VFtechnology
asked on
VPN for remote office.
I am currently trying to establish a VPN with a remote office user. I've got the Cisco VPN client installed on their laptop and I've gone through the VPN wizard in the ASDM UI; however, I am getting the following error message:
Secure VPN Connection terminated Peer.
Reason 433 (Reason not specified by Peer).
Can you provide output from the VPN client's log? On the VPN Client, click on Log at the top of the client, then click Enable. Then click on Log again and select "Log Window". This will pop up a window and then you can cut/paste the log here.
Possible EE Solution:
https://www.experts-exchange.com/questions/22735049/Cisco-VPN-access-problem.html
ASKER
Here is the log from the VPN client:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 16:13:13.046 01/24/08 Sev=Info/4 CM/0x63100002
Begin connection process
2 16:13:13.078 01/24/08 Sev=Info/4 CM/0x63100004
Establish secure connection
3 16:13:13.078 01/24/08 Sev=Info/4 CM/0x63100024
Attempt connection with server "72.236.69.130"
4 16:13:13.453 01/24/08 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
5 16:13:13.453 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
6 16:13:18.828 01/24/08 Sev=Info/4 CM/0x63100026
Abort connection attempt before TCP session up
7 16:13:18.828 01/24/08 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000
8 16:13:18.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 16:13:18.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 16:13:18.953 01/24/08 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
11 16:14:20.796 01/24/08 Sev=Info/4 CM/0x63100002
Begin connection process
12 16:14:20.812 01/24/08 Sev=Info/4 CM/0x63100004
Establish secure connection
13 16:14:20.812 01/24/08 Sev=Info/4 CM/0x63100024
Attempt connection with server "72.236.69.130"
14 16:14:20.953 01/24/08 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
15 16:14:20.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16 16:14:20.953 01/24/08 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "72.236.69.130"
17 16:14:21.453 01/24/08 Sev=Info/4 CM/0x63100024
Attempt connection with server "72.236.69.130"
18 16:14:21.468 01/24/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 72.236.69.130
19 16:14:21.515 01/24/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 72.236.69.130
20 16:14:21.531 01/24/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 72.236.69.130
21 16:14:21.531 01/24/08 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x092B, Remote Port = 0x01F4
22 16:14:21.531 01/24/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
23 16:14:21.562 01/24/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130
24 16:14:21.562 01/24/08 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 16:14:26.015 01/24/08 Sev=Info/4 CM/0x63100017
xAuth application returned
26 16:14:26.015 01/24/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130
27 16:14:26.062 01/24/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 72.236.69.130
28 16:14:26.062 01/24/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130
29 16:14:26.062 01/24/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
30 16:14:26.640 01/24/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 72.236.69.130
31 16:14:26.687 01/24/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 72.236.69.130
32 16:14:26.687 01/24/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
33 16:14:27.453 01/24/08 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A087C206C81115C4 R_Cookie=01086DE0622A66C9) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
34 16:14:27.453 01/24/08 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED" . 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
35 16:14:27.453 01/24/08 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000
36 16:14:27.468 01/24/08 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
37 16:14:27.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
38 16:14:27.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
39 16:14:27.953 01/24/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
40 16:14:27.953 01/24/08 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
It looks to me like the VPN client's not getting an IP address offered to it. Can others connect? Can you post a copy of your config?
Does the remote user have a router in front of their laptop? If so, is VPN IPSec/PPTP/L2TP passthrough enabled on it?
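How the log above supports that reading, as an added example that is not part of the original thread: the second attempt completes Phase 1 and XAuth, then the peer sends a DEL before Mode Config, the step in which the client would be handed its address. The function names and stage labels are this example's own, and the sample is an excerpt of the posted log.

```python
import re

# Excerpt of the client log above, embedded so the example runs offline.
SAMPLE_LOG = """\
1 16:13:13.046 01/24/08 Sev=Info/4 CM/0x63100002
Begin connection process
6 16:13:18.828 01/24/08 Sev=Info/4 CM/0x63100026
Abort connection attempt before TCP session up
11 16:14:20.796 01/24/08 Sev=Info/4 CM/0x63100002
Begin connection process
22 16:14:21.531 01/24/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
29 16:14:26.062 01/24/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
31 16:14:26.687 01/24/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 72.236.69.130
34 16:14:27.453 01/24/08 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED" . 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+\S+\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+$")
# Milestones in the order a successful connection reaches them.
MILESTONES = [
    ("tcp_up", re.compile(r"TCP connection established")),
    ("phase1", re.compile(r"Established Phase 1 SA\..* 0 User Authenticated")),
    ("xauth", re.compile(r"Established Phase 1 SA\..* [1-9]\d* User Authenticated")),
]

def parse_entries(text):
    """Pair each numbered header line with the message line(s) that follow it."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append([int(m.group(1)), m.group(2), m.group(3), ""])
        elif entries and line:
            entries[-1][3] = (entries[-1][3] + " " + line).strip()
    return entries

def summarize_attempts(text):
    """Return one dict per connection attempt: last stage reached and why it ended."""
    attempts = []
    for _seq, ts, _comp, msg in parse_entries(text):
        if msg.startswith("Begin connection process"):
            attempts.append({"start": ts, "stage": "started", "peer_delete": False, "failure": None})
        elif attempts:
            cur = attempts[-1]
            for stage, pattern in MILESTONES:
                if pattern.search(msg):
                    cur["stage"] = stage
            if msg.startswith("RECEIVING") and "ISAKMP OAK INFO" in msg and "DEL" in msg:
                cur["peer_delete"] = True
            if "Abort connection attempt" in msg or "deleted before Mode Config" in msg:
                cur["failure"] = msg
    return attempts
```

An attempt whose stage is `xauth` with `peer_delete` set failed after authentication, which points at the head end's post-authentication settings rather than at the pre-shared key or the user's credentials.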
ASKER
Here is a portion of the config that I think is applicable to the issue. Let me know if you need more. I'll also check if they have VPN IPSec/PPTP/L2TP passthrough enabled on their router. No other users are using the VPN at this time; this user is our first attempt.
group-policy VFvpn internal
group-policy VFvpn attributes
dns-server value 192.168.1.8 192.168.1.5
vpn-tunnel-protocol IPSec
default-domain value ourdomain.local
webvpn
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy VF internal
group-policy VF attributes
dns-server value 192.168.1.8
webvpn
group-policy VPN internal
group-policy VPN attributes
dns-server value 192.168.1.8
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
webvpn
vpn-tunnel-protocol IPSec webvpn
webvpn
functions url-entry file-access file-entry file-browsing mapi port-forward filter http-proxy
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1480
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
pre-shared-key *
tunnel-group VF type ipsec-ra
tunnel-group VF general-attributes
address-pool VPNip
default-group-policy VF
tunnel-group VF ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 30
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect tftp
service-policy global_policy global
webvpn
nbns-server 192.168.1.8 timeout 2 retry 2
authorization-server-group LOCAL
default-group-policy VFvpn
authorization-required
authorization-dn-attributes use-entire-name
smtp-server 192.168.1.6
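One check a reader can run against the config portion above, following the earlier remark that the client does not seem to be offered an address (an added example, not from the thread and not the accepted solution): it lists, per remote-access tunnel group, which address sources the global `vpn-addr-assign` settings leave usable. The function names are hypothetical, and the code assumes all three methods are on unless a `no` form appears.

```python
import re

# The address-assignment lines from the config portion posted above.
SAMPLE_CONFIG = """\
tunnel-group VF type ipsec-ra
tunnel-group VF general-attributes
address-pool VPNip
default-group-policy VF
tunnel-group VF ipsec-attributes
no vpn-addr-assign aaa
no vpn-addr-assign local
"""

def enabled_methods(lines):
    # Assumption: aaa, dhcp and local are all on unless a "no" form is present.
    methods = {"aaa", "dhcp", "local"}
    for line in lines:
        m = re.match(r"(no\s+)?vpn-addr-assign\s+(aaa|dhcp|local)\b", line)
        if m and m.group(1):
            methods.discard(m.group(2))
        elif m:
            methods.add(m.group(2))
    return methods

def address_sources(config):
    """Map each ipsec-ra tunnel-group to the address sources it can actually use."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    methods = enabled_methods(lines)
    groups, section = {}, None
    for line in lines:
        words = line.split()
        if words[0] == "tunnel-group" and len(words) >= 3:
            group = groups.setdefault(words[1], {"type": None, "pools": [], "dhcp": []})
            # Sub-commands that follow belong to this group's general-attributes.
            section = words[1] if words[2] == "general-attributes" else None
            if words[2] == "type" and len(words) >= 4:
                group["type"] = words[3]
        elif section and words[0] == "address-pool":
            groups[section]["pools"] += words[1:]
        elif section and words[0] == "dhcp-server":
            groups[section]["dhcp"] += words[1:]
    result = {}
    for name, group in groups.items():
        if group["type"] != "ipsec-ra":
            continue
        usable = []
        if "local" in methods and group["pools"]:
            usable.append("local:" + ",".join(group["pools"]))
        if "dhcp" in methods and group["dhcp"]:
            usable.append("dhcp:" + ",".join(group["dhcp"]))
        if "aaa" in methods:
            usable.append("aaa")
        result[name] = usable  # an empty list means no address can be offered
    return result
```

For the posted lines the result for group `VF` is an empty list: the group names the pool `VPNip`, but local assignment is switched off globally and no DHCP server is set on the group.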
ASKER CERTIFIED SOLUTION
ASKER
Thanks, I can take it from here.