
  • Status: Solved
  • Priority: Medium
  • Security: Public

Cisco VPN client won't connect to PIX506

Last week without warning, all of my remote VPN clients lost the ability to connect and establish a VPN session to our PIX 506.  Everything had been working fine one day, then stopped the next.  Nothing changed on the PIX, same ISP on the host side, same everything, but no client can connect.

The PCs my users are trying to connect from are a mix of Windows XP, Windows 7, and Windows 8.  All are running the Cisco VPN client 5.0.07, 32-bit or 64-bit where applicable.  When I try to connect, the VPN client appears to reach out to the PIX and start negotiating, says it's securing communications, then times out and says "Not Connected".

I have no idea why it worked fine for everyone one day, and stopped for everyone the next.

I will post a connection log from one of the clients in a separate post.

I'm not an experienced CISCO guy, so any help would be greatly appreciated.

NShifflettAuthor Commented:
Below is a log from one of the VPN clients that is experiencing the problem.  Please note that for privacy I have changed every occurrence of our actual external IP with "999.999.999.999" and our domain to "".  Everything else was left as-is.

Cisco Systems VPN Client Version
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

52     15:43:01.968  04/14/14  Sev=Info/4      CM/0x63100002
Begin connection process

53     15:43:02.015  04/14/14  Sev=Info/4      CM/0x63100004
Establish secure connection

54     15:43:02.015  04/14/14  Sev=Info/4      CM/0x63100024
Attempt connection with server "999.999.999.999"

55     15:43:02.031  04/14/14  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 999.999.999.999.

56     15:43:02.031  04/14/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

57     15:43:02.062  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 999.999.999.999

58     15:43:02.093  04/14/14  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

59     15:43:02.093  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

60     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

61     15:43:04.781  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 999.999.999.999

62     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

63     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer supports DPD

64     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

65     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025

66     15:43:04.796  04/14/14  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

67     15:43:04.796  04/14/14  Sev=Info/4      IKE/0x63000013

68     15:43:04.796  04/14/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0443, Remote Port = 0x01F4

69     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

70     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

71     15:43:04.859  04/14/14  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

72     15:43:04.859  04/14/14  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

73     15:43:04.859  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 999.999.999.999

74     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

75     15:43:04.953  04/14/14  Sev=Info/4      IKE/0x63000014

76     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

77     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now

78     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

79     15:43:05.031  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 999.999.999.999

80     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010

81     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value =

82     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value =

83     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300000E

84     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

85     15:43:05.031  04/14/14  Sev=Info/4      CM/0x63100019
Mode Config data received

86     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP =, GW IP = 999.999.999.999, Remote IP =

87     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 999.999.999.999

88     15:43:05.078  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

89     15:43:05.343  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

90     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000014

91     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 999.999.999.999

92     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=7C3856AA

93     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=E5B711386352E016 R_Cookie=0A8777D7A04BAC95) reason = DEL_REASON_IKE_NEG_FAILED

94     15:43:08.578  04/14/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E5B711386352E016 R_Cookie=0A8777D7A04BAC95) reason = DEL_REASON_IKE_NEG_FAILED

95     15:43:08.578  04/14/14  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

96     15:43:08.578  04/14/14  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

97     15:43:08.593  04/14/14  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

98     15:43:08.593  04/14/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

99     15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

100    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

101    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

102    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
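The log above is worth reading as a state machine rather than line by line: Phase 1 completes (entries 69 and 70 show the ISAKMP SA built and XAUTH passed), mode-config attributes arrive (entry 85), the client sends its Quick Mode proposal (entry 87), and only then does it tear everything down (entries 91 to 95, reason DEL_REASON_IKE_NEG_FAILED). That places the failure in Phase 2, the IPsec SA negotiation. The parser below is an added example, not code from the original post or from Cisco: it splits a Cisco VPN Client 5.x log into entries, records the furthest milestone reached, and reports where the client gave up and why. The embedded log is a constructed excerpt in the same layout as the posted one, with an RFC 5737 address standing in for the peer.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Cisco VPN Client 5.x log layout (header line, then the
# message on the next line, then a blank line). Sequence numbers follow the posted
# log; 203.0.113.10 is an RFC 5737 documentation address, not the poster's peer.
SAMPLE_LOG = """\
52     15:43:01.968  04/14/14  Sev=Info/4      CM/0x63100002
Begin connection process

56     15:43:02.031  04/14/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

69     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

70     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

85     15:43:05.031  04/14/14  Sev=Info/4      CM/0x63100019
Mode Config data received

87     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.0.113.10

91     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 203.0.113.10

92     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=7C3856AA

95     15:43:08.578  04/14/14  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sevname>\w+)/(?P<sev>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Entry:
    seq: int
    module: str
    code: str
    message: str

def parse_log(text):
    """Split the client log into (seq, module, code, message) entries."""
    lines = text.splitlines()
    entries, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # a blank or header line where the message belongs means the text was lost
        # (the posted log has several such entries); keep the entry with an empty message
        message = "" if HEADER.match(nxt) else nxt.strip()
        entries.append(Entry(int(m["seq"]), m["module"], m["code"], message))
        i += 1 if HEADER.match(nxt) else 2
    return entries

# Milestones in the order the Unity client reaches them; the furthest one seen
# tells you which phase of the handshake did not complete.
STAGES = [
    ("phase1_started",  re.compile(r"^Starting IKE Phase 1 Negotiation")),
    ("phase1_up",       re.compile(r"^Established Phase 1 SA\.")),
    ("xauth_ok",        re.compile(r"^Established Phase 1 SA\..*[1-9]\d* User Authenticated")),
    ("modecfg_ok",      re.compile(r"^Mode Config data received")),
    ("phase2_proposed", re.compile(r"^SENDING >>> ISAKMP OAK QM")),
]
FAILURE = re.compile(r"^Discarding IPsec SA negotiation")
TEARDOWN = re.compile(r'Phase 1 SA deleted before first Phase 2 SA is up cause by "(?P<reason>\w+)"')

VERDICTS = {
    "no_ike":          "no IKE activity at all: check the peer address the client is using",
    "phase1_started":  "no Phase 1 SA: ISAKMP policy, group name/pre-shared key, or UDP/500 reachability",
    "phase1_up":       "Phase 1 SA built but XAUTH never completed: user credentials or the AAA server",
    "xauth_ok":        "XAUTH passed but no mode-config data: the vpngroup address pool and attributes",
    "modecfg_ok":      "mode-config done but no Quick Mode sent: client-side IPsec driver or policy",
    "phase2_proposed": "Phase 1, XAUTH and mode-config completed; the IPsec (Phase 2) proposal did not "
                       "complete: check the peer's transform-set, dynamic crypto map and crypto ACL",
}

def diagnose(text):
    """Furthest stage reached, the entry where the client gave up, and the stated reason."""
    reached, failed_seq, reason = 0, None, None
    for e in parse_log(text):
        for idx, (_, pat) in enumerate(STAGES, start=1):
            if pat.search(e.message) and idx > reached:
                reached = idx
        if failed_seq is None and FAILURE.search(e.message):
            failed_seq = e.seq
        m = TEARDOWN.search(e.message)
        if m:
            reason = m["reason"]
    stage = STAGES[reached - 1][0] if reached else "no_ike"
    return {"stage": stage, "failed_seq": failed_seq, "reason": reason, "verdict": VERDICTS[stage]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the posted log, the result is stage `phase2_proposed` with the failure at entry 92, which is why the group password, XAUTH credentials and mode-config settings can be ruled out before touching the PIX: everything up to Quick Mode was accepted by the peer.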
Hassan BesherCommented:
can you post the running config for pix?
NShifflettAuthor Commented:
Yes, I will.  Can you please tell me the easiest way to get that listing?
Hassan BesherCommented:
PIX506# sh run

At the command line, get me the result of the "sh run" command.
NShifflettAuthor Commented:
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable <REMOVED FOR PRIVACY> encrypted
passwd <REMOVED FOR PRIVACY> encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inside_outbound_nat0_acl permit ip any host
access-list outside_cryptomap_dyn_20 permit ip any host
pager lines 24
logging on
logging trap informational
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool MISPOOL2
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp interface 6600 6600 netmask 0 0
static (inside,outside) tcp interface 6601 6601 netmask 0 0
static (inside,outside) udp interface 6600 6600 netmask 0 0
static (inside,outside) udp interface 6601 6601 netmask 0 0
route outside 1
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MPIMIS address-pool MISPOOL2
vpngroup MPIMIS dns-server
vpngroup MPIMIS wins-server
vpngroup MPIMIS default-domain
vpngroup MPIMIS idle-time 1800
vpngroup MPIMIS password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username <REMOVED> password <REMOVED> encrypted privilege 15
terminal width 80
: end
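The remote-access VPN in a PIX 6.3 config is a chain of references: a crypto map bound to the outside interface points at a dynamic map, the dynamic map names a transform-set and a crypto ACL, the vpngroup names an address pool, and nat 0 names an exemption ACL. If any link is missing or misspelled, Phase 1 still succeeds and Phase 2 fails, which matches the client log above. The checker below is an added example, not Cisco's or the poster's code: it walks those references over a running-config and also flags settings a reviewer would raise even when the tunnel works (the default SNMP community, and 3DES/MD5 with DH group 2, which is 1024-bit). The embedded config is a constructed excerpt modelled on the posted one, with RFC 5737 placeholder addresses where the poster blanked theirs.

```python
import re

# Constructed sample modelled on the PIX 6.3 running-config posted above. The addresses
# are RFC 5737 placeholders (the posted config had them blanked), not the poster's.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip any 192.0.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.0.2.0 255.255.255.0
ip local pool MISPOOL2 192.0.2.10-192.0.2.50
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MPIMIS address-pool MISPOOL2
vpngroup MPIMIS idle-time 1800
vpngroup MPIMIS password ********
"""

def _grep(config, pattern):
    """Match objects for every config line that starts with `pattern`."""
    rx = re.compile(pattern)
    return [m for m in (rx.match(line.strip()) for line in config.splitlines()) if m]

LEGACY = re.compile(r"\b(des|3des|md5|group [12])\b")  # DES/3DES, MD5, 768/1024-bit DH

def audit(config):
    """(level, message) findings: ERROR = clients cannot connect, WARN = works but weak."""
    findings = []
    err = lambda msg: findings.append(("ERROR", msg))
    warn = lambda msg: findings.append(("WARN", msg))

    # 1. ISAKMP enabled on an interface, and a crypto map bound to that same interface
    isakmp_ifaces = {m[1] for m in _grep(config, r"isakmp enable (\S+)")}
    bound = {m[2]: m[1] for m in _grep(config, r"crypto map (\S+) interface (\S+)")}
    if not isakmp_ifaces:
        err("no 'isakmp enable <interface>'")
    for iface in isakmp_ifaces - set(bound):
        err(f"isakmp enabled on {iface} but no crypto map is bound to that interface")

    # 2. crypto map -> dynamic map -> transform-set and crypto ACL must all resolve
    transform_sets = {m[1] for m in _grep(config, r"crypto ipsec transform-set (\S+)")}
    acls = {m[1] for m in _grep(config, r"access-list (\S+) ")}
    dyn_ts = {m[1]: m[2] for m in _grep(config, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)")}
    dyn_acl = {m[1]: m[2] for m in _grep(config, r"crypto dynamic-map (\S+) \d+ match address (\S+)")}
    for m in _grep(config, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        dyn = m[2]
        if dyn not in dyn_ts:
            err(f"crypto map {m[1]} uses dynamic map {dyn}, which sets no transform-set")
        elif dyn_ts[dyn] not in transform_sets:
            err(f"dynamic map {dyn} uses undefined transform-set {dyn_ts[dyn]}")
        if dyn in dyn_acl and dyn_acl[dyn] not in acls:
            err(f"dynamic map {dyn} matches undefined access-list {dyn_acl[dyn]}")

    # 3. the vpngroup's address pool and the nat 0 exemption ACL must exist
    pools = {m[1] for m in _grep(config, r"ip local pool (\S+)")}
    for m in _grep(config, r"vpngroup (\S+) address-pool (\S+)"):
        if m[2] not in pools:
            err(f"vpngroup {m[1]} uses undefined address pool {m[2]}")
    for m in _grep(config, r"nat \(\S+\) 0 access-list (\S+)"):
        if m[1] not in acls:
            err(f"nat 0 references undefined access-list {m[1]}")

    # 4. does not stop the tunnel, but a reviewer would still flag it
    if not _grep(config, r"sysopt connection permit-ipsec"):
        warn("no 'sysopt connection permit-ipsec': decrypted VPN traffic must be permitted by the outside ACL")
    if _grep(config, r"snmp-server community public"):
        warn("SNMP community 'public' is the well-known default")
    for m in _grep(config, r"(crypto ipsec transform-set|isakmp policy) .*"):
        if LEGACY.search(m[0]):
            warn(f"legacy algorithm or DH group in: {m[0]}")
    return findings

if __name__ == "__main__":
    for level, msg in audit(SAMPLE_CONFIG):
        print(level, msg)
```

On the sample the reference chain is intact (no ERROR findings), which is consistent with the poster's experience that the posted config looked right; the WARN findings are the ones to take to a change request once the tunnel is working again.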
NShifflettAuthor Commented:
Hopefully the config I just posted works for you.  I used "Show Running Configuration in New Window" from within PDM.   If this won't do it, let me know and I'll try your method.
Hassan BesherCommented:
Let us check another thing. An IPsec policy mismatch in the log usually means exactly that: double-check your client security parameters (encryption and authentication algorithms) to make sure they match the settings of your PIX.
NShifflettAuthor Commented:
I was unable to find anything mismatched anywhere in the configuration between the client and the PIX.  I decided to run through the VPN wizard to try and set things up again from scratch; that worked.  The client PCs can now connect and access network resources.

Thank you for trying to help.
NShifflettAuthor Commented:
I was able to resolve the problem myself independent of any advice I received for my question, so I accepted my own resolution as the answer.  I rated it "C" since I stumbled into the resolution.