
Securing communication channel...

Status
Not open for further replies.

pdk68

Vendor
Oct 17, 2002
14
US
When I try to VPN into a remote PIX 501 it gets to "Securing communication channel..." and just sits there. I have 2 other PIXs at different locations configured the same way and they all work fine. I am using the same computer and client to access them all.

Thanks
 
I forgot to add that the VPN Client log shows this:

1 12:39:45.209 10/17/02 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x1528FD70)

2 12:39:45.249 10/17/02 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)

The first one I don't mind; it shows that for the connections on the other 2 PIXs, but number 2 I assume is my problem. I searched cisco.com but couldn't find anything relevant.

Thanks.
 
If you are using the latest version of the VPN client (3.6), this doesn't support 'sha'. If the PIX is configured with 'sha' the connection will hang at "Securing communication channel..." Or you may just have the line missing!

Check your config for the line...

crypto dynamic-map cisco 4 set transform-set XXXXX

then find the transform-set (XXXXX)

crypto ipsec transform-set XXXXX esp-des esp-sha-hmac

change to:

crypto ipsec transform-set XXXXX esp-des esp-md5-hmac

It may also be necessary to change the isakmp policy,

isakmp policy 8 hash sha

change to:

isakmp policy 8 hash md5

Again, you should be able to add the new line and it overwrites the old one...

I hope this helps...

----

Sunyasee B-)
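As an added example (not code from this thread or from Cisco), a small Python checker that does the lookup described in the answer above on a constructed PIX config fragment: it follows each 'crypto dynamic-map ... set transform-set' line to its 'crypto ipsec transform-set' definition and reports the HMAC in use at IPsec (phase 2) and in each 'isakmp policy' (phase 1), so the sha/md5 lines can be compared against what the client supports. The sample config, the regexes and the function name are assumptions.

```python
import re

# Constructed sample PIX config fragment (not the poster's config): a dynamic map
# that references a SHA transform set, plus an ISAKMP policy that also uses SHA.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set altset esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic cisco
isakmp policy 8 authentication pre-share
isakmp policy 8 hash sha
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (\S+)$")
POL_RE = re.compile(r"^isakmp policy (\d+) hash (\S+)$")
HMAC_RE = re.compile(r"^(?:esp|ah)-(\w+)-hmac$")

def audit_vpn_hashes(config):
    """Resolve each dynamic-map entry to its transform set and report the
    integrity hash at both phases. Returns {'phase2': [...], 'phase1': [...]}."""
    transform_sets, dyn_refs, policies = {}, [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := DYN_RE.match(line):
            dyn_refs.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := POL_RE.match(line):
            policies[int(m.group(1))] = m.group(2).lower()
    phase2 = []
    for map_name, seq, ts_name in dyn_refs:
        entry = {"map": map_name, "seq": seq, "transform_set": ts_name,
                 "hash": None, "issue": None}
        transforms = transform_sets.get(ts_name)
        if transforms is None:
            entry["issue"] = "transform-set not defined"   # dangling reference
        else:
            hmacs = [HMAC_RE.match(t).group(1) for t in transforms if HMAC_RE.match(t)]
            if hmacs:
                entry["hash"] = hmacs[0]
            else:
                entry["issue"] = "no integrity transform"   # ESP without an HMAC
        phase2.append(entry)
    phase1 = [{"policy": n, "hash": h} for n, h in sorted(policies.items())]
    return {"phase2": phase2, "phase1": phase1}
```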
 
I am using client version 3.5.2. I have two other firewalls configured the exact same way, except for IP addresses and passwords, and they both work fine; it is only this one box that is giving me trouble. Also, all three are running the same IOS version, 6.1(4). Next time I am at the customer's site I will make these changes to see if they help, but since I am not running client 3.6 and the other two boxes with identical configs work fine, is there anything else I could check?

Thanks for the help
 
This would indicate that there is a problem with the second phase of the tunnel negotiation; it sounds like the client is authenticating OK but the tunnel is not being established. You could try doing a 'debug crypto ipsec' and 'debug crypto isakmp'; this may provide some clues as to what is going wrong.

Also try rebooting the PIX, or clear cached crypto info by entering the commands (in config mode) 'clear ipsec sa' and 'clear isakmp sa'.

----

Sunyasee B-)
 
Hi.

Can the client ping the pix outside interface before establishing the VPN tunnel?

Check the configuration of the router and the ISP connection to the Internet at the site of the PIX with the problem.
Is the router doing NAT?
Do they filter traffic?
What are the differences between the ISP connections in each place (connection type, ISP company, etc.)?

Bye
Yizhar Hurwitz
 