Cisco Support Community
ccs
New Member

Vpn software client does not connect to concentrator anymore

Since we have configured a lan-to-lan connection, we cannot establish a connection with a software client anymore. Everything was working fine before. We tried different client software versions (3.6.3 and 4.0.3), we tried making the connection over ADSL and ISDN. Every time we get the same messages in the log of the concentrator:

14586 12/22/2003 11:40:57.070 SEV=12 IKEDECODE/0 RPT=1805

IKE Decode of received SA attributes follows:

0000: 80010007 80020001 80040002 80030001 ................

0010: 800B0001 000C0004 0020C49B 800E0080 ......... ......

14589 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2488

Proposal # 1, Transform # 12, Type ISAKMP, Id IKE

Parsing received transform:

Phase 1 failure against global IKE proposal # 1:

Rcv'd Key Length attr class, but class is not cfg'd

14593 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2489

Phase 1 failure against global IKE proposal # 2:

Rcv'd Key Length attr class, but class is not cfg'd

14595 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2490

Phase 1 failure against global IKE proposal # 3:

Rcv'd Key Length attr class, but class is not cfg'd

14597 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2491

Phase 1 failure against global IKE proposal # 4:

Rcv'd Key Length attr class, but class is not cfg'd

14599 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2492

Phase 1 failure against global IKE proposal # 5:

Rcv'd Key Length attr class, but class is not cfg'd

14601 12/22/2003 11:40:57.070 SEV=8 IKEDBG/0 RPT=2493

Phase 1 failure against global IKE proposal # 6:

Mismatched attr types for class Hash Alg:

Rcv'd: MD5

Cfg'd: SHA

The VPN client software replies with: remote peer no longer responding.

We messed around with the settings in the concentrator, but did not get the right settings to get this working again.

Does anyone have any idea what could be wrong?

3 REPLIES
Cisco Employee

Re: Vpn software client does not connect to concentrator anymore

Since this started after configuring a L2L tunnel, check that the client pool of IP addresses isn't included as part of the local or remote network list of the L2L tunnel configuration.

If everything looks OK, try removing the L2L tunnel config and see if the client connections start again; it may just be a coincidence that they stopped at the same time. Removing what you think is the offending config will give you a good idea of whether it's the cause of the problem or not.

ccs
New Member

Re: Vpn software client does not connect to concentrator anymore

It seems that this has to do with the user authentication: if I set the Authentication field in the Ipsec tab to None, the client authenticates (without the need to fill in a user/pwd); if I put it back to Internal, the client gets a "Remote peer no longer responding" message when trying to connect.

What could be wrong and why does Internal authentication go wrong even though there are users in that group?

ccs
New Member

Re: Vpn software client does not connect to concentrator anymore

The cause of this problem was that the certificate transmission was not correct in the SA. The right setting should be: Entire Certificate Chain. After changing this setting the "remote peer no longer responding" did not show up again.
