data received

192    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0

193    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234

194    15:32:03.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

195    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

196    15:32:03.687  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234

197    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds

198    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 43195 seconds from now

199    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

200    15:32:03.687  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

201    15:32:03.703  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

202    15:32:03.703  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

203    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

204    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

205    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x63000073
All fragments received.

206    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234

207    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234

208    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=4280D439

209    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED

210    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

211    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1

212    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234

213    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED

214    15:32:06.828  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

215    15:32:06.828  05/26/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

216    15:32:06.828  05/26/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

217    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

218    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

219    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

220    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

221    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

222    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

223    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100002
Begin connection process

224    15:32:07.765  05/26/10  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

225    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet

226    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "196.218.181.234"

227    15:32:08.765  05/26/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.

228    15:32:08.781  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234

229    15:32:08.781  05/26/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

230    15:32:08.781  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

231    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

232    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234

233    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

234    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

235    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD

236    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

237    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads

238    15:32:09.453  05/26/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

239    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234

240    15:32:09.453  05/26/10  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

241    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

242    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

243    15:32:09.453  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

244    15:32:10.109  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

245    15:32:10.109  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

246    15:32:10.109  05/26/10  Sev=Info/4    CM/0x63100015
Launch xAuth application

247    15:32:11.609  05/26/10  Sev=Info/4    CM/0x63100017
xAuth application returned

248    15:32:11.609  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

249    15:32:12.296  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

250    15:32:12.296  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

251    15:32:12.296  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

252    15:32:12.296  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

253    15:32:12.593  05/26/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator

254    15:32:12.593  05/26/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

255    15:32:12.593  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234

256    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

257    15:32:13.328  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234

258    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100

259    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

260    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

261    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

262    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48

263    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

264    15:32:13.343  05/26/10  Sev=Info/4    CM/0x63100019
Mode Config data received

265    15:32:13.343  05/26/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0

266    15:32:13.343  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234

267    15:32:13.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

268    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

269    15:32:14.109  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234

270    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds

271    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 43194 seconds from now

272    15:32:14.125  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

273    15:32:14.125  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

274    15:32:14.156  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

275    15:32:14.156  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

276    15:32:14.171  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

277    15:32:14.171  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234

278    15:32:14.171  05/26/10  Sev=Info/5    IKE/0x63000073
All fragments received.

279    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234

280    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234

281    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=F3754338

282    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED

283    15:32:14.187  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234

284    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9

285    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234

286    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED

287    15:32:17.328  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

288    15:32:17.328  05/26/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

289    15:32:17.328  05/26/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

290    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

291    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

292    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

293    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

294    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

295    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

ayman emara Sat, 05/29/2010 - 01:20

Hi halijenn,

Do the logs mean something, or do you want me to do something else?

Thanks in advance

Ayman

Correct Answer
coto.fusionet Sat, 05/29/2010 - 01:28

According to the logs you're getting authenticated as a VPN user, but then the IPsec SA negotiation fails.

Can you post the current "sh run" from the ASA?

Federico.
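
The reading of the client log given above (the user is authenticated, then the IPsec SA negotiation fails) can be extracted mechanically. The following is an added example, not part of the thread: the milestone names and function names are assumptions of the example, and the sample is an excerpt of the posted log with the peer address replaced by a documentation address.

```python
import re

# Excerpt of the first attempt in the client log above; the peer address is
# replaced with a documentation address (constructed sample).
SAMPLE_LOG = """\
150    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100002
Begin connection process

170    15:31:59.046  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

179    15:32:02.031  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

191    15:32:02.984  05/26/10  Sev=Info/4    CM/0x63100019
Mode Config data received

193    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.0.2.10

206    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 192.0.2.10

214    15:32:06.828  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+\d\d/\d\d/\d\d\s+Sev=\w+/\d\s+(\w+)/0x[0-9A-Fa-f]+\s*$")
# Milestones in the order the client reaches them, keyed on message text
# that appears in the posted log. The labels are this example's own.
MILESTONES = [
    ("phase1", re.compile(r"Established Phase 1 SA")),
    ("xauth", re.compile(r"\b[1-9]\d* User Authenticated IKE SA")),
    ("mode_config", re.compile(r"Mode Config data received")),
    ("quick_mode_sent", re.compile(r"SENDING >>> ISAKMP OAK QM")),
]
NOTIFY = re.compile(r"RECEIVING <<< .*NOTIFY:(\w+)")
REASON = re.compile(r"DEL_REASON_\w+")


def parse_entries(text):
    """Return (seq, time, component, message) for each two-part log entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [int(m.group(1)), m.group(2), m.group(3), []]
            entries.append(current)
        elif current is not None and line.strip():
            current[3].append(line.strip())  # message may span several lines
    return [(s, t, c, " ".join(msg)) for s, t, c, msg in entries]


def triage(text):
    """Summarise each connection attempt: milestones, notifies, delete reason."""
    attempts = []
    for _seq, time, _comp, msg in parse_entries(text):
        if msg.startswith("Begin connection process") or not attempts:
            attempts.append({"start": time, "reached": [], "notifies": [], "reason": None})
        a = attempts[-1]
        for name, pat in MILESTONES:
            if pat.search(msg) and name not in a["reached"]:
                a["reached"].append(name)
        if n := NOTIFY.search(msg):
            a["notifies"].append(n.group(1))
        if r := REASON.search(msg):
            a["reason"] = r.group(0)
    return attempts
```

An attempt whose last milestone is `quick_mode_sent` and whose notifies include `INVALID_ID_INFO` got through Phase 1, XAUTH and mode config and was turned down at the Phase 2 proposal, which points at the head-end crypto map rather than at credentials or the pre-shared key.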

Correct Answer
coto.fusionet Sat, 05/29/2010 - 01:43

Some comments:
I assume that you changed the outside IP 1.1.1.1?
This unit is configured as a secondary failover unit?

Anyway, I think the problem is this:


Change this line:
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
To this one:
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA

Federico.
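
Both fixes in this thread come down to crypto map and dynamic-map names that differ only in letter case. The following is an added example, not part of the thread and not Cisco tooling: a small check that flags such mismatches in the crypto lines of a configuration. The finding codes and function name are assumptions of the example, and the sample is the question's configuration with the CLI prompts stripped.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto lines from the question, CLI prompts stripped.
BROKEN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside
"""

# The same lines with the two changes suggested in the thread applied.
FIXED = (
    BROKEN
    .replace("dynamic-map outside_dyn_map 10 set transform-set",
             "dynamic-map Outside_dyn_map 10 set transform-set")
    .replace("crypto map outside_map interface", "crypto map Outside_map interface")
)

DYN_SET = re.compile(r"crypto dynamic-map (\S+) \d+ set (\S+)")
MAP_DYN = re.compile(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
MAP_IF = re.compile(r"crypto map (\S+) interface (\S+)")


def lint_crypto_names(config_text):
    """Return sorted (code, name) findings for crypto map naming problems."""
    dyn_settings = defaultdict(set)  # dynamic-map name -> settings configured on it
    map_refs = defaultdict(set)      # crypto map name -> dynamic maps it references
    applied = {}                     # crypto map name -> interface it is applied to

    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse doubled spaces from pasted configs
        if m := DYN_SET.match(line):
            dyn_settings[m.group(1)].add(m.group(2))
        elif m := MAP_DYN.match(line):
            map_refs[m.group(1)].add(m.group(2))
        elif m := MAP_IF.match(line):
            applied[m.group(1)] = m.group(2)

    findings = set()

    # 1. Names that differ only by case are separate objects, as the thread shows.
    for names in (set(dyn_settings), set(map_refs) | set(applied)):
        by_fold = defaultdict(set)
        for name in names:
            by_fold[name.lower()].add(name)
        for variants in by_fold.values():
            if len(variants) > 1:
                findings.add(("CASE_VARIANTS", "/".join(sorted(variants))))

    # 2. A crypto map applied to an interface needs entries under that exact name.
    for name in applied:
        if name not in map_refs:
            findings.add(("APPLIED_MAP_EMPTY", name))

    # 3. A referenced dynamic map needs a transform-set under that exact name.
    for refs in map_refs.values():
        for dyn in refs:
            if "transform-set" not in dyn_settings.get(dyn, set()):
                findings.add(("NO_TRANSFORM_SET", dyn))

    return sorted(findings)
```

With the thread's two changes applied to the sample, the only remaining finding is the case variant on the dynamic map, because the security-association lifetime line still sits under the lowercase name.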

ayman emara Sat, 05/29/2010 - 02:02

Thanks very much, Federico, it worked.

Thanks to you all, you are really helpful.

Regards,

Ayman

Posted May 24, 2010 at 5:17 AM