VPN Connectivity Problems

J1C
      10-28-2004
I have a VPN setup that has a connectivity problem. After 1 user is
connected, 98% of the time other users cannot connect. I have been able
to get 2 or 3 connections established once, but never after that.

The error in the Cisco VPN Client (4.6) is:
33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED

All users are Windows XP SP2, all users are behind a Linksys BEFSR41
router/firewall, all users use the Cisco VPN Client v4.6

I used this as a guideline when configuring the VPN:
http://www.cisco.com/en/US/products/...801e71c0.shtml

Jyri Korhonen
      10-28-2004
"J1C" <(E-Mail Removed)> wrote:

> I have a VPN setup that has a connectivity problem. After 1 user is
> connected 98% of the time other users can not connect. I have been able
> to get 2, or 3 connections established once but never after that.
>
> The error in the Cisco VPN Client (4.6) is:
> 33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
> Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
> R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED
>
> All users are Windows XP SP2, all users are behind a Linksys BEFSR41
> router/firewall, all users use the Cisco VPN Client v4.6
>
> I used this as a guideline when configuring the VPN:
> http://www.cisco.com/en/US/products/...801e71c0.shtml
If you have Pix OS 6.3(1) or higher you can try:

isakmp nat-traversal 20


BTW: Where did you get the Cisco VPN Client v4.6? I visited
Cisco's pages today and the latest version I saw for Windows
XP was 4.0.5.C-k9.

J1C
      10-28-2004
Thanks - I already have isakmp nat-traversal 20 in the config... any
other ideas? I think it has something to do with NAT & the ol' Linksys
router, but since SOMETIMES I have >1 user connected I cannot be
certain.

I got 4.6 from Cisco's site... it took a while to find it though... You
have to be a registered user too with a valid support license.

Jyri Korhonen
      10-28-2004
"J1C" <(E-Mail Removed)> wrote:

> Thanks - I already have isakmp nat-traversal 20 in the config... any
> other ideas? I think it has something to do with NAT & the ol' Linksys
> router, but since SOMETIMES I have have >1 user connected I can not be
> certain.
If you check your VPN connections from the Pix with command

show isakmp sa detail

you get something like this

Local Remote Encr Hash Auth State Lifetime
X.X.X.X:500 Y.Y.Y.Y:500 3des md5 psk QM_IDLE 8258
X.X.X.X:4500 Z.Z.Z.Z:4500 3des md5 psk QM_IDLE 13444

What does the line of the VPN client user show? If it shows X.X.X.X:500
then it is possible that the Linksys router cannot handle simultaneous
AH or ESP sessions.

But I'm sorry. You have

- an unknown configuration in an unknown Pix model running an unknown
Pix OS version
- an unknown (to me) Linksys router with unknown configuration
- an unknown (to me) Cisco VPN Client version

With that information I'm afraid that I can give you only good guesses.
I hope that somebody knows more about Linksys BEFSR41 and Cisco VPN
Client v4.6.

J1C
      10-28-2004
Sorry, I forgot about this:
PIX Version 6.3(3)

show isakmp sa detail
Local Remote Encr Hash Auth State Lifetime
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE 86149
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544

The first line is an existing PIX-PIX VPN ... I have never had trouble
with that...
The next two lines show the two connections from the Linksys...

Jyri Korhonen
      10-28-2004
"J1C" <(E-Mail Removed)> wrote:

> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
> a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544
>
> The [above] two lines show the two connections from the Linksys...

Interesting. The first line tells that the peer uses port 164.
I have never seen a port number as low as that in a VPN connection.

Well, the above also tells that you are running port address translation
with your Linksys and the VPN connections use nat-traversal. Do you have
any filters or port forwarding settings in the Linksys that could make
the peer select an unusually low UDP port?

J1C
      10-28-2004
There are several port forwarding rules in place, most are typical
though... like:

external port tcp 80 --> internal IP tcp 80
external port tcp 25 --> internal IP tcp 25
external port tcp 3389 --> internal IP tcp 3389
external port tcp + udp 5000 --> internal IP tcp + udp 5000 (OpenVPN)
external port tcp + udp 5001 --> internal IP tcp + udp 5001 (OpenVPN)
Anything I should look at/for specifically?

J1C
      10-28-2004
Here's something else...

show isakmp sa detail
Local Remote Encr Hash Auth State
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE

It looks like the first connection gets :4500 on the router, but any
connection after that gets :164 ... that then works for a few minutes
... maybe less ... then all on the :164 drop and have to wait X seconds
before establishing a new connection...

PES
      10-28-2004
Have you tried turning off IPSEC pass through on the Linksys? Also, I'm in
agreement, that is an unusually low source port. I wonder if the Linksys is
translating it that low, or if the PC is actually initiating the connection
that low (doubtful). Also, I don't understand how another NAT session in
the Linksys could be tracked using the same source and destination port as
the sa detail suggests. So I have to assume that the NAT translation is
being flushed quicker than the isakmp sa table in the PIX is. I would
recommend two other items.

1) Set your isakmp nat-traversal down to 10. At 20, it is possible that the
Linksys could assume that it can break the UDP NAT translation (it shouldn't,
but it might).

2) Try a firmware upgrade on the Linksys. These things are a bit flaky
sometimes. I had a wireless one that would only allow me to connect via
PPTP through the wired interface and not the wireless side. A firmware
upgrade fixed it.

"J1C" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Here's something else...
>
> show isakmp sa detail
> Local Remote Encr Hash Auth State
> a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
> a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
>
> It looks like the first connection gets :4500 on the router, but any
> connection after that gets :164 ... that then works for a few minutes
> ... maybe less ... then all on the :164 drop and have to wait X seconds
> before establishing a new connection...
>

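The two checks proposed in this thread (Jyri's: does the client's row show :500 or :4500 on the PIX side; PES's: why do two SAs from the same peer share one translated port, and why is it a port as low as 164) can be automated against the text of `show isakmp sa detail`. The script below is an added example, not code from any poster or from Cisco; it parses the PIX 6.3 table format quoted above (the sample is the poster's own masked output, reproduced here as constructed input) and reports the NAT-T symptoms the thread discusses. The finding names and thresholds are my own; the only facts assumed are that UDP 500 is plain ISAKMP and UDP 4500 is the NAT-T encapsulation port.

```python
"""Flag NAT-T trouble in a PIX 'show isakmp sa detail' table.

Two symptoms from the thread are detected:
  * translated_natt_port    - NAT-T is in use (local :4500) but the peer's
                              port is neither 500 nor 4500, i.e. the NAT/PAT
                              device rewrote the UDP source port (x.y.z.82:164).
  * shared_translated_endpoint - more than one IKE SA is keyed on the same
                              remote ip:port, so either a second inside host
                              was mapped onto an existing translation or a
                              stale SA outlived its NAT mapping (PES's theory).
Added example; not part of the original thread or of any Cisco tool.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500     # plain ISAKMP
NATT_PORT = 4500   # UDP-encapsulated ISAKMP/ESP once NAT-T is negotiated

# Constructed sample: the four-row table the original poster quoted (no
# Lifetime column in that paste), addresses masked exactly as in the thread.
SAMPLE = """\
show isakmp sa detail
Local Remote Encr Hash Auth State
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
"""


@dataclass(frozen=True)
class IsakmpSa:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    encr: str
    hash: str
    auth: str
    state: str
    lifetime: Optional[int]   # present only when the PIX prints the column


# One table row: "local:port remote:port encr hash auth state [lifetime]"
_ROW = re.compile(
    r"^(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)\s+"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<state>\S+)"
    r"(?:\s+(?P<life>\d+))?$"
)


def parse_isakmp_sa(text: str) -> list[IsakmpSa]:
    """Return the SA rows; the command echo and header line do not match _ROW."""
    sas = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        sas.append(IsakmpSa(
            m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
            m["encr"], m["hash"], m["auth"], m["state"],
            int(m["life"]) if m["life"] else None,
        ))
    return sas


def check_nat_traversal(sas: list[IsakmpSa]) -> list[tuple[str, str, int]]:
    """Return (finding, remote_ip, remote_port) tuples, one per endpoint."""
    findings = []
    endpoints = Counter((sa.remote_ip, sa.remote_port, sa.local_port) for sa in sas)
    for (rip, rport, lport), count in sorted(endpoints.items()):
        if lport == NATT_PORT and rport not in (IKE_PORT, NATT_PORT):
            findings.append(("translated_natt_port", rip, rport))
        if count > 1:
            findings.append(("shared_translated_endpoint", rip, rport))
    return findings


def peers_behind_nat(sas: list[IsakmpSa]) -> Counter:
    """remote_ip -> number of IKE SAs; >1 means several inside hosts share one
    public address and each needs its own distinct PAT mapping to survive."""
    return Counter(sa.remote_ip for sa in sas)


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE)
    for name, ip, port in check_nat_traversal(rows):
        print(f"{name}: {ip}:{port}")
    for ip, n in peers_behind_nat(rows).items():
        if n > 1:
            print(f"{n} SAs from {ip}: multiple clients behind one NAT device")
```

Run it against `show isakmp sa detail` captured from the PIX; a clean NAT-T setup shows every client behind the Linksys on a distinct translated port (4500 for the first, some high ephemeral port for the rest) and never the same ip:port twice. A repeat of `translated_natt_port` on a port as low as 164, or any `shared_translated_endpoint`, points at the NAT device's port mapping rather than at the PIX configuration.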
J1C
      10-29-2004
Thanks! I will try your suggestions and update...
