02.11.2008 at 07:18PM PST, ID: 23155091
Cisco Easy VPN problem with 871 router

Asked by Pro4ia in Virtual Private Networking (VPN), Network Routers, IPSec Security Protocol

Hello experts,

I'm hoping someone can shed some light on my question.

We have a Cisco 871 router set up for Easy VPN through a wizard to connect to a Cisco UC 520 device.

It worked initially (after I had to manually type in my username & password on the console for xauth) but all of a sudden, I'm having a problem.  I'm getting the following messages on the 871 console over and over.

*Mar  4 15:20:36.863: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63

When I do "debug crypto isakmp" I get the following -
*Mar  4 15:23:39.543: ISAKMP: Deleting peer node by peer_reap for 216.210.34.63: 82D53040
*Mar  4 15:23:39.543: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63
*Mar  4 15:23:39.543: ISAKMP: Created a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP:(0): SA request profile is (NULL)
*Mar  4 15:23:41.135: ISAKMP: Found a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP: Locking peer struct 0x82D082CC, refcount 1 for isakmp_initiator
*Mar  4 15:23:41.135: ISAKMP:(0):Setting client config settings 825234C4
*Mar  4 15:23:41.135: ISAKMP: local port 500, remote port 500
*Mar  4 15:23:41.135: insert sa successfully sa = 82601900
*Mar  4 15:23:41.135: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  4 15:23:41.135: ISAKMP:(0):found peer pre-shared key matching 216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  4 15:23:41.135: ISAKMP: Unlocking peer struct 0x82D082CC for isadb_unlock_peer_delete_sa(), count 0
*Mar  4 15:23:41.135: ISAKMP: Deferring peer node 82D082CC deletion, by peer_reap as there are other users 4
*Mar  4 15:23:41.135: ISAKMP:(0):purging SA., sa=82601900, delme=82601900
*Mar  4 15:23:41.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  4 15:23:41.135: ISAKMP: Error while processing KMI message 0, error 2.

It states - ISAKMP: Error while processing SA request: Failed to initialize SA

I can ping the gateway & out to the Internet with NO problem.
Does anyone know why I'm getting this error message?  I will attach the 871 config. (Please note that I changed the IP information for security reasons.)

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   option 150 ip 10.1.1.1
   lease 0 2
!
!
no ip domain lookup
ip domain name domain.com
!
!
crypto pki trustpoint TP-self-signed-2068528647
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2068528647
 revocation-check none
 rsakeypair TP-self-signed-2068528647
!
!
crypto pki certificate chain TP-self-signed-2068528647
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303638 35323836 3437301E 170D3032 30333034 31353030
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30363835
  32383634 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AB65 397D98BE C51EB311 5EF73877 39C0C23B FC6DC76C 1B3B8182 8ED1B155
  8755C8B3 20B62A44 A13D5DE9 7AF09724 B3DB743E 886BA009 72DB0773 148280CB
  837B4D21 820C8124 2D1D0716 BA4749A5 54F93FC8 C50E9367 FE8C377E 1EFFEC8D
  EDE56C82 7A0F7030 837CDB9A 97CA5DFB AB6A4334 3F0B89F9 3B00A1BE A614558A
  E0810203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14536572 67495352 2E70726F 34696130 312E636F 6D301F06
  03551D23 04183016 80149709 D437A677 42677124 81E70625 71E11BF7 3424301D
  0603551D 0E041604 149709D4 37A67742 67712481 E7062571 E11BF734 24300D06
  092A8648 86F70D01 01040500 03818100 12768DD2 0CE3C27A 55EDCE69 A107F868
  5715BB3F D3C2F699 4589B1A0 7BE4F538 B38EEB69 4BD270AE 88A14A99 1918A7DE
  C4DABDB8 D7E9E4ED E4F625C9 32577511 46DDE100 2A2FC930 59042B6B E1028B97
  055D68E5 E3572CF3 E5640A40 83B13D7A 71629862 48F2D4CA 12184872 C563D019
  8C45946C BE5FEB0D FAA95DFE 235830FC
  quit
!
!
!
!
crypto ipsec client ezvpn xauth
 connect auto
 mode client
 xauth userid mode interactive
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group VPNGROUP1 key sharedkey
 mode client
 peer 216.210.34.63
 xauth userid mode interactive
!
bridge irb
!
!
interface Loopback0
 ip address 10.1.20.13 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 12.34.56.78 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.34.56.77 
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
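
A way to triage the debug output quoted in the question, as an added example that is not part of the original post: it counts Easy VPN connection-down events, notes how many carry an empty User= field, and lists the timestamps at which the router logged that it could start neither Aggressive nor Main mode. The names `triage`, `parse_kv` and `SAMPLE` are assumptions made for this example.

```python
import re

# Lines copied from the debug output quoted in the question (addresses as posted).
SAMPLE = """\
*Mar  4 15:23:39.543: ISAKMP: Deleting peer node by peer_reap for 216.210.34.63: 82D53040
*Mar  4 15:23:39.543: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  4 15:23:41.135: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  4 15:23:41.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  4 15:23:41.135: ISAKMP: Error while processing KMI message 0, error 2.
"""

LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): (?P<msg>.*)$")
DOWN = re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_DOWN: \(Client\)\s+(?P<kv>.*)$")
FAIL = re.compile(r"Can not start|Error while processing")

def parse_kv(text):
    """Split 'User=  Group=VPNGROUP1 ...' into a dict; an empty value stays ''."""
    return dict(re.findall(r"(\w+)=(\S*)", text))

def triage(log_text):
    """Summarise Easy VPN connection-down events and ISAKMP failures in IOS debug output."""
    downs, failures = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped IOS log line
        ts, msg = m.group("ts"), m.group("msg")
        d = DOWN.search(msg)
        if d:
            downs.append({"ts": ts, **parse_kv(d.group("kv"))})
        elif FAIL.search(msg):
            failures.append((ts, msg))
    # Timestamps at which the router reported it could start neither IKE mode.
    aggressive = {t for t, s in failures if "Can not start Aggressive mode" in s}
    main = {t for t, s in failures if "Can not start Main mode" in s}
    return {
        "downs": downs,
        "empty_user": sum(1 for d in downs if d.get("User") == ""),
        "failures": failures,
        "neither_mode_started": sorted(aggressive & main),
    }

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(len(report["downs"]), "connection-down event(s),", report["empty_user"], "with empty User=")
    for ts in report["neither_mode_started"]:
        print(ts, "neither Aggressive nor Main mode could be started")
```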
About this solution

Zones: Virtual Private Networking (VPN), Network Routers, IPSec Security Protocol
Tags: Cisco, 800 series
Solution Provided By: Pro4ia
Participating Experts: 2
Solution Grade: A