Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382
  • Last Modified:

Cisco VPN no longer works - PIX 515e

Hi Expert guru's,

I'm having an issue here where our Cisco VPN no longer works. Yesterday, our PIX 515e took a crap and I had to restore the config file. Firewall is back up and operational now, but issue is now management is unable to connect via VPN.

We uses Version 4.6.03 & 5.0.07 of the VPN client. I compared both config files side by side and both are identical. I don't understand why it's not working and my Cisco knowledge is limited.

Here is the log that I received when trying to connect:

Any help is greatly appreciated! Thank you.


------------------------------------------------------------------------------
Cisco Systems VPN Client Version 4.6.03.0021
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      10:05:54.437  11/08/13  Sev=Warning/3    IKE/0xE3000056
The received HASH payload cannot be verified

2      10:05:54.453  11/08/13  Sev=Warning/2    IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

3      10:05:54.453  11/08/13  Sev=Warning/2    IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

4      10:05:54.453  11/08/13  Sev=Warning/2    IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2202)

5      10:06:05.109  11/08/13  Sev=Warning/3    IKE/0xE3000056
The received HASH payload cannot be verified

6      10:06:05.109  11/08/13  Sev=Warning/2    IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

7      10:06:05.109  11/08/13  Sev=Warning/2    IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

8      10:06:05.109  11/08/13  Sev=Warning/2    IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2202)
0
ZerodotZerodotZerodotZero
Asked:
ZerodotZerodotZerodotZero
  • 5
  • 5
1 Solution
 
Ernie BeekExpertCommented:
I think you might want to look at:

Hash verification failed... may be configured with invalid group password

Do you still know what the group password is or should be?
0
 
ArneLoviusCommented:
I've not seen a PIX just lose it's config before.

however, from your log above

Hash verification failed... may be configured with invalid group password.

Open in new window


I would check the Cisco client prf file to make sure that the group password has not changed between the backup that you restored, and the live config when it was running.

Although the password is encrypted in the prf file, there are several tools that can decrypt it.

I use rancid to ensure that any changes to the config are automatically archived.
0
 
Ernie BeekExpertCommented:
You should have something like:
tunnel-group RAVPN ipsec-attributes
pre-shared-key *****


In your config. Might differ a bit, depending on the version of the PIX.
This is where the group password is set. This is also set in the VPN client.
0
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

 
Ernie BeekExpertCommented:
This is also set in the VPN client.
Ah, like ArneLovius said.
Have to remember to refresh before posting :)
0
 
ZerodotZerodotZerodotZeroAuthor Commented:
Group password has been reset. New Group name has been setup with a new Group password and still no go.
0
 
Ernie BeekExpertCommented:
Just to make sure, you also changed that at the clients side?
0
 
ZerodotZerodotZerodotZeroAuthor Commented:
yes, on the client side as well.
0
 
ZerodotZerodotZerodotZeroAuthor Commented:
I may have figured this out. Will confirm.
0
 
Ernie BeekExpertCommented:
Do let us know :)
0
 
ZerodotZerodotZerodotZeroAuthor Commented:
I'm not sure if this have anything to do with it, but I rebooted the firewall and now everything seems to be working.

Management confirmed they are all able to get connected.
0
 
ZerodotZerodotZerodotZeroAuthor Commented:
Rebooted the firewall resolved the issue.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now