
Pix 515, RSA and Cisco VPN 4.6 problem

Status
Not open for further replies.

EntilzaSte

Technical User
Jun 20, 2001
73
GB
Hi,

I am having the following issue, any help is greatly welcomed:

Client PC (both XP and 2000 pro) has CiscoVPNClient 4.6 installed.
The client connects to the external port of the Cisco Pix515 firewall.
I am prompted for User name and password, once entered it authenticates at the RSA server, logs from the server prove successful connection.
Client PC gains IP Address, DNS info and Domain name information from PIX.
During the onscreen message of "Securing Communications Channel" it stops and shows as disconnected.

The VPN Log file shows the following messages:

Marking IKE SA for deletion (I_Cookie=90E119B87B16EC06 R_Cookie=5612AA5A648CFDD5) reason = DEL_REASON_IKE_NEG_FAILED

56 20:15:50.921 01/05/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

57 20:15:53.916 01/05/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=90E119B87B16EC06 R_Cookie=5612AA5A648CFDD5) reason = DEL_REASON_IKE_NEG_FAILED

58 20:15:53.916 01/05/06 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


If anyone can give me some ideas of where to look next, I would appreciate it.

Thanks

Steve
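The log excerpt above is the diagnostic signal in this thread: XAUTH and mode-config succeed (the RSA server accepts the user, the client gets an address), then the IKE phase 1 SA is torn down before any phase 2 (IPsec) SA exists. The script below is an added example, not code from the poster or from Cisco: it parses Cisco VPN Client 4.x log entries of the shape quoted above (a header line "seq time date Sev=level/n MODULE/0xcode" followed by the message line), extracts the IKE cookies and deletion reasons, and reports whether the failure happened before phase 2 came up. The sample log is constructed from the four entries in the post; the first message was quoted without its header line, so the parser tolerates a message with no header.

```python
"""Summarise IKE negotiation failures from a Cisco VPN Client 4.x log excerpt."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four log entries quoted in the post above. The first
# message was quoted without its header line, so the parser must tolerate that.
SAMPLE_LOG = """\
Marking IKE SA for deletion (I_Cookie=90E119B87B16EC06 R_Cookie=5612AA5A648CFDD5) reason = DEL_REASON_IKE_NEG_FAILED

56 20:15:50.921 01/05/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

57 20:15:53.916 01/05/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=90E119B87B16EC06 R_Cookie=5612AA5A648CFDD5) reason = DEL_REASON_IKE_NEG_FAILED

58 20:15:53.916 01/05/06 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Header line shape: "<seq> <hh:mm:ss.ms> <mm/dd/yy> Sev=<name>/<n> <module>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
COOKIE_RE = re.compile(r"I_Cookie=(?P<i>[0-9A-Fa-f]+)\s+R_Cookie=(?P<r>[0-9A-Fa-f]+)")
REASON_RE = re.compile(r"reason\s*=\s*(?P<reason>[A-Z][A-Z0-9_]*)")
PHASE1_EARLY = "Phase 1 SA deleted before first Phase 2 SA is up"


@dataclass
class Entry:
    seq: Optional[int]          # None when the header line was not captured
    module: Optional[str]       # IKE, IPSEC, CM, ...
    message: str
    i_cookie: Optional[str] = None
    r_cookie: Optional[str] = None
    reason: Optional[str] = None


def parse_vpn_log(text):
    """Pair each header line with the message line that follows it."""
    entries = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        e = Entry(seq=int(header.group("seq")) if header else None,
                  module=header.group("module") if header else None,
                  message=line)
        c = COOKIE_RE.search(line)
        if c:
            e.i_cookie, e.r_cookie = c.group("i"), c.group("r")
        r = REASON_RE.search(line)
        if r:
            e.reason = r.group("reason")
        entries.append(e)
        header = None
    return entries


def summarize(entries):
    """Count deletion reasons, collect the affected IKE SAs, flag early phase 1 teardown."""
    return {
        "reasons": dict(Counter(e.reason for e in entries if e.reason)),
        "failed_sas": sorted({(e.i_cookie, e.r_cookie) for e in entries if e.i_cookie}),
        "phase1_deleted_before_phase2": any(PHASE1_EARLY in e.message for e in entries),
    }


def diagnose(summary):
    """Coarse verdict: where the tunnel died, to direct the next troubleshooting step."""
    if summary["phase1_deleted_before_phase2"] and "DEL_REASON_IKE_NEG_FAILED" in summary["reasons"]:
        return "phase1_torn_down_before_phase2"
    if summary["reasons"]:
        return "ike_sa_deleted"
    return "no_ike_failure"


if __name__ == "__main__":
    s = summarize(parse_vpn_log(SAMPLE_LOG))
    print(s)
    print(diagnose(s))
```

A verdict of "phase1_torn_down_before_phase2" means the user was authenticated but the gateway and client never agreed on an IPsec SA, so the place to look is the gateway-side IKE/IPsec configuration (ISAKMP policy, dynamic crypto map, transform set) rather than the RADIUS/RSA path, which the log already shows working.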
 
Steve-

Can you post your config of the PIX. It will be much easier. If you like, you can X out your public IP addresses.

Frank
 
Here you go

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxxxxxxxxxx
domain-name xxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.xxx.xxx rras-ias
access-list outside_access_in permit icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq 3299
access-list outside_access_in permit tcp any interface outside eq 3200
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 192.168.222.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip 192.168.0.0 255.255.0.0 192.168.222.0 255.255.255.128
pager lines 24
logging timestamp
logging trap warnings
logging history emergencies
logging host inside cw
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip address inside 192.168.xxx.xxx 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-in 192.168.222.1-192.168.222.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.xxx.xxx 255.255.255.255 inside
pdm location rras-ias 255.255.255.255 inside
pdm location 192.168.xxx.xxx 255.255.255.128 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.xxx.xxx somepassword timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.xxx.xxx 255.255.255.255 inside
snmp-server host inside cw
snmp-server location mnsrvr
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer xxx.xxx.xxx.xxx
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set security-association lifetime seconds 28800 kilobytes 28800
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer xxx.xxx.xxx.xxx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer xxx.xxx.xxx.xxx
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 1
isakmp policy 60 lifetime 28800
vpngroup VPNIn address-pool vpn-in
vpngroup VPNIn dns-server 192.168.200.x 192.168.200.x
vpngroup VPNIn default-domain xxxxxxxxx
vpngroup VPNIn idle-time 1800
vpngroup VPNIn password ********
telnet 192.168.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.xxx.xxx-192.168.xxx.xxx inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:88191c90b4d7b6e2093c27f04244e28c
: end
[OK]
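When a VPN client authenticates but IKE fails before phase 2, the usual suspects on a PIX 6.x are the pieces of the remote-access configuration that must line up with each other: an ISAKMP policy using pre-shared authentication with Diffie-Hellman group 2 (which the Cisco VPN Client requires for group/pre-shared keys), a dynamic crypto map whose transform set and match ACL exist and which is attached to the crypto map on the outside interface, a client-authentication server group that is actually defined, and a nat 0 ACL whose destination covers the whole client address pool. The checker below is an added example, not code from the poster or from Cisco, and its sample configuration is a constructed subset of the posted config (the lines relevant to the vpngroup connection); a second, deliberately broken variant is constructed from it to show the findings the checker produces.

```python
"""Check a PIX 6.x config for the pieces a Cisco VPN Client group (vpngroup) connection needs."""
import ipaddress

# Constructed sample: the remote-access-relevant lines of the config posted above.
GOOD_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 192.168.222.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip 192.168.0.0 255.255.0.0 192.168.222.0 255.255.255.128
ip local pool vpn-in 192.168.222.1-192.168.222.100
nat (inside) 0 access-list inside_outbound_nat0_acl
aaa-server RADIUS protocol radius
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
isakmp policy 20 authentication pre-share
isakmp policy 20 group 2
vpngroup VPNIn address-pool vpn-in
"""

# Constructed broken variant: DH group 1 only, and a pool the nat 0 ACL does not cover.
BAD_CONFIG = GOOD_CONFIG.replace("group 2", "group 1").replace(
    "192.168.222.1-192.168.222.100", "192.168.223.1-192.168.223.100")


def _acl_nets(t):
    """Return (src, dst) networks for 'permit ip A MA B MB' ACL lines, else None."""
    if len(t) < 8 or t[2] != "permit" or t[3] != "ip":
        return None
    try:
        return (ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False),
                ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False))
    except ValueError:  # 'any', names or masked-out addresses
        return None


def parse_pix(text):
    """Pull out only the objects the remote-access checks need."""
    cfg = {"isakmp": {}, "tsets": set(), "acls": {}, "pools": {}, "dyn": {},
           "cmaps": {}, "vpngroups": {}, "nat0": set(), "aaa": set()}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg["isakmp"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(t[3])
        elif t[0] == "access-list" and len(t) >= 2:
            cfg["acls"].setdefault(t[1], []).append(_acl_nets(t))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:2] == ["crypto", "dynamic-map"]:
            d = cfg["dyn"].setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                d["acl"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                d["tset"] = t[6]
        elif t[:2] == ["crypto", "map"]:
            cm = cfg["cmaps"].setdefault(t[2], {"dynamic": set(), "auth": None})
            if "dynamic" in t:
                cm["dynamic"].add(t[t.index("dynamic") + 1])
            if t[3:5] == ["client", "authentication"]:
                cm["auth"] = t[5]
        elif t[0] == "vpngroup" and len(t) >= 4:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[0] == "nat" and len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            cfg["nat0"].add(t[4])
        elif t[0] == "aaa-server" and len(t) >= 3 and t[2] == "protocol":
            cfg["aaa"].add(t[1])
    return cfg


def check_remote_access(text):
    """Return a list of findings; an empty list means the prerequisites are present."""
    cfg = parse_pix(text)
    findings = []
    # The Cisco VPN Client negotiates IKE with pre-shared (group) keys only over DH group 2.
    if not any(p.get("authentication") == "pre-share" and p.get("group") == "2"
               for p in cfg["isakmp"].values()):
        findings.append("no 'isakmp policy' with authentication pre-share and group 2")
    for (name, seq), d in cfg["dyn"].items():
        if d.get("tset") not in cfg["tsets"]:
            findings.append(f"dynamic-map {name} {seq}: transform-set {d.get('tset')!r} undefined")
        if d.get("acl") not in cfg["acls"]:
            findings.append(f"dynamic-map {name} {seq}: match-address ACL {d.get('acl')!r} undefined")
        if not any(name in cm["dynamic"] for cm in cfg["cmaps"].values()):
            findings.append(f"dynamic-map {name}: not attached to any crypto map")
    for cm_name, cm in cfg["cmaps"].items():
        if cm["dynamic"] and cm["auth"] not in cfg["aaa"]:
            findings.append(f"crypto map {cm_name}: client authentication {cm['auth']!r} "
                            "is not a defined aaa-server group")
    for vg, attrs in cfg["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool not in cfg["pools"]:
            findings.append(f"vpngroup {vg}: address-pool {pool!r} undefined")
            continue
        lo, hi = cfg["pools"][pool]
        # Replies to VPN clients must be exempt from NAT: the nat 0 ACL's destination
        # has to cover the whole pool, or those replies are translated instead of tunnelled.
        covered = any(pair and lo in pair[1] and hi in pair[1]
                      for acl in cfg["nat0"] for pair in cfg["acls"].get(acl, []))
        if not covered:
            findings.append(f"vpngroup {vg}: pool {pool} ({lo}-{hi}) not covered by any nat 0 ACL")
    return findings


if __name__ == "__main__":
    print("good:", check_remote_access(GOOD_CONFIG))
    print("bad: ", check_remote_access(BAD_CONFIG))
```

Against the posted config the checks all pass, which is consistent with the outcome reported later in the thread: re-entering the same settings after a clean reboot fixed it, pointing at stale runtime state rather than a missing line. The checker is still useful as a first pass before that kind of reset, because the findings it does raise (wrong DH group, a pool outside the NAT exemption) produce exactly the "authenticated, then dropped before phase 2" symptom seen in the client log.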
 
Hi there,

I removed all VPN, AAA and other settings from the firewall, rebooted the unit and entered the VPN settings again and all worked.

Many thanks

Steve
 