icdl101 asked:

Unable to VPN into Cisco Router

Hello,
We have a Cisco 1871 router with the config below.
We have a site-to-site VPN which is up and running.
The problem is that when we try to set up a VPN with the Cisco client we get the following error message.
We do not even get as far as entering the user name and password.

 "Secure VPN connection terminated locally by client.
Reason 412: the Remote peer is no longer responding."

Here are the log files (*** I have replaced my external IP address with 1.2.3.4):

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

135    15:14:47.031  12/30/10  Sev=Info/4      CM/0x63100002
Begin connection process

136    15:14:47.046  12/30/10  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

137    15:14:47.046  12/30/10  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

138    15:14:47.046  12/30/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "1.2.3.4"

139    15:14:48.046  12/30/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 1.2.3.4.

140    15:14:48.046  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4

141    15:14:48.046  12/30/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

142    15:14:48.046  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

143    15:14:53.390  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

144    15:14:53.390  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

145    15:14:58.390  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

146    15:14:58.390  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

147    15:15:03.390  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

148    15:15:03.390  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

149    15:15:08.390  12/30/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9B9E27C5A61416E1 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

150    15:15:08.953  12/30/10  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=9B9E27C5A61416E1 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

151    15:15:08.953  12/30/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "1.2.3.4" because of "DEL_REASON_PEER_NOT_RESPONDING"

152    15:15:08.953  12/30/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

153    15:15:08.968  12/30/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

154    15:15:08.968  12/30/10  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

155    15:15:09.390  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

156    15:15:09.390  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

157    15:15:09.390  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

158    15:15:09.390  12/30/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
******************************************************************************************************************
So from researching on the net, it seems that it is either the "ACCESS LIST" or the CRYPTO MAP;
I am not sure. Plus, I am not too familiar with the CLI.

I can reach the router and log in through SSH from the outside.

Please assist, thanks in advance.





TestFile.doc
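A triage of the client log posted above, as an added example that is not part of the original post: it pairs each log header with its message and reports whether the peer ever answered the first IKE packet. The sample is constructed from the log layout in the question; the `RECEIVING <<<` prefix for received packets is an assumption, since the posted log contains no received packet.

```python
import re

# Constructed sample in the Cisco VPN Client log layout shown in the question
# (header line, then message line); 1.2.3.4 is the page's placeholder address.
SAMPLE_LOG = """\
140    15:14:48.046  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4

143    15:14:53.390  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

144    15:14:53.390  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

149    15:15:08.390  12/30/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9B9E27C5A61416E1 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Assumption: received packets are logged with a "RECEIVING <<<" prefix (none appear on the page).
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})")

def parse_events(text):
    """Pair each header line with the message line(s) that follow it."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events.append({"seq": int(m.group(1)), "module": m.group(5), "msg": ""})
        elif events and line.strip():
            events[-1]["msg"] = (events[-1]["msg"] + " " + line.strip()).strip()
    return events

def triage_phase1(text):
    """Summarise the IKE exchange and say where it stalled."""
    ike = [e["msg"] for e in parse_events(text) if e["module"] == "IKE"]
    sent = sum(m.startswith("SENDING >>>") for m in ike)
    retrans = sum("(Retransmission)" in m for m in ike)
    received = sum(m.startswith("RECEIVING <<<") for m in ike)
    cookies = [COOKIES.search(m) for m in ike]
    r_cookie = next((c.group(2) for c in cookies if c), None)
    no_reply = received == 0 and sent > 0 and (r_cookie is None or set(r_cookie) == {"0"})
    verdict = ("no IKE reply from peer: first packet unanswered, check UDP 500 path and inbound ACL"
               if no_reply else "peer answered: failure is later in negotiation")
    return {"sent": sent, "retransmissions": retrans, "received": received,
            "r_cookie": r_cookie, "verdict": verdict}

if __name__ == "__main__":
    print(triage_phase1(SAMPLE_LOG))
```

An all-zero `R_Cookie` means the responder never set its cookie, so the negotiation stopped before any credentials or policy could be compared.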
ASKER CERTIFIED SOLUTION
norgetek

Create an account to see this answer

Firewall must be configured to permit UDP ports 500 and 62515, which are
required for the Cisco VPN client.

Also, the message means what it says - your client cannot connect to the remote site.
Has it ever worked?
If not, then you need to look at the router or firewall that is protecting the branch office from the Internet to ensure that it has VPN pass-through capabilities.
If you are using a PIX to protect the branch office then there is a command that needs to be entered into the PIX to allow VPN pass-through.

Also check this link:
http://homecommunity.cisco.com/t5/Wireless-Routers/Secure-VPN-connection-terminated-Reason-412/td-p/259540

Hope this helps

Vikrant

In my first post I assumed that, in your ACL 104, X.X.X.X was the source IP address for the VPN client.  If that is not the case and X.X.X.X is the source address for the site-to-site IPSEC remote end, then you need to open up the ACL.

access-list 104 permit udp host X.X.X.X host 1.2.3.4 eq isakmp
access-list 104 permit udp host X.X.X.X host 1.2.3.4 eq non500-isakmp
access-list 104 permit esp host X.X.X.X host 1.2.3.4


You need to make sure you allow both the site-to-site and the remote access VPN clients in ACL 104.  Typically you will need to change this to a source of any, as the remote access VPN clients could be anywhere.  You might also need to add UDP port 10000 to the ACL if you configured your Cisco VPN client to encapsulate IPSEC in UDP.  Port 10000 is the default port for this.

I am assuming that when Vikrant mentions port 62515, etc., he is talking about ensuring that, if the PC with the Cisco VPN client on it has a "personal firewall" installed, these ports are allowed to talk to itself.  This should be an issue with the MS built-in firewalls but could possibly be an issue with some 3rd party products.

You should also investigate using ISAKMP profiles as I stated in my last post.  When you start having multiple types of IPSEC VPNs on an IOS router it can get confused about what to connect to what.
ograso

Hi icdl101,

We have an Avaya problem. As I see you already solved the problem before, can you help us?

BR
icdl101 (ASKER)

Hello, thank you for responding. I'm very sorry for such a late reply, as I had to go out of town for a family emergency.

The issue has been resolved by removing the old VPN settings and starting fresh with 2 new policies as suggested by norgetek.

Thank you both for responding and taking the time out to help.