Pro4ia

asked on

Cisco Easy VPN problem with 871 router

Hello experts,

I'm hoping someone can shed some light here on my question.

We have a Cisco 871 router setup for Easy VPN through a wizard to connect to a Cisco UC 520 device.

It worked initially (after I had to manually type in my username & password on the console for xauth) but all of a sudden, I'm having a problem.  I'm getting the following messages on the 871 console over and over.

*Mar  4 15:20:36.863: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63

When I do "debug crypto isakmp" I get the following -
*Mar  4 15:23:39.543: ISAKMP: Deleting peer node by peer_reap for 216.210.34.63: 82D53040
*Mar  4 15:23:39.543: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63
*Mar  4 15:23:39.543: ISAKMP: Created a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP:(0): SA request profile is (NULL)
*Mar  4 15:23:41.135: ISAKMP: Found a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP: Locking peer struct 0x82D082CC, refcount 1 for isakmp_initiator
*Mar  4 15:23:41.135: ISAKMP:(0):Setting client config settings 825234C4
*Mar  4 15:23:41.135: ISAKMP: local port 500, remote port 500
*Mar  4 15:23:41.135: insert sa successfully sa = 82601900
*Mar  4 15:23:41.135: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  4 15:23:41.135: ISAKMP:(0):found peer pre-shared key matching 216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  4 15:23:41.135: ISAKMP: Unlocking peer struct 0x82D082CC for isadb_unlock_peer_delete_sa(), count 0
*Mar  4 15:23:41.135: ISAKMP: Deferring peer node 82D082CC deletion, by peer_reap as there are other users 4
*Mar  4 15:23:41.135: ISAKMP:(0):purging SA., sa=82601900, delme=82601900
*Mar  4 15:23:41.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  4 15:23:41.135: ISAKMP: Error while processing KMI message 0, error 2.

It states - ISAKMP: Error while processing SA request: Failed to initialize SA

I can ping the gateway & out to the Internet with NO problem.
Anyone know why I'm getting this error message?  I will attach the 871 config. (Please note: I changed the IP information for security reasons.)


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   option 150 ip 10.1.1.1
   lease 0 2
!
!
no ip domain lookup
ip domain name domain.com
!
!
crypto pki trustpoint TP-self-signed-2068528647
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2068528647
 revocation-check none
 rsakeypair TP-self-signed-2068528647
!
!
crypto pki certificate chain TP-self-signed-2068528647
 certificate self-signed 01
  quit
!
!
!
!
crypto ipsec client ezvpn xauth
 connect auto
 mode client
 xauth userid mode interactive
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group VPNGROUP1 key sharedkey
 mode client
 peer 216.210.34.63
 xauth userid mode interactive
!
bridge irb
!
!
interface Loopback0
 ip address 10.1.20.13 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 12.34.56.78 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.34.56.77 
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

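As an added illustration (not code from the original thread or from Cisco), here is a small Python triage script for the "debug crypto isakmp" output quoted above. The sample lines are copied from the question; the classification rule, which treats "Can not start Aggressive mode" followed by "Can not start Main mode" and "Failed to initialize SA" as an SA that died locally before the first IKE packet was built, is this script's own assumption.

```python
import re
from collections import Counter

# Constructed sample: the debug lines quoted in the question, trimmed to the
# ones that carry the failure signature.
SAMPLE_DEBUG = """\
*Mar  4 15:23:39.543: ISAKMP: Deleting peer node by peer_reap for 216.210.34.63: 82D53040
*Mar  4 15:23:39.543: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0): SA request profile is (NULL)
*Mar  4 15:23:41.135: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  4 15:23:41.135: ISAKMP:(0):found peer pre-shared key matching 216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  4 15:23:41.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  4 15:23:41.135: ISAKMP: Error while processing KMI message 0, error 2.
"""

# IOS debug line: "*Mon DD hh:mm:ss.mmm: message" (service timestamps debug datetime msec)
LINE_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
DOWN_RE = re.compile(r"EZVPN_CONNECTION_DOWN:.*Group=(?P<group>\S*).*Server_public_addr=(?P<server>\S+)")

# Assumed signature (in order): both initiator modes fail inside
# construct_initial_message, then the SA request is abandoned.
LOCAL_INIT_FAILURE = (
    "Can not start Aggressive mode",
    "Can not start Main mode",
    "Failed to initialize SA",
)

def parse(debug_text):
    """Yield (timestamp, message) tuples; lines that are not IOS debug output are skipped."""
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("msg")

def triage(debug_text):
    """Count CONNECTION_DOWN events per (group, server), note whether a pre-shared key
    was found for the peer, and flag the ordered local-initiation failure signature."""
    downs, psk_found, seen = Counter(), False, []
    for _ts, msg in parse(debug_text):
        d = DOWN_RE.search(msg)
        if d:
            downs[(d.group("group"), d.group("server"))] += 1
        if "found peer pre-shared key matching" in msg:
            psk_found = True
        for marker in LOCAL_INIT_FAILURE:
            if marker in msg and marker not in seen:
                seen.append(marker)
    return {"connection_down": dict(downs), "psk_found": psk_found,
            "local_init_failure": seen == list(LOCAL_INIT_FAILURE)}

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```

A local_init_failure of True means the SA was purged while the router was still building its first message, so the next place to look is the client's own ISAKMP/crypto state rather than a reply from the server.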

trinak96

I think this is the problem area :
*Mar  4 15:23:41.135: ISAKMP: Deferring peer node 82D082CC deletion, by peer_reap as there are other users 4

There is a maximum number of users for easy vpn, which from memory is 4 or 5......
I'd say the key is incorrect if it's terminating where it is.

Is there a reason for using Easy VPN vs site-to-site VPN?
From Cisco page : http://www.cisco.com/en/US/products/hw/routers/ps221/prod_bulletin09186a00801adbb6.html

"2. Cisco Easy VPN Server

    * Supports accepting VPN connection from Cisco VPN clients and Cisco Easy VPN Remote devices
    *
          o The Cisco 800 platform can support up to 5 simultaneous IPSec connections in the server mode
          o The Cisco 1700 platforms can support up to 100 simultaneous connections in the server mode"

Pro4ia (ASKER)

This 800 device is not in the server mode but is connecting to a VPN device that is running the server mode.  Currently this is the only thing that is trying to establish a tunnel to the VPN server.

I'm using the Easy VPN because it's easier to set up and it's the recommended mode for the 800 series + UC500. (It has a GUI setup in the Cisco Configuration Assistant.)

I'm actually doing the UC500 tech training next week. If you still have the problem, I'll come back to you later next week.
ASKER CERTIFIED SOLUTION
Pro4ia
