VPN Client not working

Answered Question
May 24th, 2010

Hi all,

Can anyone help me troubleshoot a VPN client that has the following configuration:


CLI(config)# ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
CLI(config)# username marty password 12345678

CLI(config)# isakmp policy 1 authentication pre-share
CLI(config)# isakmp policy 1 encryption 3des
CLI(config)# isakmp policy 1 hash sha
CLI(config)# isakmp policy 1 group 2
CLI(config)# isakmp policy 1 lifetime 43200
CLI(config)# isakmp enable outside
CLI(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

CLI(config)# crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
CLI(config)# crypto dynamic-map Outside_dyn_map 10 set reverse-route
CLI(config)# crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

CLI(config)# crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
CLI(config)# crypto map outside_map interface outside
CLI(config)# crypto isakmp nat-traversal

CLI(config)# group-policy groupvpn internal
CLI(config)# group-policy groupvpn attributes
CLI(config-group-policy)# vpn-tunnel-protocol IPSec

CLI(config)# tunnel-group groupvpn type ipsec-ra
CLI(config)# tunnel-group groupvpn ipsec-attributes
CLI(config-tunnel-ipsec)# pre-shared-key key
CLI(config)# tunnel-group groupvpn general-attributes
CLI(config-tunnel-general)# authentication-server-group LOCAL
CLI(config-tunnel-ipsec)# default-group-policy Solidarityvpn
CLI(config-tunnel-general)# address-pool vpnpool


When I try to connect using the VPN client, it requests authentication; after authenticating, it negotiates the policies and secures the channel, but then it tells me "not connected".



Can anyone help with this?



Thanks in advance,


Ayman

Jennifer Halim Mon, 05/24/2010 - 05:24
Cisco Employee

Seems like there may be a typo in the upper case:

crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside

Try to remove "crypto map outside_map interface outside" and replace it with "crypto map Outside_map interface outside".


If it still doesn't work, turn on "debug cry ipsec" and try to connect again. Please share the debug output. Thanks.

ayman emara Mon, 05/24/2010 - 06:11

How can I get you the debug?

I turned it on, but I do not know how to get the output.


Regards,


Ayman

ayman emara Mon, 05/24/2010 - 07:06

Hi Halijenn,


I think I got this output:



FW# sh isakmp


There are no isakmp sas


Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 19
In Octets: 48833
In Packets: 138
In Drop Packets: 21
In Notifys: 1
In P2 Exchanges: 19
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 19
In P2 Sa Delete Requests: 0
Out Octets: 41040
Out Packets: 142
Out Drop Packets: 0
Out Notifys: 76
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0


Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0




Thanks in advance


Ayman

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 03:47
Cisco Employee

Have you changed the crypto map as advised earlier?


Please share the following show output after the changes:

show crypto isa sa

show crypto ipsec sa

ayman emara Wed, 05/26/2010 - 04:16

Hi halijenn,


Yes, I have changed it as you advised.



FW# show crypto isa sa


There are no isakmp sas
FW#
FW# show crypto ipsec sa


There are no ipsec sas


Thanks for the help.


Ayman

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 04:30
Cisco Employee

I gather your VPN Client is not connected hence nothing on the show outputs.


Can you enable logging on the VPN Client, then try to connect and share the logs on the VPN Client.

ayman emara Wed, 05/26/2010 - 04:59

This is the logging from the VPN client:



Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\


Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 05:05
Cisco Employee

Doesn't seem that you even attempted to connect from the logs.

ayman emara Wed, 05/26/2010 - 05:33

Sorry Halijenn,

Kindly find the log below:


Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3


150    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100002
Begin connection process


151    15:31:57.375  05/26/10  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully


152    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet


153    15:31:57.375  05/26/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "196.218.181.234"


154    15:31:58.375  05/26/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.


155    15:31:58.375  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234


156    15:31:58.375  05/26/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started


157    15:31:58.375  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


158    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


159    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234


160    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer


161    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH


162    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD


163    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T


164    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads


165    15:31:59.046  05/26/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful


166    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234


167    15:31:59.046  05/26/10  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA


168    15:31:59.046  05/26/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194


169    15:31:59.046  05/26/10  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device


170    15:31:59.046  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


171    15:31:59.750  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


172    15:31:59.750  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


173    15:31:59.750  05/26/10  Sev=Info/4    CM/0x63100015
Launch xAuth application


174    15:32:01.375  05/26/10  Sev=Info/4    CM/0x63100017
xAuth application returned


175    15:32:01.375  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


176    15:32:02.031  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


177    15:32:02.031  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


178    15:32:02.031  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


179    15:32:02.031  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system


180    15:32:02.312  05/26/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator


181    15:32:02.312  05/26/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).


182    15:32:02.312  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


183    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


184    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


185    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100


186    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0


187    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000


188    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000


189    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48


190    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194


191    15:32:02.984  05/26/10  Sev=Info/4    CM/0x63100019
Mode Config data received


192    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0


193    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234


194    15:32:03.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


195    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


196    15:32:03.687  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234


197    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds


198    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 43195 seconds from now


199    15:32:03.687  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


200    15:32:03.687  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


201    15:32:03.703  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


202    15:32:03.703  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


203    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


204    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


205    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x63000073
All fragments received.


206    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234


207    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234


208    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=4280D439


209    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED


210    15:32:03.734  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


211    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1


212    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234


213    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=201F310765753FE5 R_Cookie=90B7636188FDA5A1) reason = DEL_REASON_IKE_NEG_FAILED


214    15:32:06.828  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


215    15:32:06.828  05/26/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv


216    15:32:06.828  05/26/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.


217    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection


218    15:32:06.828  05/26/10  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully


219    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


220    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


221    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


222    15:32:06.828  05/26/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped


223    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100002
Begin connection process


224    15:32:07.765  05/26/10  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully


225    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet


226    15:32:07.765  05/26/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "196.218.181.234"


227    15:32:08.765  05/26/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 196.218.181.234.


228    15:32:08.781  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 196.218.181.234


229    15:32:08.781  05/26/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started


230    15:32:08.781  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


231    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


232    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 196.218.181.234


233    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer


234    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH


235    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD


236    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T


237    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads


238    15:32:09.453  05/26/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful


239    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 196.218.181.234


240    15:32:09.453  05/26/10  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA


241    15:32:09.453  05/26/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194


242    15:32:09.453  05/26/10  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device


243    15:32:09.453  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


244    15:32:10.109  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


245    15:32:10.109  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


246    15:32:10.109  05/26/10  Sev=Info/4    CM/0x63100015
Launch xAuth application


247    15:32:11.609  05/26/10  Sev=Info/4    CM/0x63100017
xAuth application returned


248    15:32:11.609  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


249    15:32:12.296  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


250    15:32:12.296  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


251    15:32:12.296  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


252    15:32:12.296  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system


253    15:32:12.593  05/26/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator


254    15:32:12.593  05/26/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).


255    15:32:12.593  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 196.218.181.234


256    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


257    15:32:13.328  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 196.218.181.234


258    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100


259    15:32:13.328  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0


260    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000


261    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000


262    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5520 Version 7.0(8) built by builders on Sat 31-May-08 23:48


263    15:32:13.343  05/26/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194


264    15:32:13.343  05/26/10  Sev=Info/4    CM/0x63100019
Mode Config data received


265    15:32:13.343  05/26/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.1.100, GW IP = 196.218.181.234, Remote IP = 0.0.0.0


266    15:32:13.343  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234


267    15:32:13.828  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


268    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


269    15:32:14.109  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234


270    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 43200 seconds


271    15:32:14.109  05/26/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 43194 seconds from now


272    15:32:14.125  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


273    15:32:14.125  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


274    15:32:14.156  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


275    15:32:14.156  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


276    15:32:14.171  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


277    15:32:14.171  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 196.218.181.234


278    15:32:14.171  05/26/10  Sev=Info/5    IKE/0x63000073
All fragments received.


279    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234


280    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 196.218.181.234


281    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=F3754338


282    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED


283    15:32:14.187  05/26/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 196.218.181.234


284    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9


285    15:32:14.187  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 196.218.181.234


286    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CBDFD65E6BEF2EC7 R_Cookie=EF8DB6A138C2E1E9) reason = DEL_REASON_IKE_NEG_FAILED


287    15:32:17.328  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


288    15:32:17.328  05/26/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv


289    15:32:17.328  05/26/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.


290    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection


291    15:32:17.328  05/26/10  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully


292    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


293    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


294    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


295    15:32:17.328  05/26/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

ayman emara Sat, 05/29/2010 - 01:20

Hi Halijenn,


Do the logs mean something, or do you want me to do something else?




Thanks in advance


Ayman

Correct Answer
Federico Coto F... Sat, 05/29/2010 - 01:28
Green, 3000 points or more

According to the logs you're getting authenticated as a VPN user, but then the IPsec SA negotiation fails.


Can you post the current 'sh run' from the ASA?


Federico.
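Federico's reading of the client log above (Phase 1 and XAUTH succeed, the client receives its mode-config address, sends its Quick Mode proposal, and the gateway answers with NOTIFY:INVALID_ID_INFO) can be automated. What follows is an added example, not code from this thread or from Cisco: it parses the Cisco VPN Client log format shown above (a header line carrying sequence number, time, date, severity and component/code, followed by one message line) and reports the last milestone the attempt reached. SAMPLE_LOG is a subset of the lines Ayman posted; the milestones chosen and the verdict wording are this example's own assumptions, not client documentation.

```python
"""Triage a Cisco VPN Client (IKEv1) log to find the last milestone a connection reached.

Added example; not code from the thread or from Cisco. The client writes each event
as a header line (sequence, time, date, severity, component/code) followed by one
message line. The milestones tracked here are the ones the responders in the thread
read off the log: Phase 1 SA established, XAUTH user authenticated, mode-config
address assigned, Quick Mode (Phase 2) proposal sent, NOTIFY payloads received. The
verdict strings are this example's own assumptions, not client documentation.
"""
from __future__ import annotations

import re

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
PHASE1 = re.compile(r"Established Phase 1 SA\.\s+(\d+) Crypto Active IKE SA, (\d+) User Authenticated")
ASSIGNED = re.compile(r"INTERNAL_IPV4_ADDRESS: , value = (\S+)")
NOTIFY = re.compile(r"NOTIFY:(\w+)")
FAILURE = re.compile(r'cause by "(\w+)"')
BENIGN_NOTIFIES = {"STATUS_RESP_LIFETIME"}  # informational, not a rejection

# Subset of the client log posted in the thread (constructed sample input).
SAMPLE_LOG = """\
170    15:31:59.046  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

173    15:31:59.750  05/26/10  Sev=Info/4    CM/0x63100015
Launch xAuth application

179    15:32:02.031  05/26/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

185    15:32:02.984  05/26/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.100

193    15:32:02.984  05/26/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 196.218.181.234

196    15:32:03.687  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 196.218.181.234

206    15:32:03.734  05/26/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 196.218.181.234

214    15:32:06.828  05/26/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""


def parse_events(text: str) -> list[dict]:
    """Pair each header line with the message line that follows it."""
    events, header = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := HEADER.match(line):
            header = m.groupdict()
        elif header is not None:
            events.append({**header, "msg": line})
            header = None
    return events


def verdict(s: dict) -> str:
    """Map the milestones reached to the layer a troubleshooter should look at next."""
    if not s["phase1"]:
        return "Phase 1 never established: check reachability, ISAKMP policy and pre-shared key"
    if not s["xauth"]:
        return "XAUTH did not complete: check the user credentials and authentication-server-group"
    if not s["qm_sent"]:
        return "Mode-config did not complete: check the address pool and group-policy"
    rejects = [n for n in s["notifies"] if n not in BENIGN_NOTIFIES]
    if rejects or s["failure"]:
        return (f"Phase 2 rejected by the gateway ({', '.join(rejects) or s['failure']}): "
                "the IPsec proposal was not matched; check crypto map, dynamic-map and transform-set")
    return "No Phase 2 rejection seen in the log"


def triage(text: str) -> dict:
    """Walk the events in order and record which milestones were reached."""
    s = {"phase1": False, "xauth": False, "assigned_ip": None, "qm_sent": False,
         "notifies": [], "failure": None}
    for ev in parse_events(text):
        msg = ev["msg"]
        if m := PHASE1.search(msg):
            s["phase1"] = True
            s["xauth"] = s["xauth"] or int(m.group(2)) > 0  # XAUTH done once a user-authenticated SA exists
        elif m := ASSIGNED.search(msg):
            s["assigned_ip"] = m.group(1)
        elif "SENDING >>> ISAKMP OAK QM" in msg:
            s["qm_sent"] = True
        elif "RECEIVING <<<" in msg and (m := NOTIFY.search(msg)):
            s["notifies"].append(m.group(1))
        elif m := FAILURE.search(msg):
            s["failure"] = m.group(1)
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["verdict"])
```

Feed a complete saved client log to `triage()` the same way. On the thread's log the verdict lands on Phase 2, which is why the next useful artefact is the ASA's running config rather than more client-side debugging; the gateway side of the same failure is visible in the `sh isakmp` counters Ayman posted earlier (19 previous tunnels, "In P2 Exchange Rejects: 19", no active tunnels).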

Correct Answer
Federico Coto F... Sat, 05/29/2010 - 01:43
Green, 3000 points or more

Some comments:
I assume that you changed the outside IP 1.1.1.1?
This unit is configured as a secondary failover unit?


Anyway, I think the problem is this:


Change this line:
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
To this one:
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA


Federico.
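Federico's fix works because ASA object names are case-sensitive. The posted config defines two dynamic maps, outside_dyn_map (carrying the transform-set and the SA lifetime) and Outside_dyn_map (carrying only reverse-route); the crypto map entry references the second one, which has no transform-set, so the ASA has nothing to match against the client's Quick Mode proposal and answers INVALID_ID_INFO. The same typo class hit the crypto map itself (Outside_map holds the entry, outside_map is what was bound to the interface), which is what Jennifer caught earlier. The following is an added example, not code from this thread or from Cisco: a small lint over an ASA configuration that flags references that only resolve under a different capitalisation. SAMPLE_CONFIG is the posted configuration with the CLI prompts stripped; the regexes and the final default-group-policy check are this example's own additions (the thread never discusses the Solidarityvpn / groupvpn mismatch, which may simply be a sanitised paste).

```python
"""Lint an ASA IPsec config for object references that only resolve under another case.

Added example; not code from the thread or from Cisco. ASA names for crypto maps,
dynamic maps and group policies are case-sensitive, so 'outside_dyn_map' and
'Outside_dyn_map' are two unrelated dynamic maps. Everything below the sample is
this example's own logic and assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed from the configuration in the original post, CLI prompts removed.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside
group-policy groupvpn internal
tunnel-group groupvpn type ipsec-ra
tunnel-group groupvpn general-attributes
 default-group-policy Solidarityvpn
"""

DYN_SET = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (\S+)")
MAP_DYN = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)")
GP_DEF = re.compile(r"^group-policy (\S+) internal")
GP_REF = re.compile(r"^\s*default-group-policy (\S+)")  # sub-mode lines are indented in show run


def case_twins(name: str, names) -> list[str]:
    """Other names that equal `name` once case is ignored."""
    return sorted(n for n in names if n != name and n.lower() == name.lower())


def lint(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every reference resolves."""
    dyn_attrs = defaultdict(set)   # dynamic-map name -> attributes set on it
    map_refs = defaultdict(list)   # crypto map name -> dynamic maps its entries reference
    applied = {}                   # interface -> crypto map bound to it
    policies, policy_refs = set(), []

    for line in config.splitlines():
        if m := DYN_SET.match(line):
            dyn_attrs[m.group(1)].add(m.group(3))
        elif m := MAP_DYN.match(line):
            map_refs[m.group(1)].append(m.group(3))
        elif m := MAP_IF.match(line):
            applied[m.group(2)] = m.group(1)
        elif m := GP_DEF.match(line):
            policies.add(m.group(1))
        elif m := GP_REF.match(line):
            policy_refs.append(m.group(1))

    def hint(name, pool):
        twins = case_twins(name, pool)
        return f" (did you mean {', '.join(twins)}?)" if twins else ""

    findings = []
    # A crypto map bound to an interface but holding no entries matches no peer at all.
    for iface, name in applied.items():
        if name not in map_refs:
            findings.append(f"interface {iface}: crypto map '{name}' has no entries{hint(name, map_refs)}")
    # The referenced dynamic map must exist and carry a transform-set, or Phase 2 has no proposal to accept.
    for map_name, refs in map_refs.items():
        for ref in refs:
            if ref not in dyn_attrs:
                findings.append(f"crypto map '{map_name}': dynamic-map '{ref}' is not defined{hint(ref, dyn_attrs)}")
            elif "transform-set" not in dyn_attrs[ref]:
                findings.append(f"crypto map '{map_name}': dynamic-map '{ref}' has no transform-set{hint(ref, dyn_attrs)}")
    # Any object that exists under two spellings is almost always a typo; report each pair once.
    for kind, pool in (("dynamic-map", set(dyn_attrs)), ("crypto map", {*map_refs, *applied.values()})):
        reported = set()
        for name in sorted(pool):
            twins = case_twins(name, pool)
            if twins and name.lower() not in reported:
                reported.add(name.lower())
                findings.append(f"{kind} names differ only by case: {name}, {', '.join(twins)}")
    # Not discussed in the thread, but a default-group-policy must name a defined group-policy.
    for ref in policy_refs:
        if ref not in policies:
            findings.append(f"default-group-policy '{ref}' is not a defined group-policy")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On SAMPLE_CONFIG this reports five findings. Applying the two renames advised in the thread (the transform-set line onto Outside_dyn_map, the interface binding onto Outside_map) clears the two blocking ones; the orphaned lowercase dynamic map that still carries the lifetime setting remains as a case-twin warning. The check is purely lexical, so the output of `show running-config crypto` from a live ASA can be fed in unchanged.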

ayman emara Sat, 05/29/2010 - 02:02

Thanks very much Federico, it worked.


Thanks to you all, you are really helpful.



Regards,


Ayman
