Cisco Support Community
New Member

Cisco SA520 / QuickVPN Access Issues

I have Windows 7 and I am trying to use QuickVPN 1.4.1.2 to access our Cisco VPN but am having no luck at all.  Another user in the office who uses WinXP has absolutely no problems, but another Windows 7 user and I are unable to get in.  The SA520 is running FW 1.1.65.  When I try to connect to the VPN, I get the "Remote computer not responding, do you want to wait" message when it tries to verify the network.  Here is my QuickVPN log:

2010/10/06 18:28:54 [STATUS]OS Version: Windows 7
2010/10/06 18:28:54 [STATUS]Windows Firewall Domain Profile Settings: ON
2010/10/06 18:28:54 [STATUS]Windows Firewall Private Profile Settings: ON
2010/10/06 18:28:54 [STATUS]Windows Firewall Private Profile Settings: ON
2010/10/06 18:28:55 [STATUS]One network interface detected with IP address 192.168.1.100
2010/10/06 18:28:55 [STATUS]Connecting...
2010/10/06 18:28:55 [DEBUG]Input VPN Server Address = 204.101.24.xx
2010/10/06 18:28:55 [STATUS]Connecting to remote gateway with IP address: 204.101.24.xx
2010/10/06 18:28:55 [WARNING]Server's certificate doesn't exist on your local computer.
2010/10/06 18:28:57 [STATUS]Remote gateway was reached by https ...
2010/10/06 18:28:57 [STATUS]Provisioning...
2010/10/06 18:29:07 [STATUS]Success to connect.
2010/10/06 18:29:07 [STATUS]Tunnel is configured. Ping test is about to start.
2010/10/06 18:29:07 [STATUS]Verifying Network...
2010/10/06 18:29:13 [WARNING]Failed to ping remote VPN Router!
2010/10/06 18:29:13 [WARNING]IPSEC service not running when connecting!
2010/10/06 18:29:16 [WARNING]Failed to ping remote VPN Router!
2010/10/06 18:29:19 [WARNING]Failed to ping remote VPN Router!
2010/10/06 18:29:22 [WARNING]Failed to ping remote VPN Router!
2010/10/06 18:29:25 [WARNING]Failed to ping remote VPN Router!
2010/10/06 18:29:37 [WARNING]Ping was blocked, which can be caused by an unexpected disconnect.
2010/10/06 18:29:39 [STATUS]Disconnecting...
2010/10/06 18:29:42 [STATUS]Success to disconnect.

And here is the IPSec VPN Log:

2010-10-06 18:28:55: INFO:  Adding IPSec configuration with identifier "tbuckland"
2010-10-06 18:28:55: INFO:  Adding IKE configuration with identifer "tbuckland"
2010-10-06 18:28:55: ERROR:  parse error is nothing, but yyerrorcount is 6.
2010-10-06 18:29:08: INFO:  Configuration found for 76.10.132.xxx[38809].
2010-10-06 18:29:08: INFO:  Received request for new phase 1 negotiation: 204.101.24.xxx[500]<=>76.10.132.xxx[38809]
2010-10-06 18:29:08: INFO:  Beginning Identity Protection mode.
2010-10-06 18:29:08: INFO:  Received Vendor ID: MS NT5 ISAKMPOAKLEY
2010-10-06 18:29:08: INFO:  Received Vendor ID: RFC 3947
2010-10-06 18:29:08: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2010-10-06 18:29:08: INFO:  Received unknown Vendor ID
2010-10-06 18:29:08: INFO:  Received unknown Vendor ID
2010-10-06 18:29:08: INFO:  Received unknown Vendor ID
2010-10-06 18:29:08: INFO:  Received unknown Vendor ID
2010-10-06 18:29:08: INFO:  For 76.10.132.191[38809], Selected NAT-T version: RFC 3947
2010-10-06 18:29:08: INFO:  NAT-D payload matches for 204.101.24.xxx[500]
2010-10-06 18:29:08: INFO:  NAT-D payload does not match for 76.10.132.xxx[38809]
2010-10-06 18:29:08: INFO:  NAT detected: PEER
2010-10-06 18:29:08: INFO:  Floating ports for NAT-T with peer 76.10.132.xxx[38810]
2010-10-06 18:29:09: INFO:  ISAKMP-SA established for 204.101.24.xxx[4500]-76.10.132.xxx[38810] with spi:e8178fbbc6b01638:ea9d75a00feaab78
2010-10-06 18:29:09: INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2010-10-06 18:29:09: INFO:  Responding to new phase 2 negotiation: 204.101.24.xxx[0]<=>76.10.132.xxx[0]
2010-10-06 18:29:09: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.100/32
2010-10-06 18:29:09: INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)
2010-10-06 18:29:09: INFO:  IPsec-SA established[UDP encap 38810->4500]: ESP/Tunnel 76.10.132.xxx->204.101.24.xxx with spi=52469435(0x3209ebb)
2010-10-06 18:29:09: INFO:  IPsec-SA established[UDP encap 4500->38810]: ESP/Tunnel 204.101.24.xxx->76.10.132.xxx with spi=4159859696(0xf7f26bf0)
2010-10-06 18:29:11: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.105/32
2010-10-06 18:29:11: ERROR:  policy found: id:9.
2010-10-06 18:29:11: ERROR:  no FQDN for this policy id 9
2010-10-06 18:29:11: ERROR:  no configuration found for policy id 9.
2010-10-06 18:29:11: ERROR:  Failed to begin ipsec sa negotiation with 99.249.150.xxx[0].
2010-10-06 18:29:37: INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
2010-10-06 18:29:37: INFO:  Purged IPsec-SA with proto_id=ESP and spi=4159859696(0xf7f26bf0).
2010-10-06 18:29:37: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=e8178fbbc6b01638:ea9d75a00feaab78.
2010-10-06 18:29:37: WARNING:  no phase2 found for "tbuckland"
2010-10-06 18:29:37: INFO:  IPSec configuration with identifer "tbuckland" deleted sucessfully
2010-10-06 18:29:37: WARNING:  no phase2 bounded.
2010-10-06 18:29:37: INFO:  Purged IPsec-SA with spi=52469435(0x3209ebb).
2010-10-06 18:29:37: INFO:  Purged ISAKMP-SA with spi=e8178fbbc6b01638:ea9d75a00feaab78.
2010-10-06 18:29:37: INFO:  an undead schedule has been deleted: 'purge_remote'.
2010-10-06 18:29:37: INFO:  IKE configuration with identifier "tbuckland" deleted sucessfully
2010-10-06 18:29:38: ERROR:  sainfo identifier not found ("tbuckland")
2010-10-06 18:29:38: ERROR:  Failed to Delete the IPSec configuration with identifier "tbuckland"

At 18:29:09, it says "Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.100/32" but then at 18:29:11 it says "Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.105/32" and then goes on to say "Failed to begin ipsec sa negotiation with 99.249.150.xxx", which is the IP address of the user who is able to connect successfully.  It almost seems like the SA520 is confusing me with the other user who is able to connect.  Am I reading this wrong?

5 REPLIES
New Member

Re: Cisco SA520 / QuickVPN Access Issues

I am also suffering from the same issue. I think the SA-540 supports only four Cisco QVPN clients. We have to apply for a licence from Cisco.

New Member

Re: Cisco SA520 / QuickVPN Access Issues

Check to make sure that IPSEC is started in your services on the PC.  To check this do the following:

Right-click the Computer icon

Select Manage

Select Services and Apps

Select Services

Sort by name

Look for and right-click on IKE and Auth IPSEC keying Modules (should not be disabled; if so, do the following): Select Properties

Make startup type be Automatic.

Also, have you tried running QVPN in Compatibility Mode? Choose Vista Service Pack 2. Also Run as Administrator.

THANKS

New Member

Re: Cisco SA520 / QuickVPN Access Issues

The IPSec and IKE services are already both enabled.  I haven't tried running QVPN in compatibility mode, or as an administrator though.  I'll try that tonight.

New Member

Re: Cisco SA520 / QuickVPN Access Issues

I tried running QuickVPN in Compatibility Mode and as an Administrator but still had the same problem.  There is only one person out of about 5 who is able to connect with no issues.  This is very frustrating since everything appears to be configured correctly.

New Member

Re: Cisco SA520 / QuickVPN Access Issues

So I tried connecting from a different network which has a different LAN subnet than the one I use at home and it worked.  The IPsec SA configuration was established successfully and it didn't try to use a different IPsec SA configuration after it initiated the first one, which is what it does when I connect from home (see below):

2010-10-18 18:37:49: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.100/32 (***Correct IPsec SA config***)
2010-10-18 18:37:49: INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)
2010-10-18 18:37:50: INFO:  IPsec-SA established[UDP encap 51483->4500]: ESP/Tunnel 76.10.141.26->204.101.24.68 with spi=263051666(0xfadd992)
2010-10-18 18:37:50: INFO:  IPsec-SA established[UDP encap 4500->51483]: ESP/Tunnel 204.101.24.xxx->76.10.141.xxx with spi=3162217248(0xbc7b9b20)
2010-10-18 18:37:51: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.105/32 (***Wrong Ipsec SA config***)
2010-10-18 18:37:51: ERROR:  policy found: id:9.
2010-10-18 18:37:51: ERROR:  no FQDN for this policy id 9
2010-10-18 18:37:51: ERROR:  no configuration found for policy id 9.
2010-10-18 18:37:51: ERROR:  Failed to begin ipsec sa negotiation with 99.249.150.xxx[0]. (<--- Not my IP)

It seems that once the tunnel is created between my network and the router, it then tries to use a completely different IPsec SA configuration which fails, then it goes on to state that it failed to begin the IPsec SA negotiation with a completely different IP address from mine.  It seems the SA520 is confusing my IPsec session with a different user's who happens to be on the same LAN subnet as myself.  Does anyone have any idea what's going on here, or even better, how to fix it?  I think I'm going to change my default gateway at home tonight to see if that makes a difference.
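Added example (not part of the original thread and not Cisco code): a Python check that scans a gateway IPsec log in the format quoted above for the pattern described in the last post, where a second client selector from the same client LAN appears and the gateway then fails negotiating with a peer other than the session's initiator. The function name, the /24 client LAN width and the sample log (documentation-range public addresses) are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the SA520 IPsec VPN log quoted above.
# Public addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
2010-10-06 18:29:08: INFO:  Received request for new phase 1 negotiation: 203.0.113.1[500]<=>198.51.100.7[38809]
2010-10-06 18:29:09: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.100/32
2010-10-06 18:29:11: INFO:  Using IPsec SA configuration: 192.168.5.0/24<->192.168.1.105/32
2010-10-06 18:29:11: ERROR:  Failed to begin ipsec sa negotiation with 198.51.100.200[0].
"""

PHASE1 = re.compile(r"new phase 1 negotiation: \S+<=>([\w.]+)\[")
SELECTOR = re.compile(r"Using IPsec SA configuration: \S+<->(\S+)")
FAILED = re.compile(r"Failed to begin ipsec sa negotiation with ([\w.]+)\[")


def find_selector_conflicts(log_text, client_lan_prefix=24):
    """Flag sessions where a second client selector from the same client LAN appears
    and the gateway then fails negotiating with a peer that is not the initiator.
    client_lan_prefix is an assumption: the log only shows /32 host selectors."""
    findings = []
    peer = first = pending = None
    for line in log_text.splitlines():
        if m := PHASE1.search(line):
            peer, first, pending = m.group(1), None, None  # new session
        elif m := SELECTOR.search(line):
            host = ipaddress.ip_interface(m.group(1))
            if first is None:
                first = host
                continue
            lan = ipaddress.ip_network(f"{first.ip}/{client_lan_prefix}", strict=False)
            if host.ip != first.ip and host.ip in lan:
                pending = (host, lan)
        elif (m := FAILED.search(line)) and pending and m.group(1) != peer:
            host, lan = pending
            findings.append({
                "initiator": peer,
                "first_selector": str(first),
                "conflicting_selector": str(host),
                "negotiated_with": m.group(1),
                "shared_lan": str(lan),
            })
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_selector_conflicts(SAMPLE_LOG):
        print(finding)
```

A finding means two remote clients present host addresses from the same private LAN range, which is the condition the poster removed by connecting from a network with a different LAN subnet.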
