Help !! Pix 515 VPN client connection refused.

runer56

Hi, my VPN clients suddenly just stopped working. It is not able to establish an IPsec connection. Turning on debug crypto isakmp gives me this error at the end >>ISAKMP: error, msg not encrypted. What is wrong? I have not changed my config at all. I am running Pix 515 R ver 6.3 and VPN Client ver 3.6.

Below is the full output:


crypto_isakmp_process_block:src:207.168.63.4, dest:207.168.63.2 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:207.168.63.4, dest:207.168.63.2 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 207.168.63.4, dst 207.168.63.2
ISADB: reaper checking SA 0x1159484, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 207.168.63.4/500 not found - peers:0
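
An added example, not part of the original post: a small Python parser for `debug crypto isakmp` output in the format shown above, which lists each proposal the client offered and whether a policy accepted it, so the offers can be compared against the configured isakmp policies. The function names `parse_transforms` and `summarize` are hypothetical, and the sample text is constructed.

```python
import re

# Constructed sample in the format of the PIX debug output above (not from the thread).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines; the label on the line is used as the dictionary key.
ATTR = re.compile(
    r"^ISAKMP:\s+(encryption|hash|default group|keylength of|extended auth|auth) (\S+)")

def parse_transforms(text):
    """Return one dict per transform-vs-policy comparison found in the debug text."""
    results, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]), "accepted": None}
            results.append(cur)
        elif cur is not None and "atts are" in line:
            # Verdict line closes the current transform block.
            cur["accepted"], cur = "not acceptable" not in line, None
        elif cur is not None and (m := ATTR.match(line)):
            cur[m[1]] = m[2]
    return results

def summarize(results):
    """Distinct proposals the client offered, and transform numbers a policy accepted."""
    fields = ("encryption", "keylength of", "hash", "default group", "extended auth", "auth")
    offered = sorted({tuple(r.get(f) for f in fields) for r in results}, key=str)
    accepted = [r["transform"] for r in results if r["accepted"]]
    return offered, accepted
```

An empty accepted list means no offered transform matched any policy priority that appears in the captured output.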
 
I am having the exact same problem... out of nowhere!

Any ideas yet?
 
Cisco Systems VPN Client Version 4.0.2 (C)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 7.4.0 Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC Power Macintosh

1 00:54:07.128 07/02/2004 Sev=Info/4 CM/0x43100002
Begin connection process

2 00:54:07.130 07/02/2004 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet

3 00:54:07.130 07/02/2004 Sev=Info/4 CM/0x43100024
Attempt connection with server "*.*.*.*"

4 00:54:07.130 07/02/2004 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with *.*.*.*.

5 00:54:07.188 07/02/2004 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to *.*.*.*

6 00:54:07.371 07/02/2004 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = *.*.*.*

7 00:54:07.371 07/02/2004 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from *.*.*.*

8 00:54:07.371 07/02/2004 Sev=Info/5 IKE/0x43000001
Peer supports XAUTH

9 00:54:07.371 07/02/2004 Sev=Info/5 IKE/0x43000001
Peer supports DPD

10 00:54:07.371 07/02/2004 Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer

11 00:54:07.371 07/02/2004 Sev=Info/5 IKE/0x43000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

12 00:54:07.590 07/02/2004 Sev=Warning/3 IKE/0xC3000056
The received HASH payload cannot be verified

13 00:54:07.590 07/02/2004 Sev=Warning/2 IKE/0xC300007D
Hash verification failed... may be configured with invalid group password.

14 00:54:07.590 07/02/2004 Sev=Warning/2 IKE/0xC3000099
Failed to authenticate peer (Navigator:899)

15 00:54:07.590 07/02/2004 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to *.*.*.*

16 00:54:07.590 07/02/2004 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to *.*.*.*

17 00:54:07.590 07/02/2004 Sev=Warning/2 IKE/0xC30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2199)

18 00:54:07.590 07/02/2004 Sev=Info/4 IKE/0x43000017
Marking IKE SA for deletion (I_Cookie=2CC507B0BD2001B5 R_Cookie=4B8C68F9FE5E1FB7) reason = DEL_REASON_IKE_NEG_FAILED

19 00:54:07.590 07/02/2004 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started

20 00:54:07.591 07/02/2004 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

21 00:54:08.431 07/02/2004 Sev=Info/4 IKE/0x4300004A
Discarding IKE SA negotiation (I_Cookie=2CC507B0BD2001B5 R_Cookie=4B8C68F9FE5E1FB7) reason = DEL_REASON_IKE_NEG_FAILED

22 00:54:08.431 07/02/2004 Sev=Info/4 CM/0x43100014
Unable to establish Phase 1 SA with server "*.*.*.*" because of "DEL_REASON_IKE_NEG_FAILED"

23 00:54:08.431 07/02/2004 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv

24 00:54:08.433 07/02/2004 Sev=Info/4 IKE/0x43000001
IKE received signal to terminate VPN connection

25 00:54:08.434 07/02/2004 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

26 00:54:08.434 07/02/2004 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

27 00:54:08.434 07/02/2004 Sev=Info/4 IPSEC/0x43700014
Deleted all keys

28 00:54:08.434 07/02/2004 Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped


Thanks for help.
 
Same client-side errors here.
I've tried with both the 3.6 and 4.04 clients,
with both a NATted address and a public address.
Maybe it's my v6.1.1 firmware,
or I need to make all possible combinations of isakmp policies.

Can you post your config?

 