Remote Access VPN Problem Help!!!

gilbertcsc
Level 1

Hi,

I'm configuring the Remote Access VPN on the PIX 515 with version 8.0(4).

Licensed features for this platform:
Maximum Physical Interfaces  : 6        
Maximum VLANs                : 25       
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Disabled 
Cut-through Proxy            : Enabled  
Guards                       : Enabled  
URL Filtering                : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : Unlimited


When I try using the Cisco VPN Client software version 4.0.2 to establish a connection, it fails. I ran the debug and the messages are as below:

Jun 16 12:23:14 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:14 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, processing IKE SA payload
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, All SA proposals found unacceptable
Jun 16 12:23:14 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE AM Responder FSM error history (struct &0x36f5810)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE SA AM:f7fe02b6 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
Jun 16 12:23:14 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, sending delete/delete with reason message
Jun 16 12:23:14 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Removing peer from peer table failed, no match!
Jun 16 12:23:14 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Error: Unable to remove PeerTblEntry
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing SA payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ke payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ISA_KE payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing nonce payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing ID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received xauth V6 VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received DPD VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received NAT-Traversal ver 02 VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Fragmentation VID
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, processing VID payload
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, processing IKE SA payload
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, All SA proposals found unacceptable
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE AM Responder FSM error history (struct &0x36db7e8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, IKE SA AM:519b3d9c terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
Jun 16 12:23:19 [IKEv1 DEBUG]: Group = cisco2, IP = 100.100.100.2, sending delete/delete with reason message
Jun 16 12:23:19 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Removing peer from peer table failed, no match!
Jun 16 12:23:19 [IKEv1]: Group = cisco2, IP = 100.100.100.2, Error: Unable to remove PeerTblEntry

May I know what the problem is?

Thanks

1 Reply

Jennifer Halim
Cisco Employee

Based on the debug output, it's failing because the IKE/ISAKMP proposal does not match.

Please share the output of "show run cry isa" to see what has been configured. Thanks.
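
A triage sketch for the kind of debug output in this thread, added here as an example (not code from the original posts or from Cisco): it groups IKEv1 debug lines into phase 1 attempts, notes the negotiation mode and client vendor IDs, and counts proposal mismatches per peer and tunnel group. The function names and the `proposal_mismatch` label are assumptions of this example; the sample repeats lines from the post, with a constructed later timestamp for the second attempt.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output quoted in the post.
SAMPLE = """\
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 850
Jun 16 12:23:19 [IKEv1 DEBUG]: IP = 100.100.100.2, Received Cisco Unity client VID
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:19 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
Jun 16 12:23:24 [IKEv1]: IP = 100.100.100.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 850
Jun 16 12:23:24 [IKEv1]: IP = 100.100.100.2, Connection landed on tunnel_group cisco2
Jun 16 12:23:24 [IKEv1]: IP = 100.100.100.2, All IKE SA proposals found unacceptable!
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \[IKEv1(?: DEBUG)?\]: "
                  r"(?:Group = (\S+), )?IP = ([\d.]+), (.*)$", re.M)

def parse_attempts(text):
    """Return one record per phase 1 attempt seen in the debug stream."""
    attempts, current = [], {}
    for ts, group, peer, msg in LINE.findall(text):
        if "IKE_DECODE RECEIVED" in msg and "msgid=0" in msg and "SA (1)" in msg:
            # A first packet carrying SA together with KE and ID is aggressive mode.
            mode = "aggressive" if "KE (4)" in msg and "ID (5)" in msg else "main"
            current[peer] = {"time": ts, "peer": peer, "group": group or None,
                             "mode": mode, "vids": [], "result": "incomplete"}
            attempts.append(current[peer])
            continue
        rec = current.get(peer)
        if rec is None:
            continue  # line arrived before any first packet from this peer
        vid = re.match(r"Received (.+) VID\s*$", msg)
        landed = re.search(r"landed on tunnel_group (\S+)", msg)
        if vid:
            rec["vids"].append(vid.group(1))
        elif landed:
            rec["group"] = landed.group(1)
        elif "All IKE SA proposals found unacceptable" in msg:
            rec["result"] = "proposal_mismatch"
    return attempts

def proposal_failures(attempts):
    """Count phase 1 proposal mismatches per (peer, tunnel group)."""
    return Counter((a["peer"], a["group"]) for a in attempts
                   if a["result"] == "proposal_mismatch")

if __name__ == "__main__":
    print(proposal_failures(parse_attempts(SAMPLE)))
```

A peer that keeps landing on the same tunnel group with `proposal_mismatch` points at the ISAKMP policy on the responder rather than at the group name or pre-shared key, which is where the reply above directs the next check.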