I am having difficulty establishing an IPSec VPN with a Cisco Pix (v6.1(4)) from the Cisco VPN client (v4.0.1). The Pix is authenticating from RSA through RADIUS.
The firewall is directly connected to the internet. The inside network is a single private class C that is NAT'd to the outside.
Any thoughts? Thanks in advance for any pointers.
The client returns the following output (IP removed for obvious reasons):
1 19:51:05.147 03/09/04 Sev=Info/4 CM/0x63100002
Begin connection process
2 19:51:05.147 03/09/04 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
3 19:51:05.147 03/09/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 19:51:05.147 03/09/04 Sev=Info/4 CM/0x63100024
Attempt connection with server "aaa.bbb.ccc.ddd"
5 19:51:06.168 03/09/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with aaa.bbb.ccc.ddd.
6 19:51:06.178 03/09/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to aaa.bbb.ccc.ddd
7 19:51:06.178 03/09/04 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 19:51:06.178 03/09/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 19:51:06.208 03/09/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd
10 19:51:06.208 03/09/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
11 19:51:06.208 03/09/04 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification
PayloadList:148)
12 19:51:06.208 03/09/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
13 19:51:06.208 03/09/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd
14 19:51:06.208 03/09/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
15 19:51:06.208 03/09/04 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification
PayloadList:148)
16 19:51:06.208 03/09/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
17 19:51:11.266 03/09/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
18 19:51:11.266 03/09/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to aaa.bbb.ccc.ddd
19 19:51:16.273 03/09/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
20 19:51:16.273 03/09/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to aaa.bbb.ccc.ddd
21 19:51:21.280 03/09/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
22 19:51:21.280 03/09/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to aaa.bbb.ccc.ddd
23 19:51:26.287 03/09/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=F27F72D2F8C0710A R_Cookie=B1A79BF40B86328E) reason = DEL_REASON_PEER_NOT_RESPONDING
24 19:51:26.788 03/09/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F27F72D2F8C0710A R_Cookie=B1A79BF40B86328E) reason = DEL_REASON_PEER_NOT_RESPONDING
25 19:51:26.788 03/09/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "aaa.bbb.ccc.ddd" because of "DEL_REASON_PEER_NOT_RESPONDING"
26 19:51:26.788 03/09/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
27 19:51:26.798 03/09/04 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
28 19:51:26.808 03/09/04 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
29 19:51:27.289 03/09/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 19:51:27.289 03/09/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
31 19:51:27.289 03/09/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
32 19:51:27.289 03/09/04 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
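An added example, not part of the original post: a small Python parser for the two-line record format of the client log above, which tallies received packets, warnings and retransmissions in the IKE exchange. The function names are hypothetical, and the event codes are read from the log itself rather than from Cisco documentation.

```python
import re
from collections import Counter

# Records excerpted from the log in the post (header line, then message line).
SAMPLE_LOG = """\
6 19:51:06.178 03/09/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to aaa.bbb.ccc.ddd
9 19:51:06.208 03/09/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd
10 19:51:06.208 03/09/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
12 19:51:06.208 03/09/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
17 19:51:11.266 03/09/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
23 19:51:26.287 03/09/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=F27F72D2F8C0710A R_Cookie=B1A79BF40B86328E) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$")

def parse_records(text):
    """Group each header line with the message line(s) that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            # Wrapped message text is joined onto the current record.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize_phase1(records):
    """Tally the IKE events logged during the Phase 1 attempt."""
    ike = [r for r in records if r["comp"] == "IKE"]
    codes = Counter(r["code"] for r in ike)
    reasons = re.findall(r"reason = (\w+)", " ".join(r["msg"] for r in ike))
    return {
        "received": codes["0x6300002F"],      # "Received ISAKMP packet" in this log
        "warnings": sum(1 for r in ike if r["sev"] == "Warning"),
        "retransmits": codes["0x63000021"],   # "Retransmitting last packet!" in this log
        "reason": reasons[-1] if reasons else None,
    }
```

Run over the full log, the summary puts the received-packet count next to the final deletion reason, which makes it easy to see whether replies arrived and were rejected or never arrived at all.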