IKE Negotiation failed when trying to VPN into PIX 535

gflorescu
Level 1

I'm trying to setup a VPN on my PIX 535. I created a local user and went thru the wizard to setup the VPN.

I setup a tunnel group name and a preshared key. When I look at the log on the VPN Client, it says:

Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"

9 Replies

ajagadee
Cisco Employee

Hi,

Can you post the debugs from the PIX and the logs from the client?

Also, check the group name and password and make sure that they match on the client and the PIX.

I hope it helps.

Regards,

Arul

Here's the client logs:

Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process

6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114

11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)

22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201)

25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"

28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Thanks for the logs.

From the logs:

20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

This basically means the group name/password is not matching. Can you retype the group name/password on the VPN server as well as the client and try to connect?

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

When you say group name/password, you're talking about the "tunnel group name" and the "pre-shared" key, right?

Yes.

Regards,

Arul

I figured out what was wrong. I didn't realize the tunnel group was case sensitive. I was using sss, instead of SSS.
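Added example (not from the thread or from Cisco): a small triage script for Cisco VPN Client logs of the format pasted above. It pairs each header line with its message line, flags the event codes the thread ties to a group name / pre-shared key mismatch, and pulls out the final DEL_REASON. The DIAGNOSIS table and the sample excerpt are constructed from this thread's own log; the code values are assumed to mean the same thing in other logs of this client version.

```python
import re
from typing import Dict, List, Optional, Tuple

# One Cisco VPN Client log entry is a header line such as
# "20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D"
# followed by the message text on the next non-blank line.
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)

# Event codes seen in the thread's log, mapped to the diagnosis given there
# (assumed table: these codes are taken from that log, not from Cisco docs).
DIAGNOSIS = {
    "0xE3000056": "received HASH payload cannot be verified: check group name / pre-shared key",
    "0xE300007D": "hash verification failed: group name or pre-shared key mismatch "
                  "(the tunnel group name is case sensitive)",
    "0xE3000099": "peer authentication failed",
}

def parse_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line that follows it; banner lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            entry = m.groupdict()
            entry["msg"] = lines[i + 1]
            entries.append(entry)
            i += 2
        else:
            i += 1
    return entries

def triage(text: str) -> Tuple[Optional[str], List[Tuple[str, str, str]]]:
    """Return (last DEL_REASON seen, [(seq, code, diagnosis), ...]) for a client log."""
    entries = parse_log(text)
    findings = [(e["seq"], e["code"], DIAGNOSIS[e["code"]]) for e in entries if e["code"] in DIAGNOSIS]
    reason = None
    for e in entries:
        m = re.search(r"reason = (\w+)", e["msg"])
        if m:
            reason = m.group(1)
    return reason, findings

# Constructed excerpt of the log posted in this thread (six entries plus the banner).
SAMPLE = """Cisco Systems VPN Client Version 4.0.4 (Rel)
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)
22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x
25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
"""

if __name__ == "__main__":
    reason, findings = triage(SAMPLE)
    print("IKE SA deleted, reason:", reason)
    for seq, code, why in findings:
        print(f"entry {seq} {code}: {why}")
```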

My next problem, now that I got it to work, is that I can VPN in but I can access every resource. I thought I had restricted it to only 1 host. Where can I check that?

On the client, check the secured routes to see if you see only one host. If not, your split tunnel is not working.

I had setup my ACLs incorrectly. Actually I was just using the inherited setting. I followed a Cisco document and unchecked "filter" then added my ACL and ACE entries. It's all working now.
