VPN Client to Pix Always Disconnects

arthecker
Level 1

I am running a Pix 501 (version 6.3(1)) and using the VPN Client (versions 3.6.4(a) and 4.0.1(Rel)) for VPN access. The clients are able to connect to the Pix, go through authentication, the client claims that the secure tunnel has been established and then 5 seconds later the tunnel is disconnected. Always 5 seconds later. The client claims that it has lost contact with the security gateway (check your network connection). Both the outside port of the Pix and the PC running the client are on the same network so there should be no routing/DSL/modem issues. This has also been tried over a DSL connection with exactly the same result.

The Pix was initially configured using the VPN wizard in the PDM. Since then the configuration has been modified to match these two documents:

How to Configure the Cisco VPN Client to PIX with AES-Cisco VPN Client: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

And

Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec-IPSec: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

The main difference between these documents (and the wizard configuration) seems to be the selections for the ipsec transform set. All of these configurations produce the same result at both clients even when using the wizard configuration (the wizard's configuration fails to negotiate a transform during the ISAKMP phase). The Pix configuration is included with some addresses and identification changed or removed. Debug output from the Pix and logs from both versions of the VPN client available upon request.

I have seen problems similar to this posted several times but never a solution. Any suggestions or advice are appreciated. Thank you for reading.

The config:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name zzz.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
logging on
logging monitor debugging
logging buffered informational
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 10.1.3.143 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool 3xClients 192.168.2.1-192.168.2.127
pdm location 192.168.1.96 255.255.255.224 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.3.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup HF address-pool 3xClients
vpngroup HF dns-server 192.168.1.123
vpngroup HF default-domain horstfrisch.com
vpngroup HF idle-time 1800
vpngroup HF password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 138.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.127-192.168.1.254 inside
dhcpd dns 192.168.1.123
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain zzz.com
dhcpd auto_config outside
dhcpd enable inside
username xxx password xxxx privilege 3
username xxxx password xxxx privilege 3
… several removed …
username xxx password xxx privilege 3
terminal width 80
Cryptochecksum:xxxx
: end
[OK]

6 Replies

thomas.chen
Level 6

Well, you can try a couple of things: try to change the MTU size on the client, or change the client version to the latest one.

Also you can check the release notes or bug tool kit for any known errors.

Totally agree with the previous post. You may try to put in the commands

crypto map ablawvpn client configuration address initiate

crypto map ablawvpn client configuration address respond

Another thing you may try is to use a different PC.

Thanks for the suggestion. I won't be at the client site until Monday but will try it then.

I had seen the crypto map . . . address initiate command in examples that use old VPN clients (version 1.x) and not in ones that use newer versions (3.x or 4.x) so left it out.

From the client logs it appeared that the clients were receiving an address from the PIX during the ISAKMP phase but during the IPSEC negotiation there is a line that reads "Adapter address changed from . Current address: 127.0.0.1" which never really sounded logical to me. The clients then immediately begin deleting SAs so hopefully this is it.

I have tried both a 3.x and 4.x version of the client on two separate PCs with the same results, which makes me think it is a Pix issue rather than a client issue.

One last (probably dumb) question in case this doesn't fix it. How do you get software updates from Cisco?

Thanks again.

Nothing like this showed up in the bug lists or release notes either for the Pix or the VPN client.

Reducing the MTU didn't seem to help.

Thanks for the suggestions.

Have you rebooted the Pix since you entered all of your commands? Perhaps you entered them in an order the Pix doesn't like. The following might help:

no isakmp enable outside

isakmp enable outside

no crypto map ##### interface outside

crypto map ##### interface outside

should stop all ipsec mojo, and reinitialize your config, which looks good to me.

I have tried rebooting and this morning I have tried resetting the ipsec config as you suggested (and rebooting). There were no apparent changes. The tunnel is still disconnecting after approximately 5 seconds.

I also tried the client configuration address initiate/reply as suggested earlier. Also no change.

Any other suggestions are very welcome.
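The replies above boil down to a handful of static checks on the posted config: that the crypto map bound to the outside interface chains through a dynamic map to a transform-set that is actually defined (the original post's transform-set concern), that the `client configuration address respond` command suggested in the second reply is present, and that ISAKMP and `sysopt connection permit-ipsec` are in place. The script below is an added example, not Cisco code or anything posted in the thread, that runs those checks over a constructed excerpt of the config above; it also goes one step beyond the thread by verifying that the vpngroup's address pool falls inside the destination of the `nat 0` access-list, a standard requirement for the remote-access traffic not to be translated. Function names, the excerpt and the finding texts are the example's own. Such a checker only catches configuration inconsistencies; a tunnel that negotiates and then drops, as described in the post, still needs the PIX debug and client logs to explain.

```python
"""Static consistency checks over a PIX 6.3 running-config for the
remote-access IPsec pieces discussed in the thread.  Added example, not
Cisco code; the config text is a constructed excerpt of the posted one."""
import ipaddress
import re

# Constructed excerpt of the PIX 6.3(1) configuration posted above.
SAMPLE_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool 3xClients 192.168.2.1-192.168.2.127
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
vpngroup HF address-pool 3xClients
"""


def parse_lines(text):
    """Return the non-empty lines of a show-run dump, dropping ': Saved'-style markers."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def find(lines, pattern):
    """Match objects for every config line that starts with the regex."""
    rx = re.compile(pattern)
    return [m for ln in lines if (m := rx.match(ln))]


def check_crypto_chain(lines, interface="outside"):
    """Walk interface -> crypto map -> dynamic map -> transform-set and
    report anything referenced but never defined, plus the client-address
    and ISAKMP prerequisites the replies mention."""
    findings = []
    bound = find(lines, rf"crypto map (\S+) interface {re.escape(interface)}$")
    if not bound:
        return [f"no crypto map bound to interface {interface}"]
    cmap = bound[0].group(1)
    dyn_refs = find(lines, rf"crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic (\S+)$")
    if not dyn_refs:
        findings.append(f"crypto map {cmap} has no dynamic entry for remote clients")
    for ref in dyn_refs:
        dyn = ref.group(1)
        ts_refs = find(lines, rf"crypto dynamic-map {re.escape(dyn)} \d+ set transform-set (.+)$")
        if not ts_refs:
            findings.append(f"dynamic map {dyn} is referenced but never defined")
        for ts_line in ts_refs:
            for ts in ts_line.group(1).split():
                if not find(lines, rf"crypto ipsec transform-set {re.escape(ts)} "):
                    findings.append(f"transform-set {ts} used by {dyn} is not defined")
    if not find(lines, rf"crypto map {re.escape(cmap)} client configuration address respond$"):
        findings.append(f"crypto map {cmap} lacks 'client configuration address respond'")
    if not find(lines, rf"isakmp enable {re.escape(interface)}$"):
        findings.append(f"isakmp not enabled on {interface}")
    if not find(lines, r"sysopt connection permit-ipsec$"):
        findings.append("sysopt connection permit-ipsec missing")
    return findings


def check_pool_nat_exemption(lines, inside="inside"):
    """Every vpngroup address pool should sit inside the destination of the
    nat 0 access-list, otherwise traffic to the clients gets translated."""
    findings = []
    pools = {m.group(1): m.group(2) for m in find(lines, r"ip local pool (\S+) (\S+)$")}
    nat0 = find(lines, rf"nat \({re.escape(inside)}\) 0 access-list (\S+)$")
    if not nat0:
        return [f"no nat 0 access-list on the {inside} interface"]
    acl = nat0[0].group(1)
    exempt_nets = [
        ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        for m in find(lines, rf"access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)$")
    ]
    for m in find(lines, r"vpngroup (\S+) address-pool (\S+)$"):
        group, pool = m.group(1), m.group(2)
        if pool not in pools:
            findings.append(f"vpngroup {group} references undefined pool {pool}")
            continue
        first, last = (ipaddress.ip_address(a) for a in pools[pool].split("-"))
        if not any(first in net and last in net for net in exempt_nets):
            findings.append(f"pool {pool} ({pools[pool]}) is not exempted by {acl}")
    return findings


def audit(text):
    """All findings for one config dump; an empty list means every check passed."""
    lines = parse_lines(text)
    return check_crypto_chain(lines) + check_pool_nat_exemption(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run against the excerpt, the only finding is the missing `client configuration address respond` line, which is exactly the command the second reply proposed; adding that line to the excerpt clears the audit. Feeding it a full `show run` works the same way, since the checks only look at the lines they name.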