chikagoh

Cisco VPN client and ASA 5510 not working

Greetings

I have an ASA that I use to terminate Cisco router EZVPN clients, and that works perfectly all the time.

I am now trying to get a Cisco VPN client (Windows) to make a connection to the ASA, and it is failing beyond belief.

My VPN client log says:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1

2      11:34:33.899  07/31/10  Sev=Info/4      CM/0x63100002
Begin connection process

3      11:34:33.905  07/31/10  Sev=Info/4      CM/0x63100004
Establish secure connection

4      11:34:33.905  07/31/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

5      11:34:33.916  07/31/10  Sev=Info/6      CM/0x6310002F
Allocated local TCP port 52305 for TCP connection.

6      11:34:34.357  07/31/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

7      11:34:34.357  07/31/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

8      11:34:34.357  07/31/10  Sev=Info/6      IPSEC/0x6370002C
Sent 5 packets, 0 were fragmented.

9      11:34:34.357  07/31/10  Sev=Info/6      IPSEC/0x63700020
TCP SYN sent to xxx.xxx.xxx.xxx, src port 52305, dst port 48590

10     11:34:34.357  07/31/10  Sev=Info/6      IPSEC/0x6370001C
TCP SYN-ACK received from xxx.xxx.xxx.xxx, src port 48590, dst port 52305

11     11:34:34.357  07/31/10  Sev=Info/6      IPSEC/0x63700021
TCP ACK sent to xxx.xxx.xxx.xxx, src port 52305, dst port 48590

12     11:34:34.357  07/31/10  Sev=Info/4      CM/0x63100029
TCP connection established on port 48590 with server "xxx.xxx.xxx.xxx"

13     11:34:34.867  07/31/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

14     11:34:34.877  07/31/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

15     11:34:34.884  07/31/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

16     11:34:34.898  07/31/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

17     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

18     11:34:34.955  07/31/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?), VID(?)) from xxx.xxx.xxx.xxx

19     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

20     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

21     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x63000001
Peer supports DPD

22     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

23     11:34:34.955  07/31/10  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

24     11:34:34.969  07/31/10  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

25     11:34:34.969  07/31/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx

26     11:34:34.969  07/31/10  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xC08B, Remote Port = 0x01F4

27     11:34:34.969  07/31/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

28     11:34:35.024  07/31/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

29     11:34:35.024  07/31/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

30     11:34:35.024  07/31/10  Sev=Info/4      CM/0x63100015
Launch xAuth application

31     11:34:35.029  07/31/10  Sev=Info/6      GUI/0x63B00012
Authentication request attributes is 6h.

32     11:34:37.563  07/31/10  Sev=Info/4      CM/0x63100017
xAuth application returned

33     11:34:37.563  07/31/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

34     11:34:37.619  07/31/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

35     11:34:37.620  07/31/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

36     11:34:37.620  07/31/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

37     11:34:37.620  07/31/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

38     11:34:37.627  07/31/10  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

39     11:34:37.628  07/31/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

40     11:34:37.684  07/31/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

41     11:34:37.685  07/31/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DWR) from xxx.xxx.xxx.xxx

42     11:34:37.685  07/31/10  Sev=Info/4      IKE/0x63000081
Delete Reason Code: 4 --> PEER_DELETE-IKE_DELETE_NO_ERROR.

43     11:34:37.685  07/31/10  Sev=Info/5      IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=B0BFC7529CFC2955 R_Cookie=290593D3F51C1B1E

44     11:34:37.685  07/31/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=B0BFC7529CFC2955 R_Cookie=290593D3F51C1B1E) reason = PEER_DELETE-IKE_DELETE_NO_ERROR

45     11:34:37.909  07/31/10  Sev=Info/6      IPSEC/0x6370001D
TCP RST received from xxx.xxx.xxx.xxx, src port 48590, dst port 52305

46     11:34:38.410  07/31/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B0BFC7529CFC2955 R_Cookie=290593D3F51C1B1E) reason = PEER_DELETE-IKE_DELETE_NO_ERROR

47     11:34:38.410  07/31/10  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_NO_ERROR".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

48     11:34:38.411  07/31/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

49     11:34:38.416  07/31/10  Sev=Info/4      CM/0x6310002D
Resetting TCP connection on port 48590

50     11:34:38.417  07/31/10  Sev=Info/6      CM/0x63100030
Removed local TCP port 52305 for TCP connection.

51     11:34:38.420  07/31/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

52     11:34:38.420  07/31/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

53     11:34:38.429  07/31/10  Sev=Info/6      IPSEC/0x63700023
TCP RST sent to xxx.xxx.xxx.xxx, src port 52305, dst port 48590

54     11:34:38.429  07/31/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

55     11:34:38.429  07/31/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

56     11:34:38.429  07/31/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

57     11:34:38.429  07/31/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped



My ASA debug (isakmp and ipsec) says:

 RECV PACKET from xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 832
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 556
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 544
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 14
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 256
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 7
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 8
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
        Key Length: 128
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 10
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 11
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 12
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 13
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 14
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      aa d0 10 bb b3 75 4e 2b 30 b0 ae 16 30 6f 55 ca
      b3 3c 95 e6 42 d6 b4 70 a1 5e 71 9f 39 08 db 0b
      f7 c7 a6 7f 98 9f e2 7c cf 4a 2c df d8 88 ee af
      fc 85 e8 f1 3f 1b a2 73 eb f6 05 eb 53 6c 47 b8
      4f 99 8f 22 a5 19 ea c3 ef d6 57 bf 4c 2b e7 96
      5b c4 fe 7e ac e8 2d f3 18 7e 9a 53 49 1f bf 58
      f5 78 92 36 0b b9 04 c4 36 15 4f 03 4f 74 c4 75
      f0 7d 06 a7 29 54 41 bc 72 e7 8c 9e 34 7d eb 2d
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      13 15 e9 82 af d4 ee 22 0d 84 8f ae 6c 30 fe 41
      ce 74 79 29
  Payload Identification
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 16
    ID Type: ID_KEY_ID (11)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: VPNGROUPX
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      80 00 00 00
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 832
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, Responder: IPSec over TCP encapsulation is used    local TCP port: 48590    peer TCP port:  52338  
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing SA payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing ke payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing ISA_KE payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing nonce payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing ID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, Received xauth V6 VID
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, Received DPD VID
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, Received Fragmentation VID
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.xxx, Received Cisco Unity client VID
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, Connection landed on tunnel_group VPNGROUPX
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, processing IKE SA payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing ISAKMP SA payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing ke payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing nonce payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Generating keys for Responder...
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing ID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing hash payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Computing hash for ISAKMP
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing Cisco Unity VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing xauth V6 VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing dpd vid payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing Fragmentation VID + extended capabilities payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Send IOS VID
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 392

SENDING PACKET to xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (none)
  MessageID: 00000000
  Length: 392
  Payload Security Association
    Next Payload: Key Exchange
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 9
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: XAUTH_INIT_PRESHRD
        Life Type: seconds
        Life Duration (Hex): 00 20 c4 9b
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      f6 58 f8 d6 6d 74 7a 7c 24 f4 2d 56 12 47 bf 2b
      3b 19 94 10 29 5f 03 5b a8 6e 9a fb 98 15 57 bf
      aa 4f 37 89 cd 7d 36 e0 9b 85 85 6f bc e3 ca 26
      54 23 77 9b 9d 69 0c 44 1c 8c c4 33 ce bb 8a 2b
      f5 70 2f 5b 62 b2 44 e2 63 19 da 8e 7a 33 24 c0
      ae f4 74 34 b4 57 04 32 6c 68 8b 19 6c 0e 1f 1c
      e4 9c 97 c9 ee 65 c7 2d 0f 5d a8 d2 98 e4 d8 32
      dc 4b ba a7 d5 e8 dd ed 96 3d c4 6f 85 20 19 ce
  Payload Nonce
    Next Payload: Identification
    Reserved: 00
    Payload Length: 24
    Data:
      a0 9b 92 d6 10 3c e4 57 85 0d 8c 6f 50 59 0a 95
      4c f8 57 50
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 0
    ID Data: xxx.xxx.xxx.xxx
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      7f d6 cd 2d 58 5e 44 37 be dd e8 6a ec cb 63 93
      4f 9a 63 f4
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      c2 a6 22 de a8 0b f3 41 ae cc b7 18 81 5d 9d 22
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00


 RECV PACKET from xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (Encryption)
  MessageID: 00000000
  Length: 124

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Aggressive Mode
  Flags: (Encryption)
  MessageID: 00000000
  Length: 124
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      87 c1 69 a3 83 d9 9e 5c 69 9a e5 e1 25 e9 1e 3e
      4f 95 e1 84
  Payload Notification
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    Notify Type: STATUS_INITIAL_CONTACT
    SPI:
      8e 1a 4b 83 a2 c0 9f fb 37 61 85 c3 a8 0a f3 41
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7b dd ec 9e a2 c1 9f fb 12 74 fe 6c 3f c3 b5 7d
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, processing hash payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Computing hash for ISAKMP
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, processing notify payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, processing VID payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Received Cisco Unity client VID
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing blank hash payload
Jul 31 11:15:43 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, constructing qm hash payload
Jul 31 11:15:43 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=8cf6bd6a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72

BEFORE ENCRYPTION

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (none)
  MessageID: 6ABDF68C
  Length: 469762048
  Payload Hash
    Next Payload: Attributes
    Reserved: 00
    Payload Length: 24
    Data:
      04 f2 48 b2 c6 a0 b0 4a b8 96 36 e3 48 0f 18 bc
      cd 63 d0 02
  Payload Attributes
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    type: ISAKMP_CFG_REQUEST
    Reserved: 00
    Identifier: 0000
      XAUTH Type: Generic
      XAUTH User Name: (empty)
      XAUTH User Password: (empty)

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 8CF6BD6A
  Length: 76


 RECV PACKET from xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 8CF6BD6A
  Length: 92

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 8CF6BD6A
  Length: 92
  Payload Hash
    Next Payload: Attributes
    Reserved: 00
    Payload Length: 24
    Data:
      23 5b 1d c1 af da 62 ee 33 eb 77 a3 04 78 08 f7
      76 d0 93 74
  Payload Attributes
    Next Payload: None
    Reserved: 00
    Payload Length: 36
    type: ISAKMP_CFG_REPLY
    Reserved: 00
    Identifier: 0000
      XAUTH Type: Generic
      XAUTH User Name: (data not displayed)
      XAUTH User Password: (data not displayed)
Jul 31 11:15:46 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=8cf6bd6a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, process_attr(): Enter!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, IP = xxx.xxx.xxx.xxx, Processing MODE_CFG Reply attributes.
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: primary DNS = 66.209.211.200
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: secondary DNS = cleared
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: primary WINS = cleared
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: secondary WINS = cleared
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: default domain = xxx.net
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: IP Compression = disabled
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, User (vpnusernameX) authenticated.
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, constructing blank hash payload
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, constructing qm hash payload
Jul 31 11:15:46 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=2b4586df) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
8e 1a 4b 83 a2 c0 9f fb 37 61 85 c3 a8 0a f3 41    |  ..K.....7a.....A
08 10 06 00 df 86 45 2b 1c 00 00 00 0e 00 00 18    |  ......E+........
d6 3f ea 75 37 3c e1 7a 33 c0 ec 55 d3 7b fc c8    |  .?.u7<.z3..U.{..
4d eb 9b cb 00 00 00 0c 03 00 00 00 c0 8f 00 01    |  M...............

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (none)
  MessageID: DF86452B
  Length: 469762048
  Payload Hash
    Next Payload: Attributes
    Reserved: 00
    Payload Length: 24
    Data:
      d6 3f ea 75 37 3c e1 7a 33 c0 ec 55 d3 7b fc c8
      4d eb 9b cb
  Payload Attributes
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    type: ISAKMP_CFG_SET
    Reserved: 00
    Identifier: 0000
      XAUTH Status: Pass

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 2B4586DF
  Length: 68


IKE Recv RAW packet dump
8e 1a 4b 83 a2 c0 9f fb 37 61 85 c3 a8 0a f3 41    |  ..K.....7a.....A
08 10 06 01 2b 45 86 df 00 00 00 3c 3f b5 14 da    |  ....+E.....<?...
1d d2 04 9a 73 6d f7 69 63 c1 38 97 02 8b fa 0f    |  ....sm.ic.8.....
91 ea 02 4e ca f0 38 c9 84 e0 cb 3b                |  ...N..8....;

 RECV PACKET from xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 2B4586DF
  Length: 60

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: 2B4586DF
  Length: 60
  Payload Hash
    Next Payload: Attributes
    Reserved: 00
    Payload Length: 24
    Data:
      b1 71 98 14 a5 29 94 8e dc c4 08 43 0a 6c 9c 6c
      b1 e9 25 0a
  Payload Attributes
    Next Payload: None
    Reserved: 00
    Payload Length: 8
    type: ISAKMP_CFG_ACK
    Reserved: 00
    Identifier: 0000
Jul 31 11:15:46 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=2b4586df) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, process_attr(): Enter!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Processing cfg ACK attributes


IKE Recv RAW packet dump

 RECV PACKET from xxx.xxx.xxx.xxx
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: BB834071
  Length: 180

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Transaction
  Flags: (Encryption)
  MessageID: BB834071
  Length: 180
  Payload Hash
    Next Payload: Attributes
    Reserved: 00
    Payload Length: 24
    Data:
      8b 05 3a 5d 1f ab 46 aa 36 7e ac cf 54 a7 9e 52
      7c 80 36 a6
  Payload Attributes
    Next Payload: None
    Reserved: 00
    Payload Length: 126
    type: ISAKMP_CFG_REQUEST
    Reserved: 00
    Identifier: 0000
      IPv4 Address: (empty)
      IPv4 Netmask: (empty)
      IPv4 DNS: (empty)
      IPv4 NBNS (WINS): (empty)
      Address Expiry: (empty)
      Cisco extension: Banner: (empty)
      Cisco extension: Save PWD: (empty)
      Cisco extension: Default Domain Name: (empty)
      Cisco extension: Split Include: (empty)
      Cisco extension: Split DNS Name: (empty)
      Cisco extension: Do PFS: (empty)
      Unknown: (empty)
      Cisco extension: Backup Servers: (empty)
      Unknown: (empty)
      Application Version:
      43 69 73 63 6f 20 53 79 73 74 65 6d 73 20 56 50
      4e 20 43 6c 69 65 6e 74 20 35 2e 30 2e 30 37 2e
      30 32 39 30 3a 57 69 6e 4e 54
      Cisco extension: Firewall Type: (empty)
      Cisco extension: Dynamic DNS Hostname: 48 6f 73 74 69 6e 67 33
Jul 31 11:15:46 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=bb834071) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 178
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, process_attr(): Enter!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Processing cfg Request attributes
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for IPV4 address!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for IPV4 net mask!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for DNS server address!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for WINS server address!
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Received unsupported transaction mode attribute: 5
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Banner!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Save PW setting!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Default Domain Name!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Split Tunnel List!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Split DNS!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for PFS setting!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Client Browser Proxy Setting!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for backup ip-sec peer list!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for Application Version!
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Client Type: WinNT  Client Application Version: 5.0.07.0290
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for FWTYPE!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, MODE_CFG: Received request for DHCP hostname for DDNS is: Hosting3!
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKE received response of type [] to a request from the IP address utility
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Cannot obtain an IP address for remote peer
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKE TM V6 FSM error history (struct &0xcc049470)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xcc043a28)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, IKE SA AM:c3856137 terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, sending delete/delete with reason message
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, constructing blank hash payload
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, constructing IKE delete with reason payload
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Sending IKE Delete With Reason message: No Reason Provided.
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, constructing qm hash payload
Jul 31 11:15:46 [IKEv1]: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=cc002501) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 84

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 012500CC
  Length: 469762048
  Payload Hash
    Next Payload: Private Use
    Reserved: 00
    Payload Length: 24
    Data:
      24 f6 b4 34 2d aa 6f bc ae f8 90 21 eb bd ae c4
      0d ea c5 21
  Payload Private Use
    Next Payload: None
    Reserved: 00
    Payload Length: 32

ISAKMP Header
  Initiator COOKIE: 8e 1a 4b 83 a2 c0 9f fb
  Responder COOKIE: 37 61 85 c3 a8 0a f3 41
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: CC002501
  Length: 84
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry

anoopkmr

Did you define any address pool for the VPN client?
Post your configs and maybe we can help
chikagoh

ASKER

Don't really want to post my whole config.  Which portions would you require?
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = xxx.xxx.xxx.xxx, Cannot obtain an IP address for remote peer
Looks like you don't have a VPN pool for this group.
It does have a pool.  I removed it and changed it.  Now getting a different error:

ASA1# Jul 31 15:21:07 [IKEv1]: Group = groupx, Username = usernamex, IP = 173.201.33.70, QM FSM error (P2 struct &0xcc0a0ba0, mess id 0x5034472c)!
Jul 31 15:21:07 [IKEv1]: Group = groupx, Username = usernamex, IP = 173.201.33.70, Removing peer from correlator table failed, no match!
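An added example, not part of the thread: a small triage script that skips the `[IKEv1 DEBUG]` lines of an ASA debug like the one above and reports, per session, the last stage that passed and the first that failed. The sample lines are constructed in the thread's log format (documentation IP addresses), and the stage labels are this example's own names.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the ASA debug output shown in this thread.
SAMPLE = """\
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = 192.0.2.10, User (vpnusernameX) authenticated.
Jul 31 11:15:46 [IKEv1 DEBUG]: Group = VPNGROUPX, Username = vpnusernameX, IP = 192.0.2.10, MODE_CFG: Received request for IPV4 address!
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = 192.0.2.10, Cannot obtain an IP address for remote peer
Jul 31 11:15:46 [IKEv1]: Group = VPNGROUPX, Username = vpnusernameX, IP = 192.0.2.10, Sending IKE Delete With Reason message: No Reason Provided.
ASA1# Jul 31 15:21:07 [IKEv1]: Group = groupx, Username = usernamex, IP = 198.51.100.7, QM FSM error (P2 struct &0xcc0a0ba0, mess id 0x5034472c)!
"""

# Optional CLI prompt, timestamp, level tag, then the rest of the line.
LINE = re.compile(r"^(?:\S+# )?(\w{3} +\d+ \d\d:\d\d:\d\d) \[(IKEv1(?: DEBUG)?)\]: (.*)$")
# Leading "Key = value, " fields; any subset of the three may be present.
FIELD = re.compile(r"(Group|Username|IP) = ([^,]+), ")

# (pattern, stage label, passed?) -- labels are this example's own names.
MILESTONES = [
    (re.compile(r"User \(.+\) authenticated"), "xauth", True),
    (re.compile(r"Cannot obtain an IP address for remote peer"), "mode-config address", False),
    (re.compile(r"QM FSM error"), "quick mode", False),
]


def parse_line(line):
    """Split one debug line into time, level, leading fields and message."""
    m = LINE.match(line.strip())
    if not m:
        return None  # hex dumps, decoded payloads, blank lines
    ts, level, rest = m.groups()
    fields = {}
    while True:
        f = FIELD.match(rest)
        if not f:
            break
        fields[f.group(1)] = f.group(2)
        rest = rest[f.end():]
    return {"time": ts, "debug": level.endswith("DEBUG"), "fields": fields, "msg": rest}


def triage(log_text):
    """Map (group, username, peer IP) -> stages passed and first stage failed."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["debug"]:
            continue  # the decisive messages are logged at [IKEv1] level
        f = rec["fields"]
        key = (f.get("Group"), f.get("Username"), f.get("IP"))
        for pattern, stage, passed in MILESTONES:
            if pattern.search(rec["msg"]):
                s = sessions.setdefault(key, {"passed": [], "failed": None})
                if passed:
                    s["passed"].append(stage)
                elif s["failed"] is None:
                    s["failed"] = (stage, rec["time"])
    return sessions


if __name__ == "__main__":
    for key, result in triage(SAMPLE).items():
        print(key, result)
```

Redacted peers such as `xxx.xxx.xxx.xxx` parse as well, because the IP field is read as free text up to the next comma.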
Please provide the firewall config.

Also, you can try the command below under tunnel-group general attributes.

1) Do you have any site-to-site VPN running on this FW? If so, the dynamic entry has to be configured with a higher sequence number.

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs shown below appear.

[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!

2) You can try configuring the command below under your RA tunnel group:
isakmp ikev1-user-authentication xauth
Post the QM FSM error history from the debugs.
Those are the only debugs I have that show QM FSM error.  What other debugs should I pull?
Did you try my workaround?
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set CiscoVPN esp-des esp-md5-hmac
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs group1
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 160 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 160 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 180 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 180 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 200 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 200 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 220 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 220 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 240 set transform-set ESP-DES-SHA
crypto dynamic-map Outside_dyn_map 240 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 240 set security-association lifetime kilobytes 4608000
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map management_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto map test_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map test_map interface test
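An added example, not part of the thread or of Cisco's tooling: a check of the ordering rule quoted earlier (the dynamic crypto map entry must carry a higher sequence number than every static entry on the same map), run over the `crypto map` lines posted above and over a constructed configuration that breaks the rule. `Lab_map`, `Lab_dyn_map`, `L2L_ACL` and the peer address are made up for the illustration.

```python
import re
from collections import defaultdict

# 'crypto map NAME SEQ ...'; 'crypto dynamic-map ...' and
# 'crypto map NAME interface IFACE' (no sequence number) do not match.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# The crypto map lines as posted in the thread.
PAGE_CONFIG = """\
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto map test_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map test_map interface test
"""

# Constructed: a static site-to-site entry numbered above the dynamic entry.
CONSTRUCTED_BAD = """\
crypto map Lab_map 10 ipsec-isakmp dynamic Lab_dyn_map
crypto map Lab_map 20 match address L2L_ACL
crypto map Lab_map 20 set peer 203.0.113.5
crypto map Lab_map 20 set transform-set ESP-3DES-SHA
crypto map Lab_map interface Outside
"""


def parse_crypto_maps(config):
    """Return {map_name: {"dynamic": {seq: dynamic_map}, "static": {seq, ...}}}."""
    maps = defaultdict(lambda: {"dynamic": {}, "static": set()})
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        dyn = re.match(r"ipsec-isakmp dynamic (\S+)", rest)
        if dyn:
            maps[name]["dynamic"][seq] = dyn.group(1)
        else:
            maps[name]["static"].add(seq)
    for entry in maps.values():
        # A sequence number that references a dynamic map is not a static entry.
        entry["static"] -= set(entry["dynamic"])
    return dict(maps)


def ordering_violations(config):
    """List (map, dynamic_seq, dynamic_map, [static seqs numbered above it])."""
    findings = []
    for name, entry in sorted(parse_crypto_maps(config).items()):
        for dyn_seq, dyn_name in sorted(entry["dynamic"].items()):
            above = sorted(s for s in entry["static"] if s > dyn_seq)
            if above:
                findings.append((name, dyn_seq, dyn_name, above))
    return findings


if __name__ == "__main__":
    print("posted config:", ordering_violations(PAGE_CONFIG))
    print("constructed  :", ordering_violations(CONSTRUCTED_BAD))
```

The posted maps contain only dynamic entries at sequence 65535, so the check reports nothing for them.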
ASKER CERTIFIED SOLUTION
anoopkmr