Cisco Support Community
Community Member

Unable to use VPN client to IOS router from behind PIX

Hello, I'm having problems connecting with Cisco VPN client to a Cisco IOS router. There is a PIX between the client and the router, with protocols enabled, NAT-T, sysopt conn permit-ipsec ..., but I still can't connect...

On the router I get (when using cert authentication):

366071: *May 26 11:30:54.076 PCTime: ISAKMP:(0:498:SW:1): failed to find usage restriction in ext.

On the client I get:

574 11:34:36.739 05/26/06 Sev=Info/4 CERT/0x63600015

Cert (1.2.840.113549.1.9.2=#1613323835312e73796e657267792d66732e636f6d) verification succeeded.

575 11:34:36.739 05/26/06 Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

576 11:34:36.739 05/26/06 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

577 11:34:36.739 05/26/06 Sev=Info/5 IKE/0x63000072

Automatic NAT Detection Status:

Remote end is NOT behind a NAT device

This end IS behind a NAT device

578 11:34:36.739 05/26/06 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

579 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.xx.xx.xx

580 11:34:36.769 05/26/06 Sev=Info/4 IKE/0x63000014


581 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds

582 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000047

This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

583 11:34:47.034 05/26/06 Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

** followed by numerous keepalives, and then an IKE SA deletion:

612 11:39:36.951 05/26/06 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=97E05EB0AED2C3A3 R_Cookie=8E7AA274E4EDFB3C) reason = DEL_REASON_CANNOT_AUTH

If I used pre-shared key, I get the following on the router:

366272: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0):no offers accepted!

366273: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local xx.xx.xx.xx remote xx.xx.xx.xx)

and on the client:

632 11:44:54.708 05/26/06 Sev=Warning/2 IKE/0xE3000099

Invalid SPI size (PayloadNotify:116)

633 11:44:54.718 05/26/06 Sev=Info/4 IKE/0xE30000A4

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

634 11:44:54.718 05/26/06 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

635 11:44:59.915 05/26/06 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

The config on the IOS router has been tested with the VPN client, and it works. I just have a problem when I put a PIX inbetween...

I've attached the PIX config, and afaik, it's got all that's required... any ideas?

Many thanks,


Community Member

Re: Unable to use VPN client to IOS router from behind PIX

Found the error!!

I had a crypto map setup for the same address that the VPN client was using, so when I was trying to connect with the client, the router was checking the crypto map and pre-shared key instead VPN client config... hope this may help someone in the future..

CreatePlease to create content