Question from averyb
Need help troubleshooting why user can't access VPN

VPN has been up and running for a couple of weeks.  New user was configured for VPN remote access using Cisco VPN Client 4.0.3(F) software to connect to a PIX 501 6.3(3).  I masked the source and destination IP addresses.

I ran a debug crypto isakmp while he tried to connect to the PIX.

crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src E.F.G.H, dst A.B.C.D
ISADB: reaper checking SA 0xa9dcec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for E.F.G.H/500 not found - peers:1

ISADB: reaper checking SA 0xa9e70c, conn_id = 0


Any suggestions on why this is going on?
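Added example (not part of the original post): a small Python triage script for exactly this kind of PIX 6.3 "debug crypto isakmp" capture. It separates the two questions the debug answers, whether any client proposal matched the isakmp policy, and whether the peer kept talking after NAT-T port floating, and then reports which one failed. The sample debug text is a constructed excerpt modelled on the post's output with the same masked addresses; the rule that "proposal accepted, port floated, then phase 1 retransmits and SA deleted" points at UDP 4500 (the NAT-T port) being dropped between client and PIX is the triage heuristic this example encodes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of a PIX 6.3 "debug crypto isakmp" capture, modelled on the
# failure pattern in the question above (peer addresses masked as in the post).
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:E.F.G.H, dest:A.B.C.D spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): speaking to a Unity client
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src E.F.G.H, dst A.B.C.D
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(.+?)\s*$")      # indented attribute lines of one proposal
VERDICT_RE = re.compile(r"atts are (not )?acceptable")
RETRANS_RE = re.compile(r"retransmitting phase 1 \((\d+)\)")


@dataclass
class Transform:
    number: int
    policy: int
    attributes: List[str] = field(default_factory=list)
    accepted: Optional[bool] = None   # None if the verdict line never appeared


def parse_transforms(debug_text: str) -> List[Transform]:
    """Group each client proposal with its attributes and the PIX's verdict on it."""
    transforms: List[Transform] = []
    current: Optional[Transform] = None
    for line in debug_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = Transform(int(m.group(1)), int(m.group(2)))
            transforms.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current.attributes.append(m.group(1))
            continue
        m = VERDICT_RE.search(line)
        if m:
            current.accepted = m.group(1) is None   # "not acceptable" -> False
            current = None
    return transforms


def diagnose(debug_text: str) -> dict:
    """Classify a phase 1 failure: policy mismatch vs. peer going silent after NAT-T."""
    transforms = parse_transforms(debug_text)
    accepted = [t for t in transforms if t.accepted]
    retransmits = len(RETRANS_RE.findall(debug_text))
    report = {
        "transforms_offered": len(transforms),
        "accepted_transform": accepted[0].number if accepted else None,
        "nat_t_negotiated": "vendor ID is NAT-T" in debug_text,
        "port_floated": "Detected port floating" in debug_text,
        "phase1_retransmits": retransmits,
        "sa_deleted": "deleting SA" in debug_text,
    }
    if not accepted:
        report["assessment"] = ("no client proposal matched the isakmp policy: "
                                "compare the client's proposals with 'isakmp policy' on the PIX")
    elif report["sa_deleted"] or retransmits:
        if report["port_floated"]:
            report["assessment"] = ("phase 1 proposal matched, then the peer went silent after NAT-T "
                                    "floated IKE to UDP 4500: check IPsec passthrough / UDP 4500 on the "
                                    "client's NAT router")
        else:
            report["assessment"] = ("phase 1 proposal matched, then the peer went silent: "
                                    "check the UDP 500 path to the client")
    else:
        report["assessment"] = "phase 1 completed without retransmits"
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against a real capture by pasting it in place of SAMPLE_DEBUG; the "not acceptable" verdicts on earlier transforms are normal (the client offers several proposals and the PIX accepts the first one that fits), so only the all-rejected case is a policy problem.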
Les Moore

Is the client setup checked with "enable transparent tunneling" checked in the Transport tab?
Is the client behind a broadband router?
Is this router set to permit IPSEC passthrough?
Can you post your crypto map configuration?


averyb (ASKER)

Yes, "enable transparent tunneling" is checked in the Transport tab.
Yes, the client is behind a broadband router.
I don't know if the router is set to permit IPSEC passthrough.
A coworker lives down the street, uses the same ISP, and is able to connect to the VPN.  I don't have specifics on their configuration.  Most probable reason is something to do with his broadband router.  I am looking into that, but would appreciate comments on the config in case I missed something.

Here is the full config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ARZAuT.CplHXAHmn encrypted
passwd d6gwdVQj/WXD/3Qs encrypted
hostname what
domain-name blah.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name W.X.Y.254 ServerI
name W.X.Y.2 ServerT
name W.X.Y.0 O_LAN
name W.X.Z.0 VPN_LAN
access-list 101 permit icmp any host A.B.C.E
access-list 101 permit icmp any host A.B.C.D
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq netbios-ssn
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any host A.B.C.D eq ftp-data
access-list 101 permit tcp any host A.B.C.D eq ftp
access-list 101 permit tcp any host A.B.C.E eq ftp
access-list 101 permit tcp any host A.B.C.E eq ftp-data
access-list 101 permit tcp any host A.B.C.E eq pop3
access-list 101 permit tcp any host A.B.C.E eq imap4
access-list 101 permit tcp any host A.B.C.E eq smtp
access-list 101 permit tcp any host A.B.C.E eq 8080
access-list 101 permit tcp any host A.B.C.E eq www
access-list 101 permit tcp any host A.B.C.D eq www
access-list 102 permit ip O_LAN 255.255.255.0 VPN_LAN 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.D 255.255.255.224
ip address inside W.X.Y.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool W.X.Z.1-W.X.Z.15
<Deleted several pdm related lines>
arp timeout 14400
global (outside) 1 A.B.C.I
nat (inside) 0 access-list 102
nat (inside) 1 ServerI 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) A.B.C.D ServerI netmask 255.255.255.255 0 0
static (inside,outside) A.B.C.E ServerT netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.G 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
http VPN_LAN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup duh address-pool vpnpool
vpngroup duh dns-server ServerI
vpngroup duh default-domain blah.com
vpngroup duh split-tunnel 102
vpngroup duh idle-time 1800
vpngroup duh password ********
vpngroup split-tunnel idle-time 1800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80


I appreciate the help.
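Added example (not from the post or from Cisco): a Python consistency check over the remote-access VPN lines of a PIX 6.3 config like the one above. It covers the things a reviewer reads for first: IKE enabled and NAT-T configured on the outside interface, `sysopt connection permit-ipsec` present, the crypto map bound to the outside interface chaining to a dynamic map and a defined transform-set, the vpngroup's address pool and split-tunnel ACL actually defined, and the `nat (inside) 0` exemption in place. The sample config is a constructed excerpt modelled on the post's lines; the passwords and the masked addresses are left out.

```python
import re
from typing import List

# Constructed PIX 6.3 excerpt modelled on the remote-access VPN lines in the post.
SAMPLE_CONFIG = """\
access-list 102 permit ip O_LAN 255.255.255.0 VPN_LAN 255.255.255.0
ip local pool vpnpool W.X.Z.1-W.X.Z.15
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup duh address-pool vpnpool
vpngroup duh split-tunnel 102
"""


def audit_remote_access_vpn(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every cross-reference resolved."""
    findings: List[str] = []
    text = "\n".join(l.strip() for l in config_text.splitlines() if l.strip())

    def has(pattern: str) -> bool:
        return re.search(pattern, text, re.M) is not None

    # Phase 1 prerequisites on the outside interface.
    if not has(r"^isakmp enable outside$"):
        findings.append("isakmp is not enabled on the outside interface")
    if not has(r"^isakmp nat-traversal( \d+)?$"):
        findings.append("isakmp nat-traversal is not configured: clients behind NAT routers will fail")
    if not has(r"^sysopt connection permit-ipsec$"):
        findings.append("sysopt connection permit-ipsec is missing: decrypted client traffic "
                        "must then be permitted explicitly by the outside ACL")

    # Crypto map -> dynamic map -> transform-set chain.
    m = re.search(r"^crypto map (\S+) interface outside$", text, re.M)
    if not m:
        findings.append("no crypto map is bound to the outside interface")
    else:
        cmap = m.group(1)
        dyn_refs = re.findall(rf"^crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic (\S+)$", text, re.M)
        if not dyn_refs:
            findings.append(f"crypto map {cmap} has no dynamic entry for remote-access clients")
        for dyn in dyn_refs:
            ts_refs = re.findall(rf"^crypto dynamic-map {re.escape(dyn)} \d+ set transform-set (\S+)$",
                                 text, re.M)
            if not ts_refs:
                findings.append(f"dynamic map {dyn} is referenced by {cmap} but sets no transform-set")
            for ts in ts_refs:
                if not has(rf"^crypto ipsec transform-set {re.escape(ts)} "):
                    findings.append(f"transform-set {ts} is referenced by {dyn} but not defined")

    # vpngroup references: address pool and split-tunnel ACL must exist.
    for grp, pool in re.findall(r"^vpngroup (\S+) address-pool (\S+)$", text, re.M):
        if not has(rf"^ip local pool {re.escape(pool)} "):
            findings.append(f"vpngroup {grp} uses address-pool {pool}, which is not defined")
    for grp, acl in re.findall(r"^vpngroup (\S+) split-tunnel (\S+)$", text, re.M):
        if not has(rf"^access-list {re.escape(acl)} "):
            findings.append(f"vpngroup {grp} split-tunnel references access-list {acl}, which has no entries")

    # NAT exemption so traffic to the VPN pool is not translated.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", text, re.M)
    if not m:
        findings.append("no 'nat (inside) 0 access-list' exemption: traffic to VPN clients will be NATed")
    elif not has(rf"^access-list {re.escape(m.group(1))} "):
        findings.append(f"nat 0 references access-list {m.group(1)}, which has no entries")

    return findings


if __name__ == "__main__":
    for finding in audit_remote_access_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the posted config the checks all resolve, which is consistent with the coworker on the same ISP connecting fine and the problem being on the one user's home router rather than in the PIX.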
ASKER CERTIFIED SOLUTION
Les Moore
averyb (ASKER)

Sure enough.  There is a section in the broadband router config called "VPN Pass through".  I expect that the user will find that it is not enabled for IPSec.