01-07-2003 10:43 AM - edited 02-21-2020 12:16 PM
I have a remote-access VPN user who is getting kicked off the VPN. The user has the Cisco VPN Client software (Unity Client) installed. On the Concentrator the following errors are produced during IKE phase 2 SA negotiation, yet the connection is still allowed: "QM FSM error" and "Received encrypted Oakley Quick Mode packet with invalid payloads". Here is phase 2.
172.16.1.123 Global (pseudo) IP address of remote dialup user
10.1.1.0 IP (pseudo) of internal subnet at main office
10.1.1.123 IP that Concentrator gives client (internal pool)
754 01/07/2003 11:44:09.140 SEV=5 IKE/25 RPT=255 172.16.1.123 (I-Net IP)
Group [Group1] User [user1]
Received remote Proxy Host data in ID Payload:
Address 10.1.1.123, Protocol 0, Port 0
757 01/07/2003 11:44:09.140 SEV=5 IKE/34 RPT=137 172.16.1.123
Group [Group1] User [user1]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
760 01/07/2003 11:44:09.140 SEV=5 IKE/66 RPT=255 172.16.1.123
Group [Group1] User [user1]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
762 01/07/2003 11:44:09.140 SEV=5 IKE/75 RPT=255 172.16.1.123
Group [Group1] User [user1]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
764 01/07/2003 11:44:09.880 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1c333e4, mess id 0x3bc007d4)!
765 01/07/2003 11:44:09.890 SEV=4 IKEDBG/0 RPT=6
QM FSM history (P2 struct &0x1c333e4):
[13, 52], [8, 5], [8, 65535], [4, 4]
766 01/07/2003 11:44:09.890 SEV=4 IKE/100 RPT=2 172.16.1.123
Group [Group1] User [user1]
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x3bc007d4)
771 01/07/2003 11:44:12.870 SEV=5 IKE/25 RPT=256 172.16.1.123
Address 135.102.1.176, Protocol 0, Port 0
Group [Group1] User [user1]
Received local IP Proxy Subnet data in ID Payload:
775 01/07/2003 11:44:12.870 SEV=5 IKE/66 RPT=256 172.16.1.123
Group [Group1] User [user1]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
777 01/07/2003 11:44:12.870 SEV=5 IKE/75 RPT=256 172.16.1.123
Group [Group1] User [user1]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
779 01/07/2003 11:44:15.700 SEV=4 IKE/49 RPT=335 172.16.1.123
Group [Group1] User [user1]
Security negotiation complete for User (user1)
Responder, Inbound SPI = 0x245c3c2a, Outbound SPI = 0xe85ed5b0
782 01/07/2003 11:44:15.700 SEV=4 IKE/120 RPT=335 172.16.1.123
Group [Group1] User [user1]
PHASE 2 COMPLETED (msgid=693c1037)
Another user on the same Internet DHCP subnet (same ISP) had a packet authentication failure earlier as well (dumped the hash in the event log). I am wondering if this is due to a crappy ISP connection.
01-07-2003 01:01 PM
There are a couple of reasons why you would see these messages:
1) mismatched keys or certs used
2) A truncated pkt,
3) A non-conformant implementation,
4) A denial of service attack
If this is a persistent encryption problem with a known remote peer, then the preshared key or Digital Certificate being used should be checked. If the keys appear to be OK or not applicable, this may indicate a non-conformant IPSec implementation at the remote side. If the peer is not known, this may indicate an attack and an appropriate filter should be installed (IKE data sourced from offending IP address). If the event is seen on an occasional basis, it may indicate a damaged packet. In this case, the Concentrator should ignore the packet and recover the tunnel.
Hope that helps
Jazib
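The triage order in the reply above (unknown peer, persistent failures with a known peer, occasional failures) can be applied mechanically to a Concentrator event log. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses event headers of the shape shown in the original post, joins the IKEDBG "QM FSM error" events (which carry no peer address) to the IKE/100 "invalid payloads" events (which do) through the shared Quick Mode message id, counts failures per peer, and checks whether the peer still reached PHASE 2 COMPLETED afterwards, as user1 did. The sample log, the second user and its address, the 203.0.113.7 peer, the known-peer list and the threshold of three failures are all constructed for the example.

```python
import re
from collections import defaultdict

# Event header as printed by the VPN 3000 Concentrator, e.g.
# "766 01/07/2003 11:44:09.890 SEV=4 IKE/100 RPT=2 172.16.1.123"
# IKEDBG events have the same shape but no trailing peer address.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d) (?P<cls>[A-Z]+)/(?P<evid>\d+) RPT=\d+"
    r"(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
)
# Quick Mode message id as it appears in the three event texts from the thread:
# "mess id 0x...", "MsgId (0x...)" and "msgid=..."
MSGID_RE = re.compile(r"(?:mess id |MsgId \(|msgid=)(?:0x)?([0-9a-f]+)", re.I)

# Constructed sample log modelled on the thread; user2, 172.16.1.124 and
# 203.0.113.7 are made up for the example.
SAMPLE_LOG = """\
764 01/07/2003 11:44:09.880 SEV=4 IKEDBG/0 RPT=5
QM FSM error (P2 struct &0x1c333e4, mess id 0x3bc007d4)!
766 01/07/2003 11:44:09.890 SEV=4 IKE/100 RPT=2 172.16.1.123
Group [Group1] User [user1]
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x3bc007d4)
782 01/07/2003 11:44:15.700 SEV=4 IKE/120 RPT=335 172.16.1.123
Group [Group1] User [user1]
PHASE 2 COMPLETED (msgid=693c1037)
801 01/07/2003 11:52:01.100 SEV=4 IKE/100 RPT=3 172.16.1.124
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x0000a001)
805 01/07/2003 11:52:31.100 SEV=4 IKE/100 RPT=4 172.16.1.124
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x0000a002)
809 01/07/2003 11:53:01.100 SEV=4 IKE/100 RPT=5 172.16.1.124
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x0000a003)
820 01/07/2003 12:03:44.000 SEV=4 IKE/100 RPT=6 203.0.113.7
Received encrypted Oakley Quick Mode packet with invalid payloads,
MsgId (0x5eed0001)
"""
# Assumed list of peers the administrator knows (constructed).
KNOWN_PEERS = {"172.16.1.123", "172.16.1.124"}


def parse_events(text):
    """Split event-log text into records: header fields, body lines, message id."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.rstrip())
        if m:
            ev = m.groupdict()
            ev["body"] = []
            events.append(ev)
        elif events and line.strip():
            events[-1]["body"].append(line.strip())
    for ev in events:
        ev["text"] = " ".join(ev["body"])
        mm = MSGID_RE.search(ev["text"])
        ev["msgid"] = mm.group(1).lower() if mm else None
    return events


def quick_mode_failures(events):
    """Map peer IP -> list of failed Quick Mode exchanges.

    IKE/100 events carry the peer address; IKEDBG 'QM FSM error' events do not,
    so each failure is tagged with whether a matching FSM error was logged.
    """
    fsm_error_ids = {ev["msgid"] for ev in events
                     if ev["cls"] == "IKEDBG" and "QM FSM error" in ev["text"]}
    failures = defaultdict(list)
    for ev in events:
        if ev["cls"] == "IKE" and ev["evid"] == "100" and ev["ip"]:
            failures[ev["ip"]].append(
                {"msgid": ev["msgid"], "fsm_error": ev["msgid"] in fsm_error_ids})
    return dict(failures)


def recovered(events, ip):
    """True if the peer logged PHASE 2 COMPLETED after its last invalid-payload event."""
    last_fail = last_done = None
    for i, ev in enumerate(events):
        if ev["ip"] != ip:
            continue
        if ev["cls"] == "IKE" and ev["evid"] == "100":
            last_fail = i
        if ev["cls"] == "IKE" and ev["evid"] == "120" and "PHASE 2 COMPLETED" in ev["text"]:
            last_done = i
    return last_fail is not None and last_done is not None and last_done > last_fail


def classify(failures, known_peers, persistent_threshold=3):
    """Apply the reply's triage order: unknown peer, persistent known peer, occasional."""
    verdicts = {}
    for ip, fails in failures.items():
        if ip not in known_peers:
            verdicts[ip] = "unknown_peer"
        elif len(fails) >= persistent_threshold:
            verdicts[ip] = "persistent_known_peer"
        else:
            verdicts[ip] = "occasional_known_peer"
    return verdicts


ADVICE = {
    "unknown_peer": "possible attack; filter IKE sourced from this address",
    "persistent_known_peer": "check pre-shared key / certificate, then the peer's IPSec implementation",
    "occasional_known_peer": "likely a damaged packet; the Concentrator should drop it and recover",
}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    fails = quick_mode_failures(evs)
    for ip, verdict in classify(fails, KNOWN_PEERS).items():
        print(f"{ip}: {len(fails[ip])} failure(s), recovered={recovered(evs, ip)} -> "
              f"{verdict}: {ADVICE[verdict]}")
```

The persistent threshold is a judgement call rather than anything the Concentrator defines; the point of the script is that the same event text leads to three different actions depending on who the peer is and how often it happens, which is exactly the distinction the reply draws.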
01-07-2003 02:21 PM
The pre-shared keys match.
Non-conformant IPSec implementation at remote side: the link is Cisco VPN Client to 3005 Concentrator.
The remote peer is known.
There have been more than a few damaged packets from dialup users (all on the same ISP) today alone. Workload is very heavy and the application is a poorly written database program running on Windows Terminal Services (the server is running very badly: high CPU and memory use due to allocation in the program code).
One thing of note, under Monitoring | System Status: the Outside interface of the Concentrator has received
Rx Broadcast - 80823
Tx Broadcast - 72
Both received and transmitted unicast are in the 90000 range.