Problem with VPN client connecting the IPSec PIX.

Sep 20th, 2010
PIX# Sep 17 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Sep 17 14:58:51 [IKEv1]: IP = Y, Connection landed on tunnel_group

Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, User (X) authenticated.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received unsupported transaction mode attribute: 5

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Client Type: WinNT  Client Application Version: 5.0.06.0160

Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P1 rekey timer: 6840 seconds.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received remote Proxy Host data in ID Payload:  Address 10.0.1.7, Protocol 0, Port 0

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, QM IsRekeyed old sa not found by addr

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE Remote Peer configured for crypto map: outside_dyn_map

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP =Y, processing IPSec SA payload

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IPSec SA Proposal # 14, Transform # 1 acceptable  Matches global IPSec SA entry # 20

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP =Y, IKE: requesting SPI!

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Overriding Initiator's IPSec rekeying duration from 2147483 to 7200 seconds

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Transmitting Proxy Id:

  Remote host: 10.0.1.7  Protocol 0  Port 0

  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y Sending RESPONDER LIFETIME notification to Initiator

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Security negotiation complete for User (slalanne)  Responder, Inbound SPI = 0x6044adb5, Outbound SPI = 0xcd82f95e

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P2 rekey timer: 6840 seconds.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Adding static route for client address: 10.0.1.7

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid=c4d80320)



PIX# Sep 17 14:59:40 [IKEv1]: Group = X, Username = X, IP = Y, Connection terminated for peer X.  Reason: Peer Terminate  Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0

Sep 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE Deleting SA: Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0


Sep 17 14:59:40 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping



Then the IPSec debugs are also normal.



Now this user logs out and another client connects normally. The old user tries to connect back in, and here is the difference in the debug:


Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y,QM FSM error (P2 struct &0x2a5fd68, mess id 0x16b59315)!
Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE QM Responder FSM error history (struct &0x2a5fd68)  <state>, <event>:
  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Removing peer from correlator table failed, no match!
Sep 17 14:25:22 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping




Here is the VPN config ... and I don't see what the issue is:


crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400


access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248



tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group X type ipsec-ra
tunnel-group X general-attributes
address-pool adresses
authentication-server-group (outside) LOCAL
default-group-policy X
tunnel-group X ipsec-attributes
pre-shared-key *
prompt hostname context



ip local pool adresses 10.0.1.6-10.0.1.40 mask 255.255.255.0
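One thing worth checking in a remote-access setup like this is whether every address in the client pool is actually covered by the ACL bound to the dynamic crypto map: the PIX builds the Phase 2 proxy ID from the address it assigned to the client, and if that host address is not inside the ACL's destination network, Quick Mode fails with exactly the "no matching crypto map entry for remote proxy" line seen above. In this thread's config, `10.0.1.0 255.255.255.248` covers only 10.0.1.0 through 10.0.1.7 while the pool runs 10.0.1.6 through 10.0.1.40, which is consistent with the first client (assigned 10.0.1.7) connecting and the next one (10.0.1.8) being rejected. The script below is an added example written for this page, not Cisco's code or anything posted in the thread; it takes the relevant config and debug lines as constructed sample input and reports which pool addresses fall outside the crypto ACL, and whether the rejected proxy is one of them.

```python
import ipaddress
import re

# Constructed sample input: the config lines from the thread that matter for
# this check, reduced to a string so the script runs offline.
CONFIG = """
ip local pool adresses 10.0.1.6-10.0.1.40 mask 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

# Constructed sample input: one working and one failing line from the debug above.
DEBUG = """
Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)", re.M)
MATCH_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)", re.M)
REJECT_RE = re.compile(r"no matching crypto map entry for remote proxy (\d+\.\d+\.\d+\.\d+)/")


def pool_addresses(config):
    """Expand each 'ip local pool' range into the list of host addresses it hands out."""
    pools = {}
    for name, first, last in POOL_RE.findall(config):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        pools[name] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
    return pools


def crypto_acl_networks(config):
    """Map each ACL name to the destination networks its 'permit ip any' lines allow."""
    acls = {}
    for name, net, mask in ACL_RE.findall(config):
        acls.setdefault(name, []).append(ipaddress.IPv4Network(f"{net}/{mask}"))
    return acls


def uncovered_pool_addresses(config):
    """Return pool addresses that no ACL bound to a dynamic crypto map covers.

    A client assigned one of these addresses presents a remote proxy that the
    dynamic map cannot match, so its Phase 2 negotiation is rejected.
    """
    pools = pool_addresses(config)
    acls = crypto_acl_networks(config)
    bound_nets = []
    for _map_name, _seq, acl in MATCH_RE.findall(config):
        bound_nets.extend(acls.get(acl, []))
    if not bound_nets:
        return []  # no 'match address' on the dynamic map: any pool address is accepted
    return [str(addr) for addrs in pools.values() for addr in addrs
            if not any(addr in net for net in bound_nets)]


def rejected_proxies(debug):
    """Pull the remote proxy address out of each rejection line in an IKE debug."""
    return REJECT_RE.findall(debug)


if __name__ == "__main__":
    bad = uncovered_pool_addresses(CONFIG)
    print(f"{len(bad)} pool addresses fall outside the crypto ACL, e.g. {bad[:3]}")
    for proxy in rejected_proxies(DEBUG):
        where = "outside" if proxy in bad else "inside"
        print(f"rejected remote proxy {proxy} is {where} the crypto ACL")
```

Run against the thread's config it lists 33 uncovered addresses, 10.0.1.8 through 10.0.1.40, and flags the rejected proxy 10.0.1.8 as one of them; with the `match address` line removed from the dynamic map, as the accepted answer suggests, the uncovered list is empty. The same check also passes if the ACL is widened to a network that contains the whole pool, which is the alternative fix when a crypto ACL is genuinely wanted on the dynamic map.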

Correct Answer
Jitendriya Athavale Mon, 09/20/2010 - 02:25
  • Cisco Employee

please remove the crypto acl from the dynamic crypto map, it causes weird behaviour


try using split acl instead of acl in dynamic crypto map and let me know how it goes

Nicolas MICHEL Mon, 09/20/2010 - 06:56
Thanks for the help, but after I looked for some configuration examples on cisco.com I tried to configure split tunneling, but couldn't really understand it.


Can you please help ?



I'd like to thank you for the previous post.




Nicolas

Nicolas MICHEL Tue, 09/21/2010 - 02:03
Hey there!


Now here is what it looks like!



access-list Split_Tunnel_List; 1 elements
access-list Split_Tunnel_List line 1 remark LAN behind ASA
access-list Split_Tunnel_List line 2 standard permit 10.0.0.0 255.255.255.0 (hitcnt=0) 0xc1e1c483




service-policy global_policy global
group-policy X internal
group-policy X attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value oenodev.com


crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400




Should I remove the crypto map now as you asked?


I tried to connect a second user, but still the same log message.

Jitendriya Athavale Tue, 09/21/2010 - 08:38
  • Cisco Employee

Yes, please remove this:


crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20


and


crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200


Though the second one is not required to be removed, I would like to try with the default value once.

Nicolas MICHEL Tue, 09/21/2010 - 23:57
Thanks a lot,


The solution seems to work. I still need some feedback from the client.



Many many many thanks for the help provided.



I'll definitely read more books on security.
