First Pix-NoGo

tsgint

IS-IT--Management
May 8, 2001
CA
Thanks for help YIZHAR but
Still unable to connect to VPN.
Configuration as follows:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol smtp 25
names
name 10.0.0.49 PixConsole1
name 10.0.0.101 MailSvr
name 10.0.0.99 WebSvr
access-list svrs_out permit tcp any host 111.111.111.226 eq www
access-list svrs_out permit tcp any host 111.111.111.227 eq smtp
access-list svrs_out permit udp any host 111.111.111.227 eq domain
access-list svrs_out permit tcp any host 111.111.111.227 eq 139
access-list svrs_out permit udp any host 111.111.111.227 eq netbios-ns
access-list svrs_out permit udp any host 111.111.111.227 eq netbios-dgm
access-list localtovpnclient permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonatinside permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside PixConsole1
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.230 255.255.255.248
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclientpool 10.0.1.1-10.0.1.99
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 10.0.0.49 255.255.255.255 inside
pdm location PixConsole1 255.255.255.255 inside
pdm location WebSvr 255.255.255.255 inside
pdm location MailSvr 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 111.111.111.228-111.111.111.229
global (outside) 1 interface
nat (inside) 0 access-list nonatinside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.111.111.226 WebSvr netmask 255.255.255.255 0 0
static (inside,outside) 111.111.111.227 MailSvr netmask 255.255.255.255 0 0
access-group svrs_out in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http PixConsole1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set mytransform esp-3des
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup tfdlvpn address-pool vpnclientpool
vpngroup tfdlvpn split-tunnel localtovpnclient
vpngroup tfdlvpn idle-time 1800
vpngroup tfdlvpn password ********
telnet PixConsole1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Attempt to vpn in to 111.111.111.230 get this
log on Cisco vpn 3.6
1 16:01:04.820 10/24/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.
2 16:01:04.830 10/24/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 111.111.111.230.
3 16:01:05.181 10/24/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 111.111.111.230
4 16:01:05.682 10/24/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5 16:01:10.188 10/24/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 111.111.111.230
6 16:01:15.195 10/24/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 111.111.111.230
7 16:01:20.202 10/24/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 111.111.111.230
8 16:01:25.220 10/24/02 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
9 16:01:25.270 10/24/02 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
10 16:01:26.291 10/24/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys


What am I missing????or wrong about here?
snrtech
'The more I know - the more I get wrong'


The more I know...the dumber I get.
snrtech
 
HI.

The configuration seems fine to me.

Did you try with a client using dial-up connection to ISP?
Did you try with a client connected directly to pix outside using Ethernet (only)?
What about the syslog messages at the pix side, what do you get there?
Can the client ping the pix outside interface?
No software firewall at the client side???
Not even the XP built in ICF in the internet connection properties?
What is the client OS?
What is the client Internet connection type?
Try another client, what do you get?

Bye
Yizhar Hurwitz
 
Client connected to pix outside:
1 12:24:33.755 10/28/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.
2 12:24:33.765 10/28/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 209.202.101.230.
3 12:24:34.155 10/28/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 209.202.101.230
4 12:24:34.165 10/28/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 209.202.101.230
5 12:24:34.165 10/28/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 209.202.101.230
6 12:24:34.165 10/28/02 Sev=Info/5 IKE/0x6300004A
Discarding IKE SA negotiation
7 12:24:34.756 10/28/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
8 12:24:35.708 10/28/02 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).
9 12:24:36.739 10/28/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys


Looks like it's trying to get a connection but failing.
Can ping both from remote and pc on outside of pix.
Not sure how to turn on logging of ipsec etc...Just syslog
at the debugging level at moment and don't see any ipsec
messages.
No software firewall....Using an nt4 machine on outside
interface of pix.
What alternate client do you suggest?
Talk about frustrating....this should be moderately
simple...just to use the pix to terminate a vpn tunnel.
Tks for any suggestions.
snrtech
'The more I work...the behinder I get'

The more I know...the dumber I get.
snrtech
 
HI.

> isakmp policy 10 encryption 3des
Is 3DES enabled on your pix?
Check with "show version".

> NOTIFY:NO_PROPOSAL_CHOSEN
This is different from the first log you have posted, which means that you should keep on troubleshooting with the VPN client connected directly to the pix first, and only after it works try with real remote connections.

What exactly is the VPN client software and version?

Bye
Yizhar Hurwitz
 
Here's my guess:

Allow udp 500 in to the address 111.111.111.230, and also allow protocol 50 ESP to the same address.

access-list svrs_out permit 50 any host 111.111.111.230
access-list svrs_out permit udp any host 111.111.111.230 eq 500
 
Further in now:
Client NT4 with VPN 3.6 on outside interface of Pix.
Note step 33,77,107...What now? and how do I check.
At least some idea of what is going on...didn't think
I would have to become a pix expert to get this working -
ah well a little knowledge etc.

1 15:31:28.663 10/29/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.
2 15:31:28.673 10/29/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 111.111.111.230.
3 15:31:28.964 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 111.111.111.230
4 15:31:29.064 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
6 15:31:29.985 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, KE, ID, NON, HASH) from 111.111.111.230
7 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
8 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
10 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x63000001
Peer supports DPD
11 15:31:29.985 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 298CDE59727C2FC95D535E75AB62F64D
12 15:31:30.376 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 111.111.111.230
13 15:31:30.957 10/29/02 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
14 15:31:30.957 10/29/02 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Protection Policy).
15 15:31:30.967 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 111.111.111.230
16 15:31:30.967 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
17 15:31:30.967 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 111.111.111.230
18 15:31:30.967 10/29/02 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds
19 15:31:30.967 10/29/02 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
20 15:31:31.758 10/29/02 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
21 15:31:31.758 10/29/02 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Protection Policy).
22 15:31:31.768 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 111.111.111.230
23 15:31:31.768 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
24 15:31:31.778 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 111.111.111.230
25 15:31:31.778 10/29/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.1
26 15:31:31.778 10/29/02 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000002
27 15:31:31.778 10/29/02 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
28 15:31:31.778 10/29/02 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = 111.111.111.230
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
29 15:31:31.798 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 111.111.111.230, GW IP = 111.111.111.230
30 15:31:31.798 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
31 15:31:31.808 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
32 15:31:31.808 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ) from 111.111.111.230
33 15:31:31.808 10/29/02 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x5E14CCE1)
34 15:31:31.808 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
35 15:31:31.818 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
36 15:31:31.818 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
37 15:31:31.818 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = 72DA5B85
38 15:33:25.642 10/29/02 Sev=Info/6 DIALER/0x63300004
Canceling connection.
39 15:33:25.642 10/29/02 Sev=Info/5 IKE/0x63000017
Marking IKE SA for deletion (COOKIES = 9910729BC2934F38 DC4B7944727D2FC9) reason = DEL_REASON_RESET_SADB
40 15:33:25.642 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 111.111.111.230
41 15:33:25.702 10/29/02 Sev=Info/6 DIALER/0x63300005
Connection canceled.
42 15:33:26.683 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 15:33:26.683 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 15:33:26.683 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 15:34:33.169 10/29/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.
46 15:34:33.179 10/29/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 111.111.111.230.
47 15:34:33.449 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 111.111.111.230
48 15:34:33.589 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
49 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
50 15:34:34.521 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, KE, ID, NON, HASH) from 111.111.111.230
51 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
52 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
53 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
54 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x63000001
Peer supports DPD
55 15:34:34.521 10/29/02 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 298CDE59012149D1DBEF8F3223553993
56 15:34:34.791 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 111.111.111.230
57 15:34:35.091 10/29/02 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
58 15:34:35.091 10/29/02 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Protection Policy).
59 15:34:35.101 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 111.111.111.230
60 15:34:35.101 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
61 15:34:35.101 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 111.111.111.230
62 15:34:35.101 10/29/02 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds
63 15:34:35.101 10/29/02 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now
64 15:34:35.402 10/29/02 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
65 15:34:35.402 10/29/02 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Protection Policy).
66 15:34:35.412 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 111.111.111.230
67 15:34:35.412 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
68 15:34:35.412 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 111.111.111.230
69 15:34:35.412 10/29/02 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.1
70 15:34:35.412 10/29/02 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000002
71 15:34:35.412 10/29/02 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.0.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
72 15:34:35.412 10/29/02 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = 111.111.111.230
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
73 15:34:35.432 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 111.111.111.230, GW IP = 111.111.111.230
74 15:34:35.442 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
75 15:34:35.442 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
76 15:34:35.442 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ) from 111.111.111.230
77 15:34:35.442 10/29/02 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x487774AB)
78 15:34:35.442 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
79 15:34:35.452 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
80 15:34:35.462 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
81 15:34:35.462 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = 9F44FA53
82 15:35:13.016 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 192.168.0.3, GW IP = 111.111.111.230
83 15:35:13.016 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
84 15:35:13.036 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
85 15:35:13.036 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
86 15:35:13.036 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = B9EF2803
87 15:35:13.947 10/29/02 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
88 15:35:34.517 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 192.168.0.99, GW IP = 111.111.111.230
89 15:35:34.517 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
90 15:35:34.527 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
91 15:35:34.537 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
92 15:35:34.537 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = DAD1B787
93 15:35:34.977 10/29/02 Sev=Info/4 IPSEC/0x63700011
Key Expired SPI=0x00000000
94 15:35:34.977 10/29/02 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000
95 15:35:34.977 10/29/02 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
96 15:36:15.115 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 192.168.0.99, GW IP = 111.111.111.230
97 15:36:15.115 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
98 15:36:15.135 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
99 15:36:15.135 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
100 15:36:15.135 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = 2DFFDAAC
101 15:36:16.087 10/29/02 Sev=Info/4 IPSEC/0x63700011
Key Expired SPI=0x00000000
102 15:36:16.087 10/29/02 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000
103 15:36:16.087 10/29/02 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
104 15:36:55.654 10/29/02 Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 111.111.111.230, GW IP = 111.111.111.230
105 15:36:55.664 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
106 15:36:55.674 10/29/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 111.111.111.230
107 15:36:55.674 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
108 15:36:55.684 10/29/02 Sev=Info/5 IKE/0x63000048
Discarding IPsec SA negotiation, message id = 5B48631C
109 15:36:56.144 10/29/02 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
110 15:36:57.146 10/29/02 Sev=Info/4 IPSEC/0x63700011
Key Expired SPI=0x00000000
111 15:36:57.146 10/29/02 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000
112 15:37:09.954 10/29/02 Sev=Info/6 DIALER/0x63300004
Canceling connection.
113 15:37:09.954 10/29/02 Sev=Info/5 IKE/0x63000017
Marking IKE SA for deletion (COOKIES = DF283AAC8C18F3DC DC4B7944012049D1) reason = DEL_REASON_RESET_SADB
114 15:37:09.954 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 111.111.111.230
115 15:37:10.004 10/29/02 Sev=Info/6 DIALER/0x63300005
Connection canceled.
116 15:37:10.996 10/29/02 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000
117 15:37:10.996 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
118 15:37:10.996 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
119 15:37:10.996 10/29/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

Thks for all the help to get me this far.
'The more I know ... the more I know I don't know' The more I know...the dumber I get.
snrtech
 
HI.

Try with a different VPN Client version, maybe there is a bug or compatibility issue with the latest version that you are using (I think that someone wrote here about using SHA1 instead of MD5 - you can try that also).


I think that these are the errors you should look for more details:
36 15:31:31.818 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230


If you want, configure a temporary groupname and password, and send them to me (the email is at my site) - I will also try and send you the results.
You can remove this line "sysopt connection permit-ipsec" until the issue is solved and you delete the temporary credentials to be on the safe side.


Bye
Yizhar Hurwitz
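
Added example (not part of any post in this thread): a Python triage script for the Cisco VPN Client log format shown above. It separates the three failures seen in the thread by where in the IKEv1 exchange they occur: no reply to Aggressive Mode, NO_PROPOSAL_CHOSEN on the first Aggressive Mode packet (Phase 1), and NO_PROPOSAL_CHOSEN after Quick Mode was sent (Phase 2). The sample logs are constructed, abridged from the posted ones; the function names and stage labels are this example's own.

```python
import re

# Header of one record in the Cisco VPN Client log format shown in this thread:
#   <seq> <time> <date> Sev=<level>/<n> <module>/<code>
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+"
                    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse_records(text):
    """Split a client log into records: header fields plus the message text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({"seq": int(m.group(1)), "severity": m.group(4),
                            "module": m.group(6), "msg": ""})
        elif records:
            # Continuation lines belong to the most recent header.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def classify(text):
    """Return (stage, seq) of the first failure in one connection attempt."""
    peer_answered_phase1 = False  # peer's Aggressive Mode reply was received
    quick_mode_sent = False       # client has started Phase 2 (Quick Mode)
    for rec in parse_records(text):
        msg = rec["msg"]
        if msg.startswith("RECEIVING <<< ISAKMP OAK AG"):
            peer_answered_phase1 = True
        elif msg.startswith("SENDING >>> ISAKMP OAK QM"):
            quick_mode_sent = True
        elif "peer is not responding" in msg:
            return ("phase1_no_response", rec["seq"])
        elif msg.startswith("RECEIVING") and "NO_PROPOSAL_CHOSEN" in msg:
            if quick_mode_sent:
                # Phase 1 completed; the IPsec (Quick Mode) proposal was refused.
                return ("phase2_proposal_rejected", rec["seq"])
            if not peer_answered_phase1:
                return ("phase1_proposal_rejected", rec["seq"])
            return ("rejected_between_phases", rec["seq"])
    return ("no_failure_seen", None)

# Constructed samples, modelled on the three logs posted in this thread.
LOG_NO_RESPONSE = """
3 16:01:05.181 10/24/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 111.111.111.230
8 16:01:25.220 10/24/02 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
"""
LOG_PHASE1_REJECT = """
3 12:24:34.155 10/28/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 111.111.111.230
5 12:24:34.165 10/28/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
"""
LOG_PHASE2_REJECT = """
6 15:31:29.985 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID, VID, VID, KE, ID, NON, HASH) from 111.111.111.230
30 15:31:31.798 10/29/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 111.111.111.230
36 15:31:31.818 10/29/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 111.111.111.230
"""

if __name__ == "__main__":
    for sample in (LOG_NO_RESPONSE, LOG_PHASE1_REJECT, LOG_PHASE2_REJECT):
        print(classify(sample))
```

A Phase 1 result points at the ISAKMP policy or group settings, a Phase 2 result at the IPsec transform set, and a no-response result at the network path to the peer.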
 
Hi, if you use pre-share authentication,
where is the isakmp key ... address.. command ?

As the Cisco PIX Command Reference doc (page 5-30, ISAKMP) mentions: if you specify pre-shared keys, you must separately configure these pre-shared keys within the PIX firewall and its peer.
 
'Whenever I have trouble its always in an area I think
I know something about...except in those areas where I know nothing'
Not quite sure how isakmp works so suspect this is where the trouble is:
isakmp enable outside [already in]
isakmp identity address [not in]
isakmp policy 10 authentication pre-share
Now question is just exactly what is pre-share key and
how do you do it. If Adr3nalin is correct how do you get
a isakmp key -- make it up? and what address do I use
not knowing what one client will be coming from? and how do I tell client 3.6 to use it.
Yizhar - tks for offer...I will be down in clients office
tomorrow and send you an email from there...realize time
difference so will give you two addresses to get me at.
Thks to All for patience and help. At least I'm reading
a lot of Cisco docs lately.
The more I know...the dumber I get.
snrtech
 
Got IT!!! at least from the machine hung on
the outside interface of the Pix...I'll
write up some notes and post them for comments
Later...If I still can't connect from remote
I'll start a new thread...Thanks to all for the
help.
'The more I know...the smarter I think I am.'
snrtech The more I know...the dumber I get.
snrtech
 
Don't know if this is still of interest, but I had the same problem using Client V1.1 until I added:
sysopt ipsec pl-compatible

According to the PIX documentation, this should not be needed and is included for legacy support. But, you know, you go with what works.
 