Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Pix-to-Pix(x3) with VPN Client - no client connectivity

With the below config, all of the S-t-S VPNs are operating normally. However, the incorporated Client is not permitting connections. I'm using 6.3.1 PIX IOS on the host firewall and VPN Client 4.0.3 for the remote access piece. I will paste the config from the host (edited for content), the debug output from "Debug crypto ipsec" whilst attempting to connect via the Client, and a description of the Client log during the same process.

Any assistance is appreciated in advance.

THE HOST PIX CONFIG

: Saved

: Written by enable_15 at 13:42:32.880 UTC Mon Nov 24 2003

PIX Version 6.3(1)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

interface gb-ethernet0 1000full

nameif ethernet0 outside security0

nameif ethernet1 dmz2 security40

nameif ethernet2 dmz3 security70

nameif ethernet3 dmz4 security80

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

nameif gb-ethernet0 inside security100

hostname PIX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.4.0 255.255.255.0

access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.5.0 255.255.255.0

access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.3.0 255.255.255.0

access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.3.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.4.0 255.255.255.0

access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.5.0 255.255.255.0

access-list 103 permit ip 192.168.169.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list 103 permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list 104 permit ip 192.168.169.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 104 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 104 permit ip 10.1.3.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.4.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.5.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.3.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.3.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.4.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.5.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 105 permit ip 10.1.3.0 255.255.255.0 10.4.1.0 255.255.255.0

access-list 105 permit ip 192.168.169.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 105 permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 105 permit ip 10.1.3.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 106 permit ip 192.168.169.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 106 permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 106 permit ip 10.1.3.0 255.255.255.0 10.5.1.0 255.255.255.0

pager lines 24

logging on

mtu outside 1500

mtu dmz2 1500

mtu dmz3 1500

mtu dmz4 1500

mtu intf4 1500

mtu intf5 1500

mtu inside 1500

ip address outside x.x.x.x 255.255.255.128

ip address dmz2 x.x.x.x 255.255.255.0

ip address dmz3 x.x.x.x 255.255.255.0

ip address dmz4 x.x.x.x 255.255.255.0

no ip address intf4

no ip address intf5

ip address inside x.x.x.x 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool r_vpnIT 10.5.1.1-10.5.1.30

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside x.x.x.x

failover ip address dmz2 x.x.x.x

failover ip address dmz3 x.x.x.x

failover ip address dmz4 x.x.x.x

no failover ip address intf4

no failover ip address intf5

failover ip address inside x.x.x.x

pdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128

global (outside) 1 x.x.x.x netmask 255.255.255.128

global (dmz2) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0

global (dmz3) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0

global (dmz4) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0

nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz3) 0 access-list 105

nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz4) 0 access-list 105

nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0

nat (inside) 0 access-list 105

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl_out in interface outside

access-group acl_dmz2 in interface dmz2

access-group acl_dmz3 in interface dmz3

access-group acl_dmz4 in interface dmz4

apply (dmz2) 1 outgoing_src

apply (dmz3) 1 outgoing_src

apply (dmz4) 1 outgoing_src

apply (inside) 1 outgoing_src

route outside 0.0.0.0 0.0.0.0 65.208.169.3 1

route inside 10.1.0.0 255.255.0.0 192.168.169.1 1

route inside 172.17.0.0 255.255.0.0 192.168.169.1 1

route inside 172.18.0.0 255.255.0.0 192.168.169.1 1

route inside 192.102.102.0 255.255.255.0 192.168.169.1 1

route inside 192.104.104.0 255.255.255.0 192.168.169.1 1

route inside 192.105.105.0 255.255.255.0 192.168.169.1 1

route inside 192.106.106.0 255.255.255.0 192.168.169.1 1

route inside 192.109.109.0 255.255.255.0 192.168.169.1 1

route inside 192.168.0.0 255.255.0.0 192.168.169.1 1

route inside 192.168.4.0 255.255.255.0 192.168.169.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server tacas+ protocol tacacs+

aaa-server tacacs+ protocol tacacs+

aaa-server tacacs+ (inside) host x.x.x.x AAA timeout 10

url-server (inside) vendor websense host x.x.x.x timeout 10 protocol TCP version 1

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate

sysopt connection permit-ipsec

crypto ipsec transform-set toPIX01 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set toPIXLTNV esp-aes-256 esp-md5-hmac

crypto ipsec transform-set toPIXHB esp-aes-256 esp-md5-hmac

crypto ipsec transform-set toPIXWLVIT esp-aes-256 esp-md5-hmac

crypto ipsec transform-set r_vpnIT esp-aes-256 esp-md5-hmac

crypto dynamic-map dynmap 50 set transform-set r_vpnIT

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address 102

crypto map newmap 20 set peer x.x.x.x

crypto map newmap 20 set transform-set toPIXLTNV

crypto map newmap 30 ipsec-isakmp

crypto map newmap 30 match address 103

crypto map newmap 30 set peer x.x.x.x

crypto map newmap 30 set transform-set toPIXHB

crypto map newmap 40 ipsec-isakmp

crypto map newmap 40 match address 104

crypto map newmap 40 set peer x.x.x.x

crypto map newmap 40 set transform-set toPIXWLVIT

crypto map newmap 50 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

isakmp enable outside

isakmp key "key" address x.x.x.x netmask 255.255.255.255

isakmp key "key" address x.x.x.x netmask 255.255.255.255

isakmp key "key" address x.x.x.x netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash md5

isakmp policy 10 group 5

isakmp policy 10 lifetime 1000

vpngroup r_vpnIT address-pool r_vpnIT

vpngroup r_vpnIT dns-server x.x.x.x

vpngroup r_vpnIT wins-server x.x.x.x

vpngroup r_vpnIT default-domain nationsholdinggroup.com

vpngroup r_vpnIT split-tunnel 106

vpngroup r_vpnIT idle-time 1800

vpngroup r_vpnIT password "passwd"

(rest to follow in second post.)

2 REPLIES
New Member

Re: Pix-to-Pix(x3) with VPN Client - no client connectivity

THE DEBUG OUTPUT

crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:1

crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:1

THE CLIENT LOG OUTPUT

113 12:02:47.164 08/01/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with X.X.X.X.

114 12:02:51.270 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X

115 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

116 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

117 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x6370000D

Key(s) deleted by Interface (X.X.X.X)

118 12:02:51.961 08/01/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

119 12:02:51.961 08/01/03 Sev=Warning/2 IKE/0xE3000099

Invalid SPI size (PayloadNotify:116)

120 12:02:51.961 08/01/03 Sev=Info/4 IKE/0xE30000A4

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)

121 12:02:51.961 08/01/03 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

122 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

123 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

124 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

125 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

126 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

127 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

128 12:03:11.389 08/01/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING

129 12:03:11.930 08/01/03 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING

130 12:03:11.950 08/01/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

131 12:03:11.960 08/01/03 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully

132 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

133 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

134 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

135 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

I've run the HOST PIX config through the Cisco Interpreter and it discovered no errors or misconfigurations of any sort.

New Member

Re: Pix-to-Pix(x3) with VPN Client - no client connectivity

no takers?

171
Views
0
Helpful
2
Replies