Cannot connect to a PIX at a remote site.

Posted on 2007-10-11
Last Modified: 2013-11-16
I have a Cisco VPN client that I need to connect to a PIX at a remote site. The remote site is another company that we need to connect to in order to get their data. We have a Juniper NetScreen 25 firewall running ScreenOS 5.4.0 R6. The connection works outside of our network, but not inside. The VPN Client is using all default settings to connect. Here is the log of the Cisco VPN client:

Cisco Systems VPN Client Version
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1      17:16:03.979  10/11/07  Sev=Warning/3      GUI/0xA3B0000B
Reloaded the Certificates in all Certificate Stores successfully.
2      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100002
Begin connection process
3      17:16:12.823  10/11/07  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
4      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet
5      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100024
Attempt connection with server "216.x.x.x"
6      17:16:13.823  10/11/07  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 216.x.x.x.
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 216.x.x.x
8      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started
9      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
10     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.x
11     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 216.x.x.x
12     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH
13     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports DPD
14     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer
15     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
16     17:16:14.229  10/11/07  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified
17     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
18     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
19     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
20     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
21     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
22     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
23     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
24     17:16:14.745  10/11/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "216.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
25     17:16:14.745  10/11/07  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv
26     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection
27     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
28     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
29     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
30     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
31     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

I have changed the IP address of the client to 216.x.x.x to protect their identity. Please let me know what other information I can give you.
Question by: KristenHoward

    LVL 19

    Expert Comment

    If the connection works ok outside your network then the most likely cause is NAT.  When you are behind a NAT device, your IPSec encrypted traffic has problems getting back to you.
    If you configure NAT traversal on the PIX - it will allow the encrypted traffic back behind the NAT device.

    To do this - log on to the PIX and
    conf t
    isakmp nat-traversal 30

    This command will not affect any other traffic flows on the PIX - it just assists in the problem you are having.
    You may or may not need to configure same on the netscreen but I am not familiar with how to do this on a netscreen.  

    Author Comment

    He says his version of IOS does not have the command isakmp nat-traversal 30
    LVL 19

    Expert Comment

    He must have a very old PIX OS if it doesn't support NAT traversal - can you find out what OS it is?
    sh ver will tell him

    LVL 5

    Accepted Solution

    Do you have UDP 4500, 4000 and 10000 open? If so, make sure that they are coming from the correct source port. A lot of non-Cisco firewalls are set up to NAT out the information on a random source port. For example:

    src-id port 4500 dst-id port 4500 becomes
    src-id port 8961 dst-id port 4500

    A lot of older Cisco equipment is sensitive to this and will not allow a connection from another source port.
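As an added example for this thread (not code from the original posts, from Cisco or from Juniper), here is a small Python parser for the client log format shown in the question, run over lines constructed from that log. It pulls out the two things the posted log already tells you: the client offered VID(Nat-T) in its Aggressive Mode proposal but the peer's reply did not echo it, so NAT traversal was never negotiated (consistent with the second expert comment that the remote PIX OS lacks it), and Phase 1 died at hash verification rather than on a missing reply. The header layout, the finding tags and both sample logs are this script's own assumptions.

```python
"""Diagnose a Cisco VPN Client IKE Phase 1 failure from its log output.

Added example for this thread, not code from the original post or from Cisco.
It assumes only the log layout visible in the question: a header line
"<n>  <hh:mm:ss.mmm>  <mm/dd/yy>  Sev=<Level>/<n>  <MODULE>/0x<code>" followed
by one message line (occasionally none). Sample logs are constructed from the
posted log; the finding tags are this script's own.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\d{2}/\d{2}/\d{2}\s+"
    r"Sev=(?P<level>\w+)/\d\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)
VID_RE = re.compile(r"VID\(([^)]*)\)")


@dataclass
class Entry:
    seq: int
    level: str
    module: str
    code: str
    message: str = ""


def parse_log(text):
    """Pair each header line with the message line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if pending is not None:  # header with no message (entries 19/20)
                entries.append(pending)
            pending = Entry(int(m["seq"]), m["level"], m["module"], m["code"].upper())
        elif pending is not None and line.strip():
            pending.message = line.strip()
            entries.append(pending)
            pending = None
    if pending is not None:
        entries.append(pending)
    return entries  # banner lines before the first header are dropped


def vendor_ids(entry):
    """Vendor ID names listed in a SENDING/RECEIVING ISAKMP line."""
    return set(VID_RE.findall(entry.message))


def diagnose(entries):
    """Return {tag: explanation} for what the log shows about IKE Phase 1."""
    findings = {}
    sent = [e for e in entries if e.message.startswith("SENDING >>> ISAKMP OAK AG")]
    recv = [e for e in entries if e.message.startswith("RECEIVING <<< ISAKMP OAK AG")]
    if not sent:
        findings["no_proposal"] = "client never sent an Aggressive Mode proposal"
    elif not recv:
        # Nothing came back on UDP 500: filtering or NAT return path, not auth.
        findings["no_reply"] = "no ISAKMP reply from peer; check UDP 500 both ways"
    else:
        offered, echoed = vendor_ids(sent[0]), vendor_ids(recv[0])
        # RFC 3947: NAT-T is used only when both sides send the NAT-T vendor ID.
        if "Nat-T" in offered and "Nat-T" not in echoed:
            findings["nat_t_not_negotiated"] = (
                "peer did not echo VID(Nat-T); ESP will not be UDP-encapsulated "
                "and must cross any NAT as raw IP protocol 50")
    # 0xE300007D is the client's "Hash verification failed" event. HASH_R is
    # keyed with SKEYID, derived (for PSK auth) from the group password and
    # both nonces, so a mismatch means the sides did not share key material.
    if any(e.code == "E300007D" for e in entries):
        findings["hash_failed"] = "Phase 1 HASH_R did not verify with the group password"
    if any("DEL_REASON_IKE_NEG_FAILED" in e.message for e in entries):
        findings["phase1_failed"] = "IKE SA torn down before Phase 1 completed"
    return findings


# Constructed from the log in the question (peer address kept as 216.x.x.x).
SAMPLE_LOG = """\
Cisco Systems VPN Client Version
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 216.x.x.x
11     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 216.x.x.x
17     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
19     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
20     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
22     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Constructed: the proposal goes out but nothing ever comes back.
NO_REPLY_LOG = """\
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Nat-T)) to 216.x.x.x
"""

if __name__ == "__main__":
    for tag, why in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"{tag}: {why}")
```

What the client log cannot show is what the NetScreen did to the UDP source port on the way out, which is the accepted solution's point; for that you need a capture on the NetScreen's untrust side comparing the UDP 500/4500 source ports with those seen on the inside.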
