zhshqzyc
asked on
VPN Connection error,
Hi, I tried remote to connect the company's desktop but failed. The log file is below.
The error message is
Thanks for help.
The error message is
Cisco VPN Client error: Secure VPN Connection terminated by Peer. Reason 427: Unkown Error occurred at Peer.Thanks for help.
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 08:33:35.568 04/24/11 Sev=Info/4 CM/0x63100002
Begin connection process
2 08:33:35.568 04/24/11 Sev=Info/4 CM/0x63100004
Establish secure connection
3 08:33:35.568 04/24/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "con.wfubmc.edu"
4 08:33:35.584 04/24/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 152.11.118.227.
5 08:33:35.584 04/24/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 08:33:35.600 04/24/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 152.11.118.227
7 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 152.11.118.227
8 08:33:35.740 04/24/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 152.11.118.227
9 08:33:35.787 04/24/11 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 7h.
10 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
11 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
12 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
13 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
14 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
15 08:33:35.740 04/24/11 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 08:33:35.756 04/24/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 08:33:35.756 04/24/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 152.11.118.227
18 08:33:35.756 04/24/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 08:33:35.756 04/24/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD183, Remote Port = 0x1194
20 08:33:35.756 04/24/11 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
21 08:33:35.756 04/24/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 08:33:35.787 04/24/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 152.11.118.227
23 08:33:35.787 04/24/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 152.11.118.227
24 08:33:35.787 04/24/11 Sev=Info/4 CM/0x63100015
Launch xAuth application
25 08:33:36.567 04/24/11 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 08:33:36.567 04/24/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 08:33:43.681 04/24/11 Sev=Info/4 CM/0x63100017
xAuth application returned
28 08:33:43.681 04/24/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 152.11.118.227
29 08:33:44.024 04/24/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 152.11.118.227
30 08:33:44.024 04/24/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 152.11.118.227
31 08:33:44.024 04/24/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 152.11.118.227
32 08:33:44.024 04/24/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33 08:33:44.024 04/24/11 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
34 08:33:44.024 04/24/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 152.11.118.227
35 08:33:44.071 04/24/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 152.11.118.227
36 08:33:44.071 04/24/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DWR) from 152.11.118.227
37 08:33:44.071 04/24/11 Sev=Info/4 IKE/0x63000081
Delete Reason Code: 4 --> PEER_DELETE-IKE_DELETE_NO_ERROR.
38 08:33:44.071 04/24/11 Sev=Info/5 IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies: I_Cookie=66138775FADEBAE8 R_Cookie=C38F3BBFF608B525
39 08:33:44.071 04/24/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=66138775FADEBAE8 R_Cookie=C38F3BBFF608B525) reason = PEER_DELETE-IKE_DELETE_NO_ERROR
40 08:33:44.695 04/24/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=66138775FADEBAE8 R_Cookie=C38F3BBFF608B525) reason = PEER_DELETE-IKE_DELETE_NO_ERROR
41 08:33:44.695 04/24/11 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_NO_ERROR". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
42 08:33:44.695 04/24/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
43 08:33:44.695 04/24/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
44 08:33:44.695 04/24/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
45 08:33:44.710 04/24/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 08:33:44.710 04/24/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
47 08:33:44.710 04/24/11 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
48 08:33:44.710 04/24/11 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Qlemo
You need to have a look at your Cisco Concentrator (router) logs - it is terminating the connection when user authentication takes place.
Phase 1 completed as User authenticated, so it looks like a Phase 2 problem which normally means that your VPn client did not receive a proper IP address.
Either the server end is not configured correctly to give you a proper IP address based on your VPN group policy, or there could be a conflict with IP addresses where you are vs what you would get on VPN.
For example, your Local LAN subnet on the laptop (wireless LAN) is 192.168.1.0
AND your VPN client profile tries to give you an IP address from a pool of IP's in the 192.168.1.x range, you will have a conflict and will fail Phase 2.
Either the server end is not configured correctly to give you a proper IP address based on your VPN group policy, or there could be a conflict with IP addresses where you are vs what you would get on VPN.
For example, your Local LAN subnet on the laptop (wireless LAN) is 192.168.1.0
AND your VPN client profile tries to give you an IP address from a pool of IP's in the 192.168.1.x range, you will have a conflict and will fail Phase 2.
Hello,
VPN client is allocated IP address from a pool of IP addresses defined for a VPN group on the VPN Server. This IP allocation to the client is based on first come first served, so it is possible the IP address pool has been used up.
It may also be worth checking with the VPN server administrator to make sure your VPN connection details are all correct.
What type of VPN client are you using and what is the OS of your laptop?
See also: https://www.experts-exchange.com/questions/26370483/Cisco-VPN-client-and-ASA-5510-not-working.html
Thanks.
VPN client is allocated IP address from a pool of IP addresses defined for a VPN group on the VPN Server. This IP allocation to the client is based on first come first served, so it is possible the IP address pool has been used up.
It may also be worth checking with the VPN server administrator to make sure your VPN connection details are all correct.
What type of VPN client are you using and what is the OS of your laptop?
See also: https://www.experts-exchange.com/questions/26370483/Cisco-VPN-client-and-ASA-5510-not-working.html
Thanks.
ASKER
Sometimes it works and sometimes not.
@Qlemo:
@koudry:
@Qlemo:
How to look at my Cisco Concentrator (router) logs?@koudry:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Hello,
Thanks for the info on the VPN client side. Could you please confirm if this is Windows 7, XP or Vista?
It says "Windows, WinNT" but it could be any of the above.
I just want to check the release note of the VPN client and any unresolved and resolved caveats.
I am not sure if you have seen the post below:
------
Re: Cisco VPN Error 427
I just encountered this exact same error message and I found that my authentication password had expired and therefore was promptly disconnecting my tunnel after I supplied my login information; hence the 427 reason code. After I reset my password, I could successfully authenticate and establish my vpn client connectivity.
So, you might verify that your username and password for authentication are correct and/or not expired.
If that is not your issue, then I found this page that states that it could possibly be a IP address allocation issue from the vpn server/concentrator.
(search the page for 427)
http://fengnet.com/book/VPNconf/ch12lev1sec6.html
My setup info: OS is WinXP Pro, client version is 5.0.03.0530, and I'm connecting to a Cisco 3030 VPN concentrator that uses active directory for the user database.
Hope that helps...
-------
Source: http://www.techsupportforum.com/forums/f139/cisco-vpn-error-427-a-242493.html
According to this post, the password could be the problem. So you may want to check that up.
Thanks.
Thanks for the info on the VPN client side. Could you please confirm if this is Windows 7, XP or Vista?
It says "Windows, WinNT" but it could be any of the above.
I just want to check the release note of the VPN client and any unresolved and resolved caveats.
I am not sure if you have seen the post below:
------
Re: Cisco VPN Error 427
I just encountered this exact same error message and I found that my authentication password had expired and therefore was promptly disconnecting my tunnel after I supplied my login information; hence the 427 reason code. After I reset my password, I could successfully authenticate and establish my vpn client connectivity.
So, you might verify that your username and password for authentication are correct and/or not expired.
If that is not your issue, then I found this page that states that it could possibly be a IP address allocation issue from the vpn server/concentrator.
(search the page for 427)
http://fengnet.com/book/VPNconf/ch12lev1sec6.html
My setup info: OS is WinXP Pro, client version is 5.0.03.0530, and I'm connecting to a Cisco 3030 VPN concentrator that uses active directory for the user database.
Hope that helps...
-------
Source: http://www.techsupportforum.com/forums/f139/cisco-vpn-error-427-a-242493.html
According to this post, the password could be the problem. So you may want to check that up.
Thanks.
ASKER
Yes. Windows 7 in installed on my laptop.
The password will expired in 10 days. But it is still working. The system reminds me to change the password everyday.
The password will expired in 10 days. But it is still working. The system reminds me to change the password everyday.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks.
I have no control on the server side, so the only thing is to call the adminstrator?
And how do I know NAT on the client side?
I have no control on the server side, so the only thing is to call the adminstrator?
And how do I know NAT on the client side?
Hello,
The VPN administrator should be able to advise whether NAT-T has been enabled or not.
I used to think that my home ADSL modem has NAT-enabled but I have just checked via the web browser and cannot find anything. I cannot get telnet to the modem to work, so I am sorry I cannot check.
Let's hope somebody will post some info.
Thanks.
The VPN administrator should be able to advise whether NAT-T has been enabled or not.
I used to think that my home ADSL modem has NAT-enabled but I have just checked via the web browser and cannot find anything. I cannot get telnet to the modem to work, so I am sorry I cannot check.
Let's hope somebody will post some info.
Thanks.
ASKER
Thanks.