03-11-2011 01:31 AM
Hello,
Any idea why in some places I cannot switch on my VPN?
The strange thing is that when I use the VPN server of my office, this works OK, and it is the same VPN client.
So this means that I do something wrong in my private CISCO 1841 ROUTER.
Here below is what does not work, and at the bottom the same computer, same network, but another VPN server:
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
36 10:13:40.625 03/11/11 Sev=Info/4 CM/0x63100002
Begin connection process
37 10:13:40.640 03/11/11 Sev=Info/4 CM/0x63100004
Establish secure connection
38 10:13:40.640 03/11/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "mlgw.dyndns.info"
39 10:13:40.718 03/11/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 81.83.201.32.
40 10:13:40.734 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.83.201.32
41 10:13:40.984 03/11/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
42 10:13:40.984 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
44 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
45 10:13:50.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
46 10:13:50.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
47 10:13:55.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
48 10:13:55.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
49 10:14:00.984 03/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
50 10:14:01.484 03/11/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
51 10:14:01.484 03/11/11 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "mlgw.dyndns.info" because of "DEL_REASON_PEER_NOT_RESPONDING"
52 10:14:01.484 03/11/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
53 10:14:01.484 03/11/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
54 10:14:01.484 03/11/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
55 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
56 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
57 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
58 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
THIS WORKS OK:
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
59 10:25:37.953 03/11/11 Sev=Info/4 CM/0x63100002
Begin connection process
60 10:25:38.203 03/11/11 Sev=Info/4 CM/0x63100004
Establish secure connection
61 10:25:38.203 03/11/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "193.89.221.13"
62 10:25:38.265 03/11/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 193.89.221.13.
63 10:25:38.359 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 193.89.221.13
64 10:25:38.437 03/11/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
65 10:25:38.437 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 x0:25:38.437 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13
67 10:25:38.437 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 193.89.221.13
68 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
69 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
70 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
71 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
72 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
73 10:25:38.703 03/11/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 87h.
74 10:25:38.468 03/11/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
75 10:25:38.468 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1x3.89.221.13
76 10:25:38.500 03/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
77 10:25:38.500 03/11/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0584, Remote Port = 0x1194
78 10:25:38.500 03/11/11 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
79 10:25:38.500 03/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
80 10:25:38.515 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13
81 10:25:38.531 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13
82 10:25:38.531 03/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
83 10:25:47.078 03/11/11 Sev=Info/4 CM/0x63100017
xAuth application returned
84 10:25:47.078 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1x3.89.221.13
85 10:25:47.140 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13
86 10:25:47.140 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13
87 10:25:47.140 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13
88 10:25:47.140 03/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
89 10:25:47.453 03/11/11 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
90 10:25:47.468 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13
91 10:25:47.937 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13
92 10:25:47.937 03/11/11 Sev=Info/4 IKE/0x63000014
This SA has already been alive for 10 seconds, setting expiry to 86390 seconds from now
Thank you in advance for your help,
Best Regards,
Didier
03-11-2011 09:19 AM
From the client log, you can see "Retransmitting last packet!" and "DEL_REASON_PEER_NOT_RESPONDING".
So, you need to run a debug on your home router to see if it receives the IKE negotiation packet. If yes, why it did not reply to it.
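The reading of the client log given in this reply can be automated. The following is an added example, not part of the original thread and not a Cisco tool: it parses Cisco VPN Client log entries (layout assumed from the logs posted above) and reports whether any ISAKMP reply ever arrived. The function names and verdict strings are hypothetical.

```python
import re

# Header line of one log entry, e.g. "40 10:13:40.734 03/11/11 Sev=Info/4 IKE/0x63000013"
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
R_COOKIE = re.compile(r"R_Cookie=([0-9A-Fa-f]{16})")

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"seq": int(m.group(1)), "module": m.group(6), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def diagnose(text):
    """Summarise how far IKE Phase 1 got, judged from the client side only."""
    msgs = [e["msg"] for e in parse_entries(text) if e["module"] in ("IKE", "CM")]
    cookies = [c for m in msgs for c in R_COOKIE.findall(m)]
    result = {
        "retransmits": sum(m.startswith("Retransmitting last packet") for m in msgs),
        "received": sum(m.startswith("RECEIVING <<<") for m in msgs),
        "responder_cookie_zero": bool(cookies) and all(set(c) == {"0"} for c in cookies),
    }
    if any(m.startswith("Established Phase 1 SA") for m in msgs):
        result["verdict"] = "phase1_established"
    elif result["received"] == 0 and any("DEL_REASON_PEER_NOT_RESPONDING" in m for m in msgs):
        # No ISAKMP reply at all: the next place to look is the gateway's own debug output.
        result["verdict"] = "no_reply_from_gateway"
    else:
        result["verdict"] = "incomplete"
    return result

# Excerpts copied from the two client logs posted in this thread.
FAILING = """40 10:13:40.734 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.83.201.32
43 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
49 10:14:00.984 03/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
WORKING = """67 10:25:38.437 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 193.89.221.13
79 10:25:38.500 03/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""
print(diagnose(FAILING)["verdict"], diagnose(WORKING)["verdict"])
```

An all-zero responder cookie together with zero received packets means the client never got a single answer, which is why the router-side debug is the next step.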
03-12-2011 01:19 AM
Hello,
Thank you for your prompt reply.
What kind of debug do you recommend I can put ON, to follow up on this?
I have put on this one:
ROUTER1841_1#debug vpn authorization event
Best Regards,
Didier
03-12-2011 08:28 PM
Please run the following two debugs.
debug crypto isa
debug crypto ipsec
03-13-2011 11:47 AM
Hello,
Thank You for your HELP
I have another small question, not directly related to this, but to the monitor part.
The problem I have is that I can see the LOG when I am connected directly to my router via the CONSOLE RS232 connector.
How can I see this monitoring when I use TELNET or SSH?
A plan B can be to leave a computer connected directly to the ROUTER, while another computer tries to connect via VPN.
But I think there is a way to save or see the LOG while we are in TELNET or SSH mode, but I do not know how.
Any idea is welcome.
Best Regards,
Didier.
03-13-2011 06:16 PM
Try "terminal monitor".
Make sure the logging level for the monitor session is set to debugging -- "logging monitor debug".
You can also increase your logging buffer size, "logging buffered 2000000" - 2M,
and then check your buffer logging with "show log".
03-14-2011 07:55 AM
Hello,
Thank you for this useful information. I have just put it ON, now I just have to wait.
Best Regards,
Didier