VFtechnology

VPN for remote office.

I am currently trying to establish a VPN with a remote office user. I've got the Cisco VPN client installed on their laptop and I've gone through the VPN wizard in the ASDM UI; however, I am getting the following error message:
Secure VPN Connection terminated Peer.
Reason 433 (Reason not specified by Peer).
stuknhawaii

Can you provide output from the VPN client's log? On the VPN Client, click on Log at the top of the client, then click Enable. Then click on Log again and select "Log Window". This will pop up a window, and then you can cut/paste the log here.

ASKER

Here is the log from the VPN client:

Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      16:13:13.046  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process

2      16:13:13.078  01/24/08  Sev=Info/4      CM/0x63100004
Establish secure connection

3      16:13:13.078  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

4      16:13:13.453  01/24/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

5      16:13:13.453  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

6      16:13:18.828  01/24/08  Sev=Info/4      CM/0x63100026
Abort connection attempt before TCP session up

7      16:13:18.828  01/24/08  Sev=Info/4      CM/0x6310002D
Resetting TCP connection on port 10000

8      16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

10     16:13:18.953  01/24/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

11     16:14:20.796  01/24/08  Sev=Info/4      CM/0x63100002
Begin connection process

12     16:14:20.812  01/24/08  Sev=Info/4      CM/0x63100004
Establish secure connection

13     16:14:20.812  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

14     16:14:20.953  01/24/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

15     16:14:20.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

16     16:14:20.953  01/24/08  Sev=Info/4      CM/0x63100029
TCP connection established on port 10000 with server "72.236.69.130"

17     16:14:21.453  01/24/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "72.236.69.130"

18     16:14:21.468  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 72.236.69.130

19     16:14:21.515  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 72.236.69.130

20     16:14:21.531  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 72.236.69.130

21     16:14:21.531  01/24/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x092B, Remote Port = 0x01F4

22     16:14:21.531  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     16:14:21.562  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130

24     16:14:21.562  01/24/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

25     16:14:26.015  01/24/08  Sev=Info/4      CM/0x63100017
xAuth application returned

26     16:14:26.015  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

27     16:14:26.062  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130

28     16:14:26.062  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

29     16:14:26.062  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

30     16:14:26.640  01/24/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130

31     16:14:26.687  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 72.236.69.130

32     16:14:26.687  01/24/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

33     16:14:27.453  01/24/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

34     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

35     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310002D
Resetting TCP connection on port 10000

36     16:14:27.468  01/24/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

37     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

38     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

39     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

40     16:14:27.953  01/24/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

It looks to me like the VPN client's not getting an IP address offered to it. Can others connect? Can you post a copy of your config?
Does the remote user have a router in front of their laptop? If so, is VPN IPSec/PPTP/L2TP passthrough enabled on it?
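
The reading of the client log given in the replies above, as an added example that is not part of the original thread: a small Python parser for the log's two-line entries that reports which negotiation stages completed and how the session ended. The stage labels are names chosen for this example; the sample entries are copied from the log above.

```python
import re

# Entries copied from the second connection attempt in the client log above.
SAMPLE_LOG = """\
16     16:14:20.953  01/24/08  Sev=Info/4      CM/0x63100029
TCP connection established on port 10000 with server "72.236.69.130"

22     16:14:21.531  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

29     16:14:26.062  01/24/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

31     16:14:26.687  01/24/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 72.236.69.130

34     16:14:27.453  01/24/08  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+\S+\s+Sev=\S+\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
# Stage labels are chosen for this example; patterns match message text in the log.
STAGES = [("transport", re.compile(r"TCP connection established")),
          ("phase1", re.compile(r"Established Phase 1 SA")),
          ("xauth", re.compile(r"[1-9]\d* User Authenticated IKE SA"))]
PEER_DEL = re.compile(r"RECEIVING <<< ISAKMP OAK INFO \*\(.*\bDEL\b")
ABORTED = re.compile(r'deleted before (.+?) is completed cause by "([^"]+)"')

def parse_entries(text):
    """Yield (seq, component, msg_id, message) for each header + message pair."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = HEADER.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), lines[i + 1].strip()

def triage(text):
    """Report completed stages and how the session ended."""
    out = {"reached": [], "peer_delete": False, "failed_before": None, "reason": None}
    for _seq, _comp, _id, msg in parse_entries(text):
        for name, pat in STAGES:
            if name not in out["reached"] and pat.search(msg):
                out["reached"].append(name)
        if PEER_DEL.search(msg):
            out["peer_delete"] = True
        m = ABORTED.search(msg)
        if m:
            out["failed_before"], out["reason"] = m.group(1), m.group(2)
    return out
```

Calling `triage(SAMPLE_LOG)` shows the transport, Phase 1 and XAuth stages completing and the peer deleting the SA before Mode Config, which is the step where the client would receive its address.
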
Here is a portion of the config that I think is applicable to the issue; let me know if you need more. I'll also check if they have VPN IPSec/PPTP/L2TP passthrough enabled on their router. No other users are using the VPN at this time; this user is our first attempt.

group-policy VFvpn internal
group-policy VFvpn attributes
 dns-server value 192.168.1.8 192.168.1.5
 vpn-tunnel-protocol IPSec
 default-domain value ourdomain.local
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy VF internal
group-policy VF attributes
 dns-server value 192.168.1.8
 webvpn
group-policy VPN internal
group-policy VPN attributes
 dns-server value 192.168.1.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 webvpn
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1480
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
 pre-shared-key *
tunnel-group VF type ipsec-ra
tunnel-group VF general-attributes
 address-pool VPNip
 default-group-policy VF
tunnel-group VF ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 30
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect tftp
service-policy global_policy global
webvpn
 nbns-server 192.168.1.8 timeout 2 retry 2
 authorization-server-group LOCAL
 default-group-policy VFvpn
 authorization-required
 authorization-dn-attributes use-entire-name
smtp-server 192.168.1.6
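
One configuration check that follows from the "no IP address offered" observation, as an added example that is not part of the original thread: the excerpt gives tunnel-group VF an `address-pool` while also carrying `no vpn-addr-assign local`, which turns off address assignment from local pools. The function names are chosen for this example; the sample lines are copied from the excerpt above.

```python
import re

# Lines copied from the configuration excerpt posted above.
SAMPLE_CONFIG = """\
tunnel-group VF type ipsec-ra
tunnel-group VF general-attributes
 address-pool VPNip
 default-group-policy VF
tunnel-group VF ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
"""

def disabled_assign_methods(config):
    """Return the methods turned off with 'no vpn-addr-assign <method>'."""
    return set(re.findall(r"^no vpn-addr-assign (\S+)\s*$", config, re.M))

def tunnel_group_pools(config):
    """Map tunnel-group name -> pools named under its general-attributes."""
    pools, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):      # top-level command opens a new context
            m = re.match(r"tunnel-group (\S+) general-attributes\s*$", line)
            current = m.group(1) if m else None
        elif current and line.strip().startswith("address-pool "):
            # Skip an optional "(interface)" qualifier before the pool names.
            names = [t for t in line.split()[1:] if not t.startswith("(")]
            pools.setdefault(current, []).extend(names)
    return pools

def find_unusable_pools(config):
    """List (tunnel_group, pool) pairs that cannot hand out addresses
    because local-pool assignment is disabled globally."""
    if "local" not in disabled_assign_methods(config):
        return []
    return [(g, p) for g, ps in tunnel_group_pools(config).items() for p in ps]

if __name__ == "__main__":
    for group, pool in find_unusable_pools(SAMPLE_CONFIG):
        print(f"tunnel-group {group}: pool {pool} set, but local assignment is off")
```
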
ASKER CERTIFIED SOLUTION
stuknhawaii
Thanks, I can take it from here.