I am having problems getting remote access to work on a 2911 ISR router which is also running a DMVPN back to our central hubs. I am using Zone-Based Firewalling on the router. I have four main zones (but could move the Tunnel interface to the Inside zone, and have tried this):
Outside to Self
Inside to Outside
Tunnel to Inside
Inside to Tunnel
The connection initiates but it seems to get hung up on the authentication part.
I am reasonably confident that the basic config on the router is correct as we have other spokes that are just running CBAC which work fine.
So there must be a problem with the zoning somehow, but I find it strange that the DMVPN will work but not remote access. The router is able to communicate with the RADIUS server OK, and if I check the ACS logs they show the client has been authenticated, but the message never seems to get back to the router that the client has been authenticated.
Any Ideas?
show crypto isakmp sa
dst src state conn-id status
4.4.4.4(RouterIP) 1.1.1.1(RemoteIP) CONF_XAUTH 1004 ACTIVE RemoteVPN
4.4.4.4(RouterIP) 1.1.1.1(RemoteIP) MM_NO_STATE 1003 ACTIVE (deleted) RemoteVPN
The debugs:
Sep 3 16:28:46 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 3
Sep 3 16:28:46 UTC: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
Sep 3 16:28:46 UTC: ISAKMP: encryption 3DES-CBC
Sep 3 16:28:46 UTC: ISAKMP: hash SHA
Sep 3 16:28:46 UTC: ISAKMP: default group 2
Sep 3 16:28:46 UTC: ISAKMP: auth XAUTHInitPreShared
Sep 3 16:28:46 UTC: ISAKMP: life type in seconds
Sep 3 16:28:46 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
Sep 3 16:28:46 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
Sep 3 16:28:46 UTC: ISAKMP:(0):Acceptable atts:actual life: 86400
Sep 3 16:28:46 UTC: ISAKMP:(0):Acceptable atts:life: 0
Sep 3 16:28:46 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 3 16:28:46 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Sep 3 16:28:46 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 3 16:28:46 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
Sep 3 16:28:46 UTC: ISAKMP:(0): processing KE payload. message ID = 0
Sep 3 16:28:46 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
Sep 3 16:28:46 UTC: ISAKMP:(0): vendor ID is NAT-T v2
Sep 3 16:28:46 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Sep 3 16:28:46 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
Sep 3 16:28:46 UTC: ISAKMP:(1005): constructed NAT-T vendor-02 ID
Sep 3 16:28:46 UTC: ISAKMP:(1005):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Sep 3 16:28:46 UTC: ISAKMP (1005): ID payload
next-payload : 10
type : 1
address : 1.1.1.1(RouterIP)
protocol : 0
port : 0
length : 12
Sep 3 16:28:46 UTC: ISAKMP:(1005):Total payload length: 12
Sep 3 16:28:46 UTC: ISAKMP:(1005): sending packet to 4.4.4.4(RemoteIP) my_port 500 peer_port 58450 (R) AG_INIT_EXCH
Sep 3 16:28:46 UTC: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Sep 3 16:28:46 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Sep 3 16:28:46 UTC: ISAKMP:(1005):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
Sep 3 16:28:47 UTC: ISAKMP (1005): received packet from 4.4.4.4(RemoteIP) dport 4500 sport 50520 Global (R) AG_INIT_EXCH
Sep 3 16:28:47 UTC: ISAKMP:(1005): processing HASH payload. message ID = 0
Sep 3 16:28:47 UTC: ISAKMP:(1005): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 3193F278
Sep 3 16:28:47 UTC: ISAKMP:received payload type 20
Sep 3 16:28:47 UTC: ISAKMP (1005): His hash no match - this node outside NAT
Sep 3 16:28:47 UTC: ISAKMP:received payload type 20
Sep 3 16:28:47 UTC: ISAKMP (1005): His hash no match - this node outside NAT
Sep 3 16:28:47 UTC: ISAKMP:(1005):SA authentication status:
authenticated
Sep 3 16:28:47 UTC: ISAKMP:(1005):SA has been authenticated with 4.4.4.4(RemoteIP)
Sep 3 16:28:47 UTC: ISAKMP:(1005):Detected port,floating to port = 50520
Sep 3 16:28:47 UTC: ISAKMP: Trying to find existing peer 1.1.1.1(RouterIP)/4.4.4.4(RemoteIP)/50520/
Sep 3 16:28:47 UTC: ISAKMP:(1005):SA authentication status:
authenticated
Sep 3 16:28:47 UTC: ISAKMP:(1005): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1(RouterIP) remote 4.4.4.4(RemoteIP) remote port 50520
Sep 3 16:28:47 UTC: ISAKMP:(1005):returning IP addr to the address pool
Sep 3 16:28:47 UTC: ISAKMP: Trying to insert a peer 1.1.1.1(RouterIP)/4.4.4.4(RemoteIP)/50520/, and inserted successfully 2AC3FFF4.
Sep 3 16:28:47 UTC: ISAKMP:(1005):Returning Actual lifetime: 86400
Sep 3 16:28:47 UTC: ISAKMP: set new node 2072161512 to CONF_XAUTH
Sep 3 16:28:47 UTC: ISAKMP:(1005):Sending NOTIFY RESPONDER_LIFETIME protocol 1
spi 820986048, message ID = 2072161512
Sep 3 16:28:47 UTC: ISAKMP:(1005): sending packet to 4.4.4.4(RemoteIP) my_port 4500 peer_port 50520 (R) QM_IDLE
Sep 3 16:28:47 UTC: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Sep 3 16:28:47 UTC: ISAKMP:(1005):purging node 2072161512
Sep 3 16:28:47 UTC: ISAKMP: Sending phase 1 responder lifetime 86400
Sep 3 16:28:47 UTC: ISAKMP: Attempting to insert peer index node : 0x3
Sep 3 16:28:47 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Sep 3 16:28:47 UTC: ISAKMP:(1005):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Sep 3 16:28:47 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 3 16:28:47 UTC: ISAKMP:(1005):Need XAUTH
Sep 3 16:28:47 UTC: ISAKMP: set new node 906706528 to CONF_XAUTH
Sep 3 16:28:47 UTC: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 3 16:28:47 UTC: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 3 16:28:47 UTC: ISAKMP:(1005): initiating peer config to 4.4.4.4(RemoteIP). ID = 906706528
Sep 3 16:28:47 UTC: ISAKMP:(1005): sending packet to 4.4.4.4(RemoteIP) my_port 4500 peer_port 50520 (R) CONF_XAUTH
Sep 3 16:28:47 UTC: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Sep 3 16:28:47 UTC: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 3 16:28:47 UTC: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Sep 3 16:28:52 UTC: ISAKMP (1005): received packet from 4.4.4.4(RemoteIP) dport 4500 sport 50520 Global (R) CONF_XAUTH
Sep 3 16:28:52 UTC: ISAKMP:(1005):processing transaction payload from 4.4.4.4(RemoteIP). message ID = 906706528
Sep 3 16:28:52 UTC: ISAKMP: Config payload REPLY
Sep 3 16:28:52 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Sep 3 16:28:52 UTC: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Sep 3 16:28:52 UTC: ISAKMP:(1005):deleting node 906706528 error FALSE reason "Done with xauth request/reply exchange"
Sep 3 16:28:52 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Sep 3 16:28:52 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Sep 3 16:29:03 UTC: %FW-6-LOG_SUMMARY: 2 packets were passed from 4.4.4.4(RemoteIP):58450 => 1.1.1.1(RouterIP):500 (target:class)-(CSM_Outside-self_1:CSM_ZBF_CLASS_MAP_9)
Sep 3 16:29:03 UTC: %FW-6-LOG_SUMMARY: 8 packets were passed from 4.4.4.4(RemoteIP):50520 => 1.1.1.1(RouterIP):4500 (target:class)-(CSM_Outside-self_1:CSM_ZBF_CLASS_MAP_9)
Sep 3 16:29:11 UTC: ISAKMP: set new node 1595228160 to CONF_XAUTH
Sep 3 16:29:11 UTC: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Sep 3 16:29:11 UTC: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Sep 3 16:29:11 UTC: ISAKMP:(1005): initiating peer config to 4.4.4.4(RemoteIP). ID = 1595228160
Sep 3 16:29:11 UTC: ISAKMP:(1005): sending packet to 4.4.4.4(RemoteIP) my_port 4500 peer_port 50520 (R) CONF_XAUTH
Sep 3 16:29:11 UTC: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Sep 3 16:29:11 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
Sep 3 16:29:11 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
Sep 3 16:29:12 UTC: ISAKMP (1005): received packet from 4.4.4.4(RemoteIP) dport 4500 sport 50520 Global (R) CONF_XAUTH
Sep 3 16:29:12 UTC: ISAKMP:(1005):processing transaction payload from 4.4.4.4(RemoteIP). message ID = 1595228160
Sep 3 16:29:12 UTC: ISAKMP: Config payload REPLY
Sep 3 16:29:12 UTC: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
Sep 3 16:29:12 UTC: ISAKMP:(1005):peer does not do paranoid keepalives.
Sep 3 16:29:12 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Sep 3 16:29:12 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
Sep 3 16:29:12 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 3 16:29:12 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Sep 3 16:29:12 UTC: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.4.4.4(RemoteIP)
Sep 3 16:29:12 UTC: ISAKMP (1005): received packet from 4.4.4.4(RemoteIP) dport 4500 sport 50520 Global (R) CONF_XAUTH
Sep 3 16:29:12 UTC: ISAKMP: set new node -482620186 to CONF_XAUTH
Sep 3 16:29:12 UTC: ISAKMP:(1005): processing HASH payload. message ID = -482620186
Sep 3 16:29:12 UTC: ISAKMP:received payload type 18
Sep 3 16:29:12 UTC: ISAKMP:(1005):Processing delete with reason payload
Sep 3 16:29:12 UTC: ISAKMP:(1005):delete doi = 0
Sep 3 16:29:12 UTC: ISAKMP:(1005):delete protocol id = 1
Sep 3 16:29:12 UTC: ISAKMP:(1005):delete spi_size = 16
Sep 3 16:29:12 UTC: ISAKMP:(1005):delete num spis = 1
Sep 3 16:29:12 UTC: ISAKMP:(1005):delete_reason = 2
Sep 3 16:29:12 UTC: ISAKMP:(1005): processing DELETE_WITH_REASON payload, message ID = -482620186, reason: DELETE_BY_USER_COMMAND
Sep 3 16:29:12 UTC: ISAKMP:(1005):peer does not do paranoid keepalives.
Sep 3 16:29:12 UTC: ISAKMP:(1005):peer does not do paranoid keepalives.
Sep 3 16:29:12 UTC: ISAKMP:(1005):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.4.4.4(RemoteIP))
Sep 3 16:29:12 UTC: ISAKMP:(1005):deleting node -482620186 error FALSE reason "Informational (in) state 1"
Sep 3 16:29:12 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 3 16:29:12 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Sep 3 16:29:12 UTC: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.4.4.4(RemoteIP)
Sep 3 16:29:12 UTC: ISAKMP: set new node 1723852315 to CONF_XAUTH
Sep 3 16:29:12 UTC: ISAKMP:(1005): sending packet to 4.4.4.4(RemoteIP) my_port 4500 peer_port 50520 (R) CONF_XAUTH
Sep 3 16:29:12 UTC: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Sep 3 16:29:12 UTC: ISAKMP:(1005):purging node 1723852315
Sep 3 16:29:12 UTC: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 3 16:29:12 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
Sep 3 16:29:12 UTC: ISAKMP:(1005):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.4.4.4(RemoteIP))
Sep 3 16:29:12 UTC: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Sep 3 16:29:12 UTC: ISAKMP: Unlocking peer struct 0x2AC3FFF4 for isadb_mark_sa_deleted(), count 0
Sep 3 16:29:12 UTC: ISAKMP: Free peer_index node 0x3
Sep 3 16:29:12 UTC: ISAKMP: Deleting peer node by peer_reap for 4.4.4.4(RemoteIP): 2AC3FFF4
Sep 3 16:29:12 UTC: ISAKMP:(1005):deleting node 1595228160 error FALSE reason "IKE deleted"
Sep 3 16:29:12 UTC: ISAKMP:(1005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 3 16:29:12 UTC: ISAKMP:(1005):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Sep 3 16:29:12 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
interface Virtual-Template1 type tunnel
 zone-member security RemoteVPN
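As an added example that is not part of the original post, the script below triages a debug capture of the kind shown above: it parses the ISAKMP state transitions, the `%FW-6-LOG_SUMMARY` lines and the XAUTH/DELETE notifications, works out how long the SA sat in each IKE state, and reports whether the attempt stalled waiting on AAA, whether the firewall logged IKE as passed or dropped, and who tore the SA down. The sample input is a condensed subset of the post's own lines (labels like `(RemoteIP)` kept in so the parser shows how to tolerate them); the 10-second stall threshold and all function names are assumptions for this example, not anything from the router.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample input: a condensed subset of the ISAKMP state transitions and
# %FW-6-LOG_SUMMARY lines from the post above, with the poster's "(RemoteIP)" /
# "(RouterIP)" labels left in place so the parser shows how to tolerate them.
SAMPLE_DEBUG = """\
Sep 3 16:28:46 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
Sep 3 16:28:46 UTC: ISAKMP:(1005):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
Sep 3 16:28:47 UTC: ISAKMP:(1005):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
Sep 3 16:28:47 UTC: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Sep 3 16:28:52 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Sep 3 16:29:03 UTC: %FW-6-LOG_SUMMARY: 2 packets were passed from 4.4.4.4(RemoteIP):58450 => 1.1.1.1(RouterIP):500 (target:class)-(CSM_Outside-self_1:CSM_ZBF_CLASS_MAP_9)
Sep 3 16:29:03 UTC: %FW-6-LOG_SUMMARY: 8 packets were passed from 4.4.4.4(RemoteIP):50520 => 1.1.1.1(RouterIP):4500 (target:class)-(CSM_Outside-self_1:CSM_ZBF_CLASS_MAP_9)
Sep 3 16:29:11 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
Sep 3 16:29:12 UTC: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
Sep 3 16:29:12 UTC: ISAKMP:(1005): processing DELETE_WITH_REASON payload, message ID = -482620186, reason: DELETE_BY_USER_COMMAND
Sep 3 16:29:12 UTC: ISAKMP:(1005):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
"""

# IOS syslog prefix: optional "*" marker, "Mon D HH:MM:SS[.mmm] UTC: " then the message.
TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)? UTC: (?P<msg>.*)$")
STATE_RE = re.compile(r"ISAKMP:\((?P<sa>\d+)\):Old State = (?P<old>\S+) New State = (?P<new>\S+)")
# The "(?:\([^)]*\))?" after each address tolerates hand-added labels such as "4.4.4.4(RemoteIP)".
FW_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<n>\d+) packets were (?P<action>\w+) from "
    r"(?P<src>[\d.]+)(?:\([^)]*\))?:(?P<sport>\d+) => (?P<dst>[\d.]+)(?:\([^)]*\))?:(?P<dport>\d+) "
    r"\(target:class\)-\((?P<pair>[^:]+):(?P<cls>[^)]+)\)"
)
DELETE_RE = re.compile(r"DELETE_WITH_REASON payload.*reason: (?P<reason>\S+)")
XAUTH_UNEXPECTED_RE = re.compile(r"ISAKMP/xauth: reply attribute (?P<attr>\S+) unexpected")


def parse_timestamp(ts: str) -> datetime:
    # IOS timestamps carry no year; the default year is fine because only deltas are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_events(text: str) -> list[dict]:
    """Turn raw debug lines into typed events, ignoring lines the triage does not need."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts, msg = parse_timestamp(m["ts"]), m["msg"]
        if s := STATE_RE.search(msg):
            events.append({"ts": ts, "kind": "state", "sa": int(s["sa"]), "old": s["old"], "new": s["new"]})
        elif f := FW_RE.search(msg):
            events.append({"ts": ts, "kind": "fw", "packets": int(f["n"]), "action": f["action"],
                           "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"],
                           "dport": int(f["dport"]), "pair": f["pair"], "cls": f["cls"]})
        elif d := DELETE_RE.search(msg):
            events.append({"ts": ts, "kind": "delete", "reason": d["reason"]})
        elif x := XAUTH_UNEXPECTED_RE.search(msg):
            events.append({"ts": ts, "kind": "xauth_unexpected", "attr": x["attr"]})
    return events


def state_dwell(events: list[dict]) -> list[tuple[str, float]]:
    """Seconds the IKE SA spent in each state, derived from consecutive transitions.
    The conn-id changes from 0 to the real SA id after aggressive mode, so transitions are
    treated as one conversation rather than keyed by id."""
    dwell, prev_ts = [], None
    for ev in events:
        if ev["kind"] != "state":
            continue
        if prev_ts is not None:
            dwell.append((ev["old"], (ev["ts"] - prev_ts).total_seconds()))
        prev_ts = ev["ts"]
    return dwell


def triage(text: str, aaa_stall_seconds: float = 10.0) -> dict:
    """Summarise where a failed XAUTH attempt spent its time and who tore the SA down.
    aaa_stall_seconds is an assumed threshold chosen for this example."""
    events = parse_events(text)
    dwell = state_dwell(events)
    states_seen = {ev["new"] for ev in events if ev["kind"] == "state"}
    aaa_wait = sum(secs for state, secs in dwell if state == "IKE_XAUTH_AAA_CONT_LOGIN_AWAIT")
    fw = [ev for ev in events if ev["kind"] == "fw"]
    deletes = [ev for ev in events if ev["kind"] == "delete"]
    slowest = max(dwell, key=lambda d: d[1], default=(None, 0.0))
    return {
        "phase1_completed": "IKE_P1_COMPLETE" in states_seen,
        "xauth_started": "IKE_XAUTH_REQ_SENT" in states_seen,
        "aaa_wait_seconds": aaa_wait,
        "stalled_in_aaa": aaa_wait >= aaa_stall_seconds,
        "slowest_state": slowest[0],
        # Only IKE (UDP 500/4500) is checked; a zone pair without logging drops silently.
        "zbf_dropped_ike": any(ev["action"] == "dropped" and ev["dport"] in (500, 4500) for ev in fw),
        "zbf_passed_ike": any(ev["action"] == "passed" and ev["dport"] in (500, 4500) for ev in fw),
        "peer_deleted_sa": any(ev["reason"] == "DELETE_BY_USER_COMMAND" for ev in deletes),
        "xauth_unexpected_attrs": [ev["attr"] for ev in events if ev["kind"] == "xauth_unexpected"],
    }


if __name__ == "__main__":
    for state, secs in state_dwell(parse_events(SAMPLE_DEBUG)):
        print(f"{secs:5.0f}s in {state}")
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run on the post's lines, the report shows phase 1 complete, IKE on UDP 500/4500 passed by the Outside-self zone pair, and the SA parked for 19 seconds in IKE_XAUTH_AAA_CONT_LOGIN_AWAIT before the client itself sent DELETE_BY_USER_COMMAND; in other words the attempt stalls between the router handing the credentials to AAA and AAA coming back with an answer, not in IKE and not at the Outside-self pair. Treat "no drop logged" with care: ZBF only logs what the class's action is configured to log, so a drop on a zone pair without logging leaves no `%FW-6-LOG_SUMMARY` line at all.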