VPN Setup

Answered Question
Jun 15th, 2010

First off I am trying to Remotely connect a user to the Insider Server directory at my company and Need to use the VPN.  We have a PIX 501 Version 6.3(5), PDM Version 3.0(4).  It was originally set up by a 3rd party that we hired to get the entire Server up and running, they have however gone out of business since then and I cannot find anyone locally to help me with this.  I am fairly adept at keeping everything running, and we have not needed to use the VPN for a while, but it seems that the VPN configuration may need to be redone.  I have used the VPN Wizard to set up the VPN, and have tried to use another computer on another Internet source to try to connect to the VPN, however my VPN client keeps getting a 'Reason 412: The remote peer is no longer responding'.  Is there any easy way to get this set up?

Richard Burts Tue, 06/15/2010 - 11:35

John

There should be a way to get this set up. What that will qualify as easy is another question.

There is not enough detail here for us to understand what the problem is or what you could do about it. When you attempt to connect to the VPN, do you get a prompt for user name and password? When you attempt to connect to the VPN are any log messages generated by the PIX?

It might be helpful if you would post the configuration of the PIX (or at least all the parts that relate to the VPN).

HTH

Rick

archmillwork Tue, 06/15/2010 - 11:54

Well since Easy is objective I guess I just need it simplified enough that I can write it down to make sure it can be done again in the future if needed.

I have used the VPN Wizard to get everything in place; group name is AMMC, password is alpha.  The outside IP is set by DHCP.

When I run the Client, I have it set up to access the IP address for the Office, using the aforementioned group name and password, and it never asks me for another login, it just cycles like it's trying to connect then says 'not connected' on the bottom of the frame.

The notification window says

"Initializing the connection...

Contacting the gateway at x.x.x.x ...

Secure VPN Connection Terminated locally by Client.

Reason 412: The remote peer is no longer responding.

Connection terminated on Jun. 15, 2010 11:52:18         Duration: Not connected."

As far as the Configuration on the PIX goes I'm not sure how to get that.    I also don't know how to get any of the logs.

Is there a way to get to it from the PDM?

Thank You,

John

Richard Burts Tue, 06/15/2010 - 12:52

John

There ought to be a couple of ways to get the config information. It has been a while since I used PDM but there should be an option in it to view the config, and from that it should be possible to cut and paste the config information into a text file. Or another possibility may be to use an option in PDM to save the config. Within this should be an option to TFTP the config to your PC. If the PIX will TFTP the config to your PC then you can use a text editor to access its content or can post the config file (after obscuring sensitive addresses and passwords).

As far as getting at the logs, I would assume that there is an option in the monitoring function of PDM to show the logs.

I am interested in your comment that the outside address is set by DHCP. If the outside address is possibly dynamic then that could complicate setting up VPN. So I am curious about the message:"Contacting the gateway at x.x.x.x ...". So what is x.x.x.x and how does that relate to the outside address of the PIX? Is there a way to test and verify whether you have IP connectivity from where you are testing to the PIX (ping or tracert or something)?

HTH

Rick

archmillwork Tue, 06/15/2010 - 13:33

I have found the Command line interface in the PDM, and came up with a config, and a log, though the log doesn't show any of my trying to log into the VPN, just my office mates not working... Other than running the VPN Wizard I have not changed anything in the config.

As far as the IP address goes, I came up with what the IP is by going to places like whatismyip.com and whatismyipaddress.com.  Not quite sure if that's right but both come up with the same IP address, so that's the IP I have set my VPN client to go to.

I can Ping the IP for the company and get a response.  Though the ping back to the secondary internet source doesn't seem to be coming back.  I don't know if the firewall ping is working, but it does seem to be when I ping other computers inside the network...

Result of firewall command: "show config"

: Saved
: Written by enable_15 at 11:59:05.158 PDT Tue Jun 15 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CHLT6WlKIINkqDao encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxx
domain-name xxx.dom
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 10.10.1.10
access-list outside_cryptomap_dyn_20 permit ip any host 10.10.1.10
pager lines 24
logging on
logging buffered notifications
logging host inside 10.10.1.10 format emblem
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool 10.10.1.100-10.10.1.244
pdm location 10.10.1.112 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication TACACS+ LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ammco address-pool Pool
vpngroup ammco default-domain xxx.dom
vpngroup ammco idle-time 1800
vpngroup ammc password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.2-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password 2.L7i4CxlntxBayE encrypted privilege 15
terminal width 80
Cryptochecksum:1b9a8756fdfa0ca11ad3a210649f7293

Result of firewall command: "show logging"


Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 9910 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
Fpub%2Fagent.dll
304001: 10.10.1.102 Accessed URL 74.125.127.149:/activity;src=2588797;type=nausc826;cat=nauss008;u=08d0db93a3de4aae88044148ed5d4023;u16=oi;u13=;u14=n;u11=Economy%20/%20Coach;u12=;u9=;u10=;u7=1%20%7C%200;u8=;u5=;u6=;u3=EUG;u4=20101223%20%7C%2020101227;u1=Flight;u2=LAX;ord=5498487375442.865?;~oref=http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll
304001: 10.10.1.102 Accessed URL 74.125.127.156:/pagead/viewthroughconversion/1045337482/?label=CaglCPi_2AEQiqu68gM&guid=ON&script=0&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false
304001: 10.10.1.102 Accessed URL 74.125.127.156:/pagead/viewthroughconversion/1045337482/?label=s5u4CPCPswEQiqu68gM&guid=ON&script=0&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false
304001: 10.10.1.102 Accessed URL 74.125.127.99:/afsonline/show_afs_ads.js
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=742892&t=2
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=728151&t=2
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=788292&t=2
304001: 10.10.1.102 Accessed URL 184.73.55.124:/pixel?pixelID=12262&partnerID=123&clientID=2058&key=segment
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=749391&t=2
304001: 10.10.1.102 Accessed URL 66.235.139.152:/b/ss/expedia1/1/G.9p2/s64966286992930?[AQB]&ndh=1&t=15/5/2010%2013%3A23%3A8%202%20420&ce=ISO-8859-1&cdp=2&pageName=HTX_FLTAAP_OUT&g=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dfexp%26qryt%3D2%26tovr%3D-1294537...
304001: 10.10.1.102 Accessed URL 209.235.221.100:/Offers/Delivery/Deliver.aspx?f=50&thrn=274930&pgID=HTX_FLTAAP_OUT&Start=0&OfferC=&MessageC=&rd=12/27/2010&sd=EUG&sa=LAX&st=240&ss=091&pa=1&Dt0=23-Dec&D0=EUG&A0=LAX&P0=318.01&N0=AS2338,AS560&T0=5:20am&P1=318.01&N1=AA7534,AA6886&T1=5:20am&P2=318.01&N2=AA7534,AA6865&T2=5:20am&P3=318.01&N3=AS2338,AS562&T3=5:20am&P4=348.00&N4=AS2296,AS462&T4=9:55am&P5=348.00&N5=AS2298,AS450&T5=6:55pm&P6=348.00&N6=AS2280,AS460&T6=6:55am&P7=348.00&N7=AS2338,AS2238,AS456&T7=5:20am&P8=348.00&N8=AS2040,AS2046,AS472&T8=4:05pm&P9=412.00&N9=UA6332,UA6082&T9=6:16pm&P10=412.00&N10=UA6406,UA844&T10=12:45pm&P11=412.00&N11=UA6408,UA145&T11=3:12pm&P12=423.15&N12=US7601,US6508&T12=12:45pm&P13=423.15&N13=US7602,US6738&T13=3:12pm&P14=432.01&N14=UA6400,UA858&T14=7:55am&P15=432.01&N15=UA6404,UA111&T15=10:28am&P16=432.01&N16=UA6400,UA888&T16=7:55am&P17=444.16&N17=US7598,US6803&T17=7:55am&P18=444.16&N18=US7600,US6728&T18=10:28am&P19=444.16&N19=US7598,US6705&T19=7:55am&P20=512.00&N20=DL4681,DL2441&T20=6:00am&P21=564.01&N21=DL4681,DL4701&T21=6:00am&P22=802.01&N22=DL4683,DL4703&T22=1:00pm&eapid=0&
304001: 10.10.1.102 Accessed URL 64.127.118.102:/baynote/customerstatus2?customerId=expedia&code=www&x=01276633388717
304001: 10.10.1.101 Accessed URL 65.55.87.111:/videoByTag.aspx?tag=im_default&ns=Gallery&mk=us&vs=1&responseEncoding=RSS&p=imbot_us_default
304001: 10.10.1.112 Accessed URL 128.242.245.116:/statuses/user_timeline.json?screen_name=gamelife&callback=TWTR.Widget.receiveCallback_1&count=50&since_id=15973158362&refresh=true&clientsource=TWITTERINC_WIDGET

Richard Burts Tue, 06/15/2010 - 14:32

John

Thanks for the additional information. I am glad that you figured out how to get to the configuration and to the logs. That is helpful.

In looking through the configuration I notice multiple references to address 10.10.1.10. PDM associates that address with locations both inside and outside, and that address is exempted from translation. Was this really the address or did you change a real address to hide it?

If the logs do not show your attempts to connect to VPN there are a couple of possibilities to consider:

- perhaps your attempts to connect do not fall into the period of time contained in the logs.

- perhaps your attempts to connect never got to the interface of the PIX.

- perhaps your attempt to connect contains some flaw that prevented the PIX from processing your request.

I have seen situations where there was a mistake in the VPN group name or in the group password and it produced symptoms similar to this. In the PIX there is this line:

vpngroup ammc password ********

I would suggest that you test again and be very sure that what is entered in your VPN client matches EXACTLY what is configured on the PIX (including upper case/lower case). If you are not absolutely sure what is on the PIX you can configure it again. And it would be helpful when you test again to try to see what is in the logs for that time period.

If it is still a problem there are some diagnostics that you can run that might be helpful.

HTH

Rick

archmillwork Tue, 06/15/2010 - 14:51

The ip addresses listed in the config are what is actually there.  I have not changed any of them. My accessing address is not shown it seems because it's not set.

I don't think I'm even getting into the PIX at all, I'm using Cisco VPN Client Version 4.8.00.0440.

I have double checked the login and password and still am getting nothing...

What kind of diagnostics are you thinking of?

John

edadios Tue, 06/15/2010 - 17:43

Please issue the following commands in configure mode of the pix.

######
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no crypto map outside_map interface outside
no isakmp enable outside
no crypto map outside_map client authentication TACACS+ LOCAL
access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
isakmp policy 20 hash sha
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
#####


The configuration guide is here:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wp1076294


If you are still not able to make a connection, please enable the debug as follows:

On the firewall

debug crypto isakmp
debug crypto ipsec

The firewall should be throwing logs when you try to connect the client, but before connecting the client, enable the client logging as well.


On the client tabs, select the log tab, set it to enable, and then set log settings to high on all, and then try the connection from the client, and you can get the client log by selecting the log window.

And provide the latest configuration of the pix.


Regards,

archmillwork Wed, 06/16/2010 - 08:26

Ok, I have included the results of the executed commands, the PIX log and Client log for when I tried to access the VPN, and also the new PIX config.  There has to be a way for me to only see the log of the VPN correct? Maybe a way to clear the log completely then show the VPN log?

Results of Executed commands

Result of firewall command: "no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
ERROR: unable to clear match address

Result of firewall command: "no crypto map outside_map interface outside"
The command has been sent to the firewall

Result of firewall command: "no isakmp enable outside"
The command has been sent to the firewall

Result of firewall command: "no crypto map outside_map client authentication TACACS+ LOCAL"
The command has been sent to the firewall

Result of firewall command: "access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0"
ACE not added. Possible duplicate entry

Result of firewall command: "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac"
The command has been sent to the firewall

Result of firewall command: "isakmp policy 20 hash sha"
The command has been sent to the firewall

Result of firewall command: "crypto map outside_map client authentication LOCAL"
The command has been sent to the firewall

Result of firewall command: "crypto map outside_map interface outside"
The command has been sent to the firewall

Result of firewall command: "isakmp enable outside"
The command has been sent to the firewall

PIX Log

Result of firewall command: "show log"

Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level notifications, 16728 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
=ui%3DT9_kb7xbbY43oD%3Btr%3DeUilToehBDC%3Btm%3D0-0;ts=20100616110502;dct=$$
304001: 10.10.1.100 Accessed URL 174.35.52.134:/creative/blank.gif?ts=20100616110502&cmxid=2101.010008408000497456xmc
304001: 10.10.1.100 Accessed URL 96.17.148.115:/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4b9952d2b8f4dff1
304001: 10.10.1.100 Accessed URL 8.19.18.8:/orbserv/hbpix?pixId=1598&pcv=45&curl=http%3a%2f%2findiana.scout.com%2f2%2f977488.html
304001: 10.10.1.100 Accessed URL 207.38.101.11:/img/clip1-IA4.swf?rnd=230820
304001: 10.10.1.100 Accessed URL 67.228.117.82:/lgrt?ci=1&ti=81&ai=4&mi=36&ei=1&adsi=4&tp_CampaignName=[%tp_CampaignName%]&tp_PublisherName=SpecificMEDIA%20US&tp_PlacementName=BofA_SM_160x600
304001: 10.10.1.100 Accessed URL 96.17.70.81:/BurstingCachedScripts//SBTemplates_4_0_1/StdBanner.js?ai=2951976
304001: 10.10.1.100 Accessed URL 98.137.51.1:/unpixel?t=2&id=710862
304001: 10.10.1.100 Accessed URL 207.38.101.11:/img/psn.html?m=DR1L9OB-3z&b=Z--------------------2&qr=420&nr=IA4&ag=1&qrag=4201&nrag=IA41&hs=&rnd=230820
304001: 10.10.1.100 Accessed URL 96.17.70.81:/BurstingRes///Site-17453/Type-2/5ff9631a-5b31-4d5a-ba4b-95a062b0d839.swf
304001: 10.10.1.100 Accessed URL 205.234.175.175:/antenna2.js?0_194_1487103_0
304001: 10.10.1.102 Accessed URL 65.54.95.222:/signed/SearchBoxExt.cab
304001: 10.10.1.100 Accessed URL 184.73.249.96:/redir/863532/0/194/1487103/0/917463/0/1.ver?at=i&d=Imp&jsv=3.1.0&num=0&sr=1024x768x32&tz=7&url=http%3A%2F%2Findiana.scout.com%2F2%2F977488.html&
111008: User 'enable_15' executed the 'debug crypto ipsec' command.
304001: 10.10.1.110 Accessed URL 74.125.127.103:/
304001: 10.10.1.110 Accessed URL 74.125.127.103:/images/srpr/nav_logo13.png
304001: 10.10.1.110 Accessed URL 74.125.127.139:/generate_204
304001: 10.10.1.110 Accessed URL 63.245.209.93:/en-US/firefox/headlines.xml
304001: 10.10.1.110 Accessed URL 63.245.209.93:/firefox/headlines.xml
304001: 10.10.1.110 Accessed URL 96.17.148.64:/rss/newsonline_world_edition/front_page/rss.xml
304001: 10.10.1.112 Accessed URL 198.133.219.25:/assets/cdc_content_elements/cl_pilots/buttons/gray_button_sprite.png
304001: 10.10.1.102 Accessed URL 184.51.159.35:/update/AU/map-2.0.2.1.xml
304001: 10.10.1.102 Accessed URL 137.254.16.78:/javafx-cache.jnlp
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/jmc-natives-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-natives-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/gzip/javafx-rt-natives-windows-i586__V1.3.0_b412.jar.gz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-fonts-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/gzip/jmc-natives-windows-i586__V1.3.0_b412.jar.gz
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/gzip/javafx-rt-natives-windows-i586__V1.3.0_b412.jar.gz?e=1276701291&h=23d4679878771063b24a638ae667f1b9
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar.pgz?e=1276701291&h=d92c1aeb7b785925a0ceaa28d46a8ecb
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/gzip/jmc-natives-windows-i586__V1.3.0_b412.jar.gz?e=1276701292&h=0cc132fc523a5bc77db8955858170a69
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-fonts-windows-i586__V1.3.0_b412.jar.pgz?e=1276701291&h=83661ee4e7fe2783ee834159c97cca90
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-windows-i586__V1.3.0_b412.jar.pgz?e=1276701293&h=fff4bcfd69d9ddf5bbfd0af6996ea0fb
304001: 10.10.1.110 Accessed URL 74.125.6.84:/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYkYcCIOCHAioLsIMAAP_______wEyCJGDAAD___9_

Client Log

Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client

Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      08:07:19.078  06/16/10  Sev=Info/4 CM/0x63100002
Begin connection process

2      08:07:19.218  06/16/10  Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      08:07:19.218  06/16/10  Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

4      08:07:19.218  06/16/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "X.X.X.X"

5      08:07:20.218  06/16/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with X.X.X.X.

6      08:07:20.234  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X

7      08:07:20.234  06/16/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

8      08:07:20.234  06/16/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

9      08:07:25.250  06/16/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

10     08:07:25.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

11     08:07:30.250  06/16/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

12     08:07:30.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

13     08:07:35.250  06/16/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

14     08:07:35.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

15     08:07:40.250  06/16/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     08:07:40.765  06/16/10  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     08:07:40.765  06/16/10  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "X.X.X.X" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     08:07:40.781  06/16/10  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

19     08:07:40.781  06/16/10  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

20     08:07:40.796  06/16/10  Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

21     08:07:40.796  06/16/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

22     08:07:40.796  06/16/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

23     08:07:40.796  06/16/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

24     08:07:40.796  06/16/10  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

New Config

Result of firewall command: "show config"

: Saved
: Written by enable_15 at 13:50:13.306 PDT Tue Jun 15 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CHLT6WlKIINkqDao encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ammco
domain-name ammco.dom
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 10.10.1.10
access-list outside_cryptomap_dyn_20 permit ip any host 10.10.1.10
pager lines 24
logging on
logging buffered notifications
logging host inside 10.10.1.10 format emblem
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool 10.10.1.100-10.10.1.244
pdm location 10.10.1.112 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication TACACS+ LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ammco address-pool Pool
vpngroup ammco default-domain ammco.dom
vpngroup ammco idle-time 1800
vpngroup ammco password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.2-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password 2.L7i4CxlntxBayE encrypted privilege 15
terminal width 80
Cryptochecksum:1b9a8756fdfa0ca11ad3a210649f7293

Correct Answer
edadios Wed, 06/16/2010 - 21:17

If all client logs have been enabled, the client log suggests the firewall is not responding to ike at all. Maybe udp 500 is being blocked elsewhere in the path.

Are you certain the dhcp ip you receive is the ip address you are trying to connect to?

For seeing more logs on ASA

You need to issue "logging buffered debug", "clear log" and then do show log.

Otherwise, once you enable the debug commands, and you have access to the console (serial - CLI), you should see the log messages being output when you have the client trying to connect.

Regards,
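The diagnosis above rests on one detail of the client log: every ISAKMP aggressive-mode packet is a SENDING line, nothing is ever RECEIVED, and the SA is torn down with R_Cookie=0000000000000000, which the initiator can only fill in from the responder's first reply. The script below is an added example, not code from the thread or from Cisco: it parses Cisco VPN Client 4.8 log entries and separates "peer silent" (UDP/500 never reached the PIX) from "peer answered" (a negotiation problem). The log excerpts are constructed from the posted format; the RECEIVED line in the second excerpt is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt modelled on the Cisco VPN Client log posted in the thread
# (peer address replaced by X.X.X.X as the poster did).
SILENT_PEER_LOG = """\
Cisco Systems VPN Client Version 4.8.00.0440
6      08:07:20.234  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X
9      08:07:25.250  06/16/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10     08:07:25.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
12     08:07:30.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
14     08:07:35.250  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
15     08:07:40.250  06/16/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed contrast case (hypothetical RECEIVED line in the same format): the
# peer answers, so any later failure is a negotiation problem, not a path problem.
ANSWERING_PEER_LOG = """\
6      09:00:00.000  06/16/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X
7      09:00:00.100  06/16/10  Sev=Info/4 IKE/0x63000014
RECEIVED <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T)) from X.X.X.X
"""

# Header line: "<seq>  <hh:mm:ss.mmm>  <mm/dd/yy>  Sev=<Level/N> <SUBSYS>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+/\d)\s+(?P<subsys>[A-Z]+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)
R_COOKIE_RE = re.compile(r"R_Cookie=([0-9A-Fa-f]+)")


@dataclass
class Entry:
    seq: int
    time: str
    subsys: str      # IKE, IPSEC, CM, CVPND, ...
    message: str


def parse_client_log(text: str) -> List[Entry]:
    """Pair each numbered header line with the message line that follows it;
    banner lines and blank lines are skipped."""
    lines = text.splitlines()
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append(Entry(int(m["seq"]), m["time"], m["subsys"], lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return entries


def diagnose_phase1(entries: List[Entry]) -> dict:
    """Classify an IKE Phase 1 attempt from the client's point of view."""
    ike = [e for e in entries if e.subsys == "IKE"]
    sent = sum(1 for e in ike if e.message.startswith("SENDING >>> ISAKMP OAK AG"))
    retransmits = sum(1 for e in ike if "(Retransmission)" in e.message)
    received = sum(1 for e in ike if e.message.startswith("RECEIVED <<<"))
    r_cookie: Optional[str] = None
    for e in ike:
        m = R_COOKIE_RE.search(e.message)
        if m:
            r_cookie = m.group(1)
            break
    not_responding = any("PEER_NOT_RESPONDING" in e.message for e in ike)
    # An all-zero responder cookie means no ISAKMP reply ever arrived: the
    # initiator only learns R_Cookie from the responder's first packet.
    peer_silent = received == 0 and (r_cookie is None or set(r_cookie) == {"0"}) and not_responding
    if peer_silent:
        finding = "no ISAKMP reply: check that UDP/500 (and UDP/4500 for NAT-T) reaches the PIX's current outside address"
    elif received > 0:
        finding = "peer answered: any failure lies in negotiation (policy, group name or pre-shared key)"
    else:
        finding = "inconclusive: no Phase 1 exchange found in this log"
    return {"sent": sent, "retransmits": retransmits, "received": received,
            "responder_cookie": r_cookie, "peer_silent": peer_silent, "finding": finding}


if __name__ == "__main__":
    for name, log in (("silent peer", SILENT_PEER_LOG), ("answering peer", ANSWERING_PEER_LOG)):
        print(name, diagnose_phase1(parse_client_log(log)))
```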

archmillwork Thu, 06/17/2010 - 11:55

It seems that my exterior router that comcast supplied me was not properly forwarding the UDP.  Thank you both for all of your help!

John
