Cisco Support Community
New Member

Cisco VPN Client(v3.0) connect to PIX-525E problems

Hi all,

I have a Cisco PIX-525 and am trying to connect to it via the Cisco VPN Client software (3.0) using IPSec. It always fails to connect. I started the debug to get details when trying to connect. The following is the debug information from the PIX console output:

Oct 08 06:33:47 [IKEv1]: Group = ExhibitAccessgroup, IP = 61.49.235.70, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0

Oct 08 06:34:10 [IKEv1]: Group = ExhibitAccessgroup, IP = 61.49.235.70, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0

And, from the log of Cisco VPN client, the following information is detected:

received a NOTIFY message withh an invalid protocol id ( 0 )

I really cannot find out what kind of problem it is. Could you give me any suggestions? All advice is appreciated.

Thanks

Regards

Kee W

8 REPLIES
Gold

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Kee,

Take a look at the following document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

If your PIX is running 6.3+ code, then I would suggest that you also enable NAT-Traversal for ISAKMP. In config mode: isakmp nat-traversal

Hope this helps,

Jay

Gold

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Please post the config.

New Member

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Hi Jay,

Thank you for the comment.

What I use is a PIX-525 (7.0), and I will provide the configuration and more detailed information later.

Gold

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

New Member

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Hi all,

The attached picture is my network topology; please check it.

Also, my configuration is attached.

Please check it for me. Thank you in advance!!!

New Member

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Hi, I have got the debug information. Could anyone provide me with some hints about the problem?

222.216.5.142 is the client IP Address.

%PIX-7-715049: IP = 222.216.5.142, Received Fragmentation VID

%PIX-7-715064: IP = 222.216.5.142, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

%PIX-7-715047: IP = 222.216.5.142, processing VID payload

%PIX-7-715049: IP = 222.216.5.142, Received Cisco Unity client VID

%PIX-7-713906: IP = 222.216.5.142, Connection landed on tunnel_group ExhibitAccessgroup

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, processing IKE SA

%PIX-7-715028: Group = ExhibitAccessgroup, IP = 222.216.5.142, IKE SA Proposal # 1, Transform # 13 acceptable Matches global IKE entry # 1

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing ISA_SA for isakmp

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing ke payload

%PIX-7-715001: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing nonce payload

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, Generating keys for Responder...

%PIX-7-715001: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing ID

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, construct hash payload

%PIX-7-713906: Group = ExhibitAccessgroup, IP = 222.216.5.142, computing hash

%PIX-7-715046: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing Cisco Unity VID payload

%PIX-7-715046: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing xauth V6 VID payload

%PIX-7-715046: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing dpd vid payload

%PIX-7-715046: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing Fragmentation VID + extended capabilities payload

%PIX-7-715046: Group = ExhibitAccessgroup, IP = 222.216.5.142, constructing VID payload

%PIX-7-715048: Group = ExhibitAccessgroup, IP = 222.216.5.142, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%PIX-7-713906: IP = 222.216.5.142, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 368

%PIX-5-713904: Group = ExhibitAccessgroup, IP = 222.216.5.142, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0

%PIX-7-713906: IP = 222.216.5.142, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 88

: Group = ExhibitAccessgroup, IP = 222.216.5.142, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0

New Member

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Could someone provide me with any suggestions?

Bronze

Re: Cisco VPN Client(v3.0) connect to PIX-525E problems

Double check the Group password configured in the client. The debugging messages such a problem causes are often less than completely clear.
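An added example, not part of any post in this thread: a small Python triage script that scans PIX IKE debug output for the sequence seen above (responder sends its Aggressive Mode reply, then logs "invalid payloads" for the peer's encrypted packet), which is the pattern the last reply ties to the group password. In IKEv1 pre-shared-key authentication the encryption keys are derived from the shared key, so a mismatched group password makes the peer's encrypted message undecodable. The sample log is constructed from the line formats posted here; 192.0.2.10 is a documentation address used as a control.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the PIX debug lines posted in this thread.
SAMPLE = """\
%PIX-7-713906: IP = 222.216.5.142, Connection landed on tunnel_group ExhibitAccessgroup
%PIX-7-713906: IP = 222.216.5.142, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 368
%PIX-5-713904: Group = ExhibitAccessgroup, IP = 222.216.5.142, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0
%PIX-7-713906: IP = 222.216.5.142, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 88
%PIX-5-713904: Group = ExhibitAccessgroup, IP = 222.216.5.142, Received encrypted Oakley Aggressive Mode packet with invalid payloads, MessID = 0
%PIX-7-713906: IP = 192.0.2.10, Connection landed on tunnel_group ExhibitAccessgroup
"""

LINE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): "
                  r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)")
LANDED = re.compile(r"Connection landed on tunnel_group (\S+)")
# Payloads of the responder's Aggressive Mode reply as shown in the thread's debug.
AM2 = ("SA (1)", "KE (4)", "NONCE (10)", "ID (5)", "HASH (8)")
BAD = "Received encrypted Oakley Aggressive Mode packet with invalid payloads"

def triage(text):
    """Return per-peer counters and a verdict for the key-mismatch pattern."""
    peers = defaultdict(lambda: {"group": None, "am2_sent": False, "bad": 0, "notify": 0})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip truncated or unrelated lines
        p, msg = peers[m["ip"]], m["msg"]
        landed = LANDED.search(msg)
        if m["group"] or landed:
            p["group"] = m["group"] or landed.group(1)
        if "IKE DECODE SENDING" in msg:
            if all(tok in msg for tok in AM2):
                p["am2_sent"] = True       # responder answered the first packet
            elif "NOTIFY (11)" in msg:
                p["notify"] += 1           # responder rejected what came next
        elif BAD in msg:
            p["bad"] += 1
    for p in peers.values():
        suspect = p["am2_sent"] and p["bad"] > 0
        p["verdict"] = ("check group password (pre-shared key)" if suspect
                        else "no key-mismatch pattern")
    return dict(peers)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, info)
```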
