VPN does NOT work in SOME Hotel NetWorks ?!?

Unanswered Question
Mar 11th, 2011

Hello,

Any idea why in some places I can not switch on my VPN ?

The strange thing is when I use the VPN server of my office , this work OK and it is the same VPN client.

So this means that I do something wrong in my private CISCO 1841 ROUTER.

Here bellow what does not work and at the bottom the same computer same network , but other VPN server :

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

36     10:13:40.625  03/11/11  Sev=Info/4 CM/0x63100002
Begin connection process

37     10:13:40.640  03/11/11  Sev=Info/4 CM/0x63100004
Establish secure connection

38     10:13:40.640  03/11/11  Sev=Info/4 CM/0x63100024
Attempt connection with server "mlgw.dyndns.info"

39     10:13:40.718  03/11/11  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 81.83.201.32.

40     10:13:40.734  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.83.201.32

41     10:13:40.984  03/11/11  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

42     10:13:40.984  03/11/11  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

43     10:13:45.984  03/11/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

44     10:13:45.984  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32

45     10:13:50.984  03/11/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

46     10:13:50.984  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32

47     10:13:55.984  03/11/11  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

48     10:13:55.984  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32

49     10:14:00.984  03/11/11  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

50     10:14:01.484  03/11/11  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

51     10:14:01.484  03/11/11  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "mlgw.dyndns.info" because of "DEL_REASON_PEER_NOT_RESPONDING"

52     10:14:01.484  03/11/11  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

53     10:14:01.484  03/11/11  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

54     10:14:01.484  03/11/11  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

55     10:14:01.500  03/11/11  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

56     10:14:01.500  03/11/11  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

57     10:14:01.500  03/11/11  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

58     10:14:01.500  03/11/11  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

THIS WORK OK :

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

59     10:25:37.953  03/11/11  Sev=Info/4 CM/0x63100002
Begin connection process

60     10:25:38.203  03/11/11  Sev=Info/4 CM/0x63100004
Establish secure connection

61     10:25:38.203  03/11/11  Sev=Info/4 CM/0x63100024
Attempt connection with server "193.89.221.13"

62     10:25:38.265  03/11/11  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 193.89.221.13.

63     10:25:38.359  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 193.89.221.13

64     10:25:38.437  03/11/11  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

65     10:25:38.437  03/11/11  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

66     x0:25:38.437  03/11/11  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13

67     10:25:38.437  03/11/11  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 193.89.221.13

68     10:25:38.437  03/11/11  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

69     10:25:38.437  03/11/11  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

70     10:25:38.437  03/11/11  Sev=Info/5 IKE/0x63000001
Peer supports DPD

71     10:25:38.437  03/11/11  Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

72     10:25:38.437  03/11/11  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

73     10:25:38.703  03/11/11  Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 87h.

74     10:25:38.468  03/11/11  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

75     10:25:38.468  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1x3.89.221.13

76     10:25:38.500  03/11/11  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

77     10:25:38.500  03/11/11  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0x0584, Remote Port = 0x1194

78     10:25:38.500  03/11/11  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

79     10:25:38.500  03/11/11  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

80     10:25:38.515  03/11/11  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13

81     10:25:38.531  03/11/11  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13

82     10:25:38.531  03/11/11  Sev=Info/4 CM/0x63100015
Launch xAuth application

83     10:25:47.078  03/11/11  Sev=Info/4 CM/0x63100017
xAuth application returned

84     10:25:47.078  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1x3.89.221.13

85     10:25:47.140  03/11/11  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13

86     10:25:47.140  03/11/11  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13

87     10:25:47.140  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13

88     10:25:47.140  03/11/11  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

89     10:25:47.453  03/11/11  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

90     10:25:47.468  03/11/11  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13

91     10:25:47.937  03/11/11  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13

92     10:25:47.937  03/11/11  Sev=Info/4 IKE/0x63000014

This SA has already been alive for 10 seconds, setting expiry to 86390 seconds from now

Thank you in advance for your help,

Best Regards,

Didier

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4 (3 ratings)
kwu2 Fri, 03/11/2011 - 09:19

From client log, you could see "Retransmitting last packet!" and "DEL_REASON_PEER_NOT_RESPONDING".

So, you need run a debug on your home router to see if it receives IKE negociation packet. If yes, why it did not reply it.

Didier1966 Sat, 03/12/2011 - 01:19

Hello,

Thank you for your prompt reply

What kind of debug do you recommend I can put ON , to follow up on this ?

I have put on this one :

ROUTER1841_1#debug vpn authorization event

Best Regards,

Didier

kwu2 Sat, 03/12/2011 - 20:28

Please run the following two debug.

debug crypto isa

debug crypto ipsec

Didier1966 Sun, 03/13/2011 - 11:47

Hello,

Thank You for your HELP

I have a other small question not directly related to this , but to the monitor part.

The problem I have , I can see the LOG when I am connected directly to my router via the CONSOL RS232 connector.

How can I see this monitoring when I use TELNET or SSH ?

A plan B can be to leave a computer connected directly to the ROUTER , while a other computer try to connect via VPN.

But I think their is a way to save or see the LOG while we are in TELNET or SSH mode , but I do not know how

Any idea is welcome

Best Regards,

Didier.

kwu2 Sun, 03/13/2011 - 18:16

try "terminal monitor"

make sure the logging level for monitor session is set to debugging -- "logging monitor debug"

You can also increase you logging biffer size "logging buffered 2000000" - 2M

and then check your buffer logging by 'show log"

Didier1966 Mon, 03/14/2011 - 07:55

Hello,

Thank you for this useful information , I have just put it ON , now I just have to wait.

Best Regards,

Didier

Actions

Login or Register to take actions

This Discussion

Posted March 11, 2011 at 1:31 AM
Stats:
Replies:6 Avg. Rating:4
Views:1179 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard