• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8689
  • Last Modified:

Cisco Easy VPN problem with 871 router

Hello experts,

I'm hoping someone can shed some lights here to my question.

We have a Cisco 871 router setup for Easy VPN through a wizard to connect to a Cisco UC 520 device.

It worked initially (after I had to manually type in my username & password on the console for xauth) but all of a sudden, I'm having a problem.  I'm getting the following messages on the 871 console over and over.

*Mar  4 15:20:36.863: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63

When I do "debug crypto isakmp" I get the following -
*Mar  4 15:23:39.543: ISAKMP: Deleting peer node by peer_reap for 216.210.34.63: 82D53040
*Mar  4 15:23:39.543: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPNGROUP1  Client_public_addr=12.34.56.78  Server_public_addr=216.210.34.63
*Mar  4 15:23:39.543: ISAKMP: Created a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP:(0): SA request profile is (NULL)
*Mar  4 15:23:41.135: ISAKMP: Found a peer struct for 216.210.34.63, peer port 500
*Mar  4 15:23:41.135: ISAKMP: Locking peer struct 0x82D082CC, refcount 1 for isakmp_initiator
*Mar  4 15:23:41.135: ISAKMP:(0):Setting client config settings 825234C4
*Mar  4 15:23:41.135: ISAKMP: local port 500, remote port 500
*Mar  4 15:23:41.135: insert sa successfully sa = 82601900
*Mar  4 15:23:41.135: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  4 15:23:41.135: ISAKMP:(0):found peer pre-shared key matching 216.210.34.63
*Mar  4 15:23:41.135: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Mar  4 15:23:41.135: ISAKMP: Unlocking peer struct 0x82D082CC for isadb_unlock_peer_delete_sa(), count 0
*Mar  4 15:23:41.135: ISAKMP: Deferring peer node 82D082CC deletion, by peer_reap as there are other users 4
*Mar  4 15:23:41.135: ISAKMP:(0):purging SA., sa=82601900, delme=82601900
*Mar  4 15:23:41.135: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar  4 15:23:41.135: ISAKMP: Error while processing KMI message 0, error 2.

It states - ISAKMP: Error while processing SA request: Failed to initialize SA

I can ping the gateway & out to the Internet with NO problem.
Anyone know why I'm getting this error message?  I will attach the 871 config. (please I changed the IP information for security reasons)


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   option 150 ip 10.1.1.1
   lease 0 2
!
!
no ip domain lookup
ip domain name domain.com
!
!
crypto pki trustpoint TP-self-signed-2068528647
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2068528647
 revocation-check none
 rsakeypair TP-self-signed-2068528647
!
!
crypto pki certificate chain TP-self-signed-2068528647
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303638 35323836 3437301E 170D3032 30333034 31353030
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30363835
  32383634 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AB65 397D98BE C51EB311 5EF73877 39C0C23B FC6DC76C 1B3B8182 8ED1B155
  8755C8B3 20B62A44 A13D5DE9 7AF09724 B3DB743E 886BA009 72DB0773 148280CB
  837B4D21 820C8124 2D1D0716 BA4749A5 54F93FC8 C50E9367 FE8C377E 1EFFEC8D
  EDE56C82 7A0F7030 837CDB9A 97CA5DFB AB6A4334 3F0B89F9 3B00A1BE A614558A
  E0810203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14536572 67495352 2E70726F 34696130 312E636F 6D301F06
  03551D23 04183016 80149709 D437A677 42677124 81E70625 71E11BF7 3424301D
  0603551D 0E041604 149709D4 37A67742 67712481 E7062571 E11BF734 24300D06
  092A8648 86F70D01 01040500 03818100 12768DD2 0CE3C27A 55EDCE69 A107F868
  5715BB3F D3C2F699 4589B1A0 7BE4F538 B38EEB69 4BD270AE 88A14A99 1918A7DE
  C4DABDB8 D7E9E4ED E4F625C9 32577511 46DDE100 2A2FC930 59042B6B E1028B97
  055D68E5 E3572CF3 E5640A40 83B13D7A 71629862 48F2D4CA 12184872 C563D019
  8C45946C BE5FEB0D FAA95DFE 235830FC
  quit
!
!
!
!
crypto ipsec client ezvpn xauth
 connect auto
 mode client
 xauth userid mode interactive
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group VPNGROUP1 key sharedkey
 mode client
 peer 216.210.34.63
 xauth userid mode interactive
!
bridge irb
!
!
interface Loopback0
 ip address 10.1.20.13 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 12.34.56.78 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.34.56.77 
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Open in new window

0
Pro4ia
Asked:
Pro4ia
  • 2
  • 2
  • 2
1 Solution
 
trinak96Commented:
I think this is the problem area :
*Mar  4 15:23:41.135: ISAKMP: Deferring peer node 82D082CC deletion, by peer_reap as there are other users 4

There is a maximum number of users for easy vpn, which from memory is 4 or 5......
0
 
naughtonCommented:
I'd say the key is incorrect if its terminating where it is.

is there a reason for using easy vpn vs site to site vpn?  
0
 
trinak96Commented:
From Cisco page : http://www.cisco.com/en/US/products/hw/routers/ps221/prod_bulletin09186a00801adbb6.html

"2. Cisco Easy VPN Server

    * Supports accepting VPN connection from Cisco VPN clients and Cisco Easy VPN Remote devices
    *
          o The Cisco 800 platform can support up to 5 simultaneous IPSec connections in the server mode
          o The Cisco 1700 platforms can support up to 100 simultaneous connections in the server mode"

0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Pro4iaAuthor Commented:
This 800 device is not in the server mode but is connecting to a VPN device that is running the server mode.  Currently this is the only thing that is trying to establish a tunnel to the VPN server.

I'm using the Easy VPN because it's easier to setup and it's the recommended mode for the 800 series + UC500. (has a gui setup in the Cisco Configuration Assistant)
0
 
naughtonCommented:
i'm actually doing the UC500 tech training next week - if you still have the problem i'll come back to you later next week
0
 
Pro4iaAuthor Commented:
I had to rebuild the configuration to resolve this.  Thanks for helping out.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now