06-15-2010 08:56 AM
First off I am trying to Remotely connect a user to the Insider Server directory at my company and Need to use the VPN. We have a PIX 501 Version 6.3(5), PDM Version 3.0(4). It was originally set up by a 3rd party that we hired to get the entire Server up and running; they have however gone out of business since then and I cannot find anyone locally to help me with this. I am fairly adept at keeping everything running, and we have not needed to use the VPN for a while, but it seems that the VPN configuration may need to be redone. I have used the VPN Wizard to set up the VPN, and have tried to use another computer on another Internet source to try to connect to the VPN, however my VPN client keeps getting a 'Reason 412: The remote peer is no longer responding'. Is there any easy way to get this set up?
06-15-2010 11:35 AM
John
There should be a way to get this set up. Whether that will qualify as easy is another question.
There is not enough detail here for us to understand what the problem is or what you could do about it. When you attempt to connect to the VPN, do you get a prompt for user name and password? When you attempt to connect to the VPN are any log messages generated by the PIX?
It might be helpful if you would post the configuration of the PIX (or at least all the parts that relate to the VPN).
HTH
Rick
06-15-2010 11:54 AM
Well since Easy is objective I guess I just need it simplified enough that I can write it down to make sure it can be done again in the future if needed.
I have used the VPN Wizard to get everything in place; group name is AMMC, password is alpha. The outside IP is set by DHCP.
When I run the Client, I have it set up to access the IP address for the Office, using the aforementioned group name and password, and it never asks me for another login; it just cycles like it's trying to connect, then says 'not connected' on the bottom of the frame.
The notification window says
"Initializing the connection...
Contacting the gateway at x.x.x.x ...
Secure VPN Connection Terminated locally by Client.
Reason 412: The remote peer is no longer responding.
Connection terminated on Jun. 15, 2010 11:52:18 Durration: Not connected."
As far as the Configuration on the PIX goes, I'm not sure how to get that. I also don't know how to get any of the logs.
Is there a way to get to it from the PDM?
Thank You,
John
06-15-2010 12:52 PM
John
There ought to be a couple of ways to get the config information. It has been a while since I used PDM, but there should be an option in it to view the config, and from that it should be possible to cut and paste the config information into a text file. Or another possibility may be to use an option in PDM to save the config. Within this should be an option to TFTP the config to your PC. If the PIX will TFTP the config to your PC then you can use a text editor to access its content or can post the config file (after obscuring sensitive addresses and passwords).
As far as getting at the logs, I would assume that there is an option in the monitoring function of PDM to show the logs.
I am interested in your comment that the outside address is set by DHCP. If the outside address is possibly dynamic then that could complicate setting up VPN. So I am curious about the message: "Contacting the gateway at x.x.x.x ...". So what is x.x.x.x and how does that relate to the outside address of the PIX? Is there a way to test and verify whether you have IP connectivity from where you are testing to the PIX (ping or tracert or something)?
HTH
Rick
06-15-2010 01:33 PM
I have found the Command line interface in the PDM, and came up with a config and a log, though the log doesn't show any of my trying to log into the VPN, just my office mates not working... Other than running the VPN Wizard I have not changed anything in the config.
As far as the IP address goes, I came up with what the IP is by going to places like whatismyip.com and whatismyipaddress.com. Not quite sure if that's right, but both come up with the same IP address, so that's the IP I have set my VPN client to go to.
I can ping the IP for the company and get a response. Though the ping back to the secondary internet source doesn't seem to be coming back. I don't know if the firewall ping is working, but it does seem to be when I ping other computers inside the network...
Result of firewall command: "show config"
: Saved
: Written by enable_15 at 11:59:05.158 PDT Tue Jun 15 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CHLT6WlKIINkqDao encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname xxx
domain-name xxx.dom
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 10.10.1.10
access-list outside_cryptomap_dyn_20 permit ip any host 10.10.1.10
pager lines 24
logging on
logging buffered notifications
logging host inside 10.10.1.10 format emblem
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool 10.10.1.100-10.10.1.244
pdm location 10.10.1.112 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication TACACS+ LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ammco address-pool Pool
vpngroup ammco default-domain xxx.dom
vpngroup ammco idle-time 1800
vpngroup ammc password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.2-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password 2.L7i4CxlntxBayE encrypted privilege 15
terminal width 80
Cryptochecksum:1b9a8756fdfa0ca11ad3a210649f7293
Result of firewall command: "show logging"
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 9910 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Fpub%2Fagent.dll
304001: 10.10.1.102 Accessed URL 74.125.127.149:/activity;src=2588797;type=nausc826;cat=nauss008;u=08d0db93a3de4aae88044148ed5d4023;u16=oi;u13=;u14=n;u11=Economy%20/%20Coach;u12=;u9=;u10=;u7=1%20%7C%200;u8=;u5=;u6=;u3=EUG;u4=20101223%20%7C%2020101227;u1=Flight;u2=LAX;ord=5498487375442.865?;~oref=http%3A%2F%2Fwww.expedia.com%2Fpub%2Fagent.dll
304001: 10.10.1.102 Accessed URL 74.125.127.156:/pagead/viewthroughconversion/1045337482/?label=CaglCPi_2AEQiqu68gM&guid=ON&script=0&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false
304001: 10.10.1.102 Accessed URL 74.125.127.156:/pagead/viewthroughconversion/1045337482/?label=s5u4CPCPswEQiqu68gM&guid=ON&script=0&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false
304001: 10.10.1.102 Accessed URL 74.125.127.99:/afsonline/show_afs_ads.js
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=742892&t=2
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=728151&t=2
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=788292&t=2
304001: 10.10.1.102 Accessed URL 184.73.55.124:/pixel?pixelID=12262&partnerID=123&clientID=2058&key=segment
304001: 10.10.1.102 Accessed URL 98.137.48.23:/pixel?id=749391&t=2
304001: 10.10.1.102 Accessed URL 66.235.139.152:/b/ss/expedia1/1/G.9p2/s64966286992930?[AQB]&ndh=1&t=15/5/2010%2013%3A23%3A8%202%20420&ce=ISO-8859-1&cdp=2&pageName=HTX_FLTAAP_OUT&g=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dfexp%26qryt%3D2%26tovr%3D-1294537294%26ps3u%3D%26%26altd%3D%26hqot%3D%26pddt%3D%26prdt%3D%26altg%3D%26hftp%3D%26flag%3Dq%26wsds%3DEX015B87605D0%2524FE%25212%2524FF%2524EF%2521601%2521p0%252150%25218%2524FF%252190221010002%252170122%25214%2524FF%252190100001%2521V0%25214%2524FF%2521C0%252416000%2524&r=http%3A//www.expedia.com/pub/agent.dll%3Fqscr%3Dfexp%26flag%3Dq%26city1%3DEUG%26citd1%3DLos%2BAngeles%252C%2BCA%2B%2528LAX%252DLos%2BAngeles%2BIntl%252E%2529%26date1%3D9/9/2010%26time1%3D362%26date2%3D9/12/2010%26time2%3D362%26cAdu%3D1%26cSen%3D%26cChi%3D%26cInf%3D%26infs%3D2%26tktt%3D3%26trpt%3D2%26ecrc%3D%26eccn%3D%26qryt%3D8%26load%3D1%26airp1%3D%26dair1&ch=flights&server=www.expedia.com&h1=HTX%2Cflights&c2=fexp&v2=fexp&c3=eug&v3=eug&c4=lax&v4=lax&c12=08d0db93a3de4aae88044148ed5d4023&c16=-57675&v17=HTX_FLTAAP_OUT&v18=HTX_FLTAAP_OUT&v28=-57675&c29=FLT%20%7C%20EUG&v29=FLT%20%7C%20EUG&c30=FLT%20%7C%20LAX&v30=FLT%20%7C%20LAX&c31=FLT&v31=FLT&c34=445.1&v34=445.1&c50=G.20100520&pid=HTX_FLTAAP_OUT&pidt=1&oid=Go&oidt=3&ot=SUBMIT&oi=530&s=1024x768&c=32&j=1.3&v=Y&k=Y&bw=1024&bh=567&ct=lan&hp=N&[AQE]
304001: 10.10.1.102 Accessed URL 209.235.221.100:/Offers/Delivery/Deliver.aspx?f=50&thrn=274930&pgID=HTX_FLTAAP_OUT&Start=0&OfferC=&MessageC=&rd=12/27/2010&sd=EUG&sa=LAX&st=240&ss=091&pa=1&Dt0=23-Dec&D0=EUG&A0=LAX&P0=318.01&N0=AS2338,AS560&T0=5:20am&P1=318.01&N1=AA7534,AA6886&T1=5:20am&P2=318.01&N2=AA7534,AA6865&T2=5:20am&P3=318.01&N3=AS2338,AS562&T3=5:20am&P4=348.00&N4=AS2296,AS462&T4=9:55am&P5=348.00&N5=AS2298,AS450&T5=6:55pm&P6=348.00&N6=AS2280,AS460&T6=6:55am&P7=348.00&N7=AS2338,AS2238,AS456&T7=5:20am&P8=348.00&N8=AS2040,AS2046,AS472&T8=4:05pm&P9=412.00&N9=UA6332,UA6082&T9=6:16pm&P10=412.00&N10=UA6406,UA844&T10=12:45pm&P11=412.00&N11=UA6408,UA145&T11=3:12pm&P12=423.15&N12=US7601,US6508&T12=12:45pm&P13=423.15&N13=US7602,US6738&T13=3:12pm&P14=432.01&N14=UA6400,UA858&T14=7:55am&P15=432.01&N15=UA6404,UA111&T15=10:28am&P16=432.01&N16=UA6400,UA888&T16=7:55am&P17=444.16&N17=US7598,US6803&T17=7:55am&P18=444.16&N18=US7600,US6728&T18=10:28am&P19=444.16&N19=US7598,US6705&T19=7:55am&P20=512.00&N20=DL4681,DL2441&T20=6:00am&P21=564.01&N21=DL4681,DL4701&T21=6:00am&P22=802.01&N22=DL4683,DL4703&T22=1:00pm&eapid=0&
304001: 10.10.1.102 Accessed URL 64.127.118.102:/baynote/customerstatus2?customerId=expedia&code=www&x=01276633388717
304001: 10.10.1.101 Accessed URL 65.55.87.111:/videoByTag.aspx?tag=im_default&ns=Gallery&mk=us&vs=1&responseEncoding=RSS&p=imbot_us_default
304001: 10.10.1.112 Accessed URL 128.242.245.116:/statuses/user_timeline.json?screen_name=gamelife&callback=TWTR.Widget.receiveCallback_1&count=50&since_id=15973158362&refresh=true&clientsource=TWITTERINC_WIDGET
06-15-2010 02:32 PM
John
Thanks for the additional information. I am glad that you figured how to get to the configuration and to the logs. That is helpful.
In looking through the configuration I notice multiple references to address 10.10.1.10. PDM associates that address with locations both inside and outside, and that address is exempted from translation. Was this really the address or did you change a real address to hide it?
If the logs do not show your attempts to connect to VPN there are a couple of possibilities to consider:
- perhaps your attempts to connect do not fall into the period of time contained in the logs.
- perhaps your attempts to connect never got to the interface of the PIX.
- perhaps your attempt to connect contains some flaw that prevented the PIX from processing your request.
I have seen situations where there was a mistake in the VPN group name or in the group password and it produced symptoms similar to this. In the PIX there is this line:
vpngroup ammc password ********
I would suggest that you test again and be very sure that what is entered in your VPN client matches EXACTLY what is configured on the PIX (including upper case/lower case). If you are not absolutely sure what is on the PIX you can configure it again. And it would be helpful when you test again to try to see what is in the logs for that time period.
If it is still a problem there are some diagnostics that you can run that might be helpful.
HTH
Rick
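Rick's point about the group name and password having to match exactly can be checked against the posted config without retyping anything. In the first "show config" above, three lines are for `vpngroup ammco` (pool, domain, idle time) while the password line reads `vpngroup ammc password`, so on that config neither group has both a pool and a password. The script below is an added example, not something posted in this thread or part of PIX software: it groups the `vpngroup` lines of a PIX 6.3 config by group name, reports groups that lack an address pool or a password, and flags names that differ only by case or by a prefix. The sample text is copied from the first config in the thread; the list of required attributes is an assumption for a remote-access group.

```python
import re
from collections import defaultdict

# Constructed sample: the vpngroup lines from the first "show config" in this thread.
SAMPLE_CONFIG = """\
vpngroup ammco address-pool Pool
vpngroup ammco default-domain xxx.dom
vpngroup ammco idle-time 1800
vpngroup ammc password ********
"""

# PIX 6.3 syntax: vpngroup <name> <attribute> [value]
VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: a remote-access group is unusable without at least these two.
REQUIRED = ("address-pool", "password")


def parse_vpngroups(config_text):
    """Return {group_name: {attribute: value}} for every vpngroup line.

    Lines that are not vpngroup lines are ignored, so the whole config
    can be fed in as-is.
    """
    groups = defaultdict(dict)
    for line in config_text.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if m:
            name, attr, value = m.group(1), m.group(2), m.group(3) or ""
            groups[name][attr] = value
    return dict(groups)


def find_incomplete_groups(groups):
    """Return {group_name: [missing attributes]} for groups that lack a
    required attribute; an empty dict means every group is complete."""
    problems = {}
    for name, attrs in groups.items():
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            problems[name] = missing
    return problems


def find_near_duplicates(groups):
    """Return pairs of group names that are equal ignoring case or where one
    is a prefix of the other, which is what a typo in the wizard tends to
    produce (the config above has 'ammc' and 'ammco')."""
    names = sorted(groups)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            la, lb = a.lower(), b.lower()
            if la == lb or lb.startswith(la) or la.startswith(lb):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    groups = parse_vpngroups(SAMPLE_CONFIG)
    for name, attrs in groups.items():
        print(name, attrs)
    print("incomplete:", find_incomplete_groups(groups))
    print("near duplicates:", find_near_duplicates(groups))
```

Run it against the whole pasted config (the `vpngroup` lines are the only ones it reads); any group listed as incomplete, or any near-duplicate pair, is worth comparing against the group name typed into the client before looking at the transport path.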
06-15-2010 02:51 PM
The IP addresses listed in the config are what is actually there. I have not changed any of them. My accessing address is not shown, it seems, because it's not set.
I don't think I'm even getting into the PIX at all. I'm using Cisco VPN Client Version 4.8.00.0440.
I have double checked the login and password and still am getting nothing...
What kind of diagnostics are you thinking of?
John
06-15-2010 05:43 PM
Please issue the following commands in configure mode of the pix.
######
no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
no crypto map outside_map interface outside
no isakmp enable outside
no crypto map outside_map client authentication TACACS+ LOCAL
access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac
isakmp policy 20 hash sha
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
#####
The configuration guide is here:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wp1076294
If you are still not able to make a connection, please enable the debug as follows:
On the firewall
debug crypto isakmp
debug crypto ipsec
The firewall should be throwing logs when you try to connect the client, but before connecting the client, enable the client logging as well.
On the client tabs, select the log tab, set it to enable, and then set log settings to high on all, and then try the connection from the client, and you can get the client log by selecting the log window.
And provide the latest configuration of the pix.
Regards,
06-16-2010 08:26 AM
Ok, I have included the results of the executed commands, the PIX log and Client log for when I tried to access the VPN, and also the new PIX config. There has to be a way for me to only see the log of the VPN, correct? Maybe a way to clear the log completely then show the VPN log?
Results of Executed commands
Result of firewall command: "no crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20"
ERROR: unable to clear match address
Result of firewall command: "no crypto map outside_map interface outside"
The command has been sent to the firewall
Result of firewall command: "no isakmp enable outside"
The command has been sent to the firewall
Result of firewall command: "no crypto map outside_map client authentication TACACS+ LOCAL"
The command has been sent to the firewall
Result of firewall command: "access-list inside_outbound_nat0_acl permit ip any 10.10.1.0 255.255.255.0"
ACE not added. Possible duplicate entry
Result of firewall command: "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-sha-hmac"
The command has been sent to the firewall
Result of firewall command: "isakmp policy 20 hash sha"
The command has been sent to the firewall
Result of firewall command: "crypto map outside_map client authentication LOCAL"
The command has been sent to the firewall
Result of firewall command: "crypto map outside_map interface outside"
The command has been sent to the firewall
Result of firewall command: "isakmp enable outside"
The command has been sent to the firewall
PIX Log
Result of firewall command: "show log"
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 16728 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
=ui%3DT9_kb7xbbY43oD%3Btr%3DeUilToehBDC%3Btm%3D0-0;ts=20100616110502;dct=$$
304001: 10.10.1.100 Accessed URL 174.35.52.134:/creative/blank.gif?ts=20100616110502&cmxid=2101.010008408000497456xmc
304001: 10.10.1.100 Accessed URL 96.17.148.115:/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4b9952d2b8f4dff1
304001: 10.10.1.100 Accessed URL 8.19.18.8:/orbserv/hbpix?pixId=1598&pcv=45&curl=http%3a%2f%2findiana.scout.com%2f2%2f977488.html
304001: 10.10.1.100 Accessed URL 207.38.101.11:/img/clip1-IA4.swf?rnd=230820
304001: 10.10.1.100 Accessed URL 67.228.117.82:/lgrt?ci=1&ti=81&ai=4&mi=36&ei=1&adsi=4&tp_CampaignName=[%tp_CampaignName%]&tp_PublisherName=SpecificMEDIA%20US&tp_PlacementName=BofA_SM_160x600
304001: 10.10.1.100 Accessed URL 96.17.70.81:/BurstingCachedScripts//SBTemplates_4_0_1/StdBanner.js?ai=2951976
304001: 10.10.1.100 Accessed URL 98.137.51.1:/unpixel?t=2&id=710862
304001: 10.10.1.100 Accessed URL 207.38.101.11:/img/psn.html?m=DR1L9OB-3z&b=Z--------------------2&qr=420&nr=IA4&ag=1&qrag=4201&nrag=IA41&hs=&rnd=230820
304001: 10.10.1.100 Accessed URL 96.17.70.81:/BurstingRes///Site-17453/Type-2/5ff9631a-5b31-4d5a-ba4b-95a062b0d839.swf
304001: 10.10.1.100 Accessed URL 205.234.175.175:/antenna2.js?0_194_1487103_0
304001: 10.10.1.102 Accessed URL 65.54.95.222:/signed/SearchBoxExt.cab
304001: 10.10.1.100 Accessed URL 184.73.249.96:/redir/863532/0/194/1487103/0/917463/0/1.ver?at=i&d=Imp&jsv=3.1.0&num=0&sr=1024x768x32&tz=7&url=http%3A%2F%2Findiana.scout.com%2F2%2F977488.html&
111008: User 'enable_15' executed the 'debug crypto ipsec' command.
304001: 10.10.1.110 Accessed URL 74.125.127.103:/
304001: 10.10.1.110 Accessed URL 74.125.127.103:/images/srpr/nav_logo13.png
304001: 10.10.1.110 Accessed URL 74.125.127.139:/generate_204
304001: 10.10.1.110 Accessed URL 63.245.209.93:/en-US/firefox/headlines.xml
304001: 10.10.1.110 Accessed URL 63.245.209.93:/firefox/headlines.xml
304001: 10.10.1.110 Accessed URL 96.17.148.64:/rss/newsonline_world_edition/front_page/rss.xml
304001: 10.10.1.112 Accessed URL 198.133.219.25:/assets/cdc_content_elements/cl_pilots/buttons/gray_button_sprite.png
304001: 10.10.1.102 Accessed URL 184.51.159.35:/update/AU/map-2.0.2.1.xml
304001: 10.10.1.102 Accessed URL 137.254.16.78:/javafx-cache.jnlp
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/jmc-natives-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-natives-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/gzip/javafx-rt-natives-windows-i586__V1.3.0_b412.jar.gz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-fonts-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/gzip/jmc-natives-windows-i586__V1.3.0_b412.jar.gz
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/gzip/javafx-rt-natives-windows-i586__V1.3.0_b412.jar.gz?e=1276701291&h=23d4679878771063b24a638ae667f1b9
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-lazy-windows-i586__V1.3.0_b412.jar.pgz?e=1276701291&h=d92c1aeb7b785925a0ceaa28d46a8ecb
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/gzip/jmc-natives-windows-i586__V1.3.0_b412.jar.gz?e=1276701292&h=0cc132fc523a5bc77db8955858170a69
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-fonts-windows-i586__V1.3.0_b412.jar.pgz?e=1276701291&h=83661ee4e7fe2783ee834159c97cca90
304001: 10.10.1.102 Accessed URL 137.254.16.78:/1.3/javafx-rt-windows-i586__V1.3.0_b412.jar
304001: 10.10.1.102 Accessed URL 68.142.93.250:/javafx/pgz/javafx-rt-windows-i586__V1.3.0_b412.jar.pgz
304001: 10.10.1.102 Accessed URL 68.142.93.11:/c1/javafx/pgz/javafx-rt-windows-i586__V1.3.0_b412.jar.pgz?e=1276701293&h=fff4bcfd69d9ddf5bbfd0af6996ea0fb
304001: 10.10.1.110 Accessed URL 74.125.6.84:/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYkYcCIOCHAioLsIMAAP_______wEyCJGDAAD___9_
Client Log
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 08:07:19.078 06/16/10 Sev=Info/4 CM/0x63100002
Begin connection process
2 08:07:19.218 06/16/10 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
3 08:07:19.218 06/16/10 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 08:07:19.218 06/16/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "X.X.X.X"
5 08:07:20.218 06/16/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with X.X.X.X.
6 08:07:20.234 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X
7 08:07:20.234 06/16/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 08:07:20.234 06/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 08:07:25.250 06/16/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 08:07:25.250 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
11 08:07:30.250 06/16/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 08:07:30.250 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
13 08:07:35.250 06/16/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 08:07:35.250 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
15 08:07:40.250 06/16/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 08:07:40.765 06/16/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 08:07:40.765 06/16/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "X.X.X.X" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 08:07:40.781 06/16/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 08:07:40.781 06/16/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
20 08:07:40.796 06/16/10 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
21 08:07:40.796 06/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 08:07:40.796 06/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 08:07:40.796 06/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 08:07:40.796 06/16/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
New Config
Result of firewall command: "show config"
: Saved
: Written by enable_15 at 13:50:13.306 PDT Tue Jun 15 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password CHLT6WlKIINkqDao encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ammco
domain-name ammco.dom
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 10.10.1.10
access-list outside_cryptomap_dyn_20 permit ip any host 10.10.1.10
pager lines 24
logging on
logging buffered notifications
logging host inside 10.10.1.10 format emblem
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Pool 10.10.1.100-10.10.1.244
pdm location 10.10.1.112 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 inside
pdm location 10.10.1.10 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication TACACS+ LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ammco address-pool Pool
vpngroup ammco default-domain ammco.dom
vpngroup ammco idle-time 1800
vpngroup ammco password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.1.2-10.10.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username admin password 2.L7i4CxlntxBayE encrypted privilege 15
terminal width 80
Cryptochecksum:1b9a8756fdfa0ca11ad3a210649f7293
06-16-2010 09:17 PM
If all client logs have been enabled, the client log suggests the firewall is not responding to IKE at all. Maybe UDP 500 is being blocked elsewhere in the path.
Are you certain the DHCP IP you receive is the IP address you are trying to connect to?
For seeing more logs on ASA
You need to issue "logging buffered debug", "clear log" and then do show log.
Otherwise, once you enable the debug commands, and you got access to the console (serial - CLI) you should see the log messages being output, when you have client trying to connect.
Regards,
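The client log posted above carries the evidence the reply refers to: the IKE aggressive-mode packet is sent, retransmitted three times, nothing is ever received, and the SA is discarded with a responder cookie of all zeros, which is the signature of a peer that never answered on UDP 500 rather than one that rejected the group or password. The PIX buffer, meanwhile, is filled with 304001 URL-access records that bury the one IKE-related line (the 111008 "executed the 'debug crypto ipsec' command" entry). The script below is an added example, not something posted in this thread or part of the Cisco client: it parses a Cisco VPN Client log in the numbered two-line format shown above and reports whether phase 1 ever received a reply, and it filters a PIX syslog buffer down to the messages that are not URL-access noise. The sample lines are abbreviated copies of the logs posted above; the `RECEIVED <<<` prefix for inbound IKE messages is an assumption about the client's log format.

```python
import re

# Constructed sample: abbreviated copy of the Cisco VPN Client log posted above.
CLIENT_LOG = """\
6 08:07:20.234 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to X.X.X.X
9 08:07:25.250 06/16/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 08:07:25.250 06/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
15 08:07:40.250 06/16/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=16F506959EE122A6 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed sample: three lines in the shape of the PIX "show log" output above.
PIX_LOG = """\
304001: 10.10.1.110 Accessed URL 74.125.127.103:/
111008: User 'enable_15' executed the 'debug crypto ipsec' command.
304001: 10.10.1.102 Accessed URL 184.51.159.35:/update/AU/map-2.0.2.1.xml
"""

# Client log header: "<seq> <time> <date> Sev=<level> <component>/<hex code>"
HEADER_RE = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\S+)/(0x[0-9A-Fa-f]+)$"
)

# PIX syslog message IDs treated as noise for VPN troubleshooting.
NOISE_IDS = {"304001"}  # URL-access records


def parse_client_log(text):
    """Pair each numbered header line with the message line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({
                "seq": int(m.group(1)),
                "time": m.group(2),
                "component": m.group(5),
                "code": m.group(6),
                "msg": lines[i + 1],
            })
            i += 2
        else:
            i += 1
    return entries


def diagnose_phase1(entries):
    """Classify the IKE phase 1 exchange from the client's own view.

    'no-ike-response': packets were sent, nothing came back, and the SA was
    dropped with an all-zero responder cookie, i.e. the peer never answered.
    'peer-responded': at least one inbound IKE message was logged, so the
    problem lies in the negotiation (proposals, group, password), not transport.
    """
    ike = [e for e in entries if e["component"] == "IKE"]
    sent = sum(1 for e in ike if e["msg"].startswith("SENDING"))
    # Assumption: the client logs inbound IKE messages as "RECEIVED <<< ...".
    received = sum(1 for e in ike if e["msg"].startswith("RECEIVED"))
    retransmissions = sum(1 for e in ike if e["msg"].startswith("Retransmitting"))
    no_responder_cookie = any("R_Cookie=0000000000000000" in e["msg"] for e in ike)
    if received:
        verdict = "peer-responded"
    elif sent and no_responder_cookie:
        verdict = "no-ike-response"
    else:
        verdict = "inconclusive"
    return {"sent": sent, "received": received,
            "retransmissions": retransmissions, "verdict": verdict}


def filter_pix_log(text, drop_ids=NOISE_IDS):
    """Keep only syslog lines whose six-digit message ID is not in drop_ids."""
    kept = []
    for line in text.splitlines():
        m = re.match(r"^(\d{6}):\s", line)
        if m and m.group(1) not in drop_ids:
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(diagnose_phase1(parse_client_log(CLIENT_LOG)))
    for line in filter_pix_log(PIX_LOG):
        print(line)
```

On the log in this thread the verdict is "no-ike-response", which points at the path between the client and the PIX outside interface (here, the upstream router not forwarding UDP 500) before any group or password setting; a "peer-responded" verdict would instead send you to the PIX-side `debug crypto isakmp` output.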
06-17-2010 11:55 AM
It seems that my exterior router that comcast supplied me was not properly forwarding the UDP. Thank you both for all of your help!
John