Can not connect to a pix at a remote site.

Posted on 2007-10-11
Last Modified: 2013-11-16
I have a Cisco VPN client that I need to connect to a PIX at a remote site. The remote site is another company that we need to connect to to get their data. We have a Juniper NetScreen 25 firewall running ScreenOS 5.4.0 R6. The connection works outside of our network, but not inside. The VPN Client is using all default settings to connect. Here is the log of the Cisco VPN client:

Cisco Systems VPN Client Version
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1      17:16:03.979  10/11/07  Sev=Warning/3      GUI/0xA3B0000B
Reloaded the Certificates in all Certificate Stores successfully.
2      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100002
Begin connection process
3      17:16:12.823  10/11/07  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
4      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet
5      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100024
Attempt connection with server "216.x.x.x"
6      17:16:13.823  10/11/07  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 216.x.x.x.
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 216.x.x.x
8      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started
9      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
10     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.x
11     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 216.x.x.x
12     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH
13     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports DPD
14     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer
15     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
16     17:16:14.229  10/11/07  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified
17     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
18     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
19     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
20     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
21     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
22     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
23     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
24     17:16:14.745  10/11/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "216.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
25     17:16:14.745  10/11/07  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv
26     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection
27     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
28     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
29     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
30     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
31     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

I have changed the IP address of the client to 216.x.x.x to protect their identity. Please let me know what other information I can give you.
Question by:KristenHoward
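A small reader for the Cisco VPN client log format quoted in the question (an added example, not part of the original thread; the excerpt below is a constructed shortening of the quoted log). It pairs each numbered header with its message line, copes with entries like 19 and 20 that carry no message, and reports whether the peer answered, whether its HASH verified, and the failure reason the client recorded:

```python
import re

# Constructed excerpt in the Cisco VPN client log format quoted above (header line, then its message line).
SAMPLE_LOG = """\
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(Nat-T)) to 216.x.x.x
11     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), KE, ID, NON, HASH) from 216.x.x.x
17     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
19     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
20     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
24     17:16:14.745  10/11/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "216.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Header line: seq, time, date, Sev=<name>/<level>, <component>/<hex code>
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
REASON = re.compile(r'because of "(\w+)"')


def parse_entries(text: str) -> list:
    # Pair each header with the message line after it. Entries 19/20 in the question have
    # no message, so a header followed by another header keeps an empty message.
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2), "severity": m.group(4),
                            "level": int(m.group(5)), "component": m.group(6), "code": m.group(7), "msg": ""})
        elif entries and not entries[-1]["msg"]:
            entries[-1]["msg"] = line.strip()
    return entries


def diagnose_phase1(text: str) -> dict:
    # Did the peer answer at all, did its HASH verify, and what reason did the client record?
    entries = parse_entries(text)
    msgs = [e["msg"] for e in entries]
    reasons = [m.group(1) for m in (REASON.search(s) for s in msgs) if m]
    d = {
        "reply_received": any(s.startswith("RECEIVING <<< ISAKMP OAK AG") for s in msgs),
        "hash_failed": any(e["code"] == "0xE300007D" for e in entries),
        "warnings": [s for e, s in zip(entries, msgs) if e["severity"] == "Warning" and s],
        "reason": reasons[-1] if reasons else None,
    }
    d["hint"] = ("no ISAKMP reply received" if not d["reply_received"]
                 else "peer answered but its HASH did not verify" if d["hash_failed"]
                 else d["reason"] or "phase 1 negotiated")
    return d
```

Silence (no RECEIVING line) and a reply whose HASH fails are different failures: in the second case the peer is reachable, which is why the thread looks at the group password and the NAT path rather than at basic connectivity.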

Expert Comment

ID: 20062964

If the connection works OK outside your network then the most likely cause is NAT. When you are behind a NAT device, your IPSec encrypted traffic has problems getting back to you.
If you configure NAT traversal on the PIX - it will allow the encrypted traffic back behind the NAT device.

To do this - logon to the PIX and
conf t
isakmp nat-traversal 30

This command will not affect any other traffic flows on the PIX - it just assists in the problem you are having.
You may or may not need to configure the same on the NetScreen but I am not familiar with how to do this on a NetScreen.

Author Comment

ID: 20080860
He says his version of IOS does not have the command isakmp nat-traversal 30

Expert Comment

ID: 20080897
He must have a very old PIX OS if it doesn't support NAT traversal - can you find out what OS it is?
sh ver will tell him


Accepted Solution

ccreamer_22 earned 2000 total points
ID: 20097066
Do you have UDP 4500, 4000 and 10000 open? If so, make sure that they are coming from the correct source port. A lot of non-Cisco firewalls are set up to NAT out the information on a random source port. For example:

src-id port 4500 dst-id port 4500 becomes
src-id port 8961 dst-id port 4500

A lot of older Cisco equipment is sensitive to this and will not allow a connection from another source port.
