EZVPN Router to PIX - vpn tunnel fails after xauth

I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
Ken

Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. Was hoping the PIX config wouldn't need any changes since its working for the software VPN clients. I tried your NAT suggestion:
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
ip access-list standard Lan_Addresses
permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
This didn't change things. Also, things behave differently when I use a bad username/password, for example:
AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.
XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 50
0 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason
"Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_A
TTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State
= IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport
500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.
XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State
= IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the fo
llowing command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
Thanks again,
Ken

Similar Messages

Router-to-PIX VPN Tunnels fade in and out

Does anyone know of any problems with Router-to-PIX vpn tunnels? For a number of months we've had about 35 831Routers vpn'd into our PIX515 and the tunnel has been stable. Recently, however, the tunnel has been dropping out at a number of sites.
When the tunnel goes down the users still have access to their local internet but obviously not to the shared network resources of the vpn tunnel. In most cases the tunnel can be re-established at each location simply by rebooting the router. Only problem with that is that some of the locations are having to reboot their 831Router more than two or three times a day.
I've added keepalive statements into theconfig of the routers and the PIX. Specifically I've added these two lines to the routers:
Crypto isakmp keepalive 10 5
crypto ipsec secutity-association lifetime seconds 28800
I added a similar isakmp keepalive to the PIX. Any suggestions would be appreciated as some of my users are getting frustrated.
Thank you,
Chris

Try using the debug commands and see if you are getting any error messages that might give us some idea.

Site-to-Site VPN Tunnel fails after upgrade 8.3(2) to 8.4(4)

Hello Team Cisco,
I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening. The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail. I did a limited search online to see if this was a known issue or something new. I also reviewed the release notes but did not see anything that matched the issue I received.
My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade. But if it failed on the upgraded test unit, it may fail on the production units.
I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.
Any input or thoughts would be greatly appreciated.
Thanks,
Michael

Hi Chris,
Thanks for the response. Unfortunately not. I'll need to upgrade and capture logs and upload for review. I may not get to that until this afternoon or Monday of next week.
Regards,
Michael

Cisco IOS Router to PIX VPN Issues

Hi Everyone,
I have a small issue here which someone may be able to shed some light on.
I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue is both networks on each side of the VPN contain multiple subnets and i cannot connect to all the subnets over the same tunnel.
Any ideas.

Yes all this is setup.
I have just found out that Cisco IOS can only make connections from 1 network per crypt map unless multiple connections are made from server to host. This is quite disturbing because i have not seen this in any documentation.
Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network.

SSL-VPN Anyconnect fails after rebooting 2811

Hello all,
I have setup an Anyconnect SSL-VPN in my 2811 and it works just great, but then after the reboot it fails. I think it has something to do with the SSL Cert being ereased. Here is my configuration, please let me know if you need anything else:
! Last configuration change at 02:03:27 CDT Thu Sep 27 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
aaa new-model
aaa session-id common
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-XXXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXX
revocation-check none
crypto pki certificate chain TP-self-signed-XXXXXXXXXX
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363535 34343437 3534301E 170D3132 30393237 30373033
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353534
34343735 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810096FE 9114BCED E2FA2297 CE41A6F5 73078E18 C1109993 48E2629E 78713B48
E6EA7C79 17C8E159 C057A05B F3CAFB4D 36AE9196 AAC4A2BF 586CF144 A81E50FC
5261BFCF 0A11064F C9F19A4C 953DFBF8 65194AD2 73100EE0 FBFE7EB6 0AD16875
7C1C03AE B3A461E2 9837E057 E2A8AE94 F11FDA8A 98AF8107 C0D9FF14 3CF1C62E
BE090203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1425F172 BAFEAA95 A90FA3D7 A3482174 6F951194 52301D06
03551D0E 04160414 25F172BA FEAA95A9 0FA3D7A3 4821746F 95119452 300D0609
2A864886 F70D0101 04050003 81810064 30DCCC2D 0506EDF6 61C37B9E DF5D8F9A
A9FE0646 FC72C3F8 A7E10E55 CE6AA592 7385931A DDFE95B7 47ED3690 2C3F8B43
9A637526 1464D94E 3A71D235 A14C0551 70E3ED2F F51B07E3 4379E2AF CCA03416
10DDF3E1 784D053B A9E4A624 E34BDDFB BA638658 58E30B74 55A62B02 BDC493A8
23191E2E E4BF390B D62DAA2B 351C09
        quit
username USERNAME privilege 15 secret 5 $1$Pc/.$y6kJb0xpe.77ciRHZTJ8A.
ip local pool SSL-VPN 192.168.11.5 192.168.11.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
bvpn gateway gateway_1
ip interface Dialer1 port 443
ssl trustpoint SSL-VPN
inservice
webvpn install svc flash:/webvpn/anyconnect-win-2.5.2014-k9.pkg sequence 1
webvpn context SSL-VPN
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
   functions svc-enabled
   svc address-pool "SSL-VPN"
   svc default-domain "DOMAIN"
   svc keep-client-installed
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary DNS-SERVER
default-group-policy policy_1
gateway gateway_1
inservice

Here is the bug description that matches your explaination of the issue:
MF: HTTPS generates a new self-signed cert on reboot even if one exists
Symptom:
With Secure HTTP server enabled, IOS device generates a new self-signed certificate when it reloads even if a valid self-signed certificate already exists.
Conditions:
When there is no CA(Certificate Authority) provided certificate on the device
Workaround:
Use CA provided certificate.
The resolution is to upgrade it to version 15.2(1)T or higher.
Unfortunately you would need to have SmartNet contract to be able to download the software from CCO.

Pix vpn tunnel using certificates problem

hi
I have set up a small network at home to practice a branch office
pix 501 obtaining a digital certificate from a windows 2000 server
which is located on a dmz on a pix 515 over an encrypted tunnel
the tunnel is initually set up using pre-shared keys and once the
branch pix has its certificate altering the configs on both pix's
to use certificates for authentication,but have run into a problem
i have included an attachment to explain how i went about it and
the problem i have encounterd
would appreciate it if someone could take a look and tell me where
the problem lies
regards
melvyn brown

I am having the same issues with small business server 2003. VPN from the iTouch works fine, but it will not sync with contacts,mail and calendar.
The Apple Store Genius bar was of no help. Generally their pretty good. I believe this will be NEW turf for the folks at Apple.

Apple VPN Client fails after 10.4.7 update

I have three different remote computers that cannot connect over VPN remotely to our xServe running 10.3.9. After installing 10.4.7 update recently, all three remote computers fail to even hit the server logs (ie. no connection, no denial, no nothing on the server end). I had one machine that was running 10.4.6 tonight. VPN connection worked fine. Ran the software update, restarted, now that computer fails to make a connection.
It has nothing to do with the firewall on the xServe. I have turned that off with no success.
Any ideas? I appreciate the help.

to uninstall the client:
http://docs.info.apple.com/article.html?artnum=108021
you can create a client installer with the admin
under File, Create Client Installer...
Thanks for this. I will look into it further. The document you refer to states that 10.4 Clients should only be stopped rather than uninstalled, this concerns me a little. As I have tried simply stopping the service I will escalate to uninstalling the client and then see if reinstalling resolves the issue. Many thanks for your response.

Router to pix vpn ipsec - bandwidth issue

I basically followed the config example of cisco in :
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
it works fine.
my pb is:
the remote site has a 2Mbps line but once the tunnel is up, even without traffic in the tunnel, the link between any client behind the router and a line tester in the OUTSIDE world (internet) will give very poor results.....
what could be wrong ?
no crc error, no error at all, just that the bandwidth with the outside world is vanishing
any idea?

Did you apply any QOS on the link?

Cannot establish site-site vpn tunnel through ASA 9.1(2)

Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards

>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing ICMP/Echo
If you allowed full IP-access between these two endpoints, it is more than enough.
When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
Can the two gateways ping each other?

881 VPN fails after 24hrs/IKE key lifetime

Hi all,
This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.
We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
Here is a brief list of things I've done.
- Checked configuration of central router (which is a Mikrotik RB800 btw)
- Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
- I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.
- I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
I've included the 881's config:
Building configuration...Current configuration : 7795 bytes
! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname <<removed>>
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M4.bin
boot-end-marker
logging buffered 102400
enable secret 4 <<removed>>
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki token default removal timeout 0
!no ip source-route
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.4.199 192.168.4.254
ip dhcp pool Main
network 192.168.4.0 255.255.255.0
dns-server 192.168.4.250 8.8.4.4
default-router 192.168.4.250
lease infinite
ip cef
ip domain lookup source-interface Dialer1
ip domain name <<removed>>
ip name-server 8.8.4.4
ip name-server 192.168.58.199
no ipv6 cef
password encryption aes!
object-group network SUBNET_DUITSLAND
description Hele subnet IC Duitsland
192.168.4.0 255.255.255.0
object-group network SUBNET_IC_ARNHEM
description Hele subnet IC Arnhem
192.168.58.0 255.255.255.0
object-group network WAN_IC_ARNHEM
description Het WAN IP adres van IC Arnhem
host <<removed>>
vtp mode transparent
username <<removed>> privilege 15 view root secret 4 <<removed>>
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-all ccp-cls--1
match access-group name Outgoing
class-map type inspect match-all ccp-cls--2
match access-group name Incoming
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
zone security Inside
zone security Outside
zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
service-policy type inspect ccp-policy-ccp-cls--2
crypto logging ezvpn
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key <<removed>> address <<removed>>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to CO
set peer <<removed>>
set transform-set ESP-AES256-SHA
set pfs group5
match address 104
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description DeutscheTelekom$ETH-WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.4.250 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1412
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname <<removed>>
ppp chap password 7 <<removed>>
ppp pap sent-username <<removed>> password 7 <<removed>>
ppp ipcp dns request
ppp ipcp address accept
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip access-list extended Incoming
remark CCP_ACL Category=128
permit ip any object-group SUBNET_DUITSLAND
ip access-list extended Outgoing
remark CCP_ACL Category=128
permit ip object-group SUBNET_DUITSLAND any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit <<removed>>
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip host <<removed>> any
access-list 101 permit ip 192.168.58.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 103
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
password 7 <<removed>>
login local
transport input ssh
ntp update-calendar
ntp server de.pool.ntp.org prefer
end
Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
.May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
.May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
.May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
.May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
.May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
.May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
.May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
.May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
.May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
.May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
.May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
.May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
.May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
.May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
.May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
.May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
.May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
.May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
.May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
.May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
Crypto ISAKMP debugging is off
IC-Deutschland#
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
Can anyone shed some light as what could be going on?
Much obliged!

Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.

Multiple Site-Site VPN Tunnel on a Single PiX Firewall

I cureently have a site to site VPN tunnel (VPN1) between HK (Pix ver 6.1(2) & Leeds (ASA version 7.2(2). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a Pix 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shutdown VPN1 when VPN2 is up.
On the HK PIX I am using the same isakmp policy, transform-set and have created another crypto map for the the new VPN (VPN2).
On passing intersting traffic to establish the new tunnel for the Leeds end, I am gettting the following debugging errors.
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Site HK - PIX1(192.168.0.1)
crypto ipsec transform-set chevvie esp-des esp-md5-hmac
(crypto map for existing VPN (VPN1)
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
(New Crpto Map for new VPN (VPN2)
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
isakmp enable outside
isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Site - Leeds PIX2 (192.168.0.3)
crypto ipsec transform-set ford esp-des esp-md5-hmac
crypto map VPNHK 2 match address outside_crypto_acl
crypto map VPNHK 2 set peer 192.168.0.1
crypto map VPNHK 2 set transform-set ford
crypto map VPNHK interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 ipsec-attributes
pre-shared-key ev0lut10n
sysopt connection permit-ipsec
Your assistance will be grately appreciated.

How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.
Peter

SNMP Monitor PIX throught VPN tunnel

I have two Cisco PIX 515e firewalls configured in fail-over. The primary PIX has private address 192.168.1.5 and the secondary PIX (standby) has a private address 192.168.1.6. The PIX firewalls are running IOS 6.3.3. I'm connecting to the PIX firewalls through a VPN tunnel (PIXes terminate VPN tunnel) and my monitoring system uses SNMP to monitor devices behind the PIX firewalls and the primary PIX private IP address. I would also like to monitor the standby IP address 192.168.1.6 from the tunnel and have been unsuccessful thus far. I can do this from behind the PIX, but not through the tunnel (only the primary PIX).
Is there a way I can SNMP monitor (and PING) the IP address of the standby PIX through the VPN tunnel?
Please send email to [email protected]
Thank you,
frank

Paul,
Thank you for your email. Yes, we currently use this command to monitor the active private IP of the active PIX firewall through the VPN tunnel. What I would like to be able to monitor is the private IP address of the standby PIX firewall (has a different IP address while in standby mode) would like to make sure that it too is up and running (I can do this today for other PIX firewalls from the inside, but not through the tunnel.
Best regards,
Frank Pikelner
Hi Frank,
Dont think you are going to get that to work due to the routing issues. Sending syslog messages to the snmp server is the only way Ive done it in the past. Have you given this a try?
http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278a.html#wp1052111
http://cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide09186a00800896ac.html
I hope this is of some help.
Cheers,
Paul.

Multiple VPN tunnels on Multiple interfaces on PIX

We have a PIX 515 with 5 interfaces in it, I have 2 different ISPs connect to 2 different interfaces on the PIX. I want to create 2 different ipsec tunnels from our office on Toronto. Toronto have 2 different ISPs int there router. How can I create 2 different ipsec tunnels on to different interfaces on a PIX 515?

Thank you for the reply -
So if I had Internet---router---PIX---inside. I have a router for each ISP and then the routers are connected to the PIX. I would then terminate the VPN tunnels on the routers? How would I route the traffic from the inside to the outside for the VPN tunnels?

Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)

Hello,
I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN Tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able guarentee 5Mb of the total 10Mb to a specific VPN Tunnel. Is this possible? I have read the following links, however I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4
https://supportforums.cisco.com/docs/DOC-1230
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos
The tunnel is being defined by the following commands:
crypto map prdmay 20 match address vpn_1
crypto map prdmay 20 set peer 61.172.142.222
crypto map prdmay 20 set transform-set TS
access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any
access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any
tunnel-group 61.172.142.222 type ipsec-l2l
tunnel-group 61.172.142.222 ipsec-attributes
pre-shared-key *
Is the following what I need to do in order to accomplish what I want:
priority-queue outside
class-map vpn_5Mb
match access-list vpn_1
match tunnel-group 61.172.142.222
policy-map police-priority-policy
class vpn_5Mb
police output 5120000
service-policy police-priority-policy interface outside
Thank you for your help.

I don't think the ASA will let you match on ACL and tunnel group at the same time.
Just the ACL will do though. The ACL should match local ip addresses (there are usually no-natted for the VPN anyway).
Here is a page with a QoS examples on the ASA for reference https://supportforums.cisco.com/docs/DOC-1230
I hope it helps.
PK

Which wireless router do I need for multiple VPN tunnels?

I work at home and I connect to my office VPN (SSH Extranet Client) thru cable broadband. I need to have 2 VPN tunnels open as I frequently have my laptop & desktop connected to my work VPN. I've had a BEFSX41 for the past 3 years and it's worked good as it allowed for 2 VPN tunnels. It just died on me a few days ago and I would like to go wireless now. What wireless router(s) would meet my needs? Thanks in advance for any input.Message Edited by nolesworld on 11-27-200606:24 PM
Message Edited by nolesworld on 11-27-200606:38 PM

hi , the WRV200 will be a good choice....supports upto 50 tunnels and has wireless capabilities....

EZVPN Router to PIX - vpn tunnel fails after xauth

Similar Messages

Maybe you are looking for