Solved

Cisco Firewall / VPN issue - Can not connect to Firewall using Cisco VPN client software 5.0. Debug crypto isakmp shows error

Posted on 2007-07-27
2
Medium Priority
12,328 Views
Last Modified: 2010-10-26
Hello All,

I am receiving an error when I try to connect to a Cisco ASA using Cisco VPN client 5.0 on Windows Vista. The strange thing is the VPN was working fine. Tried rebooting Vista, no luck. I tried rebooting the ASA and I am still getting that same error. I've seen this error on other threads due to a configuration change. The ASA configuration has not changed at all. Any help or suggestions? Thank you :-)

The debug crypto isakmp shows the following error:

Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Removing peer from peer table failed, no match!
Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Error: Unable to remove PeerTblEntry

sh crypto isakmp sa shows:

Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.224
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

Here is my ASA config:

The ASA 7.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.28.5.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 security-level 100
 no ip address
!            
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd OLwrzN2..uVF.NHM encrypted
ftp mode passive
access-list 100 extended permit icmp any any
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit esp any any
access-list 100 extended permit ip any host x.x.x.50
access-list 100 extended permit tcp any host x.x.x.10 eq 3389
access-list 100 extended permit ip any host x.x.x.3
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list VPNCLIENT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list Acacia extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list ROXBURY extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnclientpool 10.1.19.50-10.1.19.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.50 10.1.3.50 netmask 255.255.255.255
static (inside,outside) x.x.x.10 10.1.3.10 netmask 255.255.255.255
static (inside,outside) x.x.x.3 10.1.3.250 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.28.5.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth host 10.1.3.10
 timeout 5
 key *****
group-policy BARODA internal
group-policy BARODA attributes
 wins-server value 10.1.3.10
 dns-server value 10.1.3.10
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNCLIENT
 default-domain value barodaventures.local
 webvpn
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location Baroda Ventures
snmp-server contact emailaddress@mycompany.com
snmp-server community 9ice411
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 100 match address BARODA
crypto map VPNmap 100 set pfs
crypto map VPNmap 100 set peer x.x.x.10
crypto map VPNmap 100 set transform-set ESP-3DES-MD5
crypto map VPNmap 200 match address ROXBURY
crypto map VPNmap 200 set pfs
crypto map VPNmap 200 set peer x.x.x.2
crypto map VPNmap 200 set transform-set ESP-3DES-MD5
crypto map VPNmap 300 match address Acacia
crypto map VPNmap 300 set pfs
crypto map VPNmap 300 set peer x.x.x.196
crypto map VPNmap 300 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) partnerauth
tunnel-group x.x.x.196 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.10 type ipsec-l2l
tunnel-group x.x.x.10 ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
 pre-shared-key *
tunnel-group BARODA type ipsec-ra
tunnel-group BARODA general-attributes
 address-pool vpnclientpool
 authentication-server-group partnerauth
 default-group-policy BARODA
tunnel-group BARODA ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
Question by:greenbeanx81
2 Comments
 

Author Comment

by:greenbeanx81
ID: 19580958
Hello All,

I ran a crypto debug level 15. Here is the output. What concerns me is the duplicate phase 1 packets.  Any thoughts?

Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ke payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ISA_KE payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing nonce payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received xauth V6 VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received DPD VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received Fragmentation VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received NAT-Traversal ver 02 VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received Cisco Unity client VID
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, Connection landed on tunnel_group BARODA
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, processing IKE SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ISAKMP SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ke payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing nonce payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Generating keys for Responder...
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing hash payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Computing hash for ISAKMP
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing Cisco Unity VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing xauth V6 VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing dpd vid payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Traversal VID ver 02 payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Discovery payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, computing NAT Discovery hash
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Discovery payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, computing NAT Discovery hash
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing Fragmentation VID + extended capabilities payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jul 27 01:15:21 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:21 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:26 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:26 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:31 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:31 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE AM Responder FSM error history (struct &0x35fbd08)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE SA AM:9e37833d terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, sending delete/delete with reason message
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing blank hash payload
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing IKE delete payload
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing qm hash payload
Jul 27 01:15:39 [IKEv1]: IP = x.x.x.181, IKE_DECODE SENDING Message (msgid=c4edb2e1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Removing peer from peer table failed, no match!
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Error: Unable to remove PeerTblEntry
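Added example (my own script, not code from the thread or from Cisco): a small triage routine that reads ASA "debug crypto isakmp" output like the lines above and summarises the aggressive-mode exchange: whether the client's message 1 was accepted and message 2 sent, how many times the peer re-sent its first packet, and, from the "FSM error history" line, the state the responder was in when it gave up. The sample lines are a trimmed copy of the debug posted above; the state descriptions in STATE_MEANING are my own reading of the ASA state names, not text from the thread.

```python
import re

# Constructed sample: a trimmed copy of the "debug crypto isakmp" lines posted above.
SAMPLE_DEBUG = """\
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 850
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, Connection landed on tunnel_group BARODA
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 428
Jul 27 01:15:21 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:26 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:31 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE AM Responder FSM error history (struct &0x35fbd08)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Removing peer from peer table failed, no match!
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Error: Unable to remove PeerTblEntry
"""

# One debug line: timestamp, level, optional "Group = X, ", "IP = Y, ", free text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<level>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# My own reading of the aggressive-mode responder state names (assumption, not thread text).
STATE_MEANING = {
    "AM_SND_MSG2": "responder was building or sending aggressive-mode message 2",
    "AM_WAIT_MSG3": "responder sent message 2 and was waiting for the initiator's "
                    "message 3 (the hash that completes Phase 1)",
    "AM_DONE": "Phase 1 finished (here: torn down on error)",
}


def parse_events(text):
    """Split raw debug output into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def parse_fsm_history(msg):
    """Return (state, event) pairs from an FSM error-history message, newest first."""
    _, _, history = msg.partition("<state>, <event>:")
    pairs = []
    for token in history.split("-->"):
        state, _, event = token.strip().partition(", ")
        if state and event:
            pairs.append((state, event))
    return pairs


def triage(text):
    """Reduce one failed negotiation to the facts a responder needs."""
    summary = {
        "peer_ip": None, "tunnel_group": None,
        "msg1_received": False, "msg2_sent": False,
        "duplicate_phase1": 0, "stalled_state": None, "stall_events": [],
        "terminated_with_errors": [],
    }
    for ev in parse_events(text):
        msg = ev["msg"]
        summary["peer_ip"] = summary["peer_ip"] or ev["ip"]
        if ev["group"]:
            summary["tunnel_group"] = ev["group"]
        if "IKE_DECODE RECEIVED Message (msgid=0)" in msg:
            summary["msg1_received"] = True
        elif "IKE_DECODE SENDING Message (msgid=0)" in msg:
            summary["msg2_sent"] = True
        elif msg.startswith("Duplicate Phase 1 packet detected"):
            summary["duplicate_phase1"] += 1
        elif "FSM error history" in msg:
            pairs = parse_fsm_history(msg)
            # Newest entry first: pairs[0] is the terminal (AM_DONE, EV_ERROR);
            # the state it was entered from is where the handshake stalled.
            if len(pairs) > 1:
                stalled = pairs[1][0]
                summary["stalled_state"] = stalled
                summary["stall_events"] = [e for s, e in pairs if s == stalled]
        elif msg.startswith("Error:") or "failed" in msg:
            summary["terminated_with_errors"].append(msg)
    return summary


def explain(summary):
    """Turn a triage summary into one-line findings."""
    lines = [f"peer {summary['peer_ip']} landed on tunnel-group {summary['tunnel_group']}"]
    if summary["msg1_received"] and summary["msg2_sent"]:
        lines.append("Phase 1 message 1 accepted and message 2 sent")
    if summary["duplicate_phase1"]:
        lines.append(f"peer re-sent its first packet {summary['duplicate_phase1']} times "
                     "instead of answering message 2")
    st = summary["stalled_state"]
    if st:
        lines.append(f"gave up in {st}: {STATE_MEANING.get(st, 'unknown state')} "
                     f"(events: {', '.join(summary['stall_events'])})")
    lines.extend(summary["terminated_with_errors"])
    return lines


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_DEBUG)):
        print("-", finding)
```

On this capture the responder reached AM_WAIT_MSG3: it answered the client's first packet, then saw only repeats of that first packet every five seconds until its timer expired. The "Unable to remove PeerTblEntry" lines at the end are the cleanup after that timeout, not the cause, so the place to look next is whether the client ever receives and accepts message 2 (the UDP/500 return path, NAT-T on UDP/4500, and the group name and pre-shared key the client presents for tunnel-group BARODA).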
LVL 79

Accepted Solution

by: lrmoore earned 2000 total points
ID: 19581895
> nameif inside
> ip address 10.28.5.20 255.255.255.0

If your inside LAN subnet is 10.28.5.0/24, then nothing else in the config makes any sense.
All of your ACLs and statics refer to 10.1.3.0/24 as being inside.
You have no inside route statement routing 10.1.3.0 anywhere.

What exact versions of ASA 7.x and VPN client are you using?
There is a new VPN client, version 5.0.0600.


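Added example (my own script, not from the thread or from Cisco) of the sanity check the answer above does by eye: it parses the interface, route, nat 0 and static lines of an ASA 7.x-style config and reports, for every inside address the config references, whether the firewall reaches it on a directly connected interface, through a static route, or not at all, and whether that interface is the one the static or nat statement claims. The sample is the thread's config with the masked x.x.x outside addresses replaced by TEST-NET-3 placeholders (203.0.113.0/24); a second copy with the "route inside 10.0.0.0 255.0.0.0" line removed shows the case the answer describes, where the 10.1.3.0/24 hosts fall through to the default route on the outside interface.

```python
import ipaddress

# Constructed sample: the interface, route, nat 0 and static lines from the config posted
# above, with the masked "x.x.x" outside addresses replaced by TEST-NET-3 placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 ip address 10.28.5.20 255.255.255.0
!
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
nat (inside) 0 access-list NONAT
static (inside,outside) 203.0.113.50 10.1.3.50 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 10.1.3.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.28.5.10 1
"""
# Same config without the inside summary route: the situation the answer above describes.
SAMPLE_CONFIG_NO_ROUTE = SAMPLE_CONFIG.replace("route inside 10.0.0.0 255.0.0.0 10.28.5.10 1\n", "")


def parse_config(text):
    """Pull out only the pieces the reachability check needs; everything else is ignored."""
    interfaces, routes, statics, acls, nat0 = {}, [], [], {}, []
    cur = None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if line.startswith(" ") and cur is not None:      # indented line inside an interface block
            if p[0] == "nameif":
                cur["nameif"] = p[1]
            elif p[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.ip_interface(f"{p[2]}/{p[3]}")   # dotted masks are accepted
            if cur["nameif"] and cur["ip"]:
                interfaces[cur["nameif"]] = cur["ip"]
            continue
        cur = {"nameif": None, "ip": None} if p[0] == "interface" else None
        if p[0] == "route":                                 # route <if> <net> <mask> <next-hop> ...
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}"), p[4]))
        elif p[0] == "static":                              # static (in,out) <global> <local> ...
            in_if, out_if = p[1].strip("()").split(",")
            statics.append((in_if, out_if, p[2], p[3]))
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            nat0.append((p[1].strip("()"), p[4]))
        elif p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            try:   # only plain "net mask net mask" entries; any/host forms are skipped
                acls.setdefault(p[1], []).append(
                    (ipaddress.ip_network(f"{p[5]}/{p[6]}"), ipaddress.ip_network(f"{p[7]}/{p[8]}")))
            except (ValueError, IndexError):
                pass
    return interfaces, routes, statics, acls, nat0


def resolve(net, interfaces, routes):
    """Return (interface name, how) for the way the firewall would forward to `net`."""
    for name, iface in interfaces.items():
        if net.subnet_of(iface.network):
            return name, f"connected ({iface.network})"
    best = None                                             # longest-prefix match over static routes
    for name, rnet, nh in routes:
        if net.subnet_of(rnet) and (best is None or rnet.prefixlen > best[1].prefixlen):
            best = (name, rnet, nh)
    if best:
        return best[0], f"static route {best[1]} via {best[2]}"
    return None, "no matching interface or route"


def check_config(text):
    """One finding per static local address and per nat 0 source network."""
    interfaces, routes, statics, acls, nat0 = parse_config(text)
    findings = []
    for in_if, _out_if, global_ip, local_ip in statics:
        rif, how = resolve(ipaddress.ip_network(local_ip + "/32"), interfaces, routes)
        findings.append({"ref": f"static {global_ip} -> {local_ip}", "expected_if": in_if,
                         "resolved_if": rif, "how": how, "ok": rif == in_if})
    for nat_if, acl_name in nat0:
        for src, _dst in acls.get(acl_name, []):
            rif, how = resolve(src, interfaces, routes)
            findings.append({"ref": f"nat ({nat_if}) 0 {acl_name} source {src}", "expected_if": nat_if,
                             "resolved_if": rif, "how": how, "ok": rif == nat_if})
    return findings


if __name__ == "__main__":
    for label, cfg in (("with inside route", SAMPLE_CONFIG), ("without inside route", SAMPLE_CONFIG_NO_ROUTE)):
        print(label)
        for f in check_config(cfg):
            print(f"  {'OK ' if f['ok'] else 'BAD'} {f['ref']}: {f['how']} (expected {f['expected_if']})")
```

With the thread's config every 10.1.3.x reference resolves to the inside interface through the 10.0.0.0/8 route via 10.28.5.10 rather than to a connected subnet; drop that route and the same addresses resolve to the outside interface via the default route, which is the mismatch between "inside" in the static/nat statements and where the firewall would actually forward the traffic.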
