VPN client hangs after password authentication
Hello
When a remote client tries to establish a VPN session with our PIX Firewall (running 6.3), it hangs right after the password prompt with this message (see attachment). When I try the same thing, everything works fine. I've included the bits of the config that I think relate to their setup.
name 128.51.0.3 ATG-STELPLAN-Svr
name 128.60.4.4 ATG-Irish-EMS-Svr
name 194.201.29.0 LAN-Metalogic
name 192.168.2.0 LAN-Metalogic2
name 128.31.1.78 MultiMetals-new-Svr
name 10.10.253.253 Metalogic_Support_Host
access-list acl_mdc_inside_nat0 permit ip host MultiMetals-new-Svr host Metalogic_Support_Host
access-list acl_mdc_inside_nat0 permit ip host EMS host Metalogic_Support_Host
access-list acl_mdc_inside_nat0 permit ip host ATG-EMS1 host Metalogic_Support_Host
access-list acl_mdc_inside_nat0 permit ip host ATG-STELPLAN-Svr host Metalogic_Support_Host
access-list acl_mdc_inside_nat0 permit ip host ATG-Irish-EMS-Svr host Metalogic_Support_Host
access-list acl_mdc_Metalogic-remote_split_tunnel permit ip object-group Murray_Subnets any
ip local pool Metalogic_Pool Metalogic_Support_Host mask 255.255.255.255
nat (inside) 0 access-list acl_mdc_inside_nat0
vpngroup Metalogic_Support address-pool Metalogic_Pool
vpngroup Metalogic_Support default-domain carnegie-it.com
vpngroup Metalogic_Support split-tunnel acl_mdc_Metalogic-remote_split_tunnel
vpngroup Metalogic_Support idle-time 1800
vpngroup Metalogic_Support password ********
Help, please.
Thank you
Rex
Well, if they have a Linux firewall, check whether IPsec will pass through it. I had a similar problem and the issue was the Linux box not passing IPsec traffic. I suggested to the other party that they try the laptop from outside their network, and it worked.
So don't worry, your configuration is correct.
Let me know if you need help,
Kind regards
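Added here as an example, not from the original post: the PIX 6.3 remote-access pieces that the posted fragment leaves out, with NAT traversal switched on so that a client sitting behind a NAT device, or a firewall that forwards UDP but not raw ESP, can still bring the tunnel up over UDP 4500. Names and addresses are taken from the post; the ISAKMP policy number, the transform-set name and the user `metalogic1` are assumptions. PIX 6.3, IKEv1 and 3DES/SHA-1 are long end-of-life; this is shown to make the posted config readable, not as a recommendation.

```cisco
! IKE phase 1 for the remote-access clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT traversal: wrap ESP in UDP 4500 when a NAT device is detected between the
! peers; the keepalive (20 s) stops the NAT mapping from timing out
isakmp nat-traversal 20
! decrypted tunnel traffic bypasses the outside interface ACL
sysopt connection permit-ipsec
! IPsec phase 2, dynamic map for clients with unknown addresses
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
! XAUTH: the user name/password prompt the remote client hangs on
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
! local XAUTH user (assumed name; pick a real password)
username metalogic1 password <set-a-strong-password>
! pool, NAT exemption and vpngroup as in the post
ip local pool Metalogic_Pool 10.10.253.253 mask 255.255.255.255
access-list acl_mdc_inside_nat0 permit ip host 128.31.1.78 host 10.10.253.253
nat (inside) 0 access-list acl_mdc_inside_nat0
vpngroup Metalogic_Support address-pool Metalogic_Pool
vpngroup Metalogic_Support split-tunnel acl_mdc_Metalogic-remote_split_tunnel
vpngroup Metalogic_Support idle-time 1800
vpngroup Metalogic_Support password <group-preshared-key>
```

While the remote user connects, `show isakmp sa` should list their public address and end in state QM_IDLE once phase 1 and XAUTH complete; an entry that never appears, or that stays in an MM_* state, means the phase-1 packets (UDP 500) are not arriving. `show crypto ipsec sa` then shows the `#pkts encaps`/`#pkts decaps` counters: encaps rising with decaps stuck at zero is the signature of ESP being dropped on the way back, which is the case NAT traversal is there to avoid.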
Tags: Cisco Security
Similar Questions
-
SSL VPN Client username and passwords save
Hello
We use SSL VPN with an ASA. We want to save the username and password in the SSL VPN client so the user does not have to type it again to connect to the enterprise resources. Employees normally use iPhone (iOS) and Android for VPN access.
Is there a way we can save the username and password credentials on iPhone and Android?
I googled for it and found a way using URIs to pre-fill the username and password, but I'm not sure how it works, and it would be beneficial.
http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/ANYC...
Hello
You can use the URIs if your authentication method must use a password; they pre-populate it.
I would recommend you use certificate authentication, so they don't have to use the username and password and the process will be done automatically.
You can take a look at this Document that created one of my peers:
- https://supportforums.cisco.com/blog/152941/anyconnect-certificate-based...
It has the details you will need.
Don't forget to rate and mark the helpful post as correct!
David Castro,
Kind regards
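As an added example, not the thread's own configuration: the ASA pieces behind the certificate authentication David recommends, so the mobile client presents a client certificate instead of a stored username and password. Tunnel-group, group-policy, trustpoint, certificate-map and pool names are assumptions, and the trustpoint is assumed to already hold the CA that issues the user certificates (enrollment, the AnyConnect image for desktop clients, and pushing the certificate to the phones through MDM are not shown).

```cisco
! CA that signs the user certificates; enrollment of the CA cert not shown
crypto ca trustpoint USER-CA
 enrollment terminal
 crl configure
! pick the tunnel-group from the certificate issuer instead of a group menu,
! so the user never types anything
crypto ca certificate map USER-CERT-MAP 10
 issuer-name attr cn eq corp-user-ca
webvpn
 enable outside
 anyconnect enable
 certificate-group-map USER-CERT-MAP 10 RA-CERT
 tunnel-group-list enable
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
ip local pool RA-POOL 10.10.50.1-10.10.50.254 mask 255.255.255.0
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
 ! the session user name comes from the certificate subject, for logs and ACLs
 username-from-certificate CN
tunnel-group RA-CERT webvpn-attributes
 ! certificate only; "authentication aaa certificate" would demand both
 authentication certificate
 group-alias mobile enable
```

The security property this buys is that a stolen phone backup or a URI with an embedded password no longer yields a reusable credential: the private key stays on the device and the certificate can be revoked at the CA. Verify with `show vpn-sessiondb anyconnect` (the session shows the certificate CN as the user name) and, when a client is refused, `debug crypto ca 3` to see why the chain or CRL check failed.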
-
VPN client disconnects after 2 hours
Workstation running XP SP2 with the 4.8.00.0440 VPN client installed, and a Cisco 1721. The VPN client connects and after 2 hours it drops.
Log details:
1203 14:25:04.125 07/06/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0EBB7101F2891E6A R_Cookie=F6E2CF4A2C238EAE) reason = DEL_REASON_PEER_NOT_RESPONDING
1204 14:25:04.125 07/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.*.*
1205 14:25:04.640 07/06/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0EBB7101F2891E6A R_Cookie=F6E2CF4A2C238EAE) reason = DEL_REASON_PEER_NOT_RESPONDING
1206 14:25:04.640 07/06/06 Sev=Info/4 CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
1207 14:25:04.640 07/06/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
1208 14:25:04.640 07/06/06 Sev=Info/6 CM/0x63100031
Tunnel to headend device 192.168.117.165 disconnected: duration: 0 days 2:0:31
1209 14:25:04.671 07/06/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
I don't like pushing "connect" every two hours :)
What should I do?
What are the session timeout values on the headend device?
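Added example, not from the thread: the IOS-side timers and checks behind a DEL_REASON_PEER_NOT_RESPONDING teardown on an Easy VPN server such as the 1721 in the question. That message is the client's own dead-peer-detection giving up on the router, so what to compare are the SA lifetimes on both ends and whether something in between (a NAT device, the ISP) has stopped passing the packets. Timer values here are assumptions; the command shapes are standard IOS.

```cisco
! phase-1 SA lifetime; the router and the client rekey before it runs out
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! phase-2 SA lifetime; expiry triggers a rekey, not a disconnect
crypto ipsec security-association lifetime seconds 3600
! dead peer detection from the router side: probe an idle client every 10 s,
! retry every 3 s, and tear the SAs down when the probes go unanswered
crypto isakmp keepalive 10 3 periodic
! NAT-T keepalive keeps the UDP/4500 mapping alive on any NAT between client and router
crypto isakmp nat keepalive 20
!
! what to look at when the client log says DEL_REASON_PEER_NOT_RESPONDING
show crypto isakmp sa detail        ! Lifetime column: time left on each phase-1 SA
show crypto ipsec sa | include peer|remaining
show crypto session detail          ! uptime per client, compare with the 2:00:31 in the log
debug crypto isakmp                 ! run while it drops: shows which side sent the DELETE
```

A tunnel that dies at a fixed interval with no DELETE from the router in the debug points away from the router's timers and towards a device in the path dropping the mapping; one where the router logs the DELETE first points at a lifetime or keepalive setting on the router.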
-
I've recently upgraded to 8.3.2 and have been reading about the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the 192.168.100.0 VPN network communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping hosts on the inside and the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows both networks as secured routes, but still no ping.
# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface service tcp www www
    translate_hits = 0, untranslate_hits = 142
2 (dmz) to (outside) source static obj-172.16.9.5-01 interface service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 2
3 (dmz) to (outside) source static obj-172.16.9.5-02 interface service tcp ldap ldap
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.5-03 interface service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.5-04 interface service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 267
6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
    translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
    translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
    translate_hits = 152, untranslate_hits = 4082
9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
    translate_hits = 69, untranslate_hits = 0
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32
I think you need the following two NAT configs:
nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0
Please configure them, remove any additional NAT configuration, and then try again.
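Added example, not the answer's own lines: the 8.3-style NAT exemption for the VPN pool written out in full, followed by the `packet-tracer` checks that show which NAT rule a packet actually hits. Object names follow the thread; the /24 masks and the assumption that the VPN pool is 192.168.100.0/24 are mine, since the post shows only the rule names.

```cisco
! objects (assumed /24 masks; the thread shows only the names)
object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network obj-172.16.9.0
 subnet 172.16.9.0 255.255.255.0
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
!
! Section 1 (manual) identity rules, numbered so they sit above everything
! else. Both directions translate (no "unidirectional" keyword), which is what
! lets a connection opened by the VPN client match the rule; the posted rules
! carry "unidirectional", and their translate_hits = 0 is consistent with that.
! no-proxy-arp stops the ASA answering ARP for 172.16.x.0 on the outside.
nat (inside,outside) 1 source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp
nat (dmz,outside) 2 source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp
!
! checks, with a VPN client connected: an echo from the client to a DMZ host,
! and one from an inside host back to the client. The NAT phase of the output
! must name one of the rules above and the last line must read "Action: allow".
packet-tracer input outside icmp 192.168.100.10 8 0 172.16.9.5 detailed
packet-tracer input inside icmp 172.16.1.10 8 0 192.168.100.10 detailed
! hit counters: translate_hits/untranslate_hits on rules 1 and 2 should now move
show nat detail
```

If `packet-tracer` shows the ping landing on the Section 2 dynamic-interface rule instead, the identity rules are either ordered below it or their objects do not cover the addresses in play; `show nat detail` prints the networks each rule expands to. Later 8.4/9.x releases also accept `route-lookup` on these rules, which makes the ASA choose the egress by the routing table rather than by the rule's mapped interface.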
-
Dial-up access hangs after the authenticated message
Dial-up freezes after the "authenticated" message, or at "registering your computer on the network".
Using Windows XP.
I contacted the ISP; all my settings are correct and registered with them.
What is the fix for this problem? Help certainly appreciated.
Well, on the off chance that it might help someone here: I found that my problem was related to my McAfee security software. I got a Dell Inspiron (Win XP SP3) which came with McAfee, and I had kept the subscription updated. I knew roughly when my 'system freezing' problem had started, so I did a system restore from that date. Bingo, problem solved. I could get online again.
However, after the system restore, I noted that my McAfee Security Center was no longer functional. When I reinstalled McAfee (via my McAfee account, while connected over Wi-Fi), I found that the system freeze problem returned. I immediately uninstalled McAfee and found I could connect again without problem.
That was the clincher for me. While I might have spent weeks haggling with McAfee over it, I decided it was not worth my time. I cancelled my subscription and got a security suite from the 'black and yellow' guys, and things have been fine since.
It's a long shot, but I hope this helps someone.
-
VPN client - multiple connection possibilities?
Hi people,
My basic question is: does the Cisco VPN Client allow two simultaneous VPN connections at the same time?
I would like to implement the following:
Client user (remote-access VPN via Internet) --> Head Office ASA 5520 pair --> (remote-access VPN via Internet) --> Branch Office ASA 5510 A/S pair
For example, to access the Branch Office system, the user must:
1. Connect to the Head Office ASA pair via the Cisco VPN Client (user/password authentication).
The Head Office ASA pair gives out a 172.16.1.x private IP address and is configured to route all requests for the Branch Office ASA public IP through its own public IP address.
2. Once the Head Office VPN is established, the user establishes a SECOND VPN tunnel from the Cisco VPN Client (user/password and certificate-based auth).
I.e. the branch sees the VPN connection attempt coming from the public IP address of Head Office, therefore allows the VPN traffic through the ACL, and lets the VPN negotiation continue as usual. The client is given another private IP address, 192.168.10.x.
Basically, I need to restrict the branch remote-access VPN so that it is only reachable from the Head Office public IP address, not from the user's public IP address (and therefore the entire Internet).
I know this is an unusual configuration, and some will comment on the security sensitivity of allowing two simultaneous VPN connections. These are two trusted networks, strict ACLs would be in play, and there is a long history behind this requirement...
Thanks in advance!
Alistair,
You can limit VPN connections to the branch by blocking UDP 500, UDP 4500 and ESP and allowing them only from your head office. That way, only the explicitly authorized public IP address of your head office would be able to connect to your remote sites using an IPsec tunnel.
Now, on the second tunnel: I don't think it's possible. As far as I am aware you cannot have two VPN connections at the same time from the same client. The VPN client will not let you do it, mainly because when you have a VPN client the virtual VPN adapter comes up, and you can only have one virtual VPN adapter.
Because I don't think it is possible, I would advise trying something like this:
It could provide you the connectivity you are looking for without needing a second VPN tunnel from the client side.
I hope this helps.
Raga
-
Cisco VPN client (ASA) password expiry messages
Hi all
I am looking for a way to change the message displayed by the Cisco VPN Client when a password change is required. This setup uses an ASA 5520 with Windows 2003 IAS RADIUS as the authentication server.
I have configured the 'password-management' option under the tunnel-group, but when the password expires the VPN client prompts you to "Enter a new PIN".
Is this message customizable, for example "Please enter a new password of 8 characters" etc.?
The original message communicates enough information for the user.
Thank you
Hi Matt,
This is a known defect, CSCeh13180 (when using RADIUS with expiry), and there is currently no plan to fix this bug.
But you can try this on one of your VPN clients and see if it helps.
You need to change the vpnclient.ini on the PC that has the VPN Client installed. Here are the settings you will need:
[RadiusSDI]
NewPinSubStr="Enter the new password:"
HTH
Kind regards
JK
-
Authentication failure - 5505 8.3 configuration to Windows server RADIUS VPN client
Hello
I'm trying to set up a 5505 (running 8.3) so that I can use the VPN client with RADIUS authentication.
I set up a new local Windows RADIUS box and used the ASDM wizard and a few other setup guides for the 5505.
I get the following error:
INFO: Attempting authentication test to IP address <10.0.0.92> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
any help would be greatly appreciated
Here is my config sanitized:
lit5505-02# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname lit5505-02
no names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.100 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd ****************************************
banner motd No unauthorized access is allowed
banner motd ****************************************
ftp mode passive
dns server-group DefaultDNS
 domain-name
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network lotus_notes
 host 10.0.0.3
object network sonicwall_ssl_2000
 host 10.0.0.12
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network ABD_LAN
 subnet 10.7.0.0 255.255.0.0
object network LIT_LAN
 subnet 10.0.0.0 255.255.0.0
object network LIT_LAN_vlan101
 subnet 10.0.1.0 255.255.255.0
object network LIT_LAN_vlan102
 subnet 10.0.2.0 255.255.255.0
object network LIT_LAN_vlan103
 subnet 10.0.3.0 255.255.255.0
object network LIT_LAN_vlan104
 subnet 10.0.4.0 255.255.255.0
object network LIT_LAN_vlan105
 subnet 10.0.5.0 255.255.255.0
object network LIT_LAN_vlan106
 subnet 10.0.6.0 255.255.255.0
object network LIT_LAN_vlan109
 subnet 10.0.9.0 255.255.255.0
object network LIT_LAN_vlan112
 subnet 10.0.112.0 255.255.255.0
object network LIT_LAN_vlan114
 subnet 10.0.114.0 255.255.255.0
object network LIT_LAN_vlan120
 subnet 10.0.20.0 255.255.255.0
object network LIT_LAN_vlan121
 subnet 10.0.21.0 255.255.255.0
object network LIT_LAN_vlan100
 subnet 10.0.0.0 255.255.255.0
object network LIT_LAN_vlan107
 subnet 10.0.7.0 255.255.255.0
object network LIT_LAN_vlan108
 subnet 10.0.8.0 255.255.255.0
object network BER_vlan1
 subnet 10.8.0.0 255.255.255.0
object-group network LIT_VLANS
 network-object object LIT_LAN_vlan100
 network-object object LIT_LAN_vlan101
 network-object object LIT_LAN_vlan102
 network-object object LIT_LAN_vlan103
 network-object object LIT_LAN_vlan104
 network-object object LIT_LAN_vlan105
 network-object object LIT_LAN_vlan106
 network-object object LIT_LAN_vlan107
 network-object object LIT_LAN_vlan108
 network-object object LIT_LAN_vlan109
 network-object object LIT_LAN_vlan112
 network-object object LIT_LAN_vlan114
 network-object object LIT_LAN_vlan120
 network-object object LIT_LAN_vlan121
object-group network BER_VLANS
 network-object object BER_vlan1
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any object sonicwall_ssl_2000 eq https
access-list out-in extended permit tcp any object lotus_notes eq smtp
access-list all-out extended permit ip any any
access-list outside_1_cryptomap extended permit ip object-group LIT_VLANS object ABD_LAN
access-list outside_2_cryptomap extended permit ip object-group LIT_VLANS object-group BER_VLANS
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static ABD_LAN ABD_LAN
nat (inside,outside) source static LIT_VLANS LIT_VLANS destination static BER_VLANS BER_VLANS
!
object network obj_any
 nat (inside,outside) dynamic interface
object network lotus_notes
 nat (inside,outside) static
object network sonicwall_ssl_2000
 nat (inside,outside) static
access-group all-out in interface inside
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0
route inside 10.0.1.0 255.255.255.0 10.0.0.254 1
route inside 10.0.2.0 255.255.255.0 10.0.0.254 1
route inside 10.0.3.0 255.255.255.0 10.0.0.254 1
route inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route inside 10.0.5.0 255.255.255.0 10.0.0.254 1
route inside 10.0.6.0 255.255.255.0 10.0.0.254 1
route inside 10.0.7.0 255.255.255.0 10.0.0.254 1
route inside 10.0.8.0 255.255.255.0 10.0.0.254 1
route inside 10.0.9.0 255.255.255.0 10.0.0.254 1
route inside 10.0.20.0 255.255.255.0 10.0.0.254 1
route inside 10.0.21.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server litvms03 protocol radius
aaa-server litvms03 (inside) host 10.0.0.92
 key *****
 radius-common-pw *****
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh 10.7.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.14.98.234 source outside prefer
ntp server 204.15.208.61 source outside prefer
webvpn
group-policy jdr_littleport_employee_vpn internal
group-policy jdr_littleport_employee_vpn attributes
 banner value
 wins-server value 10.0.0.8 10.100.1.141
 dns-server value 10.0.0.8 10.100.1.141
 split-tunnel-policy tunnelall
 default-domain value jdrcables.com
 split-dns value jdrcables.com
 ipv6-address-pools none
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
Cryptochecksum:6d1868630c83f17fe0c7de41006a1526
: end
Rich
I had checked the route statements but missed the VLAN address. Sorry about that.
I'm glad to see that you solved the problem, and I am not surprised that the issue seems to have been some incompatible settings on the server. I think you should be able to close the thread based on your response. Give it a try.
HTH
Rick
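Added example, not from the thread: the ASA side of RADIUS authentication for the VPN client, with the `test aaa-server` check that reproduces the reported error without a client in the loop, and the debug that shows whether the server answered at all. The server name and address follow the thread; the tunnel-group, pool and group-policy names, the port numbers and the timeout are assumptions. The shared secret is the trust between the two boxes: when it does not match, a Windows IAS/NPS server silently discards the request rather than rejecting it, so the ASA sees a timeout instead of an error.

```cisco
! RADIUS server group with one host (name and address from the thread)
aaa-server litvms03 protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server litvms03 (inside) host 10.0.0.92
 key <same-shared-secret-as-on-the-server>
 timeout 5
 ! set explicitly; the ASA defaults to 1645/1646, IAS accepts 1812/1813 and 1645/1646
 authentication-port 1812
 accounting-port 1813
!
! remote-access tunnel-group that hands XAUTH to that server (8.3 syntax, names assumed)
ip local pool VPN-POOL 10.0.200.1-10.0.200.50 mask 255.255.255.0
group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.0.0.8
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool VPN-POOL
 authentication-server-group litvms03
 default-group-policy VPN-GP
tunnel-group VPN-USERS ipsec-attributes
 pre-shared-key <group-key>
!
! reproduce the failure without a client; testuser/testpw are placeholders
test aaa-server authentication litvms03 host 10.0.0.92 username testuser password testpw
! watch the exchange while the test runs: an Access-Reject is the server saying no,
! no reply at all is usually a secret mismatch or a firewall/port problem
debug radius all
```

`test aaa-server` and the IPsec client's XAUTH both arrive at the server as PAP, so the IAS remote access policy has to allow unencrypted (PAP) authentication for them; a policy that permits only MS-CHAPv2 returns an Access-Reject, which is the "Authentication Rejected: AAA failure" line in the question. The reject reason itself is in the server's event log (IAS source in the System log), together with the user's dial-in permission, which also has to allow access.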
-
Hello
iPhone 4S with the latest iOS 5, v5.1.1, installed.
I'm not able to make the native IPsec VPN connection from it to my company Cisco 877.
On the other hand, all my laptops and netbooks with the Cisco VPN Client installed work fine when they connect remotely to the company 877.
Turning on debugging on the 877, it seems the iPhone successfully passes IKE phase 1 (the iPhone actually asks for the phase 2 user/pass), but it hangs in phase 2 and gives me the error 'Negotiation with the VPN server failed'.
Any idea or known issue on this?
This is how I configured the VPN part of my 877:
aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group CUSTOMER-VPN
 key xxxxxxxx
 dns 192.168.0.1
 pool VPN-pool
 acl 120
 max-users 5
ip local pool VPN-pool 192.168.0.20 192.168.0.25
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto ipsec profile VPN-profile-1
 set transform-set encrypt-method-1
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-profile-1
crypto isakmp profile vpn-ike-profile-1
 match identity group CUSTOMER-VPN
 client authentication list vpn_xauth_ml_1
 isakmp authorization list vpn_group_ml_1
 client configuration address respond
 virtual-template 2
Then access-list 120 for the desired traffic (currently "access-list 120 permit ip any any").
I have configured my Cisco VPN Clients with the "CUSTOMER-VPN" group and its password.
Whenever they connect, they are prompted for the phase 2 username and password, then they join the VPN with an IP address released from the local subnet.
With the same parameters entered and confirmed in the iPhone's IPsec VPN section, it does not work.
This is the 877 isakmp debug output after the iPhone asks for username and password (so I suppose phase 1 completed):
*May 19 14:29:30.731: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) CONF_XAUTH
*May 19 14:29:30.735: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = -1427983983
*May 19 14:29:30.735: ISAKMP: Config payload REPLY
*May 19 14:29:30.735: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*May 19 14:29:30.735: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*May 19 14:29:30.735: ISAKMP:(2081):deleting node -1427983983 error FALSE reason "Done with xauth request/reply exchange"
*May 19 14:29:30.735: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*May 19 14:29:30.735: ISAKMP:(2081):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*May 19 14:29:30.743: ISAKMP: set new node 1322685842 to CONF_XAUTH
*May 19 14:29:30.747: ISAKMP:(2081):initiating peer config to 151.38.197.143. ID = 1322685842
*May 19 14:29:30.747: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) CONF_XAUTH
*May 19 14:29:30.747: ISAKMP:(2081):Sending an IKE IPv4 Packet.
*May 19 14:29:30.747: ISAKMP:(2081):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*May 19 14:29:30.747: ISAKMP:(2081):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
*May 19 14:29:31.299: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) CONF_XAUTH
*May 19 14:29:31.299: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = 1322685842
*May 19 14:29:31.299: ISAKMP: Config payload ACK
*May 19 14:29:31.303: ISAKMP:(2081):XAUTH ACK Processed
*May 19 14:29:31.303: ISAKMP:(2081):deleting node 1322685842 error FALSE reason "Transaction mode done"
*May 19 14:29:31.303: ISAKMP:(2081):Talking to a Unity client
*May 19 14:29:31.303: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*May 19 14:29:31.303: ISAKMP:(2081):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
*May 19 14:29:31.303: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 19 14:29:31.303: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*May 19 14:29:31.303: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 19 14:29:31.315: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 19 14:29:31.315: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*May 19 14:29:31.623: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) QM_IDLE
*May 19 14:29:31.623: ISAKMP: set new node -851463821 to QM_IDLE
*May 19 14:29:31.623: ISAKMP:(2081):processing transaction payload from 151.38.197.143. message ID = -851463821
*May 19 14:29:31.623: ISAKMP: Config payload REQUEST
*May 19 14:29:31.623: ISAKMP:(2081):checking request:
*May 19 14:29:31.623: ISAKMP: IP4_ADDRESS
*May 19 14:29:31.623: ISAKMP: IP4_NETMASK
*May 19 14:29:31.623: ISAKMP: IP4_DNS
*May 19 14:29:31.623: ISAKMP: IP4_NBNS
*May 19 14:29:31.623: ISAKMP: ADDRESS_EXPIRY
*May 19 14:29:31.623: ISAKMP: APPLICATION_VERSION
*May 19 14:29:31.623: ISAKMP: MODECFG_BANNER
*May 19 14:29:31.623: ISAKMP: DEFAULT_DOMAIN
*May 19 14:29:31.623: ISAKMP: SPLIT_DNS
*May 19 14:29:31.623: ISAKMP: SPLIT_INCLUDE
*May 19 14:29:31.623: ISAKMP: INCLUDE_LOCAL_LAN
*May 19 14:29:31.623: ISAKMP: PFS
*May 19 14:29:31.623: ISAKMP: MODECFG_SAVEPWD
*May 19 14:29:31.623: ISAKMP: FW_RECORD
*May 19 14:29:31.623: ISAKMP: BACKUP_SERVER
*May 19 14:29:31.623: ISAKMP: MODECFG_BROWSER_PROXY
*May 19 14:29:31.627: ISAKMP/author: Author request for group CUSTOMER-VPN successfully sent to AAA
*May 19 14:29:31.627: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*May 19 14:29:31.627: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*May 19 14:29:31.627: ISAKMP:(2081):attributes sent in message:
*May 19 14:29:31.627:         Address: 0.2.0.0
*May 19 14:29:31.627: ISAKMP:(2081):allocating address 192.168.0.21
*May 19 14:29:31.627: ISAKMP: Sending private address: 192.168.0.21
*May 19 14:29:31.627: ISAKMP: Sending subnet mask: 255.255.255.0
*May 19 14:29:31.631: ISAKMP: Sending IP4_DNS server address: 192.168.0.1
*May 19 14:29:31.631: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3576
*May 19 14:29:31.631: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 14-Aug-08 07:43 by prod_rel_team
*May 19 14:29:31.631: ISAKMP: Sending split include name 120 network 0.0.0.0 mask 0.0.0.0 protocol 0, src port 0, dst port 0
*May 19 14:29:31.631: ISAKMP: Sending save password reply value 0
*May 19 14:29:31.631: ISAKMP:(2081):responding to peer config from 151.38.197.143. ID = -851463821
*May 19 14:29:31.631: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) CONF_ADDR
*May 19 14:29:31.631: ISAKMP:(2081):Sending an IKE IPv4 Packet.
*May 19 14:29:31.631: ISAKMP:(2081):deleting node -851463821 error FALSE reason "No Error"
*May 19 14:29:31.631: ISAKMP:(2081):Talking to a Unity client
*May 19 14:29:31.631: ISAKMP:(2081):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
*May 19 14:29:31.631: ISAKMP:(2081):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_P1_COMPLETE
*May 19 14:29:31.635: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 19 14:29:31.635: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Here the iPhone stays idle for a few seconds...
*May 19 14:29:48.391: ISAKMP (0:2081): received packet from 151.38.197.143 dport 500 sport 500 Global (R) QM_IDLE
*May 19 14:29:48.391: ISAKMP: set new node 1834509506 to QM_IDLE
*May 19 14:29:48.391: ISAKMP:(2081): processing HASH payload. message ID = 1834509506
*May 19 14:29:48.391: ISAKMP:(2081): processing DELETE payload. message ID = 1834509506
*May 19 14:29:48.391: ISAKMP:(2081):peer does not do paranoid keepalives.
*May 19 14:29:48.395: ISAKMP:(2081):peer does not do paranoid keepalives.
*May 19 14:29:48.395: ISAKMP:(2081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 151.38.197.143)
*May 19 14:29:48.395: ISAKMP:(2081):deleting node 1834509506 error FALSE reason "Informational (in) state 1"
*May 19 14:29:48.395: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 19 14:29:48.395: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*May 19 14:29:48.395: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 151.38.197.143
*May 19 14:29:48.395: ISAKMP: set new node -1711408233 to QM_IDLE
*May 19 14:29:48.395: ISAKMP:(2081): sending packet to 151.38.197.143 my_port 500 peer_port 500 (R) QM_IDLE
*May 19 14:29:48.395: ISAKMP:(2081):Sending an IKE IPv4 Packet.
*May 19 14:29:48.399: ISAKMP:(2081):purging node -1711408233
*May 19 14:29:48.399: ISAKMP:(2081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 19 14:29:48.399: ISAKMP:(2081):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*May 19 14:29:48.399: ISAKMP:(2081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 151.38.197.143)
*May 19 14:29:48.399: ISAKMP: (0): Can't decrement IKE Call Admission Control incoming_active stat because it is already 0.
*May 19 14:29:48.399: ISAKMP (0:2081): returning address 192.168.0.21 to pool
*May 19 14:29:48.399: ISAKMP: Unlocking peer struct 0x84084990 for isadb_mark_sa_deleted(), count 0
*May 19 14:29:48.399: ISAKMP: returning address 192.168.0.21 to pool
*May 19 14:29:48.399: ISAKMP: Deleting peer node by peer_reap for 151.38.197.143: 84084990
*May 19 14:29:48.399: ISAKMP: returning address 192.168.0.21 to pool
*May 19 14:29:48.403: ISAKMP:(2081):deleting node -1427983983 error FALSE reason "IKE deleted"
*May 19 14:29:48.403: ISAKMP:(2081):deleting node 1322685842 error FALSE reason "IKE deleted"
*May 19 14:29:48.403: ISAKMP:(2081):deleting node -851463821 error FALSE reason "IKE deleted"
*May 19 14:29:48.403: ISAKMP:(2081):deleting node 1834509506 error FALSE reason "IKE deleted"
*May 19 14:29:48.403: ISAKMP:(2081):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 19 14:29:48.403: ISAKMP:(2081):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*May 19 14:29:48.403: IPSEC(key_engine): got a queue event with 1 KMI message(s)
It seems the 877 even gets as far as assigning a local LAN IP address to the iPhone (192.168.0.21), but then something goes wrong...
Any idea or suggestion on this?
Thank you very much
Hi Federico,
Please let us know.
Please mark this message as answered so that others will be able to learn from it.
Thank you.
Portu.
-
Cannot ping inside hosts from the VPN client. Is it a NAT problem?
Hello everyone, I'm running into what seems to be a NAT / NAT exemption issue with an IOS IPsec VPN. I can connect to the VPN with the Cisco IPsec VPN client, and I am able to authenticate. Once I have authenticated, I'm not able to reach any of the inside hosts. Below is my relevant config. Any help would be greatly appreciated.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group businessVPN
 key xxxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
crypto isakmp profile VPNclient
 match identity group businessVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 10.1.10.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 111.111.111.138 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outside out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Integrated-Service-Engine0/0
 description Locator is initialized with default IMAP group
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
ip nat inside source static tcp 192.168.10.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.10.2 3389 interface FastEthernet0/0 3389
ip nat inside source route-map nat interface FastEthernet0/0 overload
ip access-list extended nat
 deny ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sheep
 permit ip 192.168.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.109.0 0.0.0.255
ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 111.111.111.138 eq smtp
 permit tcp any any eq 443
 permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 3389
 permit tcp 20.20.20.96 0.0.0.31 host 111.111.111.138 eq 22
 permit esp any host 111.111.111.138
 permit udp any host 111.111.111.138 eq isakmp
 permit udp any host 111.111.111.138 eq non500-isakmp
 permit ahp any host 111.111.111.138
 permit gre any host 111.111.111.138
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
route-map nat permit 10
 match ip address nat
bridge 1 route ip
In my view, the ACL applied to the client is backwards. It must permit traffic from the internal network to the client pool.
To confirm, you can open the Cisco VPN Client statistics (after logging in) and go to the Route Details tab. You should see the networks the client should be able to reach. Make sure the right ones are there.
Kind regards
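The direction check the answer above describes can be automated. The following is an added example, not code from the thread or from Cisco: a Python script that parses the group's split-tunnel ACL from the posted IOS config, reports whether the client pool sits in the source field (reversed, as in this post) or in the destination field, and prints the entries with source and destination swapped. It also handles the `any` and `host` address forms, which the post does not use. The line `ip local pool vpnpool 192.168.109.1 192.168.109.254` in the sample is an assumption: the post never shows the pool definition, only that the group references `pool vpnpool` and that the nat and sheep ACLs treat 192.168.109.0/24 as the client range.

```python
import ipaddress
import re

# Constructed sample built from the config in the post. The 'ip local pool'
# line is an assumption (see the lead-in); the rest is as posted.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.109.1 192.168.109.254
crypto isakmp client configuration group businessVPN
 key xxxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    Done by hand rather than via ipaddress hostmask parsing, because a
    wildcard of 0.0.0.0 would otherwise be read as the netmask of a /0.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # wildcard bits must be contiguous from the right
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_spec(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config, acl_name):
    """Return [(action, src_net, dst_net)] for 'access-list <name> <action> ip ...' lines."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", acl_name] or t[3] != "ip":
            continue
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        entries.append((t[2], src, dst))
    return entries


def parse_pool(config, pool_name):
    """Return (first, last) addresses of 'ip local pool <name> <first> <last>'."""
    m = re.search(rf"^ip local pool {re.escape(pool_name)} (\S+) (\S+)", config, re.M)
    if not m:
        raise ValueError(f"pool {pool_name} not defined")
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def _group_refs(config):
    """Pool and ACL names referenced by the client configuration group."""
    pool_name = re.search(r"^\s*pool (\S+)", config, re.M).group(1)
    acl_name = re.search(r"^\s*acl (\S+)", config, re.M).group(1)
    return pool_name, acl_name


def check_split_tunnel(config):
    """Classify each entry of the group's split-tunnel ACL.

    'reversed' = pool is in the source field (the mistake in the post),
    'ok'       = pool is in the destination field (what the group ACL needs),
    'neither'  = the entry does not involve the pool at all.
    """
    pool_name, acl_name = _group_refs(config)
    first, last = parse_pool(config, pool_name)
    verdicts = []
    for _action, src, dst in parse_acl(config, acl_name):
        if first in src and last in src:
            verdicts.append("reversed")
        elif first in dst and last in dst:
            verdicts.append("ok")
        else:
            verdicts.append("neither")
    return {"acl": acl_name, "pool": pool_name, "verdicts": verdicts}


def corrected_acl(config):
    """Return the ACL with every reversed entry rewritten, source and destination swapped."""
    pool_name, acl_name = _group_refs(config)
    first, last = parse_pool(config, pool_name)
    fixed = []
    for action, src, dst in parse_acl(config, acl_name):
        if first in src and last in src:
            src, dst = dst, src  # internal network becomes the source, the pool the destination
        fixed.append(f"access-list {acl_name} {action} ip {src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask}")
    return fixed


if __name__ == "__main__":
    print(check_split_tunnel(SAMPLE_CONFIG))
    print("\n".join(corrected_acl(SAMPLE_CONFIG)))
```

Paste the real `show running-config` output in place of the constructed sample; the only requirement is that the pool definition and the group's `pool`/`acl` references are present.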
-
Hi all,
can someone help me troubleshoot the VPN client with the following configuration:
CLI(config)# ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
CLI(config)# username marty password 12345678
CLI(config)# isakmp policy 1 authentication pre-share
CLI(config)# isakmp policy 1 encryption 3des
CLI(config)# isakmp policy 1 hash sha
CLI(config)# isakmp policy 1 group 2
CLI(config)# isakmp policy 1 lifetime 43200
CLI(config)# isakmp enable outside
CLI(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CLI(config)# crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
CLI(config)# crypto dynamic-map Outside_dyn_map 10 set reverse-route
CLI(config)# crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
CLI(config)# crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
CLI(config)# crypto map Outside_map interface outside
CLI(config)# crypto isakmp nat-traversal
CLI(config)# group-policy groupvpn internal
CLI(config)# group-policy groupvpn attributes
CLI(config-group-policy)# vpn-tunnel-protocol IPSec
CLI(config)# tunnel-group groupvpn type ipsec-ra
CLI(config)# tunnel-group groupvpn ipsec-attributes
CLI(config-tunnel-ipsec)# pre-shared-key key
CLI(config)# tunnel-group groupvpn general-attributes
CLI(config-tunnel-general)# authentication-server-group LOCAL
CLI(config-tunnel-general)# default-group-policy groupvpn
CLI(config-tunnel-general)# address-pool vpnpool
Then, when I try to connect using the VPN client, it asks for authentication and authenticates, but while negotiating security policies it gives me "not connected".
Can anyone help with this?
Thanks in advance,
Ayman
Have you changed the crypto map as advised earlier?
Please provide us with the following output so we can see the result of the changes:
show crypto isakmp sa
show crypto ipsec sa
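In the session above the dynamic map is typed as both `outside_dyn_map` and `Outside_dyn_map`. ASA names are case-sensitive, so the transform set lands on one dynamic map, the reverse-route setting on another, and the crypto map references the one that has no transform set. The following is an added example, not code from the thread or from Cisco: a Python lint for a pasted remote-access ASA configuration that flags dynamic-map names differing only by case, a referenced dynamic map without a transform set, a dynamic map referenced but never defined, a crypto map never bound to an interface, and `address-pool` or `default-group-policy` references that do not resolve. The sample is reconstructed from the post with the CLI prompts removed; `FIXED_ASA` is the same text with the name spelled consistently.

```python
# Constructed from the ASA session in the post, with the CLI prompts removed.
# The two spellings of the dynamic-map name are kept exactly as posted.
SAMPLE_ASA = """\
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
group-policy groupvpn internal
tunnel-group groupvpn type ipsec-ra
tunnel-group groupvpn general-attributes
 authentication-server-group LOCAL
 default-group-policy groupvpn
 address-pool vpnpool
"""

# The same session with the dynamic-map name typed consistently.
FIXED_ASA = SAMPLE_ASA.replace("outside_dyn_map", "Outside_dyn_map")


def lint_asa(config):
    """Return a list of (code, name) findings for the remote-access VPN pieces.

    Codes:
      case-collision        two dynamic maps whose names differ only by case
      dangling-dynamic-map  a crypto map references an undefined dynamic map
      missing-transform-set a referenced dynamic map carries no transform set
      map-not-applied       a crypto map is never bound to an interface
      dangling-pool / dangling-group-policy  unresolved tunnel-group references
    """
    dyn_maps = {}      # dynamic-map name -> set of 'set ...' attributes on that name
    crypto_maps = {}   # crypto map name -> dynamic maps it references
    applied = set()    # crypto maps bound to an interface
    pools, policies, refs = set(), set(), []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["crypto", "dynamic-map"] and len(t) >= 6 and t[4] == "set":
            dyn_maps.setdefault(t[2], set()).add(t[5])
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            crypto_maps.setdefault(t[2], []).append(t[t.index("dynamic") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3] == "interface":
            applied.add(t[2])
        elif t[:3] == ["ip", "local", "pool"]:
            pools.add(t[3])
        elif t[0] == "group-policy" and t[-1] == "internal":
            policies.add(t[1])
        elif t[0] == "default-group-policy":
            refs.append(("group-policy", t[1]))
        elif t[0] == "address-pool":
            refs.append(("pool", t[1]))

    findings = []
    # Names that collapse to the same string when lower-cased are almost always a typo.
    by_lower = {}
    for name in dyn_maps:
        by_lower.setdefault(name.lower(), []).append(name)
    for names in by_lower.values():
        if len(names) > 1:
            findings.extend(("case-collision", n) for n in sorted(names))
    for cmap, dyns in crypto_maps.items():
        if cmap not in applied:
            findings.append(("map-not-applied", cmap))
        for d in dyns:
            if d not in dyn_maps:
                findings.append(("dangling-dynamic-map", d))
            elif "transform-set" not in dyn_maps[d]:
                findings.append(("missing-transform-set", d))
    for kind, name in refs:
        if name not in (pools if kind == "pool" else policies):
            findings.append((f"dangling-{kind}", name))
    return findings


if __name__ == "__main__":
    for code, name in lint_asa(SAMPLE_ASA):
        print(f"{code}: {name}")
    print("findings after the fix:", lint_asa(FIXED_ASA))
```

Run it against the text of `show running-config` (or the pasted session with prompts stripped); an empty list means the pieces the remote-access tunnel depends on all resolve.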
-
Cisco VPN Client with Windows 7 Home Premium 64-bit
I recently bought a new laptop with Windows 7 Home Premium 64-bit. I need to connect to an IPSEC VPN for work. I tried the current VPN client and, after reading the posts in this group, I tried vpnclient-win-msi-5.0.07.0240-k9-BETA.exe. When I tried to install the beta version, I got the following error message:
Error 28011: Windows 64-bit is not supported by Cisco Systems VPN Client 5.0.07.0240.
Any suggestion would be appreciated.
Hello
You should download the 64-bit version, vpnclient-winx64-MSI-5.0.07.0240-K9-Beta.exe; the version you tried to install is the 32-bit one.
Thank you
John
-
'Connected' but VPN client 5.0.07.0440 does not work
Hello
IMPORTANT THING I FORGOT: the client seems to be connected. It shows a closed lock and says connected, but ping shows that nothing is working either.
I recently tried, in vain, to connect my Win7 64-bit laptop to my place of work with VPN Client 5.0.07.0440. None of the technicians and support staff could figure out the problem that prevented a successful login. Later, I could connect using VPN Client 5.0.07.0410 on an old WinXP laptop, on the same home network.
What could be the problem with the Win7 system? Working on my old laptop is a temporary solution, but not a good one. I would be grateful for all the help I can get.
I tried:
-Allowing the Cisco VPN Client all access through my ZoneAlarm firewall.
-Turning off the firewall completely.
-Connecting from a different network (in an Internet cafe).
Support staff at work said this isn't the network (they checked my wifi router settings too, just in case), since my old computer obviously connects without any problem on the first try.
ANY ideas would be very much appreciated!
Here is the info again:
-Cisco VPN Client 5.0.07.0440
-64-bit Windows 7 Home Premium SP1.
My security software (which may be causing the problem as far as I know, even if I close ZoneAlarm):
-ZoneAlarm Free Firewall
-Microsoft Security Essentials.
(maybe Windows Firewall too, if it automatically restarts when I turn off ZoneAlarm)
Hello
VPN Client traffic is not being sent from your computer into the VPN tunnel at all.
Is this after you had already tried connecting to the remote server, before you took this screenshot?
I'd say it is a problem with your computer. Some software causes problems for the VPN Client, or the VPN Client software has problems with the actual network card, or something similar.
One thing I might suggest is to uninstall the firewall software and the VPN Client. After that, just install the VPN Client, try to log in, and check the statistics the same way as in the pictures above.
-Jouni
EDIT: Whoa, 300 posts already
Edit2: If you have a full VPN tunnel, your computer usually generates connections into the VPN tunnel even if you do not manually connect to anything. That makes it even stranger that there is absolutely no traffic in the tunnel. Full VPN tunnel means that all traffic from your computer is sent into the VPN tunnel while it is active.
-
Problem Cisco VPN Client with local authentication
I configured the PIX for Cisco VPN Client remote access. It connects and the inside network is reachable. This is without any username authentication. It works well with a vpngroup name and vpngroup password configured on the PIX and on the Cisco VPN Client (version 4.6).
When I configure the crypto map for local authentication, it does not work. The configuration is as follows:
crypto map <map-name> client authentication LOCAL
I created a user with privilege 15.
The VPN Client connects, and then it pops up a username and password window. After entering these details, the user is not authenticated.
Is there anything more to do in the isakmp / ipsec / aaa configurations?
Thank you
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
-
How to save the password to the Cisco VPN Client?
Hello
I use version 4.8 to connect to my client's VPN; I would like to save my password so that I don't have to enter it each time.
I've amended the PCF file to include:
!SaveUserPassword=1
and my password in UserPassword=, but it worked only once; after I restarted, it no longer works.
Then I saw the method of using the vpnclient.exe command line to connect and providing the password as a parameter to the command:
vpnclient connect user pwd
But I got this error when trying to connect:
Setting user password failed. User password is read-only.
And the client still requests the password.
Any ideas?
Thank you
The password-save setting is controlled by the server; you will not be able to save it locally unless it is enabled on the server side. If the customer has an ASA, the following enables it under the group policy for VPN clients:
password-storage enable