«

I have a VPN setup that has a connectivity problem. After 1 user is
connected 98% of the time other users can not connect. I have been able
to get 2, or 3 connections established once but never after that.

The error in the Cisco VPN Client (4.6) is:
33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED

All users are Windows XP SP2, all users are behind a Linksys BEFSR41
router/firewall, all users use the Cisco VPN Client v4.6

I used this as a guideline when configuring the VPN:
http://www.cisco.com/en/US/products/...801e71c0.shtml

"J1C" <> wrote:

> I have a VPN setup that has a connectivity problem. After 1 user is
> connected 98% of the time other users can not connect. I have been able
> to get 2, or 3 connections established once but never after that.
>
> The error in the Cisco VPN Client (4.6) is:
> 33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
> Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
> R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED
>
> All users are Windows XP SP2, all users are behind a Linksys BEFSR41
> router/firewall, all users use the Cisco VPN Client v4.6
>
> I used this as a guideline when configuring the VPN:
> http://www.cisco.com/en/US/products/...801e71c0.shtml


If you have Pix OS 6.3(1) or higher you can try:

isakmp nat-traversal 20


BTW: Where did you get the Cisco VPN Client v4.6? I visited
Cisco's pages today and the latest version I saw for Windows
XP was 4.0.5.C-k9.

Thanks - I already have isakmp nat-traversal 20 in the config... any
other ideas? I think it has something to do with NAT & the ol' Linksys
router, but since SOMETIMES I have have >1 user connected I can not be
certain.

I got 4.6 from Cisco's site... it took a while to find it though... You
have to be a registered user too with a valid support license.

"J1C" <> wrote:

> Thanks - I already have isakmp nat-traversal 20 in the config... any
> other ideas? I think it has something to do with NAT & the ol' Linksys
> router, but since SOMETIMES I have have >1 user connected I can not be
> certain.

If you check your VPN connections from the Pix with command

show isakmp sa detail

you get something like this

Local Remote Encr Hash Auth State Lifetime
X.X.X.X:500 Y.Y.Y.Y:500 3des md5 psk QM_IDLE 8258
X.X.X.X:4500 Z.Z.Z.Z:4500 3des md5 psk QM_IDLE 13444

What does the line of the VPN client user show? If it shows X.X.X.X:500
then it is possible that the Linksys router cannot handle simultaneous
AH or ESP sessions.

But I'm sorry. You have

- an unknown configuration in an unknown Pix model running an unknown
Pix OS version
- an unknown (to me) Linksys router with unknown configuration
- an unknown (to me) Cisco VPN Client version

With that information I'm afraid that I can give you only good guesses.
I hope that somebody knows more about Linksys BEFSR41 and Cisco VPN
Client v4.6.

Sorry, I forgot about this:
PIX Version 6.3(3)

show isakmp sa detail
Local Remote Encr Hash Auth State Lifetime
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE 86149
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544

The first line is an existing PIX-PIX VPN ... I have never had trouble
with that...
The next two lines show the two connections from the Linksys...

"J1C" <> wrote:

> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
> a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544
>
> The [above] two lines show the two connections from the Linksys...

Interesting. The first line tells that the peer uses port 164.
I have never seen a port number as low as that in a VPN connection.

Well, the above also tells that you are running port address translation
with your Linksys and the VPN connections use nat-traversal. Do you have
any filters or port forwarding settings in the Linksys that could make
the peer to select an unusual low UDP port?

There are several port forwarding rules in place, most are typical
though... like:

external port tcp 80 --> internal IP tcp 80
external port tcp 25 --> internal IP tcp 25
external port tcp 3389 --> internal IP tcp 3389
external port tcp + udp 5000 --> internal IP tcp + udp 5000 (OpenVPN)
external port tcp + udp 5001 --> internal IP tcp + udp 5001 (OpenVPN)
Anything I should look at/for specifically?

Here's something else...

show isakmp sa detail
Local Remote Encr Hash Auth State
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE

It looks like the first connection gets :4500 on the router, but any
connection after that gets :164 ... that then works for a few minutes
.... maybe less ... then all on the :164 drop and have to wait X seconds
before establishing a new connection...

Have you tried turning off IPSEC pass through on the Linksys. Also, I'm in
agreement, that is an unusually low source port. I wonder if the Linksys is
translating it that low, or if the pc is actually initiating the connection
that low (doubtful). Also, I don't understand how another nat session in
the linksys could be tracked using the same source and destination port as
the ca detail suggest. So I have to assume that the nat translation is
being flushed quicker than the isakmp ca table in the pix is. I would
recommend two other items.

1) set you isakmp nat-traversal down to 10. At 20, it is possible that
linksys could assume that it can break the udp nat translation (it shouldn't
but it might).

2) try a firmware upgrade on the linksys. These things are a bit flaky
sometimes. I had a wireless one that would only allow me to connect via
pptp through the wired interface and not the wireless side. A firmware
fixed it.

"J1C" <> wrote in message
news: ups.com...
> Here's something else...
>
> show isakmp sa detail
> Local Remote Encr Hash Auth State
> a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
>
> It looks like the first connection gets :4500 on the router, but any
> connection after that gets :164 ... that then works for a few minutes
> ... maybe less ... then all on the :164 drop and have to wait X seconds
> before establishing a new connection...
>

Thanks! I will try your suggestions and update...