Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client 3.6.1 OK, but 3.6.3 gives 'CM_IKE_ESTABLISH_FAIL'

I've been using client 3.6.1 against a Pix 520 for quite some time now. Today I tried 3.6.3B and I keep getting the error above. I can successfully connect on another computer behind the same router, on the same LAN w/ 3.6.1. If I un-install 3.6.3B and re-install 3.6.1, it works fine. We're using 'Group Access' instead of certs to connect if that makes a difference.

I'm using DSL at home w/ a Linksys router. I don't think it's router config though since it works on the older client.

Here's the one line I get from the client log...

1 19:48:21.740 02/18/03 Sev=Warning/3 DIALER/0xE3300008

GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

Any ideas?



New Member

Re: VPN Client 3.6.1 OK, but 3.6.3 gives 'CM_IKE_ESTABLISH_FAIL'

Greg - I've been seeing something very similar with client 3.6.3. Some 5% of new users just cannot connect on their first login, and the exact message you showed is also displayed in the client logs.

Mostly the systems are fine, but I'm also getting intermittent connection success across about 100 users. Most login OK, but then everyone fails to connect about every four or five days, and the 3005 has to be rebooted to get it to work. Other times, just a few users can't connect.

My environment is a 3005 with 3.6.6 and 32 MB RAM; all users authenticate with a RSA token, and all belong to a group that is authenticated via a RSA server, and that is the only group on the box. There are no users on the 3005. I'm getting ready today to fireup our sniffer on the WAN segment, to see if the client is sending anything at all. That's my big concern - that nothing is happening from the client end.

I'll repost later with results. In the meantime, if you find something useful, msg me at Remove the KNOTs to send.

New Member

Re: VPN Client 3.6.1 OK, but 3.6.3 gives 'CM_IKE_ESTABLISH_FAIL'

Turns out this was due to the client no longer supporting DES-SHA, which the PIX was configured for. Once I changed the PIX to DES-MD5, it worked fine.

CreatePlease login to create content