Velocity Reviews - Computer Hardware Reviews

pix 501 VPN into SBS 2003 domain - RADIUS authentication fails.

Zen (Guest), 06-16-2006
Following an upgrade from w2k to sbs2003, remote vpn authentication has
stopped working.

Any help as to where to troubleshoot next will be greatly appreciated.

VPN into the PIX is OK; the RADIUS authentication against SBS 2003 IAS does not
complete successfully. The shared secret matches.

It looks like authentication has worked and then the user is immediately logged
off. 'Authentication failed' is reported to the remote client.

The PIX debug has 'ISAKMP: reserved not zero on payload 8!' and 'ISAKMP: malformed
payload' entries, which I think are part of the 'authentication success'
response. Because the PIX is not processing this response, IAS logs the
user off.

As a side issue, what does 'Checking ISAKMP transform 9 against priority 10
policy' mean?

The setup is as per these instructions:
http://www.cisco.com/en/US/products/...800b6099.shtml

Connectivity is:
internet -> SpeedTouch (510) modem (non-NAT) -> PIX 501 (with public static
IP) -> SBS 2003 with IAS

The remote client is Cisco VPN Client 3.5 for Windows.

The system event log shows that IAS has granted access; the security event log
shows a logon, followed immediately by a logoff.

The security log has entries for:
Logon attempt using explicit credentials:
Successful Network Logon:
Special privileges assigned to new logon:
User Logoff:

The PIX debug log has these entries:
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

PIX log extract (complete log at end of message):
crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip>spt:500
dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from <remote ip>. message ID =
11168140
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip> spt:500
dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

IAS event log entry:
User phil.xxxxx was granted access.
Fully-Qualified-User-Name = <domain>.local/MyBusiness/Users/SBSUsers/Philip
xxxxxx
NAS-IP-Address = <pix ip>
NAS-Identifier = <not present>
Client-Friendly-Name = Pix
Client-IP-Address = <pix ip>
Calling-Station-Identifier = <remote client ip (dialup)>
NAS-Port-Type = <not present>
NAS-Port = 8
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>

Complete PIX log:

crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue
event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 212.140.115.161. message
ID = 11168164
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 794882597
ISAMKP (0): received DPD_R_U_THERE from peer 212.140.115.161
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0:0): initiating peer config to 212.140.115.161. ID = 2773460662
(0xa54fa6b6)
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3540473934, spi size =
16
ISAKMP (0): deleting SA: src 212.140.115.161, dst <pix public ip>
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xaef22c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:212.140.115.161/500 Ref cnt decremented to:0 Total
VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:212.140.115.161/500 Total VPN
peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 212.
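The 'Checking ISAKMP transform N against priority 10 policy' lines record the PIX comparing each phase 1 proposal sent by the VPN client with its configured isakmp policy 10, and a transform not followed by 'atts are not acceptable' is the one that matched. As an added example (not code from the original post), this Python parser walks a constructed excerpt of the debug output above, reports which transform was accepted with what attributes, and counts the malformed-payload errors that followed the config exchange.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted in the post above
# (transforms 1 and 9 plus the tail of the config exchange; transforms 2-8 omitted).
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 128
ISAKMP: Config payload CFG_REPLY
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|extended auth|auth|keylength) (?:of )?(.+)$")

def parse_phase1(debug: str) -> dict:
    """Record each transform the client proposed, the policy it was compared with,
    its attributes and whether the PIX rejected it; count malformed payloads seen."""
    transforms, current, malformed = [], None, 0
    for line in debug.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "accepted": True}
            transforms.append(current)
        elif "atts are not acceptable" in line and current:
            current["accepted"] = False   # mismatch with the policy: PIX tries the next proposal
            current = None
        elif (a := ATTR_RE.match(line)) and current:
            current["attrs"][a.group(1)] = a.group(2)
        elif "malformed payload" in line:
            malformed += 1
    return {"transforms": transforms, "malformed_payloads": malformed}

def matched_transform(result: dict):
    """The accepted proposal is the one not followed by 'atts are not acceptable'."""
    return next((t for t in result["transforms"] if t["accepted"]), None)
```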