Solved

CISCO Client VPN terminates with reason = DEL_REASON_WE_FAILED_AUTH

Posted on 2008-10-29
6,190 Views
Last Modified: 2012-05-05
We are currently running local authentication on the ASA and we have just moved across to RADIUS authentication on our 2003 DC. When I test the RADIUS from within SDM we authenticate 100%, but when I test from a Cisco VPN client I get the following error.

Log from the client below, followed by the running config.

Cisco Systems VPN Client Version 5.0.02.0060
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      10:14:22.415  10/30/08  Sev=Info/4      CM/0x63100002
Begin connection process

2      10:14:22.477  10/30/08  Sev=Info/4      CM/0x63100004
Establish secure connection

3      10:14:22.477  10/30/08  Sev=Info/4      CM/0x63100024
Attempt connection with server "194.70.149.90"

4      10:14:22.477  10/30/08  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 194.70.149.90.

5      10:14:22.524  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 194.70.149.90

6      10:14:22.571  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

7      10:14:22.571  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 194.70.149.90

8      10:14:22.571  10/30/08  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

9      10:14:22.571  10/30/08  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

10     10:14:22.571  10/30/08  Sev=Info/5      IKE/0x63000001
Peer supports DPD

11     10:14:22.571  10/30/08  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

12     10:14:22.571  10/30/08  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

13     10:14:22.587  10/30/08  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

14     10:14:22.587  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 194.70.149.90

15     10:14:22.587  10/30/08  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

16     10:14:22.587  10/30/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xED43, Remote Port = 0x1194

17     10:14:22.587  10/30/08  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

18     10:14:22.587  10/30/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

19     10:14:22.618  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

20     10:14:22.618  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.70.149.90

21     10:14:22.618  10/30/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

22     10:14:22.774  10/30/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

23     10:14:22.774  10/30/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

24     10:14:26.533  10/30/08  Sev=Info/4      CM/0x63100017
xAuth application returned

25     10:14:26.533  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.70.149.90

26     10:14:26.643  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

27     10:14:26.643  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.70.149.90

28     10:14:26.643  10/30/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

29     10:14:29.669  10/30/08  Sev=Info/4      CM/0x63100017
xAuth application returned

30     10:14:29.669  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.70.149.90

31     10:14:29.763  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

32     10:14:29.763  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.70.149.90

33     10:14:29.763  10/30/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

34     10:14:32.446  10/30/08  Sev=Info/4      CM/0x63100017
xAuth application returned

35     10:14:32.446  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.70.149.90

36     10:14:32.477  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

37     10:14:32.477  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 194.70.149.90

38     10:14:32.477  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 194.70.149.90

39     10:14:32.477  10/30/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9ACA6442BCEDC3D2 R_Cookie=B372A91ACBF05FF5) reason = DEL_REASON_WE_FAILED_AUTH

40     10:14:32.477  10/30/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 194.70.149.90

41     10:14:32.539  10/30/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 194.70.149.90

42     10:14:32.539  10/30/08  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=9ACA6442BCEDC3D2 R_Cookie=B372A91ACBF05FF5

43     10:14:32.539  10/30/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 194.70.149.90

44     10:14:33.023  10/30/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9ACA6442BCEDC3D2 R_Cookie=B372A91ACBF05FF5) reason = DEL_REASON_WE_FAILED_AUTH

45     10:14:33.023  10/30/08  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "194.70.149.90" because of "DEL_REASON_WE_FAILED_AUTH"

46     10:14:33.023  10/30/08  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

47     10:14:33.023  10/30/08  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

48     10:14:33.023  10/30/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

49     10:14:33.039  10/30/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     10:14:33.039  10/30/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     10:14:33.039  10/30/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

52     10:14:33.039  10/30/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


: Saved
:
ASA Version 7.2(3)
!
hostname XXX
domain-name default.domain.invalid
enable password 0bTcqBL8HEmvhLiO encrypted
names

name 172.16.26.1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.X.X 255.255.254.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address 194.X.X.X 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 11
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list nonat extended permit ip 172.16.0.0 255.255.224.0 172.16.27.192 255.255.255.224
access-list acl_split extended permit ip 172.16.0.0 255.255.224.0 172.16.27.192 255.255.255.224
access-list acl_outside extended permit tcp any host 194.X.X.X eq smtp
access-list acl_outside remark Allows https traffic through the firewall on port 443 for exchange OMA
access-list acl_outside extended permit tcp any host 194.X.X.X eq https  
access-list acl_outside remark Allows https traffic through the firewall on port 443 for exchange OMA
access-list acl_outside extended permit udp any interface outside eq isakmp
access-list acl_outside extended permit udp any interface outside eq 4500
access-list acl_outside extended permit udp any interface outside eq 10000
access-list acl_outside extended permit udp any interface outside eq 1270
access-list acl_outside extended permit udp any interface outside eq 37000
access-list acl_outside extended permit tcp any host 194.70.149.91 eq https
access-list 101 extended permit udp any interface outside eq isakmp
access-list 101 extended permit udp any interface outside eq 4500
access-list 101 extended permit udp any interface outside eq 10000
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool2 172.16.X.X-172.16.X.X
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 194.70.X.X 172.16.26.3 netmask 255.255.255.255
static (inside,outside) 194.70.X.X 172.16.26.9 netmask 255.255.255.255
access-group acl_outside in interface outside
route inside 10.10.11.0 255.255.255.0 10.10.10.2 1
route inside 172.16.20.0 255.255.254.0 172.16.X.X 1
route inside 172.16.22.0 255.255.254.0 172.16.X.X 1
route inside 172.16.24.0 255.255.254.0 172.16.X.X 1
route inside 172.16.28.0 255.255.254.0 172.16.X.X 1
route inside 172.16.30.0 255.255.254.0 172.16.X.X 1
route outside 0.0.0.0 0.0.0.0 194.70.X.X 1
route outside 172.16.X.X 255.255.255.224 194.70.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host X
 key X
 radius-common-pw X
aaa-server fred protocol tacacs+
aaa authentication ssh console LOCAL
http server enable
http 172.16.26.0 255.255.254.0 inside
http 172.16.0.0 255.255.224.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 999 set transform-set aes256sha
crypto map ENC 999 ipsec-isakmp dynamic dynmap
crypto map ENC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.0.0 255.255.224.0 inside
telnet timeout 5
ssh 217.37.245.0 255.255.255.0 outside
ssh intrinsic-fw-support 255.255.255.240 outside
ssh timeout 5
console timeout 0
management-access inside

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server X source inside prefer
ntp server 172.16.X.X source inside prefer
group-policy XXX internal
group-policy XXX attributes
 dns-server value 172.16.X.X
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split
group-policy networksfirst internal
group-policy networksfirst attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_split
username XXXX level 15
tunnel-group XXX-VPN type ipsec-ra
tunnel-group XXX-VPN general-attributes
 address-pool vpn-pool2
 default-group-policy XXX-VPN
tunnel-group XXX-VPN ipsec-attributes
 pre-shared-key *
tunnel-group networksfirst type ipsec-ra
tunnel-group networksfirst general-attributes
 address-pool vpn-pool2
 default-group-policy networksfirst
tunnel-group networksfirst ipsec-attributes
 pre-shared-key *
tunnel-group "XXX Radius" type ipsec-ra
tunnel-group "XXX Radius" general-attributes
 address-pool vpn-pool2
 authentication-server-group RADIUS LOCAL
 authentication-server-group (inside) RADIUS
 authorization-server-group RADIUS
 authorization-server-group (outside) RADIUS
 accounting-server-group RADIUS
 default-group-policy XXX-VPN
tunnel-group "XXX Radius" ipsec-attributes
 pre-shared-key *
tunnel-group "XXX Radius" ppp-attributes
 authentication pap
prompt hostname context
Cryptochecksum:ca46b368278137d257dbe3351ebbb91e
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
Question by:highlanderit

13 Comments

Expert Comment

by:inrouted
ID: 22841013
What do the RADIUS logs say? What kind of authentication are you using? I saw PAP up there. Is it just users in the RADIUS users configuration file? No ntlm_auth or LDAP or MSCHAP or anything like that?

Author Comment

by:highlanderit
ID: 22841053
We are using PAP for all RADIUS authentication, nothing special.

Expert Comment

by:inrouted
ID: 22841109
What kind of RADIUS server is this?
Have you tried executing a test aaa-server authentication group1 username user password passwd?

Author Comment

by:highlanderit
ID: 22841215
Yes, I already tried this and it works 100%; also tested via the SDM with the same results.

Expert Comment

by:inrouted
ID: 22842298
I assume, based on the language of your question, that you are running the RADIUS on a Windows 2003 server. Is this correct? I have seen where you have to add an OU=tunnel group name class attribute to the remote access policy.

Author Comment

by:highlanderit
ID: 22842324
Yes, we are running Windows 2003 Server hosting RADIUS. Do you have any ideas what is causing the problem?

Expert Comment

by:inrouted
ID: 22842339
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html

Check that article out. I have a feeling this is going to resolve your headaches.

-route

Author Comment

by:highlanderit
ID: 22842360
I will try the link and post if successful.

Thx

Author Comment

by:highlanderit
ID: 22843401
Still having the same problems.

Expert Comment

by:inrouted
ID: 22843428
So when you attempt to authenticate, what do the Windows 2003 RADIUS server logs give you (can be seen in Event Viewer)?

Author Comment

by:highlanderit
ID: 22844388
Cannot see any activity in eventvwr.

Accepted Solution

by:highlanderit
ID: 22845148
I have found the root of the problem: the local RADIUS group was taking preference over RADIUS. I changed RADIUS to primary and set local as fallback, and all is working.
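The pattern in the posted client log (Phase 1 SA established, the XAUTH prompt launched repeatedly, then DEL_REASON_WE_FAILED_AUTH) is what tells a rejected user credential apart from a group name or pre-shared-key failure, and it matches the accepted solution above. As an added example that is not code from this thread, here is a small Python triage script run over a constructed excerpt in the same log layout; the verdict names and the field names are my own.

```python
import re

# Constructed excerpt in the Cisco VPN Client 5.x log layout seen in the post:
# a header line (entry, time, date, severity, module/code), then the message line.
SAMPLE_LOG = """\
18     10:14:22.587  10/30/08  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

21     10:14:22.618  10/30/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

28     10:14:26.643  10/30/08  Sev=Info/4      CM/0x63100015
Launch xAuth application

39     10:14:32.477  10/30/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0000 R_Cookie=0000) reason = DEL_REASON_WE_FAILED_AUTH
"""

# One match per entry: header fields, then the message on the following line.
ENTRY = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\S+\s+Sev=\w+/\d\s+(\w+)/0x([0-9A-Fa-f]+)[ \t]*\n(.*)$", re.M)

def parse_entries(text):
    """Return [{no, time, module, code, msg}, ...] from a pasted client log."""
    return [{"no": int(n), "time": t, "module": mod, "code": code, "msg": msg.strip()}
            for n, t, mod, code, msg in ENTRY.findall(text)]

def triage(text):
    """Tell a rejected user credential (XAUTH) apart from a failure earlier in IKE."""
    entries = parse_entries(text)
    phase1 = any(e["msg"].startswith("Established Phase 1 SA") for e in entries)
    prompts = sum(e["msg"] == "Launch xAuth application" for e in entries)
    reason = next((m.group(1) for e in entries
                   for m in [re.search(r"reason = (\w+)", e["msg"])] if m), None)
    if reason is None:
        verdict = "no-failure"
    elif phase1 and prompts:
        # Group pre-shared key was accepted (Phase 1 came up); every XAUTH attempt was
        # refused, so check the tunnel group's authentication-server-group and the RADIUS logs.
        verdict = "xauth-rejected"
    elif not phase1:
        # Never reached user authentication: group name, pre-shared key or ISAKMP policy.
        verdict = "phase1-failed"
    else:
        verdict = "other"
    return {"phase1": phase1, "xauth_prompts": prompts, "reason": reason, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```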