Solved

Cisco PIX 501 VPN Client stops at "Securing Communication Channel"

Posted on 2006-11-15
Last Modified: 2013-11-16
I have a client with a PIX 501 that has a point-to-point VPN to another PIX 501 that seems to be working okay.  The one PIX is also set up to allow VPN Clients to connect.  Whenever I try to connect to it the software connects but hangs on "Securing Communication Channel".  I have tried multiple computers with different connections and always the same.  When I do a sh isakmp sa it shows the tunnel created with a state of QM_IDLE.  Any ideas?  Below is a config and log of the VPN Client.

PIX CONFIG
-------------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bhripvpnpool 192.168.2.100-192.168.2.149
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 192.168.1.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 100 ipsec-isakmp dynamic dynmap
crypto map dyn-map 2 ipsec-isakmp
crypto map dyn-map 2 match address 110
crypto map dyn-map 2 set peer xxx.xxx.xxx.xxx
crypto map dyn-map 2 set transform-set myset
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup XXXXX address-pool XXXXXXXXX
vpngroup XXXXX dns-server 192.168.1.240
vpngroup XXXXX split-tunnel 101
vpngroup XXXXX idle-time 1800
vpngroup XXXXX password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
terminal width 80


VPN Client Log
-----------------------------------------
Cisco Systems VPN Client Version 4.0.2 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

6      20:26:46.925  11/15/06  Sev=Warning/3      IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)

7      20:26:51.953  11/15/06  Sev=Warning/3      IKE/0xA3000056
Driver says we received a packet with invalid SPI (2283076355), sending INVALID-SPI notify.

I only have access to the 4.0.2 Version of the software, FYI.

Thanks

Question by:bitincusa
13 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 17952814
Can you issue the following commands and then try a VPN connection?

debug crypto isakmp
debug crypto ipsec

Please paste the output of the debug while a VPN connection is attempting to be established.

You state that you only have access to 4.0.2 of the VPN client.  That is a fairly old version of the software.  There is a good possibility that updating the VPN client software will fix this issue.  If you have a current SmartNet maintenance contract on your PIX, you should be able to get the most recent version.  Is there any way you can get a copy of it to at least rule this out as the possible problem?
 

Author Comment

by:bitincusa
ID: 17953066
Here is part of the debug from ISAKMP:

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3


Debug from IPSEC

IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with    xxx.xxx.xxx.xxx
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(validate_proposal): peer address xxx.xxx.xxx.xxx not found
IPSEC(key_engine): got a queue event...

 

Author Comment

by:bitincusa
ID: 17953070
Also, I do not have an active SmartNet at this time.
 
LVL 28

Accepted Solution

by:batry_boy (earned 250 total points)
ID: 17953133
It's not making it past Phase I of the negotiation process.  It looks like it's trying to use AES for the Phase I encryption, but you don't have that configured in the posted PIX config.  Is this the current PIX config?  I don't believe that the VPN client version you have supports AES which may be the issue...
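A small checker, added here and not part of the thread or of any Cisco tool, that parses the isakmp policy lines from the posted PIX config and the client transforms from the `debug crypto isakmp` output, and reports which policy attribute rejects each proposal. It assumes the debug format shown above; transform 9 in the sample input is constructed (3DES/MD5/group 2) to show what an accepted proposal looks like.

```python
import re
# Constructed sample: the isakmp policy lines from the PIX config and the debug format posted above
# (transform 5 is from the post; transform 9, 3DES/MD5/group 2, is made up to show an accepted one).
PIX_CONFIG = """\
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
ISAKMP_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
"""
# 'isakmp policy' keywords -> the names the debug prints for the client's proposal
ENC = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC", "aes-192": "AES-CBC", "aes-256": "AES-CBC"}
HASH = {"md5": "MD5", "sha": "SHA"}
def parse_policies(cfg):
    """{priority: {'encryption': ..., 'hash': ..., 'group': ...}} from PIX config text."""
    pols = {}
    for m in re.finditer(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", cfg):
        pols.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return pols
def parse_transforms(debug):
    """Client-offered Phase 1 transforms, in order, from 'debug crypto isakmp' output."""
    out = []
    for line in debug.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            out.append({"id": int(m.group(1))})
        elif out and (m := re.match(r"ISAKMP:\s+(encryption|hash|default group) (\S+)", line)):
            out[-1][m.group(1).replace("default ", "")] = m.group(2)
    return out
def mismatches(policy, t):
    """Attributes of transform t that this policy rejects (empty list = acceptable)."""
    wanted = {"encryption": ENC[policy["encryption"]], "hash": HASH[policy["hash"]], "group": policy["group"]}
    return [a for a, w in wanted.items() if t.get(a) != w]
def explain(cfg, debug):
    """transform id -> accepting policy priority, or {priority: rejected attrs} when none accepts."""
    pols, verdicts = parse_policies(cfg), {}
    for t in parse_transforms(debug):
        per = {p: mismatches(pols[p], t) for p in sorted(pols)}
        ok = [p for p, bad in per.items() if not bad]
        verdicts[t["id"]] = ok[0] if ok else per
    return verdicts
```

Running `explain(PIX_CONFIG, ISAKMP_DEBUG)` shows transform 5 rejected by both policies on encryption and hash (and on group by policy 20), which is exactly the "atts are not acceptable" result in the posted debug.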
 

Author Comment

by:bitincusa
ID: 17953276
Yes, this is the running config of the PIX.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17953936
As I recall the VPN client is free; it is the OS and the PDM that require the SmartNet/CCO access.

Rgds
Keith
 
LVL 28

Expert Comment

by:batry_boy
ID: 17953970
I did find the below statement at the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

"The Cisco® VPN Client is software that enables customers to establish secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin-design, IP Security (IPSec)-compliant implementation is available from Cisco.com for customers with Cisco SMARTnet® support, and is included free of charge with Cisco VPN 3000 Series concentrators, Cisco ASA 5500 Series security appliances, and most Cisco PIX security appliances."

I will verify and get back with you since I believe that trying the updated client will help your issue.
 
LVL 79

Assisted Solution

by:lrmoore (earned 250 total points)
ID: 17955245
Agree that VPN Client 4.02 is not very well supported on XP/SP2.

These tricks for 4.03 may work for 4.02 as well; may be worth a try.
http://ict.cas.psu.edu/training/howto/comm/vpn403-xpsp2.htm

Here's another discussion where 4.03 didn't work with XP SP2, but updating to 4.05 did:
http://www.peterprovost.org/archive/2004/08/12/1754.aspx

You really need the most recent 4.8 version of the client.
 
LVL 79

Expert Comment

by:lrmoore
ID: 18107905
Are you still working on this? Can you close out this question before the cleanup crew gets around to it?
Thanks!
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18108573
hehehe, I would have done it today, Les, but you've started the 21-day clock running again with your post, so I'll leave it be :)
 
LVL 79

Expert Comment

by:lrmoore
ID: 18108590
Oh, crap.... LOL!