VPN Client not connected error

Posted on 2006-05-26
Last Modified: 2008-01-09
I set up a Cisco PIX 515 in my lab to test IPSec VPN. The PIX is behind a Linksys WRTP54G router and UDP port 500 is open. I can establish the VPN in the LAN, but I get a "not connected" error if I test it from a remote office that is behind another PIX 515E. I am not sure whether the problem is the Linksys router or the PIX in the office. Any suggestions?

The lab PIX configuration can be found here.

Here is the VPN client log.

Cisco Systems VPN Client Version
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      09:58:38.469  05/26/06  Sev=Info/4      CM/0x63100002
Begin connection process

2      09:58:38.979  05/26/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      09:58:38.979  05/26/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      09:58:38.979  05/26/06  Sev=Info/4      CM/0x63100024
Attempt connection with server ""

5      09:58:40.247  05/26/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with x.x.x.246.

6      09:58:40.557  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.246

7      09:58:40.587  05/26/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      09:58:40.587  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      09:58:40.947  05/26/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246

10     09:58:40.947  05/26/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.246

11     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

12     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

13     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

15     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

16     09:58:40.977  05/26/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

17     09:58:40.977  05/26/06  Sev=Info/4      IKE/0x63000013

18     09:58:40.997  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

19     09:58:40.997  05/26/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

20     09:58:40.997  05/26/06  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

21     09:58:40.997  05/26/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

22     09:58:40.997  05/26/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

23     09:58:41.566  05/26/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

24     09:58:41.566  05/26/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

25     09:58:41.566  05/26/06  Sev=Info/4      IKE/0x63000013

26     09:58:46.860  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

27     09:58:46.860  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

28     09:58:51.305  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

29     09:58:52.304  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

30     09:58:52.304  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

31     09:58:55.900  05/26/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246

32     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from x.x.x.246

33     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

34     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to x.x.x.246

35     09:58:57.798  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

36     09:58:57.798  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

37     09:59:01.793  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

38     09:59:03.291  05/26/06  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=442F0A75

39     09:59:03.291  05/26/06  Sev=Info/4      IKE/0x63000013

40     09:59:03.291  05/26/06  Sev=Info/6      IKE/0x6300003D
Sending DPD request to x.x.x.246, our seq# = 2226793716

41     09:59:03.341  05/26/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED

42     09:59:03.341  05/26/06  Sev=Info/4      IKE/0x63000013

43     09:59:06.787  05/26/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED

44     09:59:06.787  05/26/06  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

45     09:59:06.797  05/26/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

46     09:59:06.807  05/26/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

47     09:59:06.937  05/26/06  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

48     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

49     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
Question by: blin2000
    LVL 79

    Accepted Solution

    Two things:
     On BOTH PIX's, be sure the following command is entered:
       isakmp nat-traversal 20

     And on the Linksys WRTP54G router open UDP 4500
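Added example (not from the original thread): a small triage script that reads a Cisco VPN Client log like the one posted above and flags the pattern the accepted answer describes, i.e. Phase 1 completes, NAT-T detects NAT on both ends and floats IKE to UDP 4500 (0x1194), then Phase 2 retransmits until DEL_REASON_IKE_NEG_FAILED. The log excerpt below is constructed from the posted lines; the cookie values are placeholders.

```python
import re
from typing import Dict

# Constructed excerpt modelled on the client log in the question (not the original lines verbatim).
SAMPLE_LOG = """\
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
Retransmitting last packet!
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246
Retransmitting last packet!
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246
Phase-2 retransmission count exceeded: MsgID=442F0A75
Marking IKE SA for deletion  (I_Cookie=PLACEHOLDER R_Cookie=PLACEHOLDER) reason = DEL_REASON_IKE_NEG_FAILED
"""

PORT_RE = re.compile(r"Local Port =\s*(0x[0-9A-Fa-f]+),\s*Remote Port =\s*(0x[0-9A-Fa-f]+)")
NAT_RE = re.compile(r"(Remote|This)\s+end IS behind a NAT device")


def extract_facts(log: str) -> Dict[str, object]:
    """Pull out the few facts that together explain the failure."""
    m = PORT_RE.search(log)
    remote_port = int(m.group(2), 16) if m else None  # 0x1194 is UDP 4500, the NAT-T port
    nat_sides = set(NAT_RE.findall(log))
    return {
        "ike_udp_port": remote_port,
        "both_behind_nat": nat_sides == {"Remote", "This"},
        "phase1_up": "Established Phase 1 SA" in log,
        "retransmits": log.count("Retransmitting last packet!"),
        "phase2_timeout": "Phase-2 retransmission count exceeded" in log,
        "neg_failed": "DEL_REASON_IKE_NEG_FAILED" in log,
    }


def triage(log: str) -> str:
    """Return a short verdict: NAT-T moved IKE to UDP 4500 and nothing came back after that."""
    f = extract_facts(log)
    if f["ike_udp_port"] == 4500 and f["both_behind_nat"] and f["phase1_up"] \
            and (f["phase2_timeout"] or f["neg_failed"]):
        return "nat-t-4500-blocked"  # check UDP 4500 is forwarded/permitted at both NAT devices
    if not f["phase1_up"]:
        return "phase1-failed"
    return "other"


if __name__ == "__main__":
    print(extract_facts(SAMPLE_LOG))
    print(triage(SAMPLE_LOG))
```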
    LVL 7

    Author Comment

    Hi Irmoore,

    I already have isakmp nat-traversal 20. After I opened UDP 500, it works. Thank you.

    However, the VPN client can't ping the remote computers while remote computers can ping the VPN client. I think I need some access-list command, but what are they?
    LVL 79

    Expert Comment

    If you only open up UDP 500, then you only have half of the requirement. UDP 4500 is required for the data.
    If you have sysopt connect permit-ipsec, then you don't need any access-lists unless you have an outbound acl applied to the inside interface.
    Client pool is in different subnet than the internal LAN? Client PC's local LAN subnet is different from remote subnet through the VPN tunnel?
    Systems that you want to access have their default gateway pointed to the PIX?
    If you want to post your config, I'll take a look at it.
    LVL 77

    Expert Comment

    by:Rob Williams
    Does the WRTP54G support IPSec? The WRT54G is supposed to, but the only mention of IPSec in the WRTP54G manual or spec sheet, was in the appendix which seems to be somewhat universal. Also, the normal Firewall/Security/enable IPSec option doesn't seem to exist in the manual. lrmoore is far more aware of any implications this may have on the Cisco client than I, but thought I would point it out.
    Perhaps try by-passing the router and connecting directly to the modem as a test.
    LVL 7

    Author Comment

    Here is the configuration.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname CHICAGOTECH
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name chicagotech
    access-list outside_in permit icmp any any
    access-list outside_in permit tcp any host eq 3389
    access-list outside_inbound_nat0_acl permit ip any
    access-list 10 permit
    access-list 192_splitTunnelAcl permit ip any
    pager lines 24
    logging on
    logging trap errors
    logging device-id hostname
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool 172pool
    pdm location chicagotech inside
    pdm history enable
    arp timeout 14400
    global (outside) 2
    global (outside) 1 interface
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 1 0 0
    static (inside,outside) chicagotech netmask 0 0
    static (inside,outside) netmask 0 0
    access-group outside_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 600 kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup 192 address-pool 172pool
    vpngroup 192 dns-server
    vpngroup 192 split-tunnel 192_splitTunnelAcl
    vpngroup 192 idle-time 1800
    vpngroup 192 password ********
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80

    LVL 79

    Expert Comment

    These lines represent part of the problem:
    -- VPN client address pool is in the same subnet as the inside LAN - not recommended
    ip address inside
    ip local pool 172pool

    -- ACLs should reference inside LAN to IP pool subnet, and should not have "any" in them - they don't
    access-list outside_inbound_nat0_acl permit ip any
    access-list 192_splitTunnelAcl permit ip any

    -- IP pool in a totally different subnet
    ip local pool 172pool
    no access-list outside_inbound_nat0_acl
    no access-list 192_splitTunnelAcl
    access-list inside_outbound_nat0_acl permit ip
    access-list SplitTunnel permit ip
    no nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (outside) 0 access-list inside_outbound_nat0_acl  outside
    vpngroup 192 split-tunnel SplitTunnel

    >vpngroup 192 dns-server
    If you're not going to give the VPN client an internal DNS IP address, then don't give them anything
      no vpngroup 192 dns-server
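Added example (not part of the thread): a checker for the two configuration faults lrmoore points out above, a client address pool that falls inside the inside-interface subnet and nat 0 / split-tunnel ACLs written with "any" instead of inside-LAN-to-pool-subnet entries. The addresses below are constructed, since the posted config had its IPs stripped; the "before" fragment reproduces the fault and the "after" fragment follows the suggested fix.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List

# Constructed PIX 6.3-style fragments; addresses are made up for illustration.
BAD_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool 172pool 192.168.1.200-192.168.1.220
access-list outside_inbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list 192_splitTunnelAcl permit ip any 192.168.1.0 255.255.255.0
"""

GOOD_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool 172pool 172.16.10.1-172.16.10.50
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list SplitTunnel permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
"""

INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.*)$", re.M)


def findings(config: str) -> List[str]:
    """Return one line per problem found; an empty list means the checks pass."""
    out: List[str] = []
    inside = INSIDE_RE.search(config)
    pool = POOL_RE.search(config)
    if inside and pool:
        # strict=False lets us build the subnet from the interface address plus its mask
        lan = ip_network(f"{inside.group(1)}/{inside.group(2)}", strict=False)
        first, last = ip_address(pool.group(2)), ip_address(pool.group(3))
        if first in lan or last in lan:
            out.append(f"pool {pool.group(1)} ({first}-{last}) overlaps inside subnet {lan}")
    for name, body in ACL_RE.findall(config):
        # nat 0 and split-tunnel ACLs should name inside LAN and pool subnets, never 'any'
        if "any" in body.split():
            out.append(f"acl {name} uses 'any'; it should match inside LAN <-> pool subnet")
    return out


if __name__ == "__main__":
    for label, cfg in (("before", BAD_CONFIG), ("after", GOOD_CONFIG)):
        print(label, findings(cfg) or ["ok"])
```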
    LVL 7

    Author Comment

    It works. Thank you very much.
