We help IT Professionals succeed at work.

Can not connect to a pix at a remote site.

KristenHoward
on
2,216 Views
Last Modified: 2013-11-16
I have a Cisco VPN client that I need to connect to a PIX at a remote site. The remote site is another company that we need to connect to to get their data. We have a juniper netscreen 25 firewall running ScreenOS 5.4.0 R6. The connection works outside of our network, but not inside. The VPN Client is using all default settings to connect. Here is the log of the Cisco VPN client:

Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1      17:16:03.979  10/11/07  Sev=Warning/3      GUI/0xA3B0000B
Reloaded the Certificates in all Certificate Stores successfully.
2      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100002
Begin connection process
3      17:16:12.823  10/11/07  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
4      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet
5      17:16:12.823  10/11/07  Sev=Info/4      CM/0x63100024
Attempt connection with server "216.x.x.x"
6      17:16:13.823  10/11/07  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 216.x.x.x.
7      17:16:13.839  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 216.x.x.x
8      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started
9      17:16:13.839  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
10     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 216.x.x.x
11     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 216.x.x.x
12     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH
13     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer supports DPD
14     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer
15     17:16:14.229  10/11/07  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
16     17:16:14.229  10/11/07  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified
17     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
18     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
19     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 216.x.x.x
20     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 216.201.117.194
21     17:16:14.229  10/11/07  Sev=Warning/2      IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
22     17:16:14.229  10/11/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
23     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=EDEF4D4BF3CEA781 R_Cookie=965624B709EFA40A) reason = DEL_REASON_IKE_NEG_FAILED
24     17:16:14.745  10/11/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "216.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
25     17:16:14.745  10/11/07  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv
26     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection
27     17:16:14.745  10/11/07  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
28     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
29     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
30     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys
31     17:16:15.245  10/11/07  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

I have changed the ip address of the client to 216.x.x.x to protect their identity. Please let me know what other information I can give you.
Comment
Watch Question

Commented:
Hi

If the connection works ok outside your network then the most likely cause is nat.  When you are behind a NAT device, your IPSec encrypted traffic has problems getting back to you.
If you configure nat traversal on the PIX - it will allow the encrypted traffic back behind the nat device.

To do this - logon to the PIX and
conf t
isakmp nat-traversal 30


This command will not affect any other traffic flows on the PIX - it just assists in the problem you are having.
You may or may not need to configure same on the netscreen but I am not familiar with how to do this on a netscreen.  
cheers

Author

Commented:
He says his version of IOS does not have the command isakmp nat-traversal 30

Commented:
He must have a very old PIX OS is it doesn't support nat traversal - can you find out what OS it is?
sh ver will tell him

Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.