Cisco VPN disconnects immediately after authenticating

Here is the log from the client.  I see that it is failing here: DEL_REASON_IKE_NEG_FAILED.  But I just cant seem to find the error in the config. Any help is appreciated.

 

 

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
 
97     08:32:59.231  07/30/15  Sev=Info/4 CM/0x63100002
Begin connection process
 
98     08:32:59.236  07/30/15  Sev=Info/4 CM/0x63100004
Establish secure connection
 
99     08:32:59.236  07/30/15  Sev=Info/4 CM/0x63100024
Attempt connection with server "69.46.48.30"
 
100    08:32:59.240  07/30/15  Sev=Info/6 CM/0x6310002F
Allocated local TCP port 60404 for TCP connection.
 
101    08:32:59.357  07/30/15  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
 
102    08:32:59.357  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
103    08:32:59.357  07/30/15  Sev=Info/6 IPSEC/0x6370002C
Sent 2 packets, 0 were fragmented.
 
104    08:32:59.357  07/30/15  Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to 69.46.48.30, src port 60404, dst port 10000
 
105    08:32:59.358  07/30/15  Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from 69.46.48.30, src port 10000, dst port 60404
 
106    08:32:59.358  07/30/15  Sev=Info/6 IPSEC/0x63700021
TCP ACK sent to 69.46.48.30, src port 60404, dst port 10000
 
107    08:32:59.358  07/30/15  Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "69.46.48.30"
 
108    08:32:59.858  07/30/15  Sev=Info/4 CM/0x63100024
Attempt connection with server "69.46.48.30"
 
109    08:32:59.866  07/30/15  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 69.46.48.30.
 
110    08:32:59.877  07/30/15  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
111    08:32:59.883  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 69.46.48.30
 
112    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
113    08:32:59.902  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 69.46.48.30
 
114    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
115    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
 
116    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports DPD
 
117    08:32:59.902  07/30/15  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
 
118    08:32:59.908  07/30/15  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
 
119    08:32:59.908  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 69.46.48.30
 
120    08:32:59.909  07/30/15  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0xF207, Remote Port = 0x01F4
 
121    08:32:59.909  07/30/15  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
122    08:32:59.922  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
123    08:32:59.922  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
124    08:32:59.922  07/30/15  Sev=Info/4 CM/0x63100015
Launch xAuth application
 
125    08:32:59.925  07/30/15  Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
 
126    08:33:03.664  07/30/15  Sev=Info/4 CM/0x63100017
xAuth application returned
 
127    08:33:03.664  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
128    08:33:03.776  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
129    08:33:03.777  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
130    08:33:03.777  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
131    08:33:03.778  07/30/15  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
132    08:33:03.785  07/30/15  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
 
133    08:33:03.786  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 69.46.48.30
 
134    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
135    08:33:03.798  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 69.46.48.30
 
136    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.100.10
 
137    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
 
138    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.1.1.20
 
139    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 69.46.48.13
 
140    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
 
141    08:33:03.798  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x0000000B
 
142    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.5.5.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
143    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = 10.100.1.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
144    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #3
subnet = 10.101.0.0
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
145    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #4
subnet = 10.1.0.0
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
146    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #5
subnet = 10.50.0.0
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
147    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #6
subnet = 10.1.40.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
148    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #7
subnet = 10.51.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
149    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #8
subnet = 10.52.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
150    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #9
subnet = 10.55.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
 
151    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #10
subnet = 10.60.0.0
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
152    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #11
subnet = 10.30.0.0
mask = 255.255.0.0
protocol = 0
src port = 0
dest port=0
 
153    08:33:03.799  07/30/15  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = peoplescom.local
 
154    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
 
155    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.0(4) built by builders on Thu 07-Aug-08 20:53
 
156    08:33:03.800  07/30/15  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
 
157    08:33:03.802  07/30/15  Sev=Info/4 CM/0x63100019
Mode Config data received
 
158    08:33:03.810  07/30/15  Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.16.100.10, GW IP = 69.46.48.30, Remote IP = 0.0.0.0
 
159    08:33:03.810  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 69.46.48.30
 
160    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
161    08:33:03.830  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 69.46.48.30
 
162    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
 
163    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396 seconds from now
 
164    08:33:03.830  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
165    08:33:03.831  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
166    08:33:03.831  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
167    08:33:03.831  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
168    08:33:03.832  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
169    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 69.46.48.30
 
170    08:33:03.832  07/30/15  Sev=Info/5 IKE/0x63000073
All fragments received.
 
171    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 69.46.48.30
 
172    08:33:03.832  07/30/15  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 69.46.48.30
 
173    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=3E68C570
 
174    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40) reason = DEL_REASON_IKE_NEG_FAILED
 
175    08:33:03.833  07/30/15  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 69.46.48.30
 
176    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40
 
177    08:33:03.833  07/30/15  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 69.46.48.30
 
178    08:33:03.915  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
179    08:33:03.916  07/30/15  Sev=Info/6 IPSEC/0x6370002C
Sent 5 packets, 0 were fragmented.
 
180    08:33:03.916  07/30/15  Sev=Info/6 IPSEC/0x6370001D
TCP RST received from 69.46.48.30, src port 10000, dst port 60404
 
181    08:33:06.957  07/30/15  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=617FC15C827335C7 R_Cookie=CDE7EF9A4E0D2D40) reason = DEL_REASON_IKE_NEG_FAILED
 
182    08:33:06.957  07/30/15  Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
183    08:33:06.958  07/30/15  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
 
184    08:33:06.966  07/30/15  Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000
 
185    08:33:06.967  07/30/15  Sev=Info/6 CM/0x63100030
Removed local TCP port 60404 for TCP connection.
 
186    08:33:06.972  07/30/15  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
 
187    08:33:06.973  07/30/15  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
 
188    08:33:06.976  07/30/15  Sev=Info/6 IPSEC/0x63700023
TCP RST sent to 69.46.48.30, src port 60404, dst port 10000
 
189    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
190    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
191    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
 
192    08:33:06.977  07/30/15  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
 
 
 
 
 
 
 
 
config:
access-list remote_vpn_client_splitTunnelAcl standard permit 10.5.5.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.50.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.1.40.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.51.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.52.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.55.0.0 255.255.255.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.60.0.0 255.255.0.0
access-list remote_vpn_client_splitTunnelAcl standard permit 10.30.0.0 255.255.0.0
 
 
ip local pool remote_vpn_pool 172.16.100.10-172.16.100.50 mask 255.255.255.0
 
 
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server radiusgroup protocol radius
aaa-server radiusgroup (inside) host 10.1.1.20
 timeout 5
 key ***
 
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set nat-t-disable
 
crypto isakmp identity address
crypto isakmp enable outside
 
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
 
 
group-policy remote_vpn_client internal
group-policy remote_vpn_client attributes
 dns-server value 10.1.1.20 69.46.48.13
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote_vpn_client_splitTunnelAcl
 default-domain value peoplescom.local
 
tunnel-group remote_vpn_client type remote-access
tunnel-group remote_vpn_client general-attributes
 address-pool remote_vpn_pool
 authentication-server-group (outside) radiusgroup
 default-group-policy remote_vpn_client
tunnel-group remote_vpn_client ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 900 retry 2
 
 
Then attached is a debug output from the ASA.
debug-asa-vpn-issue.txt
LVL 4
ddsviAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ddsviAuthor Commented:
I found my issue. I was missing my crypto map statement...

crypto map vpnmsm 30 ipsec-isakmp dynamic outside_dyn_map
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.