Cisco Support Community

Cisco VPN Client - error "deleting SA reason "By user command"

hi,

Still having some trouble getting the client VPN to work. The configuration and the debug crypto isakmp output follow.

From a client perspective, it starts the connection and prompts for the password (and if it is the wrong password it prompts again, which means the authentication process apparently works), but then the client terminates with:

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

thanks

Conf.

!

! Last configuration change at 09:32:19 AWST Mon Aug 20 2012 by rda

! NVRAM config last updated at 08:09:31 AWST Mon Aug 20 2012 by rda

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname perprimus878

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$q5HQ$QZV42umjVRzsseSlxSQq//

enable password **********

!

aaa new-model

!

!

aaa authentication login userauthen group radius local

aaa authentication login admins local

aaa authorization exec default local

aaa authorization network groupauthor local

aaa authorization network RDAPER group radius local

!

aaa session-id common

!

resource policy

!

memory-size iomem 15

clock timezone AWST 8

ip cef

!

!

!

!

!

!

!

username ********* privilege 15 secret 5 $1$S.bS$SYFFnu/JkGAMHp13lMKvK/

!

!

controller DSL 0

mode atm

line-term cpe

line-mode 2-wire line-zero

dsl-mode shdsl symmetric annex B

line-rate auto

!

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp policy 2

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp key ************ address ************* no-xauth

crypto isakmp key ************ address ************* no-xauth

crypto isakmp key ************* address *************** no-xauth

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group RDAPER

key CiscoVPN

dns 192.168.0.20

domain ************

pool VPNPool

acl 108

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set myset1 esp-des esp-md5-hmac

crypto ipsec transform-set myset2 esp-des esp-sha-hmac

crypto ipsec transform-set myset3 esp-null esp-md5-hmac

crypto ipsec transform-set myset4 esp-null esp-sha-hmac

crypto ipsec transform-set myset5 esp-des

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set ESP-3DES-SHA

reverse-route

!

!

crypto map RDAPER client authentication list userauthen

crypto map RDAPER isakmp authorization list groupauthor

crypto map RDAPER 2 ipsec-isakmp

description VPN to Perth

set peer ***************

set transform-set ESP-3DES-SHA

set pfs group2

match address 118

crypto map RDAPER 10 ipsec-isakmp dynamic dynmap

!

crypto map RDAVPN client authentication list userauthen

crypto map RDAVPN isakmp authorization list groupauthor

crypto map RDAVPN client configuration address respond

crypto map RDAVPN 1 ipsec-isakmp

description IPSec with RDACSYD

set peer *************

set transform-set myset1 myset2 myset3 myset4 myset5

match address 103

crypto map RDAVPN 2 ipsec-isakmp

description IPSec with RDACBRIS

set peer **************8

set transform-set myset1

match address 104

crypto map RDAVPN 30 ipsec-isakmp dynamic dynmap

!

crypto map VPNTOMEL 1 ipsec-isakmp

description VPN to Perth

set peer *****************8

set transform-set ESP-3DES-SHA

set pfs group2

match address 118

!

!

interface Loopback0

description IPSec NAT Fix

ip address 10.100.0.1 255.255.255.0

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

no snmp trap link-status

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $FW_INSIDE$

ip address 10.10.10.10 255.255.255.0 secondary

ip address 192.168.0.254 255.255.255.0

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1380

ip policy route-map nonat

!

interface Dialer0

description $FW_OUTSIDE$

ip address *************** 255.255.255.240

ip mtu 1492

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname *****************88

ppp chap password 0 ***************

crypto map RDAPER

!

interface Dialer1

no ip address

!

router ospf 1

log-adjacency-changes

redistribute static

network 192.168.0.0 0.0.0.255 area 0

!

ip local pool VPNPool 172.28.11.1 172.28.11.254

ip route 0.0.0.0 0.0.0.0 Dialer0

!

ip flow-top-talkers

top 10

sort-by bytes

cache-timeout 30

!

ip http server

ip http authentication local

no ip http secure-server

ip nat inside source list 119 interface Dialer0 overload

i

ip ospf name-lookup

!

ip access-list extended SDM_AH

remark SDM_ACL Category=1

permit ahp any any

remark SDM_ACL Category=1

ip access-list extended SDM_ESP

remark SDM_ACL Category=1

permit esp any any

remark SDM_ACL Category=1

!

access-list 23 permit 202.72.186.18

access-list 23 permit 203.161.68.210

access-list 23 permit 172.28.10.0 0.0.0.255

access-list 23 permit 192.168.0.0 0.0.0.255

access-list 101 deny   ip 192.168.0.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 101 deny   ip 172.28.3.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 101 deny   ip 172.28.11.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 101 deny   ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 101 deny   ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255

access-list 101 deny   ip 10.111.112.0 0.0.0.3 172.28.11.0 0.0.0.255

access-list 101 deny   ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 101 deny   ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 101 deny   ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 permit ip 10.111.112.0 0.0.0.3 any

access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 103 permit ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255

access-list 104 permit ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 104 permit ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 108 permit ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 108 permit ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 118 remark VPN TO MEL

access-list 118 permit ip 192.168.0.0 0.0.0.255 172.28.3.0 0.0.0.255

access-list 118 permit ip 172.28.3.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 119 deny   ip 192.168.0.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 119 deny   ip 192.168.0.0 0.0.0.255 172.28.3.0 0.0.0.255

access-list 119 deny   ip 192.168.200.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 119 deny   ip 172.28.3.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 119 deny   ip 172.28.11.0 0.0.0.255 172.28.66.0 0.0.0.255

access-list 119 deny   ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255

access-list 119 deny   ip 192.168.0.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 119 deny   ip 10.111.112.0 0.0.0.3 192.168.200.0 0.0.0.255

access-list 119 deny   ip 10.111.112.0 0.0.0.3 172.28.11.0 0.0.0.255

access-list 119 deny   ip 192.168.0.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 119 deny   ip 192.168.200.0 0.0.0.255 172.28.7.0 0.0.0.255

access-list 119 deny   ip 172.28.66.0 0.0.0.255 172.28.11.0 0.0.0.255

access-list 119 permit ip 192.168.0.0 0.0.0.255 any

access-list 119 permit ip 10.111.112.0 0.0.0.3 any

access-list 123 remark IPSec NAT Fix

access-list 123 permit ip host 192.168.0.11 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.11 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.13 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.13 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.118 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.118 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.60 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.60 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.65 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.65 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.63 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.63 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.16 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.16 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.11 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.13 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.118 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.60 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.65 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.63 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.16 172.28.7.0 0.0.0.255

access-list 123 permit ip host 192.168.0.155 192.168.200.0 0.0.0.255

access-list 123 permit ip host 192.168.0.155 172.28.11.0 0.0.0.255

access-list 123 permit ip host 192.168.0.155 172.28.7.0 0.0.0.255

access-list 123 remark IPSec NAT Fix

dialer-list 1 protocol ip permit

snmp-server community RDAC RW 23

snmp-server community RDA RO 23

snmp-server enable traps tty

!

!

!

route-map nonat permit 10

match ip address 123

set ip next-hop 10.100.0.2

!

radius-server host 192.168.0.20 auth-port 1645 acct-port 1646 key **********

!

control-plane

!

!

line con 0

password 7 110D1602464A19050B

no modem enable

line aux 0

line vty 0 4

access-class 23 in

password 7 130118155A54162324

!

scheduler max-task-time 5000

ntp clock-period 17174972

ntp server 192.168.0.20

end

Aug 20 03:39:49.967: ISAKMP (0:0): received packet from **************8 dport 500 sport 1156 Global (N) NEW SA

Aug 20 03:39:49.967: ISAKMP: Created a peer struct for ****************88, peer port 1156

Aug 20 03:39:49.967: ISAKMP: New peer created peer = 0x82D9411C peer_handle = 0x80000029

Aug 20 03:39:49.967: ISAKMP: Locking peer struct 0x82D9411C, refcount 1 for crypto_isakmp_process_block

Aug 20 03:39:49.967: ISAKMP:(0):Setting client config settings 83BCB4C4

Aug 20 03:39:49.967: ISAKMP:(0):(Re)Setting client xauth list  and state

Aug 20 03:39:49.967: ISAKMP/xauth: initializing AAA request

Aug 20 03:39:49.971: ISAKMP: local port 500, remote port 1156

Aug 20 03:39:49.971: insert sa successfully sa = 83FEB880

Aug 20 03:39:49.971: ISAKMP:(0): processing SA payload. message ID = 0

Aug 20 03:39:49.971: ISAKMP:(0): processing ID payload. message ID = 0

Aug 20 03:39:49.971: ISAKMP (0:0): ID payload

next-payload : 13

type         : 11

group id     : RDAPER

protocol     : 17

port         : 500

length       : 14

Aug 20 03:39:49.971: ISAKMP:(0):: peer matches *none* of the profiles

Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload

Aug 20 03:39:49.971: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

Aug 20 03:39:49.971: ISAKMP:(0): vendor ID is XAUTH

Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload

Aug 20 03:39:49.971: ISAKMP:(0): vendor ID is DPD

Aug 20 03:39:49.971: ISAKMP:(0): processing vendor id payload

Aug 20 03:39:49.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch

Aug 20 03:39:49.975: ISAKMP:(0): processing vendor id payload

Aug 20 03:39:49.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Aug 20 03:39:49.975: ISAKMP:(0): vendor ID is NAT-T v2

Aug 20 03:39:49.975: ISAKMP:(0): processing vendor id payload

Aug 20 03:39:49.975: ISAKMP:(0): vendor ID is Unity

Aug 20 03:39:49.975: ISAKMP:(0): Authentication by xauth preshared

Aug 20 03:39:49.975: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

Aug 20 03:39:49.975: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.975: ISAKMP:      hash SHA

Aug 20 03:39:49.975: ISAKMP:      default group 2

Aug 20 03:39:49.975: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.975: ISAKMP:      life type in seconds

Aug 20 03:39:49.975: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.975: ISAKMP:      keylength of 256

Aug 20 03:39:49.975: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.975: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.975: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

Aug 20 03:39:49.975: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.975: ISAKMP:      hash MD5

Aug 20 03:39:49.975: ISAKMP:      default group 2

Aug 20 03:39:49.975: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.975: ISAKMP:      life type in seconds

Aug 20 03:39:49.975: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.975: ISAKMP:      keylength of 256

Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

Aug 20 03:39:49.979: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.979: ISAKMP:      hash SHA

Aug 20 03:39:49.979: ISAKMP:      default group 2

Aug 20 03:39:49.979: ISAKMP:      auth pre-share

Aug 20 03:39:49.979: ISAKMP:      life type in seconds

Aug 20 03:39:49.979: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.979: ISAKMP:      keylength of 256

Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

Aug 20 03:39:49.979: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.979: ISAKMP:      hash MD5

Aug 20 03:39:49.979: ISAKMP:      default group 2

Aug 20 03:39:49.979: ISAKMP:      auth pre-share

Aug 20 03:39:49.979: ISAKMP:      life type in seconds

Aug 20 03:39:49.979: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.979: ISAKMP:      keylength of 256

Aug 20 03:39:49.979: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.979: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.979: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

Aug 20 03:39:49.979: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.979: ISAKMP:      hash SHA

Aug 20 03:39:49.979: ISAKMP:      default group 2

Aug 20 03:39:49.979: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.979: ISAKMP:      life type in seconds

Aug 20 03:39:49.983: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.983: ISAKMP:      keylength of 128

Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.983: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

Aug 20 03:39:49.983: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.983: ISAKMP:      hash MD5

Aug 20 03:39:49.983: ISAKMP:      default group 2

Aug 20 03:39:49.983: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.983: ISAKMP:      life type in seconds

Aug 20 03:39:49.983: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.983: ISAKMP:      keylength of 128

Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.983: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

Aug 20 03:39:49.983: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.983: ISAKMP:      hash SHA

Aug 20 03:39:49.983: ISAKMP:      default group 2

Aug 20 03:39:49.983: ISAKMP:      auth pre-share

Aug 20 03:39:49.983: ISAKMP:      life type in seconds

Aug 20 03:39:49.983: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.983: ISAKMP:      keylength of 128

Aug 20 03:39:49.983: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.983: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

Aug 20 03:39:49.987: ISAKMP:      encryption AES-CBC

Aug 20 03:39:49.987: ISAKMP:      hash MD5

Aug 20 03:39:49.987: ISAKMP:      default group 2

Aug 20 03:39:49.987: ISAKMP:      auth pre-share

Aug 20 03:39:49.987: ISAKMP:      life type in seconds

Aug 20 03:39:49.987: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.987: ISAKMP:      keylength of 128

Aug 20 03:39:49.987: ISAKMP:(0):Encryption algorithm offered does not match policy!

Aug 20 03:39:49.987: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

Aug 20 03:39:49.987: ISAKMP:      encryption 3DES-CBC

Aug 20 03:39:49.987: ISAKMP:      hash SHA

Aug 20 03:39:49.987: ISAKMP:      default group 2

Aug 20 03:39:49.987: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.987: ISAKMP:      life type in seconds

Aug 20 03:39:49.987: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.987: ISAKMP:(0):Hash algorithm offered does not match policy!

Aug 20 03:39:49.987: ISAKMP:(0):atts are not acceptable. Next payload is 3

Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy

Aug 20 03:39:49.987: ISAKMP:      encryption 3DES-CBC

Aug 20 03:39:49.987: ISAKMP:      hash MD5

Aug 20 03:39:49.987: ISAKMP:      default group 2

Aug 20 03:39:49.987: ISAKMP:      auth XAUTHInitPreShared

Aug 20 03:39:49.987: ISAKMP:      life type in seconds

Aug 20 03:39:49.987: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

Aug 20 03:39:49.987: ISAKMP:(0):atts are acceptable. Next payload is 3

Aug 20 03:39:49.987: ISAKMP:(0): processing KE payload. message ID = 0

Aug 20 03:39:49.995: ISAKMP:(0): processing NONCE payload. message ID = 0

Aug 20 03:39:49.995: ISAKMP:(0): vendor ID is NAT-T v2

Aug 20 03:39:49.995: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Aug 20 03:39:49.995: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

Aug 20 03:39:49.999: ISAKMP:(2029): constructed NAT-T vendor-02 ID

Aug 20 03:39:49.999: ISAKMP:(2029):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

Aug 20 03:39:49.999: ISAKMP (0:2029): ID payload

next-payload : 10

type         : 1

address      : 203.134.63.178

protocol     : 17

port         : 0

length       : 12

Aug 20 03:39:49.999: ISAKMP:(2029):Total payload length: 12

Aug 20 03:39:50.003: ISAKMP:(2029): sending packet to ************** my_port 500 peer_port 1156 (R) AG_INIT_EXCH

Aug 20 03:39:50.003: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

Aug 20 03:39:50.003: ISAKMP:(2029):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

Aug 20 03:39:50.263: ISAKMP (0:2029): received packet from **************8 dport 4500 sport 1157 Global (R) AG_INIT_EXCH

Aug 20 03:39:50.263: ISAKMP:(2029): processing HASH payload. message ID = 0

Aug 20 03:39:50.263: ISAKMP:(2029): processing NOTIFY INITIAL_CONTACT protocol 1

spi 0, message ID = 0, sa = 83FEB880

Aug 20 03:39:50.263: ISAKMP:received payload type 20

Aug 20 03:39:50.263: ISAKMP:received payload type 20

Aug 20 03:39:50.263: ISAKMP (0:2029): NAT found, the node outside NAT

Aug 20 03:39:50.263: ISAKMP:(2029):SA authentication status:

authenticated

Aug 20 03:39:50.263: ISAKMP:(2029):SA has been authenticated with 220.233.203.106

Aug 20 03:39:50.263: ISAKMP:(2029):Detected port,floating to port = 1157

Aug 20 03:39:50.263: ISAKMP: Trying to find existing peer ***************

Aug 20 03:39:50.263: ISAKMP:(2029):SA authentication status:

authenticated

Aug 20 03:39:50.263: ISAKMP:(2029): Process initial contact,

bring down existing phase 1 and 2 SA's with local ***************8 remote ***********88 remote port 1157

Aug 20 03:39:50.267: ISAKMP:(2029):returning IP addr to the address pool

Aug 20 03:39:50.267: ISAKMP: Trying to insert a peer **********8/,  and inserted successfully 82D9411C.

Aug 20 03:39:50.267: ISAKMP: set new node -2054341534 to CONF_XAUTH  

Aug 20 03:39:50.271: ISAKMP:(2029):Sending NOTIFY RESPONDER_LIFETIME protocol 1

spi 2206265168, message ID = -2054341534

Aug 20 03:39:50.271: ISAKMP:(2029): sending packet to ******************** my_port 4500 peer_port 1157 (R) QM_IDLE     

Aug 20 03:39:50.271: ISAKMP:(2029):purging node -2054341534

Aug 20 03:39:50.271: ISAKMP: Sending phase 1 responder lifetime 28800

Aug 20 03:39:50.271: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Aug 20 03:39:50.271: ISAKMP:(2029):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

Aug 20 03:39:50.271: ISAKMP:(2029):Need XAUTH

Aug 20 03:39:50.271: ISAKMP: set new node -567734444 to CONF_XAUTH  

Aug 20 03:39:50.271: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

Aug 20 03:39:50.271: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

Aug 20 03:39:50.275: ISAKMP:(2029): initiating peer config to ****. ID = -567734444

Aug 20 03:39:50.275: ISAKMP:(2029): sending packet to **** my_port 4500 peer_port 1157 (R) CONF_XAUTH  

Aug 20 03:39:50.275: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Aug 20 03:39:50.275: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

Aug 20 03:39:57.185: ISAKMP (0:2029): received packet from ************** dport 4500 sport 1157 Global (R) CONF_XAUTH  

Aug 20 03:39:57.185: ISAKMP:(2029):processing transaction payload from *****************8. message ID = -567734444

Aug 20 03:39:57.185: ISAKMP: Config payload REPLY

Aug 20 03:39:57.185: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

Aug 20 03:39:57.185: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

Aug 20 03:39:57.189: ISAKMP:(2029):deleting node -567734444 error FALSE reason "Done with xauth request/reply exchange"

Aug 20 03:39:57.189: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

Aug 20 03:39:57.189: ISAKMP:(2029):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Aug 20 03:39:57.289: ISAKMP: set new node 1173242474 to CONF_XAUTH  

Aug 20 03:39:57.289: ISAKMP:(2029): initiating peer config to 220.233.203.106. ID = 1173242474

Aug 20 03:39:57.289: ISAKMP:(2029): sending packet to **06 my_port 4500 peer_port 1157 (R) CONF_XAUTH  

Aug 20 03:39:57.293: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN

Aug 20 03:39:57.293: ISAKMP:(2029):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

Aug 20 03:39:57.433: ISAKMP (0:2029): received packet from 220.233.203.106 dport 4500 sport 1157 Global (R) CONF_XAUTH  

Aug 20 03:39:57.433: ISAKMP:(2029):processing transaction payload from 220.233.203.106. message ID = 1173242474

Aug 20 03:39:57.433: ISAKMP: Config payload ACK

Aug 20 03:39:57.433: ISAKMP:(2029):       (blank) XAUTH ACK Processed

Aug 20 03:39:57.437: ISAKMP:(2029):deleting node 1173242474 error FALSE reason "Transaction mode done"

Aug 20 03:39:57.437: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK

Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

Aug 20 03:39:57.437: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 20 03:39:57.785: ISAKMP (0:2029): received packet from 2****.106 dport 4500 sport 1157 Global (R) QM_IDLE     

Aug 20 03:39:57.785: ISAKMP: set new node 1110568144 to QM_IDLE     

Aug 20 03:39:57.785: ISAKMP:(2029):processing transaction payload from 220.233.203.106. message ID = 1110568144

Aug 20 03:39:57.785: ISAKMP: Config payload REQUEST

Aug 20 03:39:57.785: ISAKMP:(2029):checking request:

Aug 20 03:39:57.785: ISAKMP:    IP4_ADDRESS

Aug 20 03:39:57.785: ISAKMP:    IP4_NETMASK

Aug 20 03:39:57.785: ISAKMP:    IP4_DNS

Aug 20 03:39:57.789: ISAKMP:    IP4_NBNS

Aug 20 03:39:57.789: ISAKMP:    ADDRESS_EXPIRY

Aug 20 03:39:57.789: ISAKMP:    MODECFG_BANNER

Aug 20 03:39:57.789: ISAKMP:    MODECFG_SAVEPWD

Aug 20 03:39:57.789: ISAKMP:    DEFAULT_DOMAIN

Aug 20 03:39:57.789: ISAKMP:    SPLIT_INCLUDE

Aug 20 03:39:57.789: ISAKMP:    SPLIT_DNS

Aug 20 03:39:57.789: ISAKMP:    PFS

Aug 20 03:39:57.789: ISAKMP:    MODECFG_BROWSER_PROXY

Aug 20 03:39:57.789: ISAKMP:    BACKUP_SERVER

Aug 20 03:39:57.789: ISAKMP:    CONFIG_MODE_UNKNOWN Unknown Attr: 0x700C

Aug 20 03:39:57.789: ISAKMP:    APPLICATION_VERSION

Aug 20 03:39:57.789: ISAKMP:    FW_RECORD

Aug 20 03:39:57.789: ISAKMP:    MODECFG_HOSTNAME

Aug 20 03:39:57.789: ISAKMP/author: Author request for group RDAPERsuccessfully sent to AAA

Aug 20 03:39:57.789: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

Aug 20 03:39:57.789: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

Aug 20 03:39:57.793: ISAKMP:(2029):Receive config attributes requested butconfig attributes not in crypto map.  Sending empty reply.

Aug 20 03:39:57.793: ISAKMP:(2029):attributes sent in message:

Aug 20 03:39:57.793:         Address: 0.2.0.0

Aug 20 03:39:57.793: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 28792

Aug 20 03:39:57.793: ISAKMP (0/2029): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)

Aug 20 03:39:57.793: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Sat 24-Mar-07 03:56 by prod_rel_team

Aug 20 03:39:57.793: ISAKMP (0/2029): Unknown Attr: MODECFG_HOSTNAME (0x700A)

Aug 20 03:39:57.793: ISAKMP:(2029): responding to peer config from 220.233.203.106. ID = 1110568144

Aug 20 03:39:57.797: ISAKMP:(2029): sending packet to ***06 my_port 4500 peer_port 1157 (R) CONF_ADDR   

Aug 20 03:39:57.797: ISAKMP:(2029):deleting node 1110568144 error FALSE reason "No Error"

Aug 20 03:39:57.797: ISAKMP:(2029):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR

Aug 20 03:39:57.797: ISAKMP:(2029):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE

Aug 20 03:39:57.797: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Aug 20 03:39:57.797: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 20 03:39:58.229: ISAKMP (0:2029): received packet from 2**3.106 dport 4500 sport 1157 Global (R) QM_IDLE     

Aug 20 03:39:58.229: ISAKMP: set new node -1232980111 to QM_IDLE     

Aug 20 03:39:58.229: ISAKMP:(2029): processing HASH payload. message ID = -1232980111

Aug 20 03:39:58.229: ISAKMP:received payload type 18

Aug 20 03:39:58.229: ISAKMP:(2029): processing DELETE_WITH_REASON payload, message ID = -1232980111, reason: DELETE_BY_USER_COMMAND

Aug 20 03:39:58.229: ISAKMP:(2029):peer does not do paranoid keepalives.

Aug 20 03:39:58.229: ISAKMP:(2029):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 220.233.203.106)

Aug 20 03:39:58.229: ISAKMP:(2029):deleting node -1232980111 error FALSE reason "Informational (in) state 1"

Aug 20 03:39:58.229: ISAKMP: set new node -1138782828 to QM_IDLE     

Aug 20 03:39:58.233: ISAKMP:(2029): sending packet to ***06 my_port 4500 peer_port 1157 (R) QM_IDLE     

Aug 20 03:39:58.233: ISAKMP:(2029):purging node -1138782828

Aug 20 03:39:58.233: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Aug 20 03:39:58.233: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Aug 20 03:39:58.233: ISAKMP:(2029):deleting SA reason "No reason" state (R) QM_IDLE       (peer 220.233.203.106)

Aug 20 03:39:58.233: ISAKMP: Unlocking peer struct 0x82D9411C for isadb_mark_sa_deleted(), count 0

Aug 20 03:39:58.237: ISAKMP: Deleting peer node by peer_reap for 220.233.203.106: 82D9411C

Aug 20 03:39:58.237: ISAKMP:(2029):deleting node -567734444 error FALSE reason "IKE deleted"

Aug 20 03:39:58.237: ISAKMP:(2029):deleting node 1173242474 error FALSE reason "IKE deleted"

Aug 20 03:39:58.237: ISAKMP:(2029):deleting node 1110568144 error FALSE reason "IKE deleted"

Aug 20 03:39:58.237: ISAKMP:(2029):deleting node -1232980111 error FALSE reason "IKE deleted"

Aug 20 03:39:58.237: ISAKMP:(2029):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Aug 20 03:39:58.237: ISAKMP:(2029):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
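
An added example, not part of the original post: the debug output above reports "config attributes not in crypto map. Sending empty reply." while the crypto map attached to Dialer0 (RDAPER) has no `client configuration address` line, so this Python triage script cross-checks the two. The function names are hypothetical, and both sample strings are constructed from lines of the configuration and debug output posted above.

```python
import re

# Constructed sample: lines excerpted from the configuration posted above.
SAMPLE_CONFIG = """\
crypto map RDAPER client authentication list userauthen
crypto map RDAPER isakmp authorization list groupauthor
crypto map RDAPER 2 ipsec-isakmp
crypto map RDAPER 10 ipsec-isakmp dynamic dynmap
crypto map RDAVPN client authentication list userauthen
crypto map RDAVPN isakmp authorization list groupauthor
crypto map RDAVPN client configuration address respond
crypto map RDAVPN 30 ipsec-isakmp dynamic dynmap
interface Dialer0
crypto map RDAPER
"""

# Constructed sample: lines excerpted from the debug output posted above.
SAMPLE_LOG = """\
Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Aug 20 03:39:49.987: ISAKMP:(0):Hash algorithm offered does not match policy!
Aug 20 03:39:49.987: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 20 03:39:49.987: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
Aug 20 03:39:49.987: ISAKMP:(0):atts are acceptable. Next payload is 3
Aug 20 03:39:57.437: ISAKMP:(2029):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
Aug 20 03:39:57.789: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Aug 20 03:39:57.793: ISAKMP:(2029):Receive config attributes requested butconfig attributes not in crypto map.  Sending empty reply.
Aug 20 03:39:58.229: ISAKMP:(2029): processing DELETE_WITH_REASON payload, message ID = -1232980111, reason: DELETE_BY_USER_COMMAND
Aug 20 03:39:58.233: ISAKMP:(2029):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

MAP_OPTION = re.compile(r"^\s*crypto map (\S+) (client authentication list|"
                        r"isakmp authorization list|client configuration address)\b")
MAP_DYNAMIC = re.compile(r"^\s*crypto map (\S+) \d+ ipsec-isakmp dynamic \S+")
MAP_ATTACH = re.compile(r"^\s*crypto map (\S+)\s*$")   # interface sub-command form
INTERFACE = re.compile(r"^interface (\S+)")
TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE = re.compile(r"DELETE_WITH_REASON payload,.*reason: (\S+)")


def audit_config(config):
    """Return (map, interface) pairs where a map used for remote-access clients
    (dynamic entry plus XAUTH list) is attached without 'client configuration address'."""
    options, dynamic, attached = {}, set(), []
    current_if = None
    for line in config.splitlines():
        if (m := INTERFACE.match(line)):
            current_if = m.group(1)
        elif (m := MAP_OPTION.match(line)):
            options.setdefault(m.group(1), set()).add(m.group(2))
        elif (m := MAP_DYNAMIC.match(line)):
            dynamic.add(m.group(1))
        elif (m := MAP_ATTACH.match(line)) and current_if:
            attached.append((m.group(1), current_if))
    return [(name, iface) for name, iface in attached
            if name in dynamic
            and "client authentication list" in options.get(name, set())
            and "client configuration address" not in options.get(name, set())]


def summarize_debug(log):
    """Extract the accepted phase 1 transform, the state transitions, the
    mode-config outcome and the peer's delete reason from debug crypto isakmp text."""
    summary = {"accepted_transform": None, "states": [],
               "empty_modecfg_reply": False, "delete_reason": None}
    candidate = None
    for line in log.splitlines():
        if (m := TRANSFORM.search(line)):
            candidate = (int(m.group(1)), int(m.group(2)))   # (transform, policy priority)
        elif "atts are acceptable" in line and candidate:
            summary["accepted_transform"] = candidate
        elif (m := STATE.search(line)):
            summary["states"].append((m.group(1), m.group(2)))
        elif "config attributes not in crypto map" in line:
            summary["empty_modecfg_reply"] = True
        elif (m := DELETE.search(line)):
            summary["delete_reason"] = m.group(1)
    return summary


if __name__ == "__main__":
    print("maps attached without mode-config setting:", audit_config(SAMPLE_CONFIG))
    print("debug summary:", summarize_debug(SAMPLE_LOG))
```
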

1 REPLY

Cisco VPN Client - error "deleting SA reason "By user command"

any clues anyone?

thanks
