VPN IP errors

I have a site to site between my office and a customer using two Pix 515E's. As my office has moved there is a new IP address at my office end. I have been to the client's site and changed the peer address to correspond but it will not connect. When debugging it appears that it is still trying to connect to the old IP address even though there is nothing in the config that relates to that address now. Has anyone come across this before and if so how did you resolve it?

I'm no expert but I know that there are some changes made to a crypto map that aren't dynamic, such as an access-list change.
Even if you issue a clear ipsec sa command the changes won't be reflected in the sa.
Try unbinding the crypto map and then re-binding it to the correct interface.
Also, if you are using PSKs, double check that the line isakmp key... is pointing to the correct address.
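
An added example, not part of the original replies: a Python check for the two points in the reply above, that the crypto map is bound to an interface and that an `isakmp key` line covers the peer the crypto map names. The config fragment is constructed, uses documentation addresses and assumes PIX 6.x syntax; the names `office`, `myset` and `audit_peers` are hypothetical.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment (documentation addresses, not from the post):
# the crypto map already names the new office address, the pre-shared key line
# still names the old one.
PIX_CONFIG = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map office 10 ipsec-isakmp
crypto map office 10 match address 101
crypto map office 10 set peer 203.0.113.20
crypto map office 10 set transform-set myset
crypto map office interface outside
isakmp enable outside
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\d+\.\d+\.\d+\.\d+)\s*$")
KEY_RE = re.compile(
    r"^isakmp key \S+ address (\d+\.\d+\.\d+\.\d+)(?: netmask (\d+\.\d+\.\d+\.\d+))?"
)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$")


def audit_peers(config):
    """Cross-check crypto map peers, isakmp key addresses and interface bindings."""
    peers = {}     # peer address -> name of the crypto map that uses it
    keys = []      # networks covered by the isakmp key lines
    bound = set()  # crypto maps applied to an interface
    for raw in config.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peers[ipaddress.ip_address(m.group(3))] = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            # A key line without a netmask is treated as a single-host entry.
            mask = m.group(2) or "255.255.255.255"
            keys.append(ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False))
            continue
        m = BIND_RE.match(line)
        if m:
            bound.add(m.group(1))
    return {
        # Peers the device will try to reach but has no pre-shared key for.
        "peers_without_key": sorted(
            str(p) for p in peers if not any(p in k for k in keys)
        ),
        # Key lines no crypto map uses any more, e.g. the old office address.
        "keys_without_peer": sorted(
            str(k) for k in keys if not any(p in k for p in peers)
        ),
        # Crypto maps that name a peer but are not applied to any interface.
        "unbound_maps": sorted(set(peers.values()) - bound),
    }


if __name__ == "__main__":
    for finding, items in audit_peers(PIX_CONFIG).items():
        print(f"{finding}: {items or 'none'}")
```
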

Similar Messages

  • SSL VPN Client Error

    I set up a Cisco ASA 5510 SSL VPN with the following;
    IOS 7.2
    SSL VPN Client sslclient-win-1.1.1.164.pkg
    Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
    IBM Thinkpad T40
    Windows XP SP 2
    Internet Explorer 7
    All patches up-to-date
    All drivers up-to-date
    SSL VPN Client connection process;
    - User login with valid account and password
    - The SSL VPN Client package will automatically be downloaded and installed.
    - User will then be connected to SSL VPN
    The ERRORS;
    1. GUI (Cisco SSL VPN Client installation process)
    "The SSL VPN Client driver has Encountered an Error"
    2. Event Viewer
    The only error in this user event viewer that differs from other users who successfully connected are;
    a)
    Function: EnableVA
    Return code: 0
    File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
    Line: 310
    Description: unknown
    b)
    Function: EnableVA
    Return code: 0xFE080007
    File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
    Line: 1145
    Description: VAMGR_ERROR_ENABLE_VA_FAILED
    Anyone know what this error means?
    BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
    Thanks

    The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

  • SSL VPN Connection error with SA520

    Hi there,
    I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
    I have made sure the firewall was turned off. Any idea on how to get the SSL tunnel connected?
    Thanks

    Hihi,
    we have the same problem, running on Vista 32 bit, and IE9.
    On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
    It works also on Win 7 64 bit, although only with the 64 bit version of IE.
    Coming back to our Vista issue, we did not find any way to make it work properly.
    Tried to turn off firewall, uninstall a lot of stuff that may interfere, etc., still same problem.
    We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
    Anyone has any suggestion ??
    Tks

  • Site to Site VPN Setup: Error processing payload: Payload ID: 1

    Hello,
    I am currently getting the error Error processing payload: Payload ID: 1 when attempting to connect an old RV082 (local) to an ASA5520 (in lab). I'm not really sure what is causing this, going through what I've found via Google hasn't really helped much and I was hoping one of you could point me in the right direction.
    I've attached a screen grab of the RV configuration and below is an (abridged) copy of the running config from the ASA. Any and all help would be amazing, I'm sure it's something simple that I'm overlooking but I just don't have the experience with Cisco gear to nail it down.
    Thank you very much!
    Result of the command: "show running-config"
    : Saved
    ASA Version 9.0(3) 
    hostname epath-asa02
    domain-name epathlearning.com
    enable password hqamp6WHO7djZ5fP encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool REMOTE_VPN_POOL 192.168.5.201-192.168.5.205 mask 255.255.255.0
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address xx.xx.xx.xx 255.255.255.254 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.5.1 255.255.255.0 
    interface GigabitEthernet0/2
     nameif storage
     security-level 100
     ip address 192.168.6.1 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    boot system disk0:/asa903-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 192.168.5.4
     name-server 8.8.8.8
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu storage 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm image disk0:/asdm-715-100.bin
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,inside) source static any any destination static NETWORK_OBJ_192.168.5.200_29 NETWORK_OBJ_192.168.5.200_29 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.5.200_29 NETWORK_OBJ_192.168.5.200_29 no-proxy-arp route-lookup
    nat (inside,outside) source static DMZ_Network DMZ_Network destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication telnet console LOCAL 
    aaa authentication ssh console LOCAL 
    http server enable
    http 192.168.5.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 208.103.76.212 
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     email [email protected]
     subject-name CN=xxxxxx
     serial-number
     ip-address xx.xx.xx.xx
     keypair xxxxxxxxxxxxxx
     proxy-ldc-issuer
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     crl configure
    crypto ca trustpoint localtrust
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      quit
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 825b0a53
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.5.3 255.255.255.255 inside
    telnet timeout 5
    ssh scopy enable
    ssh 192.168.5.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcp-client update dns server both
    dhcpd address 192.168.5.100-192.168.5.120 inside
    dhcpd dns 192.168.5.4 8.8.4.4 interface inside
    dhcpd update dns both override interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 12.10.191.251 source outside prefer
    ssl trust-point ASDM_TrustPoint0 outside
    ssl trust-point ASDM_TrustPoint0 inside
    webvpn
     enable outside
     enable inside
     anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
     anyconnect image disk0:/anyconnect-linux-64-3.1.05152-k9.pkg 3
     anyconnect profiles Production_client_profile disk0:/Production_client_profile.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
     default-domain value 
    group-policy DfltGrpPolicy attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    group-policy GroupPolicy_Production internal
    group-policy GroupPolicy_Production attributes
     wins-server none
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ikev2 ssl-client 
     default-domain value 
     webvpn
      anyconnect profiles value Production_client_profile type user
    group-policy GroupPolicy_208.103.76.212 internal
    group-policy GroupPolicy_208.103.76.212 attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
    username zzzzzzzzzzzzzz password pwoiKxeLmKvYDJf5 encrypted
    username root password nSkWYNJFu52Wl56e encrypted
    tunnel-group DefaultL2LGroup ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group DefaultRAGroup general-attributes
     address-pool REMOTE_VPN_POOL
     default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
     authentication ms-chap-v2
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool REMOTE_VPN_POOL
     authorization-server-group LOCAL
     dhcp-server 192.168.5.1
     authorization-required
    tunnel-group Production type remote-access
    tunnel-group Production general-attributes
     address-pool REMOTE_VPN_POOL
     default-group-policy GroupPolicy_Production
     strip-realm
     strip-group
    tunnel-group Production webvpn-attributes
     group-alias Production enable
    tunnel-group 208.103.xxx.xxx type ipsec-l2l
    tunnel-group 208.103.xxx.xxx general-attributes
     default-group-policy GroupPolicy_208.103.xxx.xxx
    tunnel-group 208.103.xxx.xxx ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect netbios 
      inspect rsh 
      inspect rtsp 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect sip  
      inspect xdmcp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    service call-home
    call-home reporting anonymous
    call-home
     contact-email-addr [email protected]
     profile CiscoTAC-1
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9f04ecc9900e65a838e26d06af93a5be
    : end

    Hello,
    It seems you are establishing ikev1 site to site vpn to linksys router.
    On the Linksys router you have configured the phase 1 policy to use aes-256, g5 and sha-1, whereas none of the ikev1 policies on the ASA match it. Configure an ikev1 policy to match the parameters on the ASA.
    crypto ikev1 policy 15
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
    HTH
    "Please rate helpful posts"
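
An added example, not part of the original thread: a Python check that parses the `crypto ikev1 policy` blocks of an ASA configuration and reports, attribute by attribute, why none of them matches the peer's phase 1 proposal. The two existing policies are copied from the posted configuration and the peer proposal (aes-256, sha, group 5, pre-share) from the reply above; the function names are hypothetical.

```python
import re

# The two ikev1 policies from the posted running-config, with neighbouring lines.
ASA_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
"""

# The policy suggested in the reply.
SUGGESTED_POLICY = """\
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
"""

# Phase 1 proposal of the RV082 as described in the reply. The authentication
# method is assumed to be pre-share, as in the suggested policy.
PEER_PROPOSAL = {
    "authentication": "pre-share",
    "encryption": "aes-256",
    "hash": "sha",
    "group": "5",
}

# Attributes that must be identical on both ends. Lifetime is left out of the
# comparison on purpose.
COMPARED = ("authentication", "encryption", "hash", "group")

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)\s*$")


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for every ikev1 policy block."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # an unindented line ends the policy block
    return policies


def mismatches(policy, proposal):
    """List the compared attributes on which a local policy differs from the peer."""
    return [
        f"{key}: local={policy.get(key, 'unset')} peer={proposal[key]}"
        for key in COMPARED
        if policy.get(key) != proposal[key]
    ]


def find_match(policies, proposal):
    """Return the lowest-numbered policy that matches the proposal, or None."""
    for priority in sorted(policies):
        if not mismatches(policies[priority], proposal):
            return priority
    return None


def report(config, proposal):
    """One line per policy: either 'match' or the attributes that differ."""
    lines = []
    for priority, policy in sorted(parse_ikev1_policies(config).items()):
        diff = mismatches(policy, proposal)
        lines.append(f"policy {priority}: " + ("match" if not diff else "; ".join(diff)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(ASA_CONFIG, PEER_PROPOSAL)))
    print("--- with the suggested policy added ---")
    print("\n".join(report(ASA_CONFIG + SUGGESTED_POLICY, PEER_PROPOSAL)))
```
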

  • Routing and Remote Access VPN DHCP error

    I have a strange problem.
    I have a client that is using Server 2012 Standard.
    On this server they have Routing and Remote Access configured for VPN client access. Their users that are working outside the office connect to the VPN to access the internal network.
    The VPN works fine for the most part. Recently however, it has started having issues.
    Periodically (about once every 8 days) I will hear from them that they cannot connect and that they get error 720. I will check the server and the server will have the following errors in the event log:
    Warning: No IP address is available to hand out to the dial-in client.
    If you check DHCP the server is running fine and will hand out local addresses but it will not hand out addresses to VPN clients. Also the addresses that it HAS previously handed out to VPN clients will not show in the address leases.
    The solution strangely enough is to disconnect and reconnect the VPN client connection that the server has connecting it to an offsite server that it does a SQL sync with.
    Any ideas as to what might be causing this? If need be I can post more detailed logs but I am not sure what logs even to post or what data to collect.
    Any help is greatly appreciated.

    I am experiencing the same issue on a Windows 2008R2 SP1 RAS server. The above statement about increasing the lease time on DHCP does not resolve the problem.
    I am also searching for a solution to this issue.
    Up to now I have done the following:
    1. Increased the scope / cleared IPs in DHCP.
    2. Ensured that the DHCP server is accessible.
    3. Created a manual scope in the RRAS configuration settings (then clients can connect but cannot access resources on the network). Changing back to DHCP, you receive the same 720 error.
    4. Stopped and started the DHCP services on the DHCP server.
    5. Stopped and started the RRAS services on the RRAS server.
    The only indication is that DHCP for some reason does not lease out addresses to the RRAS server.

  • VPN - IPX error 733 when connecting from Windows XP

    I have a 10.4.8 (Intel) OS X Server at our office. Our Mac users can VPN in with no problems, they get a valid IP from the vpn lease pool, can remotely control desktop machines, use files, etc. However, when trying to connect from XP, my user is getting an Error 733 referring to IPX. Anyone see this or have input for me? It's the boss who can't get in, so you can imagine I need to pay attention to this one!

    PPTP only. Basic name/password challenge.
    Server has private IP behind Netgear Prosafe Firewall appliance. Server is the DMZ. The Netgear receives our static IP from our T1 gateway, and performs DHCP and NAT for us. The OS X Server has a static private IP, and serves mail, ftp and vpn. (web to follow)
    Clients can VPN in and receive a private IP within the specified range. I allow 40 bit and 128 bit encryption.
    OSX Server: 192.168.200.250
    Starting and ending IP addresses for VPN: 192.168.200.180 - 190
    under Client Information:
    DNS Servers: (two public DNS local to us from an ISP)
    Search domains: (empty)
    Network routing definition: 192.168.200.0 / 255.255.255.0 / private
    From my PowerBook (10.4.8 client), I connect just fine, can use remote desktop connector to control XP boxes at the office, and access our files, printers, etc.

  • Windows 8 - VPN 720 error after installing some of the lenovo updates

    Hi,
    I have T530 and windows 8 x64 on it, I have noticed that after some time of using it I was unable to connect to PPTP VPN or my SSL VPN.
    The error stated during the connection to the PPTP VPN (windows client) was 720 error.
    I restored my windows via recovery to the point one week before and VPN started to work again. I was trying to isolate the problem after which installing I became having such problem. What I have noticed is that there are two lenovo updates that are causing this problem (I'm not exactly sure which one it is, because after installing them I had to restart computer about 2 or 3 times to reproduce the problem). After the problem occurs it's constant and I could not find a solution to this.
    The updates I am talking about are:
    - Intel PRO/1000 LAN Adapter Software for Windows 8 64-bit (ver 12.1.77.0 - no previous ver installed)
    - Lenovo Settings Dependency Package - 8 [32,64] (ver 1.0.5.8 - no previous ver installed)
    I've noticed that there were similar problems on older versions of windows - does anybody know if those instructions are valid for win8?
    http://forums.lenovo.com/t5/Windows-XP-and-Vista-discussion/Error-720-Dial-Up-Networking-could-not-n...

    look and search 720 in MS Windows 8 networking forum, you are not alone
    Jiří Cvrk
    TP YOGA S1 .. X220, X61, T22, ms w8nd8ws

  • Cisco CA + Cisco VPN Client - Error 42: Unable to create certificate enrolment request

    We find ourselves in a difficult situation with the Cisco VPN Client version 5.0.07.0290 where it keeps giving us an "Error 42: Unable to create certificate enrolment request" when we attempt to use the Online enrolment method to create and enrol a new certificate.
    There is no additional information in the VPN client logs where we have set 3-High for all logs.
    In addition, Wireshark does not show any packets sent from the machine running the client to the Cisco 3825 router which runs the Cisco CA.
    To create and enrol a certificate we do the following:
    1. Click on the Enroll button to show the Certificate Enrolment dialog
    2. Select  Online
    3. Select <New> for Certificate Authority
    4. Enter http://192.168.120.1 as CA URL (note, 192.168.120.1 is the IP of the Cisco 3825)
    5. Click Next to display the dialog where we can enter certificate details
    6. Enter details in all fields except IP Address and Domain
    7. Click Enroll which shows a dialog with the Error 42 ... message in it.
    If we attempt to create a request by using the File method, all works fine, that is, the client creates a file with the enrolment request.
    The fact that the client does not send any messages to the Cisco CA leads us to believe that we have a problem on the client machine. However, the client does not write any information in the logs, so it is a bit hard to fix the problem.
    We will be grateful for any assistance that you can provide with this issue. I can provide additional configuration information if required for both the client and the Cisco CA. Note that we have not modified any client configuration. Basically, we installed the client on a Windows 7 64bit machine and attempted the steps listed above.
    Thank you
    Emil

    FYI, I just came up against this problem and the solution in my instance was to ensure that the Cisco CA Server was configured to automatically grant certificate requests.
    Cisco2691#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Cisco2691(config)#crypto pki server CERTSERVER
    Cisco2691(cs-server)#grant ?
      auto     Automatically grant incoming SCEP enrollment requests
      none     Automatically reject any incoming SCEP enrollment request
      ra-auto  Automatically grant RA-authorized incoming SCEP enrollment request
    Cisco2691(cs-server)#grant auto
    % The CS config is locked. You need to shut the server off before changing its configuration.
    Cisco2691(cs-server)#shut
    Cisco2691(cs-server)#grant auto
    Cisco2691(cs-server)#
    Mar 25 19:39:53.356: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
    Cisco2691(cs-server)#no shut
    % Certificate Server enabled.

  • Unable to connect to VPN with error 850

    Hi,
    I am new to windows 8 and this is a brand new laptop and have set up my VPN connection so I can work from home. Each time I try to connect it comes up with error 850. Is there something I've done wrong? Will greatly appreciate help and apologies if this is a really stupid question!
    Cheers,
    Kelly

    Hi,
    Is the detailed error message as follows?
    850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.
    If so, please try the following steps as a test to fix this problem.
    Open the properties of the VPN Connection and select the security tab. Set the authentication to “allow these protocols” and tick MS-CHAP v2.
    Roger Lu
    TechNet Community Support

  • VPN receive errors

    I saw the previous post on VPN error codes. I have a similar problem between a PIX-515 and a Netscreen:
    #pkts encaps: 837, #pkts encrypt: 837, #pkts digest 837
    #pkts decaps: 872, #pkts decrypt: 26075, #pkts verify 26075
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 25203
    Traffic sent from the Netscreen end shows up as recv errors, while packets sent from the PIX end are delivered successfully end to end. We have another VPN tunnel to a second Netscreen (not sure of the firmware revisions) that is working. Any ideas on what could be causing this?

    The PIX receives some packets which are not encapsulated correctly.
    #pkts decaps: 872 plus #recv errors 25203 equals #pkts decrypt: 26075
    In other words, the PIX didn't decapsulate these packets, yet it did decrypt them, and of course that becomes an error. Not too sure why the PIX will still go ahead and decrypt those packets; I thought that the PIX would have dropped the packet since it should be encapsulated.

  • VPN 720 error with win 8 with Cisco VPN client 5.0.07.0440

    Hello,
    I have Win 2008 configured as an RRAS VPN server, with Win 7/8 VPN clients.
    Half of these client machines are also running "Cisco VPN client 5.0.07.0440".
    All Win 7 machines work fine; however, most Win 8 machines will not connect to the Windows VPN if they also have Cisco VPN client 5.0.07.0440 installed.
    Any suggestions?
    Thanks

    The workaround to this problem is:
    1) Uninstall the Cisco VPN client from Win 8
    2) Reset the IP stack

  • Mobile VPN Client - Received an error response fro...

    Hi everybody, I am trying to establish a VPN connection to SecurityKISS servers.
    I tried different configurations without luck.
    SECURITY_FILE_VERSION: 1
    [INFO]
    SecurityKISS
    [POLICY]
    sa CISCO_ASA_PSK = {
    esp
    encrypt_alg 3
    max_encrypt_bits 128
    auth_alg 2
    identity_remote 0.0.0.0/0
    src_specific
    hard_lifetime_bytes 0
    hard_lifetime_addtime 3600
    hard_lifetime_usetime 3600
    soft_lifetime_bytes 0
    soft_lifetime_addtime 3600
    soft_lifetime_usetime 3600
    replay_win_len 0
    remote 0.0.0.0 0.0.0.0 = { CISCO_ASA_PSK(31.24.33.221) }
    inbound = { } 
    outbound = { } 
    [IKE]
    ADDR: 31.24.33.221 255.255.255.255
    IKE_VERSION: 1
    MODE: Aggressive
    REPLAY_STATUS: FALSE
    USE_MODE_CFG: TRUE
    IPSEC_EXPIRE: TRUE
    USE_XAUTH: TRUE
    USE_COMMIT: FALSE
    ESP_UDP_PORT: 0
    SEND_NOTIFICATION: TRUE
    INITIAL_CONTACT: TRUE
    USE_INTERNAL_ADDR: FALSE
    DPD_HEARTBEAT: 90
    NAT_KEEPALIVE: 60
    REKEYING_THRESHOLD: 90
    ID_TYPE: 11
    FQDN: unive
    PRESHARED_KEYS:  
    FORMAT: STRING_FORMAT
    KEY: 12 KEY-REMOVED
    USE_NAT_PROBE: FALSE
    PROPOSALS: 1
    ENC_ALG: 3DES-CBC
    AUTH_METHOD: PRE-SHARED
    HASH_ALG: MD5
    GROUP_DESCRIPTION: MODP_1024
    GROUP_TYPE: DEFAULT
    LIFETIME_KBYTES: 0
    LIFETIME_SECONDS: 86400
    PRF: NONE
    It should ask for username and password but it doesn't happen.
    In the logs there are some errors like this:
    Received an error response from vpn gateway error code 29
    and the last error is always like this one:
    Error: Failed to activate VPN access point 'SecurityKISS', reason code -5258
    that should stand for "IKE negotiation with gateway failed because there was no acceptable proposal".
    So, what is wrong in my configuration? Is there someone able to help me with this configuration?
    Best regards
    Matteo.

    I moved further with a change of configuration on the router and now I get an IP from the virtual pool, but I am unable to get any further as IPsec does not negotiate.
    My configuration is as follows:
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key aaabbb address 0.0.0.0 0.0.0.0
    crypto isakmp client configuration address-pool local vpn2
    crypto isakmp client configuration group VPNCLIENTGROUP
     key aaabbb
     dns a.b.c.d
     domain wr
     pool vpn2
     save-password
    crypto isakmp profile VPNclient
       description VPN clients profile
       match identity group VPNCLIENTGROUP
       match identity address 0.0.0.0 
       client authentication list userlist
       isakmp authorization list groupauthor
       client configuration address initiate
       client configuration address respond
       client configuration group VPNCLIENTGROUP
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac 
    crypto dynamic-map SDM_CMAP_1 99
     set transform-set 3des 
     set isakmp-profile VPNclient
     reverse-route
    crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic SDM_CMAP_1
    When I run the debug on the router, I am getting an IP address from the pool, which also shows up on the phone (N85). It shows that VPN is activated on the phone, followed by another message that it is deactivated. I used the Nokia VPN Client policy tool to create the policy with the following:
     IKEv1,3DES,MD5,
    True =  Responder lifetime, send certificate, IPsec expire, Replay status, Use mode config, Use commit bit, Xauth
    False= Nat probe 
    IKE proposal = 3DES-CBC, MD5

  • Windows VPN: Error 720 - A connection to the remote computer could not be established

    Dear all
    I have a Windows 7 64bit laptop, a Dell 1340.
    I was working with a UMTS card, was connected with a VPN to a windows 2003 server over PPTP and experienced a bluescreen. After this, I have the following errors when connecting to the VPN:
    "Registering your computer on the network... Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection"
    and in the event view I receive the following:
    EventID: 1, Source RasSstp
    CoId={A3478DFD-FFA4-4E8F-9DA3-CE829BDA777B}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again.
    I tried to use the Rarepair.exe tool but it looks like it works only on Windows XP. I deleted the IP and TCP settings without any luck.
    I ran a registry cleaner as well without any luck.
    Your help will be greatly appreciated!
    Marc

    Hi,
    Since it worked previously, a quick solution is to run System Restore and get back to the previous status when the issue didn’t occur.
    If system restore doesn’t help, please also try the following:
    1.    Check if you can establish the VPN via other connections except the connection through the UMTS card.
    2.    Reset the PPTP and L2TP WAN miniports by running the following commands one by one in an elevated command prompt:
    Netcfg -u MS_L2TP
    Netcfg -u MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
    Netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP
    Then reboot the computer and see how it works.
    Meanwhile, I would like to share the following with you for your reference:
    Troubleshooting common VPN related errors
    Hope this helps. Thanks.
    Nicholas Li - MSFT

  • Linux 3.9 VPN Client

    Anybody have any success connecting to a BM 3.8.5 VPN server (C2S) using this client?
    I've set up a SLED 10 box patched to the hilt and installed the latest Novell Client for Linux as well as the VPN client (installed and configured as per the documentation...http://www.novell.com/documentation/.../bookinfo.html) that comes with the BM 3.9 Trial and I'm unable to get connected. I'm still able to connect with my Windows and MAC boxes so I don't think my VPN server is the issue.
    On the SLED box I get one of the following errors after it tries to connect to our VPN:
    Error #1:
    VPN Connect Failure
    Could not start the VPN connection "XXXX" due to a connection error.
    The VPN login failed because the VPN program could not connect to the VPN server.
    Error #2:
    VPN Connect Error
    Could not start the VPN connection "XXXX" due to a connection error.
    VPNCLIENT-UI-4611:Failed to connect to the Gateway.
    Here is a snippet from the IKE.LOG file:
    6-27-2007 2:04:26 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1640542708
    6-27-2007 2:04:26 pm The client 200.13.38.18 removed from vpninf
    6-27-2007 2:04:26 pm Freeing IKE SA
    6-27-2007 2:04:26 pm Start IKE-SA ABD1CDC0 - Responder,src=<BM_VPN_EXT_IP>,dst=<LINUX_CLIENT_IP >,TotSA=5
    6-27-2007 2:04:26 pm AUTH ALG IS 1
    6-27-2007 2:04:26 pm Negotiating for an NMAS user <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000004
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000004
    6-27-2007 2:04:26 pm IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
    6-27-2007 2:04:26 pm ****DH private exponent size is 1016****
    6-27-2007 2:04:26 pm Local server's interfaces : <BM_VPN_EXT_IP>
    6-27-2007 2:04:26 pm Local server's interfaces : <BM_VPN_INT_IP>
    6-27-2007 2:04:26 pm Recieved Supported Vendor id Novell Linux Client from <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-02 from <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=SA-PAYLOAD,state=-1640542708
    6-27-2007 2:04:26 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=KEY-PAYLOAD,state=-1640542656
    6-27-2007 2:04:26 pm No NAT detected
    6-27-2007 2:04:26 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
    6-27-2007 2:04:26 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=KEY-PAYLOAD,state=-1640542656
    6-27-2007 2:04:27 pm ***Receive Main Mode message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=ID-PAYLOAD,state=-1640542644
    6-27-2007 2:04:27 pm Recieved MM ID payload type 1 protocol 17 portnum 500 length 8
    6-27-2007 2:04:27 pm *Received MM ID ID_IPV4_ADDR <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm IKE : Nmas user check authentication and traffic rule
    6-27-2007 2:04:27 pm Adding user :original address is <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm
    Client 200.13.38.18 is added successfully
    6-27-2007 2:04:27 pm *Sending MM id payload IPSEC_ID_IPV4_ADDR <BM_VPN_EXT_IP>
    6-27-2007 2:04:27 pm *protocol 0 portnum 0 length 8
    6-27-2007 2:04:27 pm ***Send Main Mode message to <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=0,1stPL=ID-PAYLOAD,state=-1640542644
    6-27-2007 2:04:27 pm ***Receive Unacknowledge Informational message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=E212BBAB,1stPL=HASH-PAYLOAD,state=-1640542596
    6-27-2007 2:04:27 pm Recieved notify message type 24578 from <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm Recieved INITIAL_CONTACT notify deleting all old SA's with <LINUX_CLIENT_IP> address
    6-27-2007 2:04:27 pm ***Receive Quick Mode message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
    6-27-2007 2:04:27 pm Start IPSEC SA 9191F5A0 - Responder****totSA=1
    6-27-2007 2:04:27 pm ****DH private exponent size is 1016****
    6-27-2007 2:04:27 pm Final IKE (phase 1) SA lifetime is 28800 secs
    6-27-2007 2:04:27 pm IKE-SA is created. rekey time = 21600 encr=1,hash=1,auth=1,lifesec=28800
    6-27-2007 2:04:27 pm dst=<LINUX_CLIENT_IP>,time=144349413
    6-27-2007 2:04:27 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm IPSE SA NEGOTIATION: Peer lifetime = 1800 My lifetime=1000
    6-27-2007 2:04:27 pm Warn :Proposal mismatch Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000020
    6-27-2007 2:04:27 pm IPSE SA NEGOTIATION: Peer lifetime = 1800 My lifetime=1000
    6-27-2007 2:04:27 pm IKE peer requesting PFS - Accepted
    6-27-2007 2:04:27 pm ****DH private exponent size is 760****
    6-27-2007 2:04:27 pm Received (QM) proxy ID 0.0.0.0 0.0.0.0 - <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm Sending DH params in QM - PFS Configured or Requested by Peer
    6-27-2007 2:04:27 pm *Sending proxy ID type 4 0.0.0.0/0.0.0.0
    6-27-2007 2:04:27 pm *Sending proxy ID type 1 <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm ***Send Quick Mode message to <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
    6-27-2007 2:04:27 pm ***Receive Quick Mode message from <LINUX_CLIENT_IP>
    6-27-2007 2:04:27 pm I-COOKIE=80441C99D658EC20,R-COOKIE=CBFDEE874EB850F9,MsgID=F99A0483,1stPL=HASH-PAYLOAD,state=-1640542596
    6-27-2007 2:04:27 pm ESP-SA is created:algorID=esp des,mySPI=42A06A25,peerSPI=640F580D,time=8019411 ,dst=<LINUX_CLIENT_IP>
    Any ideas?
    Thanks,
    John Hunter

    >>> Craig Johnson<[email protected]> 27/06/2007 10:29 pm >>>
    >>>Do you have anything to go on in the VPN audit logs? (Check using NRM).
    You bet...here is what's in the VPN Audit logs from NRM (from last entry to first) at the same time as my snippet from the IKE.log:
    06/27/2007 02:04:30 PM IKE ESP SA was created successfully with <LINUX_CLIENT_IP>
    06/27/2007 02:04:30 PM IKE Sending proxy id: Type 1 <LINUX_CLIENT_IP>
    06/27/2007 02:04:30 PM IKE Sending proxy id :Type 4 0.0.0.0/0.0.0.0
    06/27/2007 02:04:30 PM IKE Received proxy id ID_IPV4_ADDR <LINUX_CLIENT_IP>
    06/27/2007 02:04:30 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
    06/27/2007 02:04:30 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 1800 My lifetime is: 1000
    06/27/2007 02:04:30 PM IKE Proposal Mismatch - Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:30 PM IKE IPSEC SA NEGOTIATION - Peer lifetime is: 1800 My lifetime is: 1000
    06/27/2007 02:04:30 PM IKE Received proxy id ID_IPV4_ADDR <LINUX_CLIENT_IP>
    06/27/2007 02:04:28 PM IKE Received proxy Id : IPV4 SUBNET 0.0.0.0/0.0.0.0
    06/27/2007 02:04:28 PM IKE IKE SA was created successfully with <LINUX_CLIENT_IP>, encr = DES, SA lifetime = 28800 sec
    06/27/2007 02:04:28 PM IKE Final IKE SA (phase 1) lifetime is 28800 secs
    06/27/2007 02:04:28 PM IKE Recieved INITIAL_CONTACT notify from <LINUX_CLIENT_IP> deleting all old sa's to <LINUX_CLIENT_IP>
    06/27/2007 02:04:28 PM IKE Received notify message of type IPSEC_CONTACT : 24578 from <LINUX_CLIENT_IP>
    06/27/2007 02:04:28 PM IKE Nmas user check authentication and traffic rule
    06/27/2007 02:04:28 PM IKE Received MM ID type: 1 protocol : 17 portnum: 500 length 8
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM IKE Proposal Mismatch - PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst: <LINUX_CLIENT_IP> src: <BM_VPN_EXT_IP> cookies my-his :CBFDEE874EB850F9 - 80441C99D658EC20
    06/27/2007 02:04:28 PM IKE IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800
    06/27/2007 02:04:28 PM VPN Control Client JohnHu.SPCSS added to IPSEC.
    06/27/2007 02:04:26 PM IKE Negotiating for an NMAS user <LINUX_CLIENT_IP>
    06/27/2007 02:04:26 PM AUTH Gateway Connection closed for the VPN client at address <LINUX_CLIENT_IP>.
    06/27/2007 02:04:26 PM AUTH Gateway VPN client NMAS user <USER.CONTEXT> at address <LINUX_CLIENT_IP> has been authenticated.
    06/27/2007 02:04:26 PM AUTH Gateway Process NMAS request: NMAS authentication successful.
    06/27/2007 02:04:24 PM AUTH Gateway A connection was opened for a VPN client at address <LINUX_CLIENT_IP>.
    >>>By any chance do you have an IP address on the linux client that is in the same subnet as the VPN tunnel address?
    Nope. The Linux box is using a public IP address...we've got a separate connection that seems to come in handy for issues like this. =)
    Thanks for your response, Craig.
    JH
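
Added example (not part of the thread and not Novell's code): a short Python parser for the IKE.LOG excerpt above that separates the "Proposal mismatch" warnings, which record proposals rejected during negotiation, from the "SA is created" lines, which record what was actually agreed, and flags DES and MD5 in the result. The sample lines are a subset copied from the excerpt; mapping the numeric encr=/hash=/auth= fields to the IKEv1 attribute values is an assumption.

```python
import re
from collections import Counter

# IKEv1 transform attribute values (IANA registry, originally RFC 2409 App. A).
# Assumption: the numeric encr=/hash=/auth= fields in IKE.LOG use this numbering.
ENCR = {1: "DES", 5: "3DES", 7: "AES"}
HASH = {1: "MD5", 2: "SHA"}
AUTH = {1: "PSK", 3: "RSA-SIG"}
WEAK = {"DES", "MD5"}  # algorithms to flag when they end up negotiated

MISMATCH_RE = re.compile(
    r"Proposal mismatch\s+(PHASE 1|Quick Mode).*?"
    r"(Encryption|HASH) Algorithm mismatch mine : (\S+) his : (\S+)")
IKE_SA_RE = re.compile(r"IKE-SA is created\..*?encr=(\d+),hash=(\d+),auth=(\d+)")
ESP_SA_RE = re.compile(r"ESP-SA is created:algorID=([^,]+)")

# Subset of lines copied from the IKE.LOG excerpt in the post above.
SAMPLE_LOG = """\
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 Encryption Algorithm mismatch mine : 3DES his : DES dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000002
6-27-2007 2:04:26 pm Warn :Proposal mismatch PHASE 1 HASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000004
6-27-2007 2:04:27 pm IKE-SA is created. rekey time = 21600 encr=1,hash=1,auth=1,lifesec=28800
6-27-2007 2:04:27 pm Warn :Proposal mismatch Quick Mode : ESP - esp desHASH Algorithm mismatch mine : SHA his : MD5 dst : <LINUX_CLIENT_IP> src : <BM_VPN_EXT_IP> cookies[mine :his] CBFDEE874EB850F9 : 80441C9900000020
6-27-2007 2:04:27 pm ESP-SA is created:algorID=esp des,mySPI=42A06A25,peerSPI=640F580D,time=8019411 ,dst=<LINUX_CLIENT_IP>
""".splitlines()


def summarize(lines):
    """Return rejected proposals, the negotiated SAs and any weak algorithms."""
    rejected = Counter()   # (phase, attribute, server value, client value) -> count
    ike_sa = None          # negotiated phase 1 parameters
    esp_sa = None          # negotiated phase 2 transform, as logged
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            phase, attr, mine, his = m.groups()
            rejected[(phase, attr.upper(), mine, his)] += 1
            continue
        m = IKE_SA_RE.search(line)
        if m:
            e, h, a = (int(x) for x in m.groups())
            ike_sa = {
                "encr": ENCR.get(e, f"unknown({e})"),
                "hash": HASH.get(h, f"unknown({h})"),
                "auth": AUTH.get(a, f"unknown({a})"),
            }
            continue
        m = ESP_SA_RE.search(line)
        if m:
            esp_sa = m.group(1).strip()

    weak = []
    if ike_sa:
        weak += [f"phase1 {k}={v}" for k, v in ike_sa.items() if v in WEAK]
    if esp_sa:
        # "esp des" -> tokens ESP, DES; "esp 3des" would not match DES
        weak += [f"phase2 {tok}" for tok in esp_sa.upper().split() if tok in WEAK]
    return {"rejected": rejected, "ike_sa": ike_sa, "esp_sa": esp_sa, "weak": weak}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, count in result["rejected"].items():
        print("rejected", key, "x", count)
    print("IKE SA:", result["ike_sa"])
    print("ESP SA:", result["esp_sa"])
    print("weak:", result["weak"])
```

On these lines both SAs are created, so the mismatch warnings record rejected alternatives rather than a failed negotiation, and the agreed algorithms are the client's DES and MD5.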

  • IPSec VPN b/w ISA500 and RV042

    2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/crls';
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/aacerts': /;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default.pem;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default.pem' (2745 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default_key.pem;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=Changed path to directory '/mnt/shiner/certificate';
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default.pem' (2745 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_crt.pem' (1070 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  error in X.509 certificate default_key.pem;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=  loaded CA cert file 'default_key.pem' (1675 bytes);
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=Changed path to directory '/mnt/shiner/certificate';
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/tmp/etc/ipsec.d/S2S.secrets";
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=loading secrets from "/etc/ipsec.secrets";
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=forgetting secrets;
    2013-07-30 11:37:04 | Information | IPsec VPN | msg=added connection description "Tunnel0";
    2013-07-30 11:37:02 | Information | IPsec VPN | msg="Alabang" #117: deleting state (STATE_MAIN_R1);
    2013-07-30 11:37:02 | Information | IPsec VPN | msg="Alabang": deleting connection;
    2013-07-30 11:36:55 | Warning | IPsec VPN | msg="Alabang" #117: STATE_MAIN_R1: sent MR1, expecting MI2;
    2013-07-30 11:36:55 | Error | IPsec VPN | msg=ERROR: "Alabang" #117: sendto on ppp0 to 112.209.172.XXX:500 failed in STATE_MAIN_R0. Errno 101: Network is unreachable;
    2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1;
    2013-07-30 11:36:55 | Information | IPsec VPN | msg="Alabang" #117: responding to Main Mode;
    2013-07-30 11:36:55 | Warning | IPsec VPN | msg=packet from 112.209.172.XXX:500: received Vendor ID payload [Dead Peer Detection];
    2013-07-30 11:36:46 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/crls';
    2013-07-30 11:36:46 | Information | IPsec VPN | msg=Could not change to directory '/etc/ipsec.d/ocspcerts': /;
    ==============================================================
    Site 1 = Cisco ISA 500. Named as CHI
    Site 2 = Cisco RV042. Named as Alabang
    Shown above are the logs from my ISA 570 IPSec VPN. I have set the same settings for my IKE Policies and my Transform Sets. Attached are the screenshots of the VPN settings of my 2 systems. It does show in the table above that the 112.209.172.XXX is unreachable, but please look at screen6.bmp and see that I can very well ping the RV042 system. Please feel free to ask me for more info about my setup.
    On a side note, take a look at Screen5.bmp. This screenshot shows that I have an existing WORKING VPN connection to another site with a Linksys RV042, named as Villa. As you can also see in the screenshot, it has a VPN setup for CHI but it cannot connect. Hence my problem above. The VPN setting for Villa is the same as CHI (PFS, IKE, Transforms, PFS).

    Dan,
    Since I'm not a Cisco employee, don't have access to spare ISAs and RVs to setup a lab and test, don't have a setup similar enough to yours to test with, don't have access to your devices, and wouldn't have other than UI access if I did, doing a little trial and error is all I have to work with to assist you.
    That said, it's not random trial and error. From what I'm able to see via your screenshots and explanations, all of your config looks correct. So if everything for Phase 1 & 2 are accurate, then it should work unless there is an interesting traffic mismatch.
    Usually this is pretty straightforward and simple to troubleshoot and confirm. However when you add in additional challenges that come with Multi-WAN support, terminating the VPN on the secondary WAN interface, and PBR, there is a lot of room for possible mistakes as the config is becoming fairly complex.
    So my thought was to remove what I perceived to be the least impacting piece of complexity, which is the custom PBR that is sending those 2 laptops out WAN 2 instead of WAN 1, so that the only non-typical configuration was the VPN terminating on WAN 2.
    Right now I'm assuming the issue isn't the possibility of the ISA and RV042 being incapable of establishing a VPN. I'm assuming it is either an issue with VPN termination on WAN 2 (which I don't believe is an issue) or something not quite right with PBR and VPN interesting traffic.
    Sent from Cisco Technical Support iPhone App
