New Member

VRF aware Remote Access - Reason 433: (Reason Not Specified by Peer)

Hello,

I get this error when I connect to a Cisco IOS router (Version 15.1(4)M3) with Cisco VPN Client (5.0.07.0410):

Secure VPN Connection terminated by Peer.

Reason 433: (Reason Not Specified by Peer)

Debug is in the attachment. I can't find any reason for that behavior.

aaa new-model
aaa authentication login default local
aaa authentication login x-auth local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network vpn-auth local
!
ip vrf private
 rd 65000:1
ip vrf public
 rd 65000:2
!
crypto logging session
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp fragmentation
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group pkapralik
 key xxxxxxxx
 pool pkapralik
 acl vpn-pkapralik
 netmask 255.255.255.255
!
crypto isakmp profile dvti
   match identity group pkapralik
   client authentication list x-auth
   isakmp authorization list vpn-auth
   client configuration address respond
   initiate mode aggressive
   virtual-template 1
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile 1
 set transform-set 1
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding public
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile 1
!
interface GigabitEthernet0/1
 ip vrf forwarding public
 ip address 194.160.24.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 no cdp enable
!
ip local pool pkapralik 100.100.100.100

Greetings

Pali

1 ACCEPTED SOLUTION
Cisco Employee

Hello Pavel,

My personal (and unwarranted as of yet) opinion is that your configuration is not properly referring to the VRFs. With IPsec VPNs, you have to distinguish between two VRFs:

  • Front-door VRF or simply Front VRF which is the VRF of the outside interface that connects your router to the ISP
  • Internal VRF which is the VRF of internal networks that you want to access via the IPsec tunnel

Your current configuration does not appear to properly distinguish between these two VRFs and has a couple of issues:

  1. The Gi0/1 interface obviously used to access the ISP is placed into the VRF public, yet the Virtual-Template1 is not associated with this VRF as its FVRF (the tunnel vrf command is missing)
  2. The VRF private does not appear to be used at all, nor is there any other interface placed into the same VRF

Can you try modifying your Virtual-Template1 configuration as follows?

interface Virtual-Template1 type tunnel
  ip vrf forwarding private ! This is the IVRF
  ip unnumbered GigabitEthernet0/1
  tunnel mode ipsec ipv4
  tunnel vrf public ! This is the FVRF
  tunnel protection ipsec profile 1

This seems to have worked for me when replicating your setup in Dynagen using a 2691 as an EzVPN client. Without the tunnel vrf, it logically could not have worked - the tunnel endpoints were associated with the global routing table while in reality, they are reachable only through the VRF public (thanks to Gi0/1 being placed into that FVRF).

Of course, adapt the IVRF on the Virtual-Template1 interface as appropriate.

You may be interested in reading more about FVRF/IVRF in this document:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Please keep us informed. Thank you!

Best regards,

Peter
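
The two issues raised in the reply above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original thread or any Cisco tooling: a small Python linter that compares each IPsec-protected tunnel's `tunnel vrf` with the VRF of the outside interface and reports VRFs that no interface uses. The function names and the `outside` parameter are hypothetical, and the sample configuration is constructed from the lines posted in the question.

```python
import re

# Added illustration, not from the thread: names and the `outside` parameter are hypothetical.
SUBCMDS = {
    "vrf": re.compile(r"(?:ip )?vrf forwarding (\S+)"),        # IVRF of a tunnel interface
    "tunnel_vrf": re.compile(r"tunnel vrf (\S+)"),             # FVRF of a tunnel interface
    "protected": re.compile(r"tunnel protection ipsec profile (\S+)"),
}

def parse_ios(config):
    """Return (declared VRF names, {interface name: {key: value}})."""
    vrfs, ifaces, cur = set(), {}, None
    for raw in config.splitlines():
        if raw.strip().startswith("!"):        # a bare '!' line closes the current block
            cur = None
        line = raw.split("!")[0].strip()       # drop trailing '! note' annotations
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            vrfs.add(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)(?: .*)?", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None:
            for key, rx in SUBCMDS.items():
                if m := rx.fullmatch(line):
                    cur[key] = m.group(1)
    return vrfs, ifaces

def check_vrf_aware_ipsec(config, outside):
    """Flag FVRF mismatches on IPsec-protected tunnels and VRFs no interface uses."""
    vrfs, ifaces = parse_ios(config)
    front = ifaces.get(outside, {}).get("vrf")   # VRF in which the IPsec peers are reachable
    findings = [f"{n}: tunnel vrf is {c.get('tunnel_vrf', 'global')}, {outside} is in {front or 'global'}"
                for n, c in ifaces.items() if "protected" in c and c.get("tunnel_vrf") != front]
    used = {c[k] for c in ifaces.values() for k in ("vrf", "tunnel_vrf") if k in c}
    return findings + [f"vrf {v}: defined but not used by any interface" for v in sorted(vrfs - used)]

# Constructed sample: the VRF-relevant lines of the configuration posted in this thread.
COMMON = """ip vrf private
ip vrf public
!
interface GigabitEthernet0/1
 ip vrf forwarding public
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile 1
"""
BEFORE = COMMON + " ip vrf forwarding public\n"                       # as posted
AFTER = COMMON + " ip vrf forwarding private\n tunnel vrf public\n"   # as suggested in the reply
```

Calling `check_vrf_aware_ipsec(BEFORE, "GigabitEthernet0/1")` reports both issues from the reply, while the same call on `AFTER` returns an empty list.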

New Member

Peter, you are absolutely right. Thanks for your explanation.

Greetings.

Pavel
