Cisco VPN 1 specific username cannot login

Posted on 2006-10-31 | 11 comments | 2,998 views | Last modified: 2008-09-02
I am using a Cisco IOS router with Easy VPN Server configured. Recently, one particular user has been unable to log in to the VPN.
The error message is as below:

    Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".
    0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

From the same VPN Client, I am able to log in using other usernames with no problems.

I have tried to delete the username and recreate it, but it still gives the same error.

What could be the problem?
Question by: frukeus
11 Comments

Author Comment by: frukeus
This is the logfile on the VPN Client


Cisco Systems VPN Client Version 4.7.00.0533
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      14:29:21.604  11/01/06  Sev=Info/4      CM/0x63100002
Begin connection process

2      14:29:21.614  11/01/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

3      14:29:21.614  11/01/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "178.22.35.223"

4      14:29:22.615  11/01/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 178.22.35.223.

5      14:29:22.615  11/01/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 178.22.35.223

6      14:29:22.625  11/01/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

7      14:29:22.625  11/01/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

8      14:29:23.096  11/01/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 178.22.35.223

9      14:29:23.096  11/01/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 178.22.35.223

10     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

11     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

12     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

13     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

14     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

15     14:29:23.096  11/01/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

16     14:29:23.096  11/01/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 178.22.35.223

17     14:29:23.096  11/01/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

18     14:29:23.096  11/01/06  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

19     14:29:23.096  11/01/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

20     14:29:23.306  11/01/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 178.22.35.223

21     14:29:23.306  11/01/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 178.22.35.223

22     14:29:23.306  11/01/06  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

23     14:29:23.306  11/01/06  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

24     14:29:23.316  11/01/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =  178.22.35.223

25     14:29:23.316  11/01/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from  178.22.35.223

26     14:29:23.316  11/01/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

27     14:29:30.386  11/01/06  Sev=Info/4      CM/0x63100017
xAuth application returned

28     14:29:30.386  11/01/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to  178.22.35.223

29     14:29:30.657  11/01/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 178.22.35.223

30     14:29:30.657  11/01/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from  178.22.35.223

31     14:29:30.657  11/01/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to  178.22.35.223

32     14:29:30.657  11/01/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

33     14:29:30.657  11/01/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

34     14:29:30.657  11/01/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

35     14:29:30.657  11/01/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 178.22.35.223

36     14:29:30.907  11/01/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 178.22.35.223

37     14:29:30.907  11/01/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 178.22.35.223

38     14:29:30.907  11/01/06  Sev=Info/5      IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54

39     14:29:30.907  11/01/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

40     14:29:31.628  11/01/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

41     14:29:31.628  11/01/06  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

42     14:29:31.628  11/01/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

43     14:29:31.628  11/01/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

44     14:29:31.638  11/01/06  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

45     14:29:31.638  11/01/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

46     14:29:31.638  11/01/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

47     14:29:31.638  11/01/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

48     14:29:31.638  11/01/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

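The client log above can be read mechanically, and doing so makes the important point visible at a glance. The script below is an added example, not code from the thread or from Cisco: it folds the client's two-line records (header, then message), picks out the milestones that appear in this log (Phase 1 SA established, xAuth launched, "1 User Authenticated IKE SA", the DELETE payload, the "deleted before Mode Config" message) and names the stage at which the attempt stopped. The CM/IKE message codes and strings are taken from the log above; the stage names, the hint text and the second "XAUTH rejected" sample are my own constructions and are labelled as such in the code.

```python
"""Locate the stage at which a Cisco VPN Client 4.x connection attempt died.
Added example, not code from the thread. Message codes and milestone strings come
from the client log above; the stage names and hints are my own labels."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A record is a header "<seq> <time> <date> Sev=<level> <MODULE>/<code>" plus message line(s).
HEADER_RE = re.compile(r"^\d+\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\S+\s+([A-Z]+)/(0x[0-9A-Fa-f]+)$")
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-Fa-f]+)\s+R_Cookie=([0-9A-Fa-f]+)")
REASON_RE = re.compile(r"reason = (\S+)")

def parse_client_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (module, code, message) per record; continuation lines are folded in."""
    records: List[Tuple[str, str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            records.append((m[1], m[2], ""))
        elif line and records:
            mod, code, text = records[-1]
            records[-1] = (mod, code, (text + " " + line).strip())
    return records

@dataclass
class Verdict:
    phase1_established: bool = False  # CM/0x6310000E "Established Phase 1 SA"
    xauth_prompted: bool = False      # CM/0x63100015 "Launch xAuth application"
    user_authenticated: bool = False  # CM/0x6310000E with "1 User Authenticated IKE SA"
    peer_deleted_sa: bool = False     # IKE/0x6300003C "Received a DELETE payload"
    premature_teardown: bool = False  # CM/0x6310000F "deleted before Mode Config"
    delete_reason: str = ""
    cookies: str = ""
    stage: str = "unknown"

HINTS = {  # my own labels, not Cisco text
    "phase1_not_established": "No Phase 1 SA: reachability, group/pre-shared key or IKE proposal.",
    "xauth_not_completed": "Phase 1 up but XAUTH never yielded an authenticated SA: suspect the credentials first.",
    "deleted_before_xauth": "Phase 1 up and the peer deleted the SA before XAUTH started.",
    "deleted_after_xauth_before_mode_config": "Credentials accepted, then the peer deleted the SA before Mode Config: look server-side (address assignment, per-user/session state), not at the password.",
    "no_failure_observed": "No IKE SA deletion in this excerpt.",
}

def classify(records: List[Tuple[str, str, str]]) -> Verdict:
    """Walk the records in order and decide where the attempt stopped."""
    v = Verdict()
    for mod, code, text in records:
        if (mod, code) == ("CM", "0x6310000E"):
            v.phase1_established = True
            v.user_authenticated |= "1 User Authenticated IKE SA" in text
        elif (mod, code) == ("CM", "0x63100015"):
            v.xauth_prompted = True
        elif (mod, code) == ("IKE", "0x6300003C"):
            v.peer_deleted_sa = True
            m = COOKIE_RE.search(text)
            v.cookies = f"{m[1]}/{m[2]}" if m else ""
        elif (mod, code) == ("IKE", "0x63000017"):
            m = REASON_RE.search(text)
            v.delete_reason = m[1] if m else ""
        elif (mod, code) == ("CM", "0x6310000F"):
            v.premature_teardown = True
    if not v.phase1_established:
        v.stage = "phase1_not_established"
    elif not v.user_authenticated:
        v.stage = "xauth_not_completed" if v.xauth_prompted else "deleted_before_xauth"
    elif v.peer_deleted_sa or v.premature_teardown:
        v.stage = "deleted_after_xauth_before_mode_config"
    else:
        v.stage = "no_failure_observed"
    return v

# Records excerpted from the log pasted above (numbers 19, 26, 32, 38, 39, 41).
AUTH_OK = """32     14:29:30.657  11/01/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
"""
SAMPLE_POST_AUTH_DELETE = """19     14:29:23.096  11/01/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

26     14:29:23.316  11/01/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

""" + AUTH_OK + """
38     14:29:30.907  11/01/06  Sev=Info/5      IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54

39     14:29:30.907  11/01/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

41     14:29:31.628  11/01/06  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""
# Constructed variant (not from the thread): same shape, but the SA is deleted before XAUTH succeeds.
SAMPLE_XAUTH_REJECTED = SAMPLE_POST_AUTH_DELETE.replace(AUTH_OK, "")

if __name__ == "__main__":
    for name, log in (("post-auth delete", SAMPLE_POST_AUTH_DELETE), ("xauth rejected", SAMPLE_XAUTH_REJECTED)):
        v = classify(parse_client_log(log))
        print(f"{name}: stage={v.stage} reason={v.delete_reason or '-'}\n  {HINTS[v.stage]}")
```

Run on the pasted log it reports that the credentials were accepted (the "1 User Authenticated IKE SA" milestone) before the peer sent the DELETE, which is what separates this failure from a wrong password and is the reason to look at the router rather than the client. The ISAKMP cookies it extracts are the IKE SA identifiers from the log, unrelated to browser cookies.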

Expert Comment by: lrmoore
>Cisco Systems VPN Client Version 4.7.00.0533
Suggest updating to the latest 4.8 version

>Received a DELETE payload for IKE SA with Cookies:  I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54
Try deleting all of your cookies for that site/host

It looks like the user is getting authenticated, but does not get an IP address. Do you have enough IP's in the pool to support another client?
Do you assign downloadable acls to users after they log in?

Author Comment by: frukeus
I was able to log in without any problem previously on the same client. In any case, I've tried to log in on another client and the exact problem is replicated.
With this particular username and password, I am unable to log in. No problems using other usernames on the same client.


Author Comment by: frukeus
>Received a DELETE payload for IKE SA with Cookies:  I_Cookie=06A36C78457E59D7 R_Cookie=5F0A076EEFCA6E54
Try deleting all of your cookies for that site/host

Are the cookies tied to a particular user? Because immediately after the client fails to connect using the username, I was able to connect successfully with another username.

Author Comment by: frukeus
Can anyone help? My user reports another username unable to connect.

Author Comment by: frukeus
Can anyone help? All of a sudden, all my users are no longer able to log in. All client-side logs show the same error as above.
Would a reboot help?

Author Comment by: frukeus
I realised that it is due to an exceedingly large number of AAA sessions:

router#sh aaa sessions
Total sessions since last reload: 1036
Session Id: 7
   Unique Id: 7
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0
Session Id: 8
   Unique Id: 8
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0
....

When I did a reload, it cleared all the sessions.
Can anyone advise what could be causing this? Is there any other way to clear the sessions without reloading?
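Since only a reload cleared the sessions in this thread, a practitioner would at least want to watch how fast the orphaned entries accumulate before every user is locked out. The script below is an added example, not code from the thread or from Cisco: it parses saved `show aaa sessions` output into one record per session, flags entries that look like the poster's stuck ones (User Name `*not available*`, IP Address `0.0.0.0`) and raises an alert above an arbitrary threshold. The sample output is constructed in the shape of the excerpt above with a couple of named sessions added; the script only reports and does not clear anything.

```python
"""Parse 'show aaa sessions' from a Cisco IOS router and flag stale entries.
Added example, not code from the thread. The sample output is constructed to match
the excerpt the poster pasted (blocks with 'User Name: *not available*' and
'IP Address: 0.0.0.0') plus a few named sessions; the alert threshold is arbitrary."""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

TOTAL_RE = re.compile(r"Total sessions since last reload:\s*(\d+)")
SESSION_RE = re.compile(r"^Session Id:\s*(\d+)")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*):\s*(.*)$")   # indented "Key: value" lines

def parse_aaa_sessions(output: str) -> Tuple[Optional[int], List[Dict[str, str]]]:
    """Return (total-since-reload, list of session dicts keyed by the field names shown)."""
    total = None
    sessions: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            total = int(m[1])
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"Session Id": m[1]})
            continue
        m = FIELD_RE.match(line)
        if m and sessions:
            sessions[-1][m[1].strip()] = m[2].strip()
    return total, sessions

def is_orphan(s: Dict[str, str]) -> bool:
    """A session with no user name and no address assigned, as in the poster's output."""
    return s.get("User Name") == "*not available*" and s.get("IP Address") == "0.0.0.0"

def summarize(output: str, orphan_threshold: int = 50) -> dict:
    """Count live vs orphaned sessions and who holds the live ones."""
    total, sessions = parse_aaa_sessions(output)
    orphans = [s for s in sessions if is_orphan(s)]
    per_user = Counter(s.get("User Name", "?") for s in sessions if not is_orphan(s))
    return {
        "total_since_reload": total,
        "active": len(sessions),
        "orphans": len(orphans),
        "orphan_ids": [int(s["Session Id"]) for s in orphans],
        "per_user": dict(per_user),
        "alert": len(orphans) >= orphan_threshold,   # arbitrary threshold, tune per router
    }

# Constructed sample in the shape of the poster's 'sh aaa sessions' excerpt.
SAMPLE = """Total sessions since last reload: 1036
Session Id: 7
   Unique Id: 7
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0
Session Id: 8
   Unique Id: 8
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0
Session Id: 9
   Unique Id: 9
   User Name: alice
   IP Address: 10.10.1.5
   Idle Time: 12
   CT Call Handle: 0
Session Id: 10
   Unique Id: 10
   User Name: *not available*
   IP Address: 0.0.0.0
   Idle Time: 0
   CT Call Handle: 0
"""

if __name__ == "__main__":
    # Pass a file of saved router output, or run with no argument to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(text, orphan_threshold=3))
```

Polling this from a monitoring host and alerting on the orphan count gives warning before the router reaches the state the poster describes, where every user fails; it does not explain why the sessions are left behind, which the thread never resolves.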

Expert Comment by: sgriesbach
I had this identical problem. Like you, just one of several VPN clients was not able to connect. All others continued to work fine. I use the certificate authority authentication method. To fix the problem, I deleted that particular certificate and recreated it. I also have a huge number of sessions since last reload.

Author Comment by: frukeus
Well, the next time you encounter another client unable to connect, try rebooting the router to clear the sessions and see if it works. I still have no idea how to clear the sessions without rebooting the router.

For my case, I am using local authentication. My workaround was to create a new username for the VPN user that cannot connect. Eventually, the number of sessions became so large that all users could not connect and I had to reboot the router.

It would also be good to find out what is causing the sessions to remain instead of automatically being deleted.

Accepted Solution by: Computer101 (EE Admin), earned 0 total points
PAQed with points refunded (500)