Solved

Cisco VPN client won't connect to PIX506

Posted on 2014-04-15
Last Modified: 2014-04-21
Last week, without warning, all of my remote VPN clients lost the ability to connect and establish a VPN session to our PIX 506. Everything had been working fine one day, then stopped the next. Nothing changed on the PIX, same ISP on the host side, same everything, but no client can connect.

The PCs my users are trying to connect from are a mix of Windows XP, Windows 7, and Windows 8. All are running the Cisco VPN client 5.0.07, 32-bit or 64-bit where applicable. When I try to connect, the VPN client appears to reach out to the PIX and start negotiating, says it's securing communications, then times out and says "Not Connected".

I have no idea why it worked fine for everyone one day, and stopped for everyone the next.

I will post a connection log from one of the clients in a separate post.

I'm not an experienced CISCO guy, so any help would be greatly appreciated.

Thanks.
Question by:NShifflett
Author Comment

by:NShifflett
ID: 40002140
Below is a log from one of the VPN clients that is experiencing the problem. Please note that for privacy I have changed every occurrence of our actual external IP to "999.999.999.999" and our domain to "myworkdomain.com". Everything else was left as-is.

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

52     15:43:01.968  04/14/14  Sev=Info/4      CM/0x63100002
Begin connection process

53     15:43:02.015  04/14/14  Sev=Info/4      CM/0x63100004
Establish secure connection

54     15:43:02.015  04/14/14  Sev=Info/4      CM/0x63100024
Attempt connection with server "999.999.999.999"

55     15:43:02.031  04/14/14  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 999.999.999.999.

56     15:43:02.031  04/14/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

57     15:43:02.062  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 999.999.999.999

58     15:43:02.093  04/14/14  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

59     15:43:02.093  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

60     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

61     15:43:04.781  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 999.999.999.999

62     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

63     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer supports DPD

64     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

65     15:43:04.781  04/14/14  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025

66     15:43:04.796  04/14/14  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

67     15:43:04.796  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 999.999.999.999

68     15:43:04.796  04/14/14  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0443, Remote Port = 0x01F4

69     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

70     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

71     15:43:04.859  04/14/14  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

72     15:43:04.859  04/14/14  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

73     15:43:04.859  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 999.999.999.999

74     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

75     15:43:04.953  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 999.999.999.999

76     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

77     15:43:04.953  04/14/14  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now

78     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

79     15:43:05.031  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 999.999.999.999

80     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.3.249

81     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.1.3.14

82     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 10.1.3.14

83     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = myworkdomain.com

84     15:43:05.031  04/14/14  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

85     15:43:05.031  04/14/14  Sev=Info/4      CM/0x63100019
Mode Config data received

86     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 10.1.3.249, GW IP = 999.999.999.999, Remote IP = 0.0.0.0

87     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 999.999.999.999

88     15:43:05.078  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

89     15:43:05.343  04/14/14  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 999.999.999.999

90     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 999.999.999.999

91     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 999.999.999.999

92     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=7C3856AA

93     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=E5B711386352E016 R_Cookie=0A8777D7A04BAC95) reason = DEL_REASON_IKE_NEG_FAILED

94     15:43:08.578  04/14/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E5B711386352E016 R_Cookie=0A8777D7A04BAC95) reason = DEL_REASON_IKE_NEG_FAILED

95     15:43:08.578  04/14/14  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

96     15:43:08.578  04/14/14  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

97     15:43:08.593  04/14/14  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

98     15:43:08.593  04/14/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

99     15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

100    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

101    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

102    15:43:08.593  04/14/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Expert Comment

by:Hassan Besher
ID: 40002191
Can you post the running config for the PIX?

Author Comment

by:NShifflett
ID: 40002200
Yes, I will. Can you please tell me the easiest way to get that listing?

Expert Comment

by:Hassan Besher
ID: 40002210
PIX506# sh run

At the command line, get me the result of the #sh running command.

Author Comment

by:NShifflett
ID: 40002222
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable <REMOVED FOR PRIVACY> encrypted
passwd <REMOVED FOR PRIVACY> encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any host 10.1.3.37
access-list outside_cryptomap_dyn_20 permit ip any host 10.1.3.37
pager lines 24
logging on
logging trap informational
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.1.3.16 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool MISPOOL2 10.1.3.246-10.1.3.252
pdm location 10.1.12.0 255.255.255.0 inside
pdm location 10.1.12.5 255.255.255.255 inside
pdm location 10.1.9.5 255.255.255.255 inside
pdm location 10.1.9.0 255.255.255.0 inside
pdm location 10.1.13.5 255.255.255.255 inside
pdm location 10.1.13.0 255.255.255.0 inside
pdm location 10.1.15.5 255.255.255.255 inside
pdm location 10.1.15.0 255.255.255.0 inside
pdm location 10.1.3.200 255.255.255.255 inside
pdm location 10.1.3.1 255.255.255.255 inside
pdm location 10.1.3.34 255.255.255.255 inside
pdm location 216.217.32.77 255.255.255.255 outside
pdm location 216.217.32.0 255.255.255.0 outside
pdm location 10.1.3.37 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 6600 10.1.3.1 6600 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6601 10.1.3.1 6601 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6600 10.1.3.1 6600 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 6601 10.1.3.1 6601 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.1.9.0 255.255.255.0 10.1.3.5 1
route inside 10.1.12.0 255.255.255.0 10.1.3.5 1
route inside 10.1.13.0 255.255.255.0 10.1.3.5 1
route inside 10.1.15.0 255.255.255.0 10.1.3.5 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup MPIMIS address-pool MISPOOL2
vpngroup MPIMIS dns-server 10.1.3.14
vpngroup MPIMIS wins-server 10.1.3.14
vpngroup MPIMIS default-domain myworkidomain.com
vpngroup MPIMIS idle-time 1800
vpngroup MPIMIS password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.3.101-10.1.3.175 inside
dhcpd dns 10.1.3.14
dhcpd wins 10.1.3.14
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username <REMOVED> password <REMOVED> encrypted privilege 15
terminal width 80
Cryptochecksum:3b753d6571e24b43debe3c4256522161
: end
[OK]

Author Comment

by:NShifflett
ID: 40002225
Hopefully the config I just posted works for you. I used "Show Running Configuration in New Window" from within PDM. If this won't do it, let me know and I'll try your method.

Expert Comment

by:Hassan Besher
ID: 40002330
Let us check another thing. An IPsec policy mismatch in the log usually means an IPsec policy mismatch: double-check your client security parameters (encryption and authentication algorithms) to make sure they match the settings of your PIX.
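As an added diagnostic aid, not code from this thread or from Cisco: a small Python parser for the Cisco VPN Client 5.x log layout posted above that pairs each header line with its message and reports whether the peer's NO_PROPOSAL_CHOSEN arrived before or after the client sent its Quick Mode proposal, which tells you whether the ISAKMP policy or the IPsec transform-set is the side to compare. The sample log is a constructed excerpt of the one above with 192.0.2.1 as a placeholder peer address; the checker also covers the Phase 1 rejection case the thread does not show.

```python
import re
from collections import namedtuple
# Constructed excerpt in the Cisco VPN Client 5.x log layout: header "<seq> <time> <date> Sev=<lvl> <module>/<code>", then the message line.
SAMPLE_LOG = """\
56     15:43:02.031  04/14/14  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation
69     15:43:04.796  04/14/14  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
87     15:43:05.046  04/14/14  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.0.2.1
90     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 192.0.2.1
93     15:43:05.343  04/14/14  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=E5B711386352E016 R_Cookie=0A8777D7A04BAC95) reason = DEL_REASON_IKE_NEG_FAILED
"""

HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
Entry = namedtuple("Entry", "seq time module code message")

def parse_log(text):
    """Pair each header line with the message line that follows it."""
    entries, hdr = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            hdr = m
        elif hdr and line.strip():
            entries.append(Entry(int(hdr[1]), hdr[2], hdr[5], hdr[6], line.strip()))
            hdr = None
    return entries

def diagnose(entries):
    """Walk the entries in order and report the stage at which the exchange stopped."""
    stage = "not-started"
    for e in entries:
        msg = e.message
        if msg.startswith("Starting IKE Phase 1"):
            stage = "phase1"
        elif msg.startswith("Established Phase 1 SA"):
            stage = "phase1-established"
        elif msg.startswith("SENDING") and "ISAKMP OAK QM" in msg:
            stage = "phase2-proposed"  # client has sent its IPsec (Quick Mode) proposal
        elif "NOTIFY:NO_PROPOSAL_CHOSEN" in msg:
            # The peer rejected a proposal; which parameters to compare depends on the stage.
            if stage == "phase2-proposed":
                return "phase2-rejected", "compare the client's IPsec proposal with the PIX transform-set and crypto map"
            return "phase1-rejected", "compare the client's ISAKMP proposal with the PIX isakmp policy"
        elif "DEL_REASON_IKE_NEG_FAILED" in msg:
            return stage + "-failed", msg
    return stage, "no failure recorded"
```

Run `diagnose(parse_log(open("vpnclient.log").read()))` against a real client log to get the stage and the hint in one call.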

Accepted Solution

by:NShifflett
ID: 40004630
I was unable to find anything mismatched anywhere in the configuration between the client and the PIX. I decided to run through the VPN wizard to try and set things up again from scratch - that worked. The client PCs can now connect and access network resources.

Thank you for trying to help.

Author Closing Comment

by:NShifflett
ID: 40012218
I was able to resolve the problem myself independent of any advice I received for my question, so I accepted my own resolution as the answer.  I rated it "C" since I stumbled into the resolution.