Why doesn't my Cisco VPN Client work anymore?

CryoAdmin
Hello,
My company's VPN is running on our Cisco ASA 5510 firewall. We have it set up to do IPSec over L2TP. At one point in time we were able to utilize the Cisco VPN client to connect to the vpn. Now, however, we have to utilize a custom built Microsoft CMAK client. MS-CHAPv2 is being utilized in this custom client.

Basically, we can connect all day long utilizing the cmak vpn client, but the cisco client bombs out on us every time. I have attached the log file in the code section here.
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
 
1      12:44:19.372  09/02/09  Sev=Info/4	CM/0x63100002
Begin connection process
 
2      12:44:19.388  09/02/09  Sev=Info/4	CM/0x63100004
Establish secure connection
 
3      12:44:19.388  09/02/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "***.***.***.***"
 
4      12:44:19.404  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to ***.***.***.***
 
5      12:44:19.435  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from ***.***.***.***
 
6      12:44:19.435  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to ***.***.***.***
 
7      12:44:19.435  09/02/09  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x05AC, Remote Port = 0x1194
 
8      12:44:19.435  09/02/09  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
9      12:44:19.466  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from ***.***.***.***
 
10     12:44:19.466  09/02/09  Sev=Info/4	CM/0x63100015
Launch xAuth application
 
11     12:44:19.872  09/02/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
12     12:44:19.872  09/02/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
13     12:44:40.013  09/02/09  Sev=Info/4	CM/0x63100017
xAuth application returned
 
14     12:44:40.029  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to ***.***.***.***
 
15     12:44:40.044  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from ***.***.***.***
 
16     12:44:40.044  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to ***.***.***.***
 
17     12:44:40.044  09/02/09  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
18     12:44:40.075  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to ***.***.***.***
 
19     12:44:40.107  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from ***.***.***.***
 
20     12:44:40.107  09/02/09  Sev=Info/4	CM/0x63100019
Mode Config data received
 
21     12:44:40.122  09/02/09  Sev=Info/4	IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.200.164, GW IP = ***.***.***.***, Remote IP = 0.0.0.0
 
22     12:44:40.122  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to ***.***.***.***
 
23     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from ***.***.***.***
 
24     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from ***.***.***.***
 
25     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ***.***.***.***
 
26     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=B03F2F3B
 
27     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D05A154523CAA0AB R_Cookie=78BAA81BB148B7CC) reason = DEL_REASON_IKE_NEG_FAILED
 
28     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=D05A154523CAA0AB R_Cookie=78BAA81BB148B7CC
 
29     12:44:40.154  09/02/09  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from ***.***.***.***
 
30     12:44:40.372  09/02/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
31     12:44:43.372  09/02/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D05A154523CAA0AB R_Cookie=78BAA81BB148B7CC) reason = DEL_REASON_IKE_NEG_FAILED
 
32     12:44:43.372  09/02/09  Sev=Info/4	CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
33     12:44:43.372  09/02/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
34     12:44:43.388  09/02/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
35     12:44:43.388  09/02/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
36     12:44:43.388  09/02/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
37     12:44:43.388  09/02/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped


Commented:
the debug logs are showing phase 1 forms, but it gets deleted
try resetting shared secret on client

it is possible that two software vpn clients on the same machine can cause issues with deterministic vpn drivers. I have seen this happen, and uninstalling one allows the other to work

Author

Commented:
bignewf: Thank you for your quick response. I tried resetting the shared secret on the cisco client, and received the same error in the log file.  By the way the machine I tested with does not have the custom cmak client on it. So there was only 1 vpn client, the cisco one... Unfortunately the Cisco client can still not connect.

Commented:
something else comes to mind-
are you using radius authentication?
If so, there is an issue with XAuth and radius whereby cisco clients cannot connect and the AAA server timeout must be increased

check this setting on asa, maybe something with xauth got changed with this microsoft cmak client?

Commented:
Also, check your NAT-T settings on the client -  anything change here?

you also might try using an older version of the client, such as a 4.X version (more stable)

Author

Commented:
bignewf:
Thanks for the suggestions. We are using radius authentication, and have changed the timeout on the AAA server, as you recommended. It was set to 5, we upped it to 30. We will test today and get back to you.
We are using v.5 of the client, so I'll check the NAT-T settings you mentioned and see if anything looks out of place.
 
Stay Tuned. Updates to come.



Author

Commented:
Updates:
With the timeout set to 30, we still get the same error.
Under the Transport tab of the client, "Enable Transparent Tunneling" is checked, with "IPSEC over UDP (NAT/PAT)" selected. I've also tried with "enable transp. tunneling" unchecked, which also gives us the same error.
We are using v 5.0.01.0600 of the client. I'm not sure if we have the 4.x client lying around anywhere.

Commented:
are the above nat-t settings also enabled on the asa? how about tcp port 10000 on the group policy settings of the tunnel group?

Author

Commented:
Here's the setting from our ASA.

crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 500 512 4500 

Author

Commented:
I went back to the client and set it to ipsec over tcp on port 1000 and got the following error:
 

300    17:00:02.125  10/27/09  Sev=Info/6	IPSEC/0x6370001D
TCP RST received from 74.11.14.74, src port 10000, dst port 1079
 
301    17:00:05.125  10/27/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A06551D26FC96475 R_Cookie=BD2F261A0657A79F) reason = DEL_REASON_IKE_NEG_FAILED
 
302    17:00:05.125  10/27/09  Sev=Info/4	CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

Commented:
Question- before cmak client was installed, was ms-chapv2 enabled in any way on your clients?  (normally this is enabled on microsoft built-in vpn client)

on a test machine that has both the cisco vpn client and the cmak client installed, if you disable ms-chapv2, can you connect with the cisco vpn client?

a copy of asa config (hide all public ip's please) before the cmak client was deployed and config after (just to make sure no changes in config)

Author

Commented:
We contacted Cisco support, and they pointed out that we removed myset from our Outside_dyn_map 20.  The following are the before and after code:

*Before Update*
crypto dynamic-map Outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

*After Update*
crypto dynamic-map Outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA myset
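A small log triage helper, added here as an example and not part of the thread or of Cisco's tooling: it walks Cisco VPN Client log entries in order (phase 1, XAuth, Mode Config, Quick Mode) and reports where the negotiation stopped, so the NO_PROPOSAL_CHOSEN that arrives right after the QM proposal in the first log is classified as a phase 2 transform-set mismatch (the kind the restored myset fixes), and the TCP RST on port 10000 in the later log as a transport problem. The sample lines are constructed in the client's log format with a documentation placeholder address; as a generalization beyond the thread, a NO_PROPOSAL_CHOSEN that arrives before phase 1 completes is reported as a phase 1 policy rejection instead.

```python
import re

# Matches a header such as "8      12:44:19.435  09/02/09  Sev=Info/4<TAB>CM/0x6310000E"; group 1 is the subsystem.
HEADER = re.compile(r"^\d+\s+\d\d:\d\d:\d\d\.\d+\s+\d\d/\d\d/\d\d\s+Sev=\w+/\d\s+(\w+)/0x[0-9A-Fa-f]+$")

def parse_events(text):
    """Pair each log header with the message line that follows it: [(subsystem, message), ...]."""
    lines = text.splitlines()
    return [(HEADER.match(l).group(1), lines[i + 1].strip())
            for i, l in enumerate(lines[:-1]) if HEADER.match(l)]

def diagnose(text):
    """Walk the negotiation in order and report the stage at which it stopped."""
    stage = "phase1"
    for _, msg in parse_events(text):
        if msg.startswith("TCP RST received"):
            return "transport: TCP RST on the IPsec-over-TCP port, check client/ASA port settings"
        if msg.startswith("Established Phase 1 SA") and stage == "phase1":
            stage = "xauth"            # IKE SA is up, user authentication comes next
        elif msg == "xAuth application returned" and stage == "xauth":
            stage = "modecfg"          # credentials accepted, waiting for Mode Config
        elif msg == "Mode Config data received" and stage == "modecfg":
            stage = "phase2"           # client has its address; Quick Mode is next
        elif "ISAKMP OAK QM" in msg and stage == "phase2":
            stage = "phase2-proposal"  # IPsec SA proposal has been sent to the peer
        elif "NO_PROPOSAL_CHOSEN" in msg:
            if stage == "phase2-proposal":
                return "phase2: peer rejected the IPsec proposal, compare the dynamic-map transform sets"
            return f"{stage}: peer rejected the proposal"
    return f"no rejection seen; last stage reached: {stage}"

# Constructed samples in the client's log format; 203.0.113.1 is a documentation placeholder peer.
SAMPLE_PHASE2_FAIL = """\
8      12:44:19.435  09/02/09  Sev=Info/4\tCM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
13     12:44:40.013  09/02/09  Sev=Info/4\tCM/0x63100017
xAuth application returned
20     12:44:40.107  09/02/09  Sev=Info/4\tCM/0x63100019
Mode Config data received
22     12:44:40.122  09/02/09  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.0.113.1
24     12:44:40.154  09/02/09  Sev=Info/4\tIKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.1
"""

SAMPLE_TCP_RST = """\
300    17:00:02.125  10/27/09  Sev=Info/6\tIPSEC/0x6370001D
TCP RST received from 203.0.113.1, src port 10000, dst port 1079
"""
```

Paste a full client log into `diagnose()`; because it tracks the stage in order, the same NO_PROPOSAL_CHOSEN text is attributed to phase 1 or phase 2 depending on what was already negotiated.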
