Solved

Need help troubleshooting why user can't access VPN

Posted on 2004-08-30
Last Modified: 2013-11-16
VPN has been up and running for a couple of weeks.  New user was configured for VPN remote access using Cisco VPN Client 4.0.3(F) software to connect to a PIX 501 6.3(3).  I masked the source and destination IP addresses.

I ran a debug crypto isakmp while he tried to connect to the PIX.

crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src E.F.G.H, dst A.B.C.D
ISADB: reaper checking SA 0xa9dcec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISADB: reaper checking SA 0xa9e70c, conn_id = 0


Any suggestions on why this is going on?
Question by:averyb
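Added example (Python, not from the thread or from Cisco): a small parser for the `debug crypto isakmp` lines quoted above that records which client proposals the PIX policy rejected and flags the Phase 1 stall that follows NAT-T port floating, the symptom the thread eventually traces to the user's home router. The sample input is an abridged, constructed copy of the question's output; the verdict strings are this example's own labels, not PIX messages.

```python
import re

# Constructed sample: abridged copy of the debug lines quoted in the question.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      extended auth pre-share (init)
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): Detected port floating
ISAKMP: larval sa found
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src E.F.G.H, dst A.B.C.D
"""

def parse_isakmp_debug(text):
    # Collect each peer proposal, its attributes and the PIX verdict, plus the
    # events that follow a successful proposal match.
    s = {"transforms": [], "port_floating": False,
         "larval_sa": 0, "retransmits": 0, "sa_deleted": False}
    current = None
    for line in text.splitlines():
        start = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        verdict = re.search(r"atts are (not )?acceptable", line)
        if start:                                   # one proposal from the peer
            current = {"id": int(start.group(1)), "attrs": [], "accepted": None}
            s["transforms"].append(current)
        elif verdict and current is not None:
            current["accepted"] = verdict.group(1) is None
        elif re.match(r"ISAKMP:\s{2,}\S", line) and current is not None:
            current["attrs"].append(line.split(":", 1)[1].strip())
        elif "Detected port floating" in line:      # NAT-T moved IKE to UDP/4500
            s["port_floating"] = True
        elif "larval sa found" in line:             # peer packet hit a half-built SA
            s["larval_sa"] += 1
        elif "retransmitting phase 1" in line:
            s["retransmits"] += 1
        elif "deleting SA:" in line:
            s["sa_deleted"] = True
    return s

def diagnose(s):
    # Heuristic verdict defined by this example, not a PIX diagnostic.
    if not any(t["accepted"] for t in s["transforms"]):
        return "NO_POLICY_MATCH"                    # isakmp policy vs. client proposal
    if s["port_floating"] and s["retransmits"] and s["sa_deleted"]:
        return "PHASE1_STALL_AFTER_NAT_T"           # exchange died once IKE moved ports
    return "NO_STALL_DETECTED"
```

Transforms 1 and 2 in the original trace carry "extended auth pre-share" and are rejected against a policy configured for plain pre-share; transform 3 matches, so the failure is not a proposal mismatch but the exchange dying after port floating.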
4 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 11934919
Is the client setup checked with "enable transparent tunneling" checked in the Transport tab?
Is the client behind a broadband router?
Is this router set to permit IPSEC passthrough?
Can you post your crypto map configuration?

LVL 4

Author Comment

by:averyb
ID: 11935288
Yes, "enable transparent tunneling" is checked in the Transport tab.
Yes, the client is behind a broadband router.
I don't know if the router is set to permit IPSEC passthrough.
A coworker lives down the street, uses the same ISP, and is able to connect to the VPN.  I don't have specifics on their configuration.  Most probable reason is something to do with his broadband router.  I am looking into that, but would appreciate comments on the config in case I missed something.

Here is the full config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ARZAuT.CplHXAHmn encrypted
passwd d6gwdVQj/WXD/3Qs encrypted
hostname what
domain-name blah.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name W.X.Y.254 ServerI
name W.X.Y.2 ServerT
name W.X.Y.0 O_LAN
name W.X.Z.0 VPN_LAN
access-list 101 permit icmp any host A.B.C.E
access-list 101 permit icmp any host A.B.C.D
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq netbios-ssn
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any host A.B.C.D eq ftp-data
access-list 101 permit tcp any host A.B.C.D eq ftp
access-list 101 permit tcp any host A.B.C.E eq ftp
access-list 101 permit tcp any host A.B.C.E eq ftp-data
access-list 101 permit tcp any host A.B.C.E eq pop3
access-list 101 permit tcp any host A.B.C.E eq imap4
access-list 101 permit tcp any host A.B.C.E eq smtp
access-list 101 permit tcp any host A.B.C.E eq 8080
access-list 101 permit tcp any host A.B.C.E eq www
access-list 101 permit tcp any host A.B.C.D eq www
access-list 102 permit ip O_LAN 255.255.255.0 VPN_LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.D 255.255.255.224
ip address inside W.X.Y.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool W.X.Z.1-W.X.Z.15
<Deleted several pdm related lines>
arp timeout 14400
global (outside) 1 A.B.C.I
nat (inside) 0 access-list 102
nat (inside) 1 ServerI 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) A.B.C.D ServerI netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.E ServerT netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.G 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
http VPN_LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup duh address-pool vpnpool
vpngroup duh dns-server ServerI
vpngroup duh default-domain blah.com
vpngroup duh split-tunnel 102
vpngroup duh idle-time 1800
vpngroup duh password ********
vpngroup split-tunnel idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


I appreciate the help.
LVL 79

Accepted Solution

by: lrmoore earned 500 total points
ID: 11935449
Most likely issue with this user's local router, but:

>nat (inside) 0 access-list 102
>vpngroup duh split-tunnel 102

Two different processes using the same acl is not recommended practice.

Suggest a new split-tunnel acl:

access-list 103 permit ip O_LAN 255.255.255.0 VPN_LAN 255.255.255.0
vpngroup duh split-tunnel 103

The exact same rule, but with a different acl reference number, makes for cleaner processes...

Also, nothing to do with the problem at hand, but:
>access-list 101 deny udp any any eq 1434
>access-list 101 deny tcp any any eq 593
> <etc>

All of your "deny" statements are not needed at all. By default EVERYTHING is denied until and unless you expressly permit with "permit" statements. Any unnecessary acl lines will impact performance.

LVL 4

Author Comment

by:averyb
ID: 11942994
Sure enough.  There is a section in the broadband router config called "VPN Pass through".  I expect that the user will find that it is not enabled for IPSec.
