Solved

CANNOT CONNECT VIA CISCO VPN CLIENT

Posted on 2011-09-07
5
1,528 Views
Last Modified: 2012-06-27
Hi all

I am trying for hours to get a pc with cisco vpn client to connect on a remote site configured with easyvpn, i get the xauth screen and after it says not connected.

27    14:08:23.524  09/07/11  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.3(14)YT1, RELEASE SOFTWARE (fc1)
Synched to version 12.4(1.7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 07-Sep-05 16:58 by ealyon

828    14:08:23.524  09/07/11  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

829    14:08:23.528  09/07/11  Sev=Info/4      CM/0x63100019
Mode Config data received

830    14:08:23.537  09/07/11  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.200.22, GW IP = 93.109.248.210, Remote IP = 0.0.0.0

831    14:08:23.537  09/07/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 93.109.248.210

832    14:08:23.594  09/07/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 93.109.248.210

833    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 93.109.248.210

834    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 93.109.248.210

835    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=3C452402

836    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F329FBBD10609C2F R_Cookie=AD3F799962747F6A) reason = DEL_REASON_IKE_NEG_FAILED

837    14:08:24.334  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

838    14:08:26.835  09/07/11  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F329FBBD10609C2F R_Cookie=AD3F799962747F6A) reason = DEL_REASON_IKE_NEG_FAILED

839    14:08:26.835  09/07/11  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

840    14:08:26.835  09/07/11  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

841    14:08:26.872  09/07/11  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

842    14:08:26.872  09/07/11  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

843    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

844    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

845    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

846    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped



ANY IDEAS
0
Comment
Question by:giorgosy78
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36494930
Please post your config.  Looks to me like your ISAKMP settings aren't matching what's required.  "DEL_REASON_IKE_NEG_FAILED"  My first guess would be the DH group being used.  EZVPN requires DH group 2.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36494954
DEL_REASON_IKE_NEG_FAILED - looks like config issue
0
 

Author Comment

by:giorgosy78
ID: 36495103
Please find atatched config and let me know pls what i may doing wrong.

Thanks for help
config.txt
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 36506140
Nothing jumps out at me from the config as being wrong.  You definitely have ISAKMP profiles with DH group 2, so that doesn't seem to be the problem.  

Since you say xauth is failing, can you test from the router that you can authenticate the user by using the "test aaa..." command?  (See http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_t1.html#wp1060379)

If that passes, it means the username and password can authenticate, so something else must be happening.  At that point we will probably want to look at some aaa debugs.
0
 

Author Comment

by:giorgosy78
ID: 36508270
Hi and thanks for taking the time to look at the config. However since i needed to do this urgently i have setup PPTP VPN on Windows 2003 and passthrough it through the cisco router.

Thanks
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now