• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4520
  • Last Modified:

VPN clients not connecting. "No private IP address was assigned by the peer" in vpn client log

Hello All,

     I have a client that is having a problem connecting to VPN using Cisco VPN client 5.0. He was fine until we  configured his router with an additional T1 for the internet. When I have a client connect to the router I am not recieving isakmp or ipsec debugging information. On the vpn client side the log says "No private IP address was assigned by the peer". We did not change any config related to VPN access. The full router configuration and vpn client log is below. Any suggestions? Nothing makes sense as to why this is happening.

1841 router configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nYko-HQ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$tB5L$oW20fbjyF3Sqr4PwiVwEM1
!
aaa new-model
!
!
aaa authentication login l-authen local
aaa authentication login no-authen none
aaa authorization network l-author local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
ip name-server 198.6.1.2
!
!
crypto pki trustpoint TP-self-signed-1617998121
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1617998121
 revocation-check none
 rsakeypair TP-self-signed-1617998121
!
!
crypto pki certificate chain TP-self-signed-1617998121
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363137 39393831 3231301E 170D3038 30313235 31303539
  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36313739
  39383132 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BE0A 43FDD49E D5BA30EA D4075326 AFBC4964 92427DB2 E8E6EAC2 20E4BD7E
  7C6BAEEC 2EBA0051 F6F12B3C 9980B7B7 48B243C0 5FC92C01 321BC241 9426B0C9
  393CBA78 A1866CF3 2317E7F7 FAF656B4 B2738730 A22CB458 BB6946EE 21FD31CB
  9D952C75 32742692 6F83A065 6D178D25 8C4BE9FA A08E1391 6304A752 84F1C487
  45490203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 076E596B 6F2D4851 301F0603 551D2304 18301680 148F6FD0
  9CAAC43F A62B598F 65364758 598EB9E5 13301D06 03551D0E 04160414 8F6FD09C
  AAC43FA6 2B598F65 36475859 8EB9E513 300D0609 2A864886 F70D0101 04050003
  81810003 A0CD507C 740B98BE 6B0F14BC E66BA46A D414D100 F3A3B99A E90EC616
  D944E22A 7B4AB754 1236899D C1F4D8C3 C10DD323 C04FC816 2979C287 FAE6CAE3
  394FD61B FCD052FC 3C1A6FA0 21A48AF5 EF1D170C 78B8EEDD 9422DCD2 31024E02
  8CA5698C 7144FAB2 9440D76D 0ADCA7BF AB9D70DC 8C38B322 C265A80B E297EBEC A82C85
  quit
username netops privilege 15 secret 5 $1$5B3O$RJC9xKbbb/viPl/UBkBod1
username nspectre privilege 15 secret 5 $1$Usu7$hpeivx3NmH0yJS0FlbzOA.
username nyko_ezvpn secret 5 $1$b29u$j6YWWj3HKi8XELtinuODO/
!
!
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group NYKOEZVPN
 key nYko_Connect
 dns 198.6.100.25 198.6.1.146
 domain nyko.com
 pool nyko_pool
!
!
crypto ipsec transform-set nyko_set esp-3des esp-sha-hmac
!
crypto dynamic-map nyko_dynmap 50
 set transform-set nyko_set
 reverse-route
!
!
crypto map secure client authentication list l-authen
crypto map secure isakmp authorization list l-author
crypto map secure client configuration address respond
crypto map secure 50 ipsec-isakmp dynamic nyko_dynmap
!
!
!
interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to gw
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 63.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF  
 crypto map secure
!
interface FastEthernet0/0
 ip address 192.168.110.254 255.255.255.0 secondary
 ip address 63.x.x.x 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description To Verizon (U49456)
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay MFR1
 load-interval 30
 service-module t1 timeslots 1-24
 no arp frame-relay
!
interface Serial0/1/0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay MFR1
 load-interval 30
 service-module t1 timeslots 1-24
 no arp frame-relay
!
ip local pool nyko_pool 172.16.110.50 172.16.110.55
no ip classless
ip route 0.0.0.0 0.0.0.0 MFR1.500
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.110.111 9996
ip flow-top-talkers
 top 25
 sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool TheNet 63.x.x.x 63.x.x.x netmask 255.255.255.224
ip nat inside source route-map NONAT pool TheNet overload
ip nat inside source static tcp 192.168.110.222 407 63.x.x.x 407 extendable
ip nat inside source static tcp 192.168.110.250 5250 63.x.x.x 5250 extendable
ip nat inside source static tcp 192.168.110.250 5251 63.x.x.x 5251 extendable
ip nat inside source static tcp 192.168.110.250 5631 63.x.x.x 5633 extendable
ip nat inside source static tcp 192.168.110.250 5632 63.x.x.x 5634 extendable
!
access-list 1 deny   63.x.x.x
access-list 1 deny   192.168.110.254
access-list 1 permit 192.168.110.0 0.0.0.255
access-list 100 permit ip any host 63.x.x.x
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit tcp any host 63.x.x.x eq 5634
access-list 101 permit tcp any host 63.x.x.x eq 5633
access-list 101 permit tcp any host 63.x.x.x eq 5251
access-list 101 permit tcp any host 63.x.x.x eq 5250
access-list 101 permit tcp any host 63.x.x.x eq 407
access-list 101 permit udp host 198.6.100.25 eq domain host 63.x.x.x
access-list 101 permit udp host 198.6.1.146 eq domain host 63.x.x.x
access-list 101 permit udp host 198.6.1.2 eq domain host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 199.171.54.34 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 199.171.54.42 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 153.39.16.40 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 153.39.16.42 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 147.225.26.91 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 147.225.26.93 host 63.x.x.x
access-list 101 remark Access for Barry Reyes
access-list 101 permit ip host 66.x.x.x host 63.x.x.x
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 110 deny   ip 192.168.110.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 192.168.110.0 0.0.0.255 any
snmp-server community NYKODOM RO
snmp-server ifindex persist
!
!
route-map NONAT permit 10
 match ip address 110
!
!
!
control-plane
!
!
line con 0
 login authentication no-authen
line aux 0
 login authentication no-authen
line vty 0 4
 privilege level 15
 login authentication l-authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17177880
ntp server 192.43.244.18
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


VPN client log:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      14:08:22.884  02/04/08  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 63.117.127.65.

2      14:08:22.914  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 63.117.127.65

3      14:08:22.995  02/04/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      14:08:22.995  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

6      14:08:23.055  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 63.117.127.65

7      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

8      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports DPD

9      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

10     14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

11     14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

12     14:08:23.085  02/04/08  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

13     14:08:23.085  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 63.117.127.65

14     14:08:23.085  02/04/08  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

15     14:08:23.085  02/04/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0670, Remote Port = 0x1194

16     14:08:23.085  02/04/08  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

17     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

18     14:08:23.115  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 63.117.127.65

19     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

20     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

21     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

22     14:08:23.115  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

23     14:08:25.338  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

24     14:08:25.398  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

25     14:08:25.398  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

26     14:08:25.398  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

27     14:08:25.428  02/04/08  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

28     14:08:25.428  02/04/08  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

29     14:08:25.428  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

30     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

31     14:08:25.458  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

32     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 198.6.100.25

33     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 198.6.1.146

34     14:08:25.458  02/04/08  Sev=Info/5      IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-972684910) is not supported

35     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

36     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = nyko.com

37     14:08:25.458  02/04/08  Sev=Info/5      IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data

38     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(6)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 08-Dec-06 13:36 by kellythw

39     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

40     14:08:25.458  02/04/08  Sev=Warning/2      IKE/0xE3000023
No private IP address was assigned by the peer

41     14:08:25.458  02/04/08  Sev=Warning/2      IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

42     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF) reason = DEL_REASON_IKE_NEG_FAILED

43     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 63.117.127.65

44     14:08:25.468  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

45     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF

46     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 63.117.127.65

47     14:08:28.493  02/04/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF) reason = DEL_REASON_IKE_NEG_FAILED

48     14:08:28.523  02/04/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

49     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

52     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

0
greenbeanx81
Asked:
greenbeanx81
  • 3
  • 2
1 Solution
 
ryansotoCommented:
Where is your vpn group config?  I didnt see that.
0
 
greenbeanx81Author Commented:
crypto isakmp client configuration group NYKOEZVPN
 key nYko_Connect
 dns 198.6.100.25 198.6.1.146
 domain nyko.com
 pool nyko_pool

This in in the router config
0
 
ryansotoCommented:
Yup I see it.  Thought I would give it a shot, sorry I am not a cisco expert
0
 
greenbeanx81Author Commented:
We had to rebuild the vpn config on the router. SDM was messing up the config. I'm not sure how the config worked in before.
0
 
ryansotoCommented:
You mean the web interface right?  If so yes this happened on my 501 unit so we used nothing but command line since
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now