smokey7244521
IS-IT--Management
I have a PIX 515E with a VPN setup. I recently tried to connect with Cisco VPN Client and got the following error:
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
I have previously been able to connect to this VPN using Cisco VPN Client, but I am unsure if this was before or after our last ISP change (the only thing that was changed on the config was the outside IP & route info). We went from DSL to Newwave Communications Cable Internet.
Below is a copy of my config and VPN Client log. Thank you in advance for any assistance!
*******************************************************************************************************************************************
pix1(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname ABC
domain-name abc.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx xx.xx.xx.xx
ip address inside 10.10.10.200 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.100.1-192.168.100.254
arp timeout 14400
global (outside) 1 xx.xx.xx.xx
nat (inside) 0 access-list 102
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
outbound 10 deny 0.0.0.0 0.0.0.0 0 tcp
outbound 10 deny 0.0.0.0 0.0.0.0 0 esp
outbound 10 permit 10.10.0.0 255.255.0.0 21 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 53 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 53 udp
outbound 10 permit 10.10.0.0 255.255.0.0 443 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 443 udp
outbound 10 permit 10.10.0.0 255.255.0.0 21 udp
outbound 10 permit 10.10.0.0 255.255.0.0 110 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 143 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 80 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 20 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 23 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 25 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 1494 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 22 tcp
outbound 10 permit 10.10.0.0 255.255.0.0 22 udp
outbound 10 permit 0.0.0.0 0.0.0.0 0 udp
outbound 10 permit 10.10.10.0 255.255.255.0 0 udp
outbound 11 permit 0.0.0.0 0.0.0.0 0 tcp
outbound 11 permit 0.0.0.0 0.0.0.0 0 udp
outbound 11 permit 0.0.0.0 0.0.0.0 0 esp
apply (inside) 10 outgoing_src
route outside 0.0.0.0 0.0.0.0 63.142.125.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community ABC-manage
no snmp-server enable traps
tftp-server inside 10.10.10.230
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPN1 address-pool vpnpool1
vpngroup VPN1 dns-server 10.10.10.1
vpngroup VPN1 wins-server 10.10.10.1
vpngroup VPN1 split-tunnel 102
vpngroup VPN1 idle-time 1800
vpngroup VPN1 password ********
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:296bd7d8bf19bb87f2545918c45288bd
: end
FRKpix1(config)#
**************************************************************************************************************************
VPN Client Log
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
2206 16:05:24.654 12/17/12 Sev=Info/4 CM/0x63100002
Begin connection process
2207 16:05:24.657 12/17/12 Sev=Info/4 CM/0x63100004
Establish secure connection
2208 16:05:24.657 12/17/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
2209 16:05:24.659 12/17/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
2210 16:05:24.662 12/17/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
2211 16:05:24.665 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
2212 16:05:25.584 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
2213 16:05:25.584 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2214 16:05:30.139 12/17/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
2215 16:05:30.139 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
2216 16:05:35.224 12/17/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
2217 16:05:35.224 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
2218 16:05:40.295 12/17/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
2219 16:05:40.295 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
2220 16:05:45.364 12/17/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6184BB1B3C3B2746 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
2221 16:05:45.864 12/17/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6184BB1B3C3B2746 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
2222 16:05:45.864 12/17/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
2223 16:05:45.864 12/17/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
2224 16:05:45.870 12/17/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
2225 16:05:45.870 12/17/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
2226 16:05:46.378 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2227 16:05:46.378 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2228 16:05:46.378 12/17/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2229 16:05:46.378 12/17/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
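Added example, not part of the original post: a Python triage of a Cisco VPN Client log in the format shown above. It reports whether the peer ever answered the first IKE packet, using the responder cookie and the absence of inbound IKE entries. The function names and verdict strings are hypothetical, and the sample is an excerpt of the post's own log.

```python
import re

# Entry header: sequence, time, date, severity, component/message id.
HEADER = re.compile(r"^(\d+)\s+([\d:.]+)\s+([\d/]+)\s+Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16}) R_Cookie=([0-9A-F]{16})")

def parse_entries(text):
    # Pair each header line with the message text that follows it.
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "component": m.group(6), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage_phase1(entries):
    """Summarise the IKE exchange: what was sent, and whether the peer ever replied."""
    ike = [e["msg"] for e in entries if e["component"] == "IKE"]
    sent = sum(m.startswith("SENDING >>>") for m in ike)
    retransmits = sum("(Retransmission)" in m for m in ike)
    # "RECEIVING <<<" is how this client logs inbound IKE packets; none appear in the post.
    received = sum(m.startswith("RECEIVING <<<") for m in ike)
    cookies = [COOKIES.search(m) for m in ike]
    # An all-zero responder cookie means no ISAKMP reply was ever processed.
    r_seen = any(c and set(c.group(2)) != {"0"} for c in cookies)
    if received == 0 and not r_seen:
        verdict = "no-reply"  # first packet lost, filtered, or deliberately unanswered
    else:
        verdict = "partial-reply" if retransmits else "replied"
    return {"sent": sent, "retransmits": retransmits, "received": received, "verdict": verdict}

# Excerpt of the log from the post (server address already masked as x.x.x.x).
SAMPLE = """\
2211 16:05:24.665 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
2212 16:05:25.584 12/17/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
2214 16:05:30.139 12/17/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
2215 16:05:30.139 12/17/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.x
2220 16:05:45.364 12/17/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=6184BB1B3C3B2746 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

print(triage_phase1(parse_entries(SAMPLE)))
```

A "no-reply" verdict means the exchange stopped before any proposal or pre-shared key comparison could be reported back to the client, so the next check is on the PIX side: whether the IKE packet arrives on the outside interface at all.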