Cisco Support Community

VPN connection issues with new firewall appliance

We are changing our firewall from a WatchGuard appliance that our ISP manages to a Cisco NBFW that they are doing the initial configuration for. The issue that I am experiencing is that our current VPN setup with the WatchGuard allows our users to connect to VPN using a Cisco VPN client. They connect to an external IP address that is set up to NAT to our internal MPLS WAN interface on our router. That router is configured for VPN.

Since the change to the new firewall, our ISP is telling me that they are unable to NAT to the MPLS WAN interface, as the new firewall views it as a public IP address, so they tried setting the NAT up to our internal LAN IP on the same router. Now the VPN client will not connect. It times out. I am not sure what I need to apply or change in our router to allow the VPN to connect using the internal LAN port. Below is the debug output of the failed connection attempt.

CHS-RTR1#
002262: Jan 26 21:17:50.073: ISAKMP (0): received packet from 99.11.202.186 dport 500 sport 56657 Global (N) NEW SA
002263: Jan 26 21:17:50.077: ISAKMP: Created a peer struct for 99.11.202.186, peer port 56657
002264: Jan 26 21:17:50.077: ISAKMP: New peer created peer = 0x4A6CC47C peer_handle = 0x80000095
002265: Jan 26 21:17:50.077: ISAKMP: Locking peer struct 0x4A6CC47C, refcount 1 for crypto_isakmp_process_block
002266: Jan 26 21:17:50.077: ISAKMP: local port 500, remote port 56657
002267: Jan 26 21:17:50.077: ISAKMP:(0):insert sa successfully sa = 47EFCCC8
002268: Jan 26 21:17:50.077: ISAKMP:(0): processing SA payload. message ID = 0
002269: Jan 26 21:17:50.077: ISAKMP:(0): processing ID payload. message ID = 0
002270: Jan 26 21:17:50.077: ISAKMP (0): ID payload
next-payload : 13
type         : 11
group id     : VPNRadius
protocol     : 17
port         : 500
length       : 17
002271: Jan 26 21:17:50.077: ISAKMP:(0):: peer matches VPNRadius profile
002272: Jan 26 21:17:50.077: ISAKMP:(0):Setting client config settings 4B202EB0
CHS-RTR1#
002273: Jan 26 21:17:50.077: ISAKMP:(0):(Re)Setting client xauth list  and state
002274: Jan 26 21:17:50.077: ISAKMP/xauth: initializing AAA request
002275: Jan 26 21:17:50.077: ISAKMP:(0): processing vendor id payload
002276: Jan 26 21:17:50.077: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
002277: Jan 26 21:17:50.077: ISAKMP:(0): vendor ID is XAUTH
002278: Jan 26 21:17:50.081: ISAKMP:(0): processing vendor id payload
002279: Jan 26 21:17:50.081: ISAKMP:(0): vendor ID is DPD
002280: Jan 26 21:17:50.081: ISAKMP:(0): processing vendor id payload
002281: Jan 26 21:17:50.081: ISAKMP:(0): processing IKE frag vendor id payload
002282: Jan 26 21:17:50.081: ISAKMP:(0):Support for IKE Fragmentation not enabled
002283: Jan 26 21:17:50.081: ISAKMP:(0): processing vendor id payload
002284: Jan 26 21:17:50.081: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
002285: Jan 26 21:17:50.081: ISAKMP:(0): vendor ID is NAT-T v2
002286: Jan 26 21:17:50.081: ISAKMP:(0): processing vendor id payload
002287: Jan 26 21:17:50.081: ISAKMP:(0): vendor ID is Unity
002288: Jan 26 21:17:50.081: ISAKMP:(0): Authentication by xauth preshared
002289: Jan 26 21:17:50.081: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
002290: Jan 26 21:17:50.081: ISAKMP:      encryption AES-CBC
002291: Jan 26 21:17:50.081: ISAKMP:      hash SHA
002292: Jan 26 21:17:50.081: ISAKMP:      default group 2
002293: Jan 26 21:17:50.081: ISAKMP:      auth XAUTHInitPreShared
002294: Jan 26 21:17:50.081: ISAKMP:      life type in seconds
002295: Jan 26 21:17:50.081: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002296: Jan 26 21:17:50.081: ISAKMP:      keylength of 256
002297: Jan 26 21:17:50.081: ISAKMP:(0):Encryption algorithm offered does not match policy!
002298: Jan 26 21:17:50.081: ISAKMP:(0):atts are not acceptable. Next payload is 3
002299: Jan 26 21:17:50.081: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
002300: Jan 26 21:17:50.081: ISAKMP:      encryption AES-CBC
002301: Jan 26 21:17:50.081: ISAKMP:      hash MD5
002302: Jan 26 21:17:50.081: ISAKMP:      default group 2
002303: Jan 26 21:17:50.081: ISAKMP:      auth XAUTHInitPreShared
002304: Jan 26 21:17:50.081: ISAKMP:      life type in seconds
002305: Jan 26 21:17:50.081: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002306: Jan 26 21:17:50.085: ISAKMP:      keylength of 256
002307: Jan 26 21:17:50.085: ISAKMP:(0):Encryption algorithm offered does not match policy!
002308: Jan 26 21:17:50.085: ISAKMP:(0):atts are not acceptable. Next payload is 3
002309: Jan 26 21:17:50.085: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
002310: Jan 26 21:17:50.085: ISAKMP:      encryption AES-CBC
002311: Jan 26 21:17:50.085: ISAKMP:      hash SHA
002312: Jan 26 21:17:50.085: ISAKMP:      default group 2
002313: Jan 26 21:17:50.085: ISAKMP:      auth pre-share
002314: Jan 26 21:17:50.085: ISAKMP:      life type in seconds
002315: Jan 26 21:17:50.085: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002316: Jan 26 21:17:50.085: ISAKMP:      keylength of 256
002317: Jan 26 21:17:50.085: ISAKMP:(0):Encryption algorithm offered does not match policy!
002318: Jan 26 21:17:50.085: ISAKMP:(0):atts are not acceptable. Next payload is 3
002319: Jan 26 21:17:50.085: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
002320: Jan 26 21:17:50.085: ISAKMP:      encryption AES-CBC
002321: Jan 26 21:17:50.085: ISAKMP:      hash MD5
002322: Jan 26 21:17:50.085: ISAKMP:      default group 2
002323: Jan 26 21:17:50.085: ISAKMP:      auth pre-share
002324: Jan 26 21:17:50.085: ISAKMP:      life type in seconds
002325: Jan 26 21:17:50.085: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002326: Jan 26 21:17:50.085: ISAKMP:      keylength of 256
002327: Jan 26 21:17:50.085: ISAKMP:(0):Encryption algorithm offered does not match policy!
002328: Jan 26 21:17:50.085: ISAKMP:(0):atts are not acceptable. Next payload is 3
002329: Jan 26 21:17:50.085: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
002330: Jan 26 21:17:50.085: ISAKMP:      encryption AES-CBC
002331: Jan 26 21:17:50.085: ISAKMP:      hash SHA
002332: Jan 26 21:17:50.085: ISAKMP:      default group 2
002333: Jan 26 21:17:50.085: ISAKMP:      auth XAUTHInitPreShared
002334: Jan 26 21:17:50.085: ISAKMP:      life type in seconds
002335: Jan 26 21:17:50.085: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002336: Jan 26 21:17:50.085: ISAKMP:      keylength of 128
002337: Jan 26 21:17:50.085: ISAKMP:(0):Encryption algorithm offered does not match policy!
002338: Jan 26 21:17:50.085: ISAKMP:(0):atts are not acceptable. Next payload is 3
002339: Jan 26 21:17:50.085: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
002340: Jan 26 21:17:50.085: ISAKMP:      encryption AES-CBC
002341: Jan 26 21:17:50.085: ISAKMP:      hash MD5
002342: Jan 26 21:17:50.089: ISAKMP:      default group 2
002343: Jan 26 21:17:50.089: ISAKMP:      auth XAUTHInitPreShared
002344: Jan 26 21:17:50.089: ISAKMP:      life type in seconds
002345: Jan 26 21:17:50.089: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002346: Jan 26 21:17:50.089: ISAKMP:      keylength of 128
002347: Jan 26 21:17:50.089: ISAKMP:(0):Encryption algorithm offered does not match policy!
002348: Jan 26 21:17:50.089: ISAKMP:(0):atts are not acceptable. Next payload is 3
002349: Jan 26 21:17:50.089: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
002350: Jan 26 21:17:50.089: ISAKMP:      encryption AES-CBC
002351: Jan 26 21:17:50.089: ISAKMP:      hash SHA
002352: Jan 26 21:17:50.089: ISAKMP:      default group 2
002353: Jan 26 21:17:50.089: ISAKMP:      auth pre-share
002354: Jan 26 21:17:50.089: ISAKMP:      life type in seconds
002355: Jan 26 21:17:50.089: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002356: Jan 26 21:17:50.089: ISAKMP:      keylength of 128
002357: Jan 26 21:17:50.089: ISAKMP:(0):Encryption algorithm offered does not match policy!
002358: Jan 26 21:17:50.089: ISAKMP:(0):atts are not acceptable. Next payload is 3
002359: Jan 26 21:17:50.089: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
002360: Jan 26 21:17:50.089: ISAKMP:      encryption AES-CBC
002361: Jan 26 21:17:50.089: ISAKMP:      hash MD5
002362: Jan 26 21:17:50.089: ISAKMP:      default group 2
002363: Jan 26 21:17:50.089: ISAKMP:      auth pre-share
002364: Jan 26 21:17:50.089: ISAKMP:      life type in seconds
002365: Jan 26 21:17:50.089: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002366: Jan 26 21:17:50.089: ISAKMP:      keylength of 128
002367: Jan 26 21:17:50.089: ISAKMP:(0):Encryption algorithm offered does not match policy!
002368: Jan 26 21:17:50.089: ISAKMP:(0):atts are not acceptable. Next payload is 3
002369: Jan 26 21:17:50.089: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
002370: Jan 26 21:17:50.089: ISAKMP:      encryption 3DES-CBC
002371: Jan 26 21:17:50.089: ISAKMP:      hash SHA
002372: Jan 26 21:17:50.089: ISAKMP:      default group 2
002373: Jan 26 21:17:50.089: ISAKMP:      auth XAUTHInitPreShared
002374: Jan 26 21:17:50.089: ISAKMP:      life type in seconds
002375: Jan 26 21:17:50.089: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
002376: Jan 26 21:17:50.089: ISAKMP:(0):atts are acceptable. Next payload is 3
002377: Jan 26 21:17:50.089: ISAKMP:(0):Acceptable atts:actual life: 86400
002378: Jan 26 21:17:50.089: ISAKMP:(0):Acceptable atts:life: 0
002379: Jan 26 21:17:50.089: ISAKMP:(0):Fill atts in sa vpi_length:4
002380: Jan 26 21:17:50.089: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
002381: Jan 26 21:17:50.089: ISAKMP:(0):Returning Actual lifetime: 86400
002382: Jan 26 21:17:50.089: ISAKMP:(0)::Started lifetime timer: 86400.

002383: Jan 26 21:17:50.089: ISAKMP:(0): processing KE payload. message ID = 0
002384: Jan 26 21:17:50.141: ISAKMP:(0): processing NONCE payload. message ID = 0
002385: Jan 26 21:17:50.145: ISAKMP:(0): vendor ID is NAT-T v2
002386: Jan 26 21:17:50.145: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
002387: Jan 26 21:17:50.145: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

002388: Jan 26 21:17:50.149: ISAKMP:(1148): constructed NAT-T vendor-02 ID
002389: Jan 26 21:17:50.149: ISAKMP:(1148):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
002390: Jan 26 21:17:50.149: ISAKMP (1148): ID payload
next-payload : 10
type         : 1
address      : 10.10.2.4
protocol     : 0
port         : 0
length       : 12
002391: Jan 26 21:17:50.149: ISAKMP:(1148):Total payload length: 12
002392: Jan 26 21:17:50.149: ISAKMP:(1148): sending packet to 99.11.202.186 my_port 500 peer_port 56657 (R) AG_INIT_EXCH
002393: Jan 26 21:17:50.149: ISAKMP:(1148):Sending an IKE IPv4 Packet.
002394: Jan 26 21:17:50.149: ISAKMP:(1148):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
002395: Jan 26 21:17:50.149: ISAKMP:(1148):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

002396: Jan 26 21:17:55.713: ISAKMP:(1147): retransmitting phase 1 AG_INIT_EXCH...
002397: Jan 26 21:17:55.713: ISAKMP (1147): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
002398: Jan 26 21:17:55.713: ISAKMP:(1147): retransmitting phase 1 AG_INIT_EXCH
002399: Jan 26 21:17:55.713: ISAKMP:(1147): sending packet to 98.236.145.207 my_port 500 peer_port 1088 (R) AG_INIT_EXCH
002400: Jan 26 21:17:55.713: ISAKMP:(1147):Sending an IKE IPv4 Packet.
002401: Jan 26 21:17:57.737: ISAKMP:(1146): retransmitting phase 1 AG_INIT_EXCH...
002402: Jan 26 21:17:57.737: ISAKMP (1146): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
002403: Jan 26 21:17:57.737: ISAKMP:(1146): retransmitting phase 1 AG_INIT_EXCH
002404: Jan 26 21:17:57.737: ISAKMP:(1146): sending packet to 98.236.145.207 my_port 500 peer_port 1084 (R) AG_INIT_EXCH
002405: Jan 26 21:17:57.737: ISAKMP:(1146):Sending an IKE IPv4 Packet.
002406: Jan 26 21:17:58.273: ISAKMP:(1144):purging SA., sa=47EF8BB8, delme=47EF8BB8
002407: Jan 26 21:18:00.149: ISAKMP:(1148): retransmitting phase 1 AG_INIT_EXCH...
002408: Jan 26 21:18:00.149: ISAKMP (1148): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
002409: Jan 26 21:18:00.149: ISAKMP:(1148): retransmitting phase 1 AG_INIT_EXCH
002410: Jan 26 21:18:00.149: ISAKMP:(1148): sending packet to 99.11.202.186 my_port 500 peer_port 56657 (R) AG_INIT_EXCH
002411: Jan 26 21:18:00.149: ISAKMP:(1148):Sending an IKE IPv4 Packet.
CHS-RTR1#
CHS-RTR1#
002412: Jan 26 21:18:03.937: ISAKMP:(1145):purging SA., sa=47F0389C, delme=47F0389C
CHS-RTR1#
002413: Jan 26 21:18:05.713: ISAKMP:(1147): retransmitting phase 1 AG_INIT_EXCH...
002414: Jan 26 21:18:05.713: ISAKMP (1147): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
002415: Jan 26 21:18:05.713: ISAKMP:(1147): retransmitting phase 1 AG_INIT_EXCH
002416: Jan 26 21:18:05.713: ISAKMP:(1147): sending packet to 98.236.145.207 my_port 500 peer_port 1088 (R) AG_INIT_EXCH
002417: Jan 26 21:18:05.713: ISAKMP:(1147):Sending an IKE IPv4 Packet.
CHS-RTR1#
002418: Jan 26 21:18:07.737: ISAKMP:(1146): retransmitting phase 1 AG_INIT_EXCH...
002419: Jan 26 21:18:07.737: ISAKMP (1146): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
002420: Jan 26 21:18:07.737: ISAKMP:(1146): retransmitting phase 1 AG_INIT_EXCH
002421: Jan 26 21:18:07.737: ISAKMP:(1146): sending packet to 98.236.145.207 my_port 500 peer_port 1084 (R) AG_INIT_EXCH
002422: Jan 26 21:18:07.737: ISAKMP:(1146):Sending an IKE IPv4 Packet.
002423: Jan 26 21:18:09.033: ISAKMP (0): received packet from 99.11.202.186 dport 500 sport 65411 Global (N) NEW SA
002424: Jan 26 21:18:09.037: ISAKMP: Created a peer struct for 99.11.202.186, peer port 65411
002425: Jan 26 21:18:09.037: ISAKMP: New peer created peer = 0x47EF97D8 peer_handle = 0x80000096
002426: Jan 26 21:18:09.037: ISAKMP: Locking peer struct 0x47EF97D8, refcount 1 for crypto_isakmp_process_block
002427: Jan 26 21:18:09.037: ISAKMP: local port 500, remote port 65411
002428: Jan 26 21:18:09.041: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A6E4C18
CHS-RTR1#
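
As an added triage helper (not code from the post, Cisco or the ISP), a small parser for the shape of the "debug crypto isakmp" output above: it records which transform the router's policy accepted, which address the router puts in its own ID payload, and how often the responder's AG_INIT_EXCH was retransmitted, then flags weak phase 1 parameters and a private responder ID paired with a public peer. The sample lines, the SA number 1148 and the addresses in them are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
SAMPLE = """\
000001: Jan 26 21:17:50.081: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000002: Jan 26 21:17:50.081: ISAKMP:      encryption AES-CBC
000003: Jan 26 21:17:50.081: ISAKMP:(0):atts are not acceptable. Next payload is 3
000004: Jan 26 21:17:50.089: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
000005: Jan 26 21:17:50.089: ISAKMP:      encryption 3DES-CBC
000006: Jan 26 21:17:50.089: ISAKMP:      hash SHA
000007: Jan 26 21:17:50.089: ISAKMP:      default group 2
000008: Jan 26 21:17:50.089: ISAKMP:(0):atts are acceptable. Next payload is 3
address      : 10.10.2.4
000009: Jan 26 21:17:50.149: ISAKMP:(1148): sending packet to 203.0.113.10 my_port 500 peer_port 56657 (R) AG_INIT_EXCH
000010: Jan 26 21:18:00.149: ISAKMP (1148): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""  # constructed sample in the shape of the IOS "debug crypto isakmp" output above; not from the post
RE_TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+)")
RE_ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")
RE_ADDR = re.compile(r"^address\s*:\s*(\S+)")
RE_SEND = re.compile(r"ISAKMP:\((\d+)\): sending packet to (\S+) .*\(R\) AG_INIT_EXCH")
RE_RETX = re.compile(r"ISAKMP \((\d+)\): incrementing error counter on sa, attempt (\d+) of (\d+)")
WEAK = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "default group": {"1", "2"}}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
is_rfc1918 = lambda a: any(ip_address(a) in net for net in RFC1918)

def triage(debug_text):
    """Summarise one IKEv1 aggressive-mode attempt: accepted transform, IDs, retransmits."""
    r = {"accepted": None, "responder_id": None, "peer": None, "retransmits": {}, "findings": []}
    current = {}
    for line in map(str.strip, debug_text.splitlines()):
        if RE_TRANSFORM.search(line):
            current = {}                        # a new proposal starts; collect its attributes
        elif m := RE_ATTR.search(line):
            current[m.group(1)] = m.group(2)
        elif "atts are acceptable" in line:
            r["accepted"] = dict(current)       # the proposal the router's policy matched
        elif m := RE_ADDR.match(line):
            r["responder_id"] = m.group(1)      # address the router identifies itself with
        elif m := RE_SEND.search(line):
            r["peer"] = m.group(2)
        elif m := RE_RETX.search(line):
            r["retransmits"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    weak = [f"{k} {v}" for k, v in (r["accepted"] or {}).items() if v in WEAK.get(k, ())]
    if weak:
        r["findings"].append("weak phase 1 parameters negotiated: " + ", ".join(weak))
    if r["peer"] and r["responder_id"] and is_rfc1918(r["responder_id"]) and not is_rfc1918(r["peer"]):
        r["findings"].append("responder ID is RFC1918 but the peer is public: check UDP 500/4500 NAT and NAT-T")
    for sa, (n, total) in r["retransmits"].items():
        r["findings"].append(f"SA {sa}: AG_INIT_EXCH retransmitted {n} of {total}; no client reply, phase 1 incomplete")
    return r
```

Run `triage(SAMPLE)` or feed it the full router debug capture; the retransmit finding corresponds to the IKE_R_AM2 state in the log above, where the router has answered but never receives the client's third aggressive-mode message.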
