Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn client 4.0 termination on pix 515

I am trying to connect cisco vpn client 4.0 to a pix 515 ver 6.1 and receive following errors which I assume are Hash algorithm related but am not sure. Only DES is enabled not 3DES. Posted config in Cisco output interpreter but apparently no config errors.

vpn client log:

Cisco Systems VPN Client Version 4.0 (Rel)

Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.0.2195

1 10:58:34.890 09/25/03 Sev=Info/4 CM/0x63100002

Begin connection process

2 10:58:34.906 09/25/03 Sev=Info/4 CVPND/0xE3400001

Microsoft IPSec Policy Agent service stopped successfully

3 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100004

Establish secure connection using Ethernet

4 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100024

Attempt connection with server "x.x.x.226"

5 10:58:35.953 09/25/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with x.x.x.226.

6 10:58:36.000 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.226

7 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

11 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

13 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226

15 10:58:56.093 09/25/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 10:58:56.593 09/25/03 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "x.x.x.226" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 10:58:56.593 09/25/03 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

20 10:58:56.625 09/25/03 Sev=Critical/1 CVPND/0xE3400001

Microsoft IPSec Policy Agent service started successfully

21 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Pix log:

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Added new peer: ip:x.x.x.194 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:1 Total VPN Pee

rs:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee

rs:1

crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee

rs:1

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src x.x.x.194, dst x.x.x.226

ISADB: reaper checking SA 0x80db91c8, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:0 Total VPN Pee

rs:1

VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.194 Total VPN peers:0

ISAKMP: Deleting peer node for x.x.x.194

Thanks for any help

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: vpn client 4.0 termination on pix 515

Hi,

The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals to be configured on the PIX (VPN server)

Arthur

1 REPLY
New Member

Re: vpn client 4.0 termination on pix 515

Hi,

The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757

This link will show you IKE proposals to be configured on the PIX (VPN server)

Arthur

104
Views
0
Helpful
1
Replies
CreatePlease login to create content