Problem with VPN client connecting the IPSec PIX.

Nicolas MICHEL
Level 1

PIX# Sep 17 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Sep 17 14:58:51 [IKEv1]: IP = Y, Connection landed on tunnel_group

Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, User (X) authenticated.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received unsupported transaction mode attribute: 5

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Client Type: WinNT  Client Application Version: 5.0.06.0160

Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P1 rekey timer: 6840 seconds.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received remote Proxy Host data in ID Payload:  Address 10.0.1.7, Protocol 0, Port 0

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, QM IsRekeyed old sa not found by addr

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE Remote Peer configured for crypto map: outside_dyn_map

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, processing IPSec SA payload

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IPSec SA Proposal # 14, Transform # 1 acceptable  Matches global IPSec SA entry # 20

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: requesting SPI!

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Overriding Initiator's IPSec rekeying duration from 2147483 to 7200 seconds

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Transmitting Proxy Id:

  Remote host: 10.0.1.7  Protocol 0  Port 0

  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y Sending RESPONDER LIFETIME notification to Initiator

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Security negotiation complete for User (slalanne)  Responder, Inbound SPI = 0x6044adb5, Outbound SPI = 0xcd82f95e

Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, Starting P2 rekey timer: 6840 seconds.

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Adding static route for client address: 10.0.1.7

Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid=c4d80320)

PIX# Sep 17 14:59:40 [IKEv1]: Group = X, Username = X, IP = Y, Connection terminated for peer X.  Reason: Peer Terminate  Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0

Sep 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE Deleting SA: Remote Proxy 10.0.1.7, Local Proxy 0.0.0.0

Sep 17 14:59:40 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping

Then the IPSec debugs are also normal.

Now this user logs out and another client connects normally. The old user tries to connect back in, and here are the differences in the debug:

Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, QM FSM error (P2 struct &0x2a5fd68, mess id 0x16b59315)!
Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE QM Responder FSM error history (struct &0x2a5fd68)  <state>, <event>:
  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Removing peer from correlator table failed, no match!
Sep 17 14:25:22 [IKEv1]: IP = Y, Received encrypted packet with no matching SA, dropping

Here is the VPN config... and I don't see what the issue is:

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248

tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
tunnel-group X type ipsec-ra
tunnel-group X general-attributes
address-pool adresses
authentication-server-group (outside) LOCAL
default-group-policy X
tunnel-group X ipsec-attributes
pre-shared-key *
prompt hostname context

ip local pool adresses 10.0.1.6-10.0.1.40 mask 255.255.255.0
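The debugs and the configuration above already contain the check a practitioner would want to run before touching anything: the crypto ACL bound to the dynamic map permits only 10.0.1.0 255.255.255.248 (10.0.1.0 through 10.0.1.7), while the address pool hands out 10.0.1.6 through 10.0.1.40. The peer that was assigned 10.0.1.7 negotiated Phase 2, and the one that was assigned 10.0.1.8 was rejected with "no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255". The Python script below is an added example, not part of the original thread or of any Cisco tool; it embeds the posted configuration and the three relevant debug lines as constructed samples, reports which pool addresses fall outside the dynamic map's crypto ACL, and models the accepted answer's fix by stripping the `match address` line, after which the dynamic map accepts whatever proxy identity the client proposes. The regular expressions assume the exact line formats shown on this page.

```python
"""Check a PIX/ASA remote-access IPsec config for a pool / crypto-ACL mismatch.

Added example: parses the config and IKEv1 debug lines posted in the thread
(embedded here as constructed samples) and explains the Phase 2 rejection.
"""
import ipaddress
import re

# Constructed from the configuration lines posted in the thread.
PIX_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248
ip local pool adresses 10.0.1.6-10.0.1.40 mask 255.255.255.0
"""

# Constructed sample of the debug lines that carry the client address (anonymised as on the page).
DEBUG_LINES = [
    "Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Assigned private IP address 10.0.1.7 to remote user",
    "Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, Received remote Proxy Host data in ID Payload:  Address 10.0.1.7, Protocol 0, Port 0",
    "Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.0.1.8/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
]

IPV4 = r"\d+(?:\.\d+){3}"
DYN_MAP_ACL_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)", re.M)
# Destination network/mask of an extended 'permit ip' entry; source may be 'any', 'host A' or 'A M'.
ACL_DST_RE = re.compile(rf"^access-list (\S+) extended permit ip (?:any|host \S+|\S+ \S+) ({IPV4}) ({IPV4})", re.M)
POOL_RE = re.compile(rf"^ip local pool (\S+) ({IPV4})-({IPV4})", re.M)
# The three places the client's tunnel address shows up in the IKEv1 debugs.
CLIENT_ADDR_RE = re.compile(
    rf"Assigned private IP address (?P<assigned>{IPV4}) to remote user"
    rf"|no matching crypto map entry for remote proxy (?P<rejected>{IPV4})/"
    rf"|Proxy Host data in ID Payload:\s+Address (?P<proxy>{IPV4})"
)


def parse_config(config):
    """Return (nets, pools): destination networks permitted by the crypto ACL bound to the
    dynamic map (None when the dynamic map carries no 'match address', meaning any proxy is
    accepted) and the (first, last) ranges of every 'ip local pool'."""
    acl_names = {m.group(3) for m in DYN_MAP_ACL_RE.finditer(config)}
    nets = None
    if acl_names:
        nets = [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                for m in ACL_DST_RE.finditer(config) if m.group(1) in acl_names]
    pools = [(ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in POOL_RE.finditer(config)]
    return nets, pools


def proxy_accepted(addr, nets):
    """A dynamic map without a crypto ACL accepts any remote proxy; with one, the proxy must match."""
    return nets is None or any(addr in n for n in nets)


def pool_addresses_outside_acl(config):
    """Pool addresses that would be rejected in Quick Mode as 'no matching crypto map entry'."""
    nets, pools = parse_config(config)
    outside = []
    for first, last in pools:
        addr = first
        while addr <= last:
            if not proxy_accepted(addr, nets):
                outside.append(str(addr))
            addr += 1
    return outside


def audit_debug(lines, config):
    """For each debug line naming a client address, return (address, accepted-by-crypto-ACL)."""
    nets, _ = parse_config(config)
    findings = []
    for line in lines:
        m = CLIENT_ADDR_RE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(m.lastgroup))
            findings.append((str(addr), proxy_accepted(addr, nets)))
    return findings


def strip_dynamic_map_acl(config):
    """Apply the accepted answer: remove 'match address' from the dynamic crypto map."""
    return "".join(l for l in config.splitlines(keepends=True) if not DYN_MAP_ACL_RE.match(l))


if __name__ == "__main__":
    bad = pool_addresses_outside_acl(PIX_CONFIG)
    print(f"{len(bad)} pool addresses outside the crypto ACL: {bad[0]} .. {bad[-1]}")
    for addr, ok in audit_debug(DEBUG_LINES, PIX_CONFIG):
        print(f"client {addr}: {'accepted' if ok else 'REJECTED'} by dynamic-map crypto ACL")
    print("after removing match address:", pool_addresses_outside_acl(strip_dynamic_map_acl(PIX_CONFIG)))
```

Keep the address pool, the split-tunnel ACL and any crypto ACL you leave in place consistent with each other; the same lint applied to the final configuration further down the thread would report nothing, because the dynamic map no longer carries an ACL and the proxy identity the client proposes (its pool address, host mask) is accepted as-is.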


6 Replies

Jitendriya Athavale
Cisco Employee (Accepted Solution)

Please remove the crypto ACL from the dynamic crypto map; it causes weird behaviour.

Try using a split ACL instead of an ACL in the dynamic crypto map and let me know how it goes.

Thanks for the help, but after looking at some configuration examples on cisco.com I tried to configure split tunneling, but couldn't really understand it.

Can you please help?

I'd like to thank you for the previous post.

Nicolas

This link will help you:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2

Configure the ACL and call it in the group-policy attributes.

Hey there!

Now here is what it looks like:

access-list Split_Tunnel_List; 1 elements
access-list Split_Tunnel_List line 1 remark LAN behind ASA
access-list Split_Tunnel_List line 2 standard permit 10.0.0.0 255.255.255.0 (hitcnt=0) 0xc1e1c483

service-policy global_policy global
group-policy X internal
group-policy X attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value oenodev.com

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 7200
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

Should I remove the crypto map now as you asked?

I tried to connect a second user but still get the same log message.

Yes, please remove this:

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

and this:

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200

Though the second one is not required to be removed, I would like to try with the default value once.

Thanks a lot,

The solution seems to work. I still need some feedback from the client.

Many many many thanks for the help provided.

I'll definitely read more books on security.