03-11-2011 01:31 AM
Hello,
Any idea why in some places I cannot switch on my VPN?
The strange thing is that when I use the VPN server of my office, this works OK, and it is the same VPN client.
So this means that I do something wrong in my private CISCO 1841 ROUTER.
Below is what does not work, and at the bottom the same computer, same network, but another VPN server:
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
36 10:13:40.625 03/11/11 Sev=Info/4 CM/0x63100002
Begin connection process
37 10:13:40.640 03/11/11 Sev=Info/4 CM/0x63100004
Establish secure connection
38 10:13:40.640 03/11/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "mlgw.dyndns.info"
39 10:13:40.718 03/11/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 81.83.201.32.
40 10:13:40.734 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.83.201.32
41 10:13:40.984 03/11/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
42 10:13:40.984 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
44 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
45 10:13:50.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
46 10:13:50.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
47 10:13:55.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
48 10:13:55.984 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 81.83.201.32
49 10:14:00.984 03/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
50 10:14:01.484 03/11/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0EACC63815AC9551 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
51 10:14:01.484 03/11/11 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "mlgw.dyndns.info" because of "DEL_REASON_PEER_NOT_RESPONDING"
52 10:14:01.484 03/11/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
53 10:14:01.484 03/11/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
54 10:14:01.484 03/11/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
55 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
56 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
57 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
58 10:14:01.500 03/11/11 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
THIS WORKS OK:
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
59 10:25:37.953 03/11/11 Sev=Info/4 CM/0x63100002
Begin connection process
60 10:25:38.203 03/11/11 Sev=Info/4 CM/0x63100004
Establish secure connection
61 10:25:38.203 03/11/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "193.89.221.13"
62 10:25:38.265 03/11/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 193.89.221.13.
63 10:25:38.359 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 193.89.221.13
64 10:25:38.437 03/11/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
65 10:25:38.437 03/11/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 x0:25:38.437 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13
67 10:25:38.437 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 193.89.221.13
68 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
69 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
70 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
71 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
72 10:25:38.437 03/11/11 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
73 10:25:38.703 03/11/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 87h.
74 10:25:38.468 03/11/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
75 10:25:38.468 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1x3.89.221.13
76 10:25:38.500 03/11/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
77 10:25:38.500 03/11/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0584, Remote Port = 0x1194
78 10:25:38.500 03/11/11 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
79 10:25:38.500 03/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
80 10:25:38.515 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1x3.89.221.13
81 10:25:38.531 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13
82 10:25:38.531 03/11/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
83 10:25:47.078 03/11/11 Sev=Info/4 CM/0x63100017
xAuth application returned
84 10:25:47.078 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1x3.89.221.13
85 10:25:47.140 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13
86 10:25:47.140 03/11/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 193.89.221.13
87 10:25:47.140 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13
88 10:25:47.140 03/11/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
89 10:25:47.453 03/11/11 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
90 10:25:47.468 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 193.89.221.13
91 10:25:47.937 03/11/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 193.89.221.13
92 10:25:47.937 03/11/11 Sev=Info/4 IKE/0x63000014
This SA has already been alive for 10 seconds, setting expiry to 86390 seconds from now
Thank you in advance for your help,
Best Regards,
Didier
03-11-2011 09:19 AM
From the client log, you can see "Retransmitting last packet!" and "DEL_REASON_PEER_NOT_RESPONDING".
So, you need to run a debug on your home router to see if it receives the IKE negotiation packet. If yes, why it did not reply to it.
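The symptom named in the reply above can be pulled out of a client log mechanically. The following is an added example, not part of the original thread: a small parser for the Cisco VPN Client log format quoted in the question that counts IKE packets in each direction and flags the case where the responder cookie stays all zeros. The function names, verdict strings, and the sample log (with documentation addresses) are constructed for illustration.

```python
import re

HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=\w+/\d+\s+(\w+)/(0x[0-9A-Fa-f]+)$")
PREFIXES = {"SENDING >>>": "sent", "RECEIVING <<<": "received",
            "Retransmitting last packet": "retransmits", "Established Phase 1 SA": "phase1"}

# Constructed sample in the client log format quoted above (documentation address).
SAMPLE_FAIL = """\
40 10:13:40.734 03/11/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID) to 192.0.2.1
43 10:13:45.984 03/11/11 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
49 10:14:00.984 03/11/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1111111111111111 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_events(text):
    """Pair each 'seq time date Sev=.. MODULE/0xCODE' header with its message lines."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m.group(1)), "module": m.group(2), "code": m.group(3), "msg": ""})
        elif events and line:
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def summarize(text):
    """Count IKE traffic per direction and classify the Phase 1 outcome."""
    s = dict.fromkeys(PREFIXES.values(), 0)
    s.update(responder_cookie_zero=False, reason=None)
    for ev in parse_events(text):
        msg = ev["msg"]
        for prefix, key in PREFIXES.items():
            s[key] += msg.startswith(prefix)
        c = re.search(r"R_Cookie=([0-9A-Fa-f]{16})", msg)
        r = re.search(r"reason = (\w+)", msg)
        if c and int(c.group(1), 16) == 0:
            s["responder_cookie_zero"] = True  # no reply from the peer was ever processed
        if r:
            s["reason"] = r.group(1)
    if s["phase1"]:
        s["verdict"] = "phase1-established"
    elif s["sent"] and not s["received"]:
        s["verdict"] = "peer-silent"  # nothing came back: look at the router side
    else:
        s["verdict"] = "reply-seen-phase1-incomplete"
    return s
```

A "peer-silent" verdict only says the client saw no answer; whether the router received the packets at all still has to be checked on the router, as the reply suggests.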
03-12-2011 01:19 AM
Hello,
Thank you for your prompt reply.
What kind of debug do you recommend I put ON to follow up on this?
I have put on this one:
ROUTER1841_1#debug vpn authorization event
Best Regards,
Didier
03-12-2011 08:28 PM
Please run the following two debugs.
debug crypto isa
debug crypto ipsec
03-13-2011 11:47 AM
Hello,
Thank you for your HELP.
I have another small question, not directly related to this, but to the monitoring part.
The problem I have is that I can see the LOG only when I am connected directly to my router via the CONSOLE RS232 connector.
How can I see this monitoring when I use TELNET or SSH?
A plan B can be to leave a computer connected directly to the ROUTER, while another computer tries to connect via VPN.
But I think there is a way to save or see the LOG while we are in TELNET or SSH mode, but I do not know how.
Any idea is welcome.
Best Regards,
Didier.
03-13-2011 06:16 PM
Try "terminal monitor".
Make sure the logging level for the monitor session is set to debugging -- "logging monitor debug".
You can also increase your logging buffer size with "logging buffered 2000000" - 2M,
and then check your buffer logging with "show log".
03-14-2011 07:55 AM
Hello,
Thank you for this useful information. I have just put it ON; now I just have to wait.
Best Regards,
Didier