Solved

CANNOT CONNECT VIA CISCO VPN CLIENT

Posted on 2011-09-07
5
1,500 Views
Last Modified: 2012-06-27
Hi all

I am trying for hours to get a pc with cisco vpn client to connect on a remote site configured with easyvpn, i get the xauth screen and after it says not connected.

27    14:08:23.524  09/07/11  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.3(14)YT1, RELEASE SOFTWARE (fc1)
Synched to version 12.4(1.7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 07-Sep-05 16:58 by ealyon

828    14:08:23.524  09/07/11  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

829    14:08:23.528  09/07/11  Sev=Info/4      CM/0x63100019
Mode Config data received

830    14:08:23.537  09/07/11  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.200.22, GW IP = 93.109.248.210, Remote IP = 0.0.0.0

831    14:08:23.537  09/07/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 93.109.248.210

832    14:08:23.594  09/07/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 93.109.248.210

833    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 93.109.248.210

834    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 93.109.248.210

835    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=3C452402

836    14:08:23.594  09/07/11  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F329FBBD10609C2F R_Cookie=AD3F799962747F6A) reason = DEL_REASON_IKE_NEG_FAILED

837    14:08:24.334  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

838    14:08:26.835  09/07/11  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F329FBBD10609C2F R_Cookie=AD3F799962747F6A) reason = DEL_REASON_IKE_NEG_FAILED

839    14:08:26.835  09/07/11  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

840    14:08:26.835  09/07/11  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

841    14:08:26.872  09/07/11  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

842    14:08:26.872  09/07/11  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

843    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

844    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

845    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

846    14:08:26.974  09/07/11  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped



ANY IDEAS
0
Comment
Question by:giorgosy78
  • 2
  • 2
5 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36494930
Please post your config.  Looks to me like your ISAKMP settings aren't matching what's required.  "DEL_REASON_IKE_NEG_FAILED"  My first guess would be the DH group being used.  EZVPN requires DH group 2.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36494954
DEL_REASON_IKE_NEG_FAILED - looks like config issue
0
 

Author Comment

by:giorgosy78
ID: 36495103
Please find atatched config and let me know pls what i may doing wrong.

Thanks for help
config.txt
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 36506140
Nothing jumps out at me from the config as being wrong.  You definitely have ISAKMP profiles with DH group 2, so that doesn't seem to be the problem.  

Since you say xauth is failing, can you test from the router that you can authenticate the user by using the "test aaa..." command?  (See http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_t1.html#wp1060379)

If that passes, it means the username and password can authenticate, so something else must be happening.  At that point we will probably want to look at some aaa debugs.
0
 

Author Comment

by:giorgosy78
ID: 36508270
Hi and thanks for taking the time to look at the config. However since i needed to do this urgently i have setup PPTP VPN on Windows 2003 and passthrough it through the cisco router.

Thanks
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now