Peer no longer responding

Discussion in 'Cisco' started by James, Nov 18, 2005.

  1. James

    James Guest

    As far as I can see it never responded! Recently setup a VPN and
    having no joy. Log reports the following and sometimes the VPN Client
    hangs. Using winXP and Cisco 857W (new model). Pointers would be
    gratefully received.

    Thanks

    1 17:36:39.943 11/18/05 Sev=Warning/2 IKE/0xE3000099
    Invalid SPI size (PayloadNotify:116)

    2 17:36:39.943 11/18/05 Sev=Warning/3 IKE/0xA3000058
    Received malformed message or negotiation no longer active (message id: 0x00000000)
    James, Nov 18, 2005
    #1

  2. In article <>,
    James <> wrote:
    :As far as I can see it never responded! Recently setup a VPN and
    :having no joy. Log reports the following and sometimes the VPN Client
    :hangs. Using winXP and Cisco 857W (new model). Pointers would be
    :gratefully received.

    :1 17:36:39.943 11/18/05 Sev=Warning/2 IKE/0xE3000099
    :Invalid SPI size (PayloadNotify:116)

    That's a bit odd, but likely indicates a problem with the IKE
    Phase 1 shared secrets not matching. From the perspective of
    a VPN Client, that would mean that the group name or group password
    was incorrect, I think.
    --
    Many food scientists have reported chocolate to be the single most
    craved food. -- Northwestern University, 2001
    Walter Roberson, Nov 18, 2005
    #2
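The two log records above are in the Cisco VPN Client's fixed "header line, continuation line" format, and the message id they carry tells you which exchange failed: in IKEv1 a message id of 0x00000000 is the Phase 1 (ISAKMP SA) negotiation, anything else is Phase 2 or an informational exchange. The following script is an added editorial example, not code from the thread or from Cisco: it parses records in that format and applies Walter Roberson's diagnosis as a classification rule. The sample log is the two records James posted; the rule mapping "Invalid SPI size" plus a malformed Phase 1 message to "check the group name and group pre-shared key" is a heuristic, not a Cisco-documented error mapping.

```python
"""Parse Cisco VPN Client log records and flag IKE Phase 1 failures.

Added editorial example; not code from the thread or from Cisco.  The
classification in diagnose() encodes Walter Roberson's reading of the two
records and is a heuristic, not a documented error mapping.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two records from the original post, verbatim.
SAMPLE_LOG = """\
1 17:36:39.943 11/18/05 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 17:36:39.943 11/18/05 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
"""

# Header line: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<level> <module>/<0xcode>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)
MSG_ID_RE = re.compile(r"message id:\s*(0x[0-9A-Fa-f]+)")


@dataclass
class Record:
    seq: int
    time: str
    date: str
    severity: str
    level: int
    module: str
    code: str        # normalised to lower-case hex, e.g. "0xe3000099"
    message: str     # the continuation line(s), joined with single spaces


def parse_log(text: str) -> list[Record]:
    """Group each header line with its continuation line(s) into a Record.
    Non-header lines are appended to the current record's message; blank
    lines are ignored."""
    records: list[Record] = []
    current: Record | None = None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER_RE.match(stripped)
        if m:
            if current is not None:
                records.append(current)
            current = Record(int(m["seq"]), m["time"], m["date"], m["sev"],
                             int(m["level"]), m["module"], m["code"].lower(), "")
        elif current is not None and stripped:
            current.message = f"{current.message} {stripped}".strip()
    if current is not None:
        records.append(current)
    return records


def message_id(rec: Record) -> int | None:
    """IKEv1 message id from the record text: 0 identifies the Phase 1
    (ISAKMP SA) exchange, non-zero a Phase 2 or informational exchange."""
    m = MSG_ID_RE.search(rec.message)
    return int(m.group(1), 16) if m else None


def diagnose(records: list[Record]) -> str:
    """Return a coarse label for the failure pattern seen in the IKE records."""
    ike = [r for r in records if r.module == "IKE"]
    invalid_spi = any("Invalid SPI size" in r.message for r in ike)
    malformed_phase1 = any("malformed message" in r.message and message_id(r) == 0
                           for r in ike)
    if invalid_spi and malformed_phase1:
        # Heuristic (Walter Roberson's reading): the peer rejected Phase 1,
        # so check the group name and group pre-shared key first.
        return "phase1-group-psk-or-name-mismatch"
    if malformed_phase1:
        return "phase1-malformed"
    if ike:
        return "ike-other"
    return "no-ike-events"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.seq} {r.module} {r.code} sev={r.severity}/{r.level} "
              f"msgid={message_id(r)}: {r.message}")
    print("diagnosis:", diagnose(recs))
```

Run it against a longer client log (the VPN Client's Log Viewer saves the same format) and the Phase 1 / Phase 2 split from the message id is usually enough to tell a group-key problem from a transform-set or ACL problem, before reaching for `debug crypto isakmp` on the router.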

  3. James

    James Guest

    Thanks. Do you know what passwords are used? I do not remember adding
    one for the VPN, or any group used by the VPN for that matter. Thanks.
    James, Nov 21, 2005
    #3
  4. James

    James Guest

    Should I have XAuth Group Lock on? If so, where on the VPN do I enter
    the name/group? In the trial above I was never prompted for anything
    before the link failed.
    James, Nov 21, 2005
    #4
  5. James

    James Guest

    For those who can read this stuff I have included a dump of the router
    (edited)! Please let me know if there are some howlers here. Most is
    the default tho'.

    This is the running config of the router: xxx.xxx.xxx.100
    ----------------------------------------------------------------------------
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 blahxxxblah
    !
    username James privilege 15 secret 5 blahxxxblah
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local enable
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local if-authenticated
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name Blah
    ip name-server 158.152.1.58
    ip name-server 158.152.1.43
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    lifetime 1200
    crypto isakmp key blahxxxblah address 82.0.98.178
    !
    crypto isakmp client configuration group Hovarians
    key blahxxxblah
    dns 158.152.1.58 158.152.1.43
    wins xxx.xxx.xxx.200
    domain Blah
    pool SDM_POOL_1
    group-lock
    save-password
    include-local-lan
    max-users 1
    max-logins 3
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set MyDefault esp-aes esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set MyDefault
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    !
    ssid blahxxxblah
    authentication open
    !
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0
    channel 2462
    no cdp enable
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    bridge-group 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 80.177.223.54 255.0.0.0
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 7 blahxxxblah
    crypto map SDM_CMAP_1
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address xxx.xxx.xxx.100 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    logging trap debugging
    logging xxx.xxx.xxx.100
    logging 80.177.223.54
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 80.0.0.0 0.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip host xxx.xxx.xxx.50 any
    access-list 101 permit ip host xxx.xxx.xxx.51 any
    access-list 101 permit ip host xxx.xxx.xxx.52 any
    access-list 101 permit ip host xxx.xxx.xxx.53 any
    access-list 101 permit ip host xxx.xxx.xxx.54 any
    access-list 101 permit ip host xxx.xxx.xxx.55 any
    access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp any host 80.177.223.54 eq isakmp
    access-list 101 permit esp any host 80.177.223.54
    access-list 101 permit ahp any host 80.177.223.54
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq isakmp
    access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit udp host 158.152.1.43 eq domain host 80.177.223.54
    access-list 101 permit udp host 158.152.1.58 eq domain host 80.177.223.54
    access-list 101 deny ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 101 permit icmp any host 80.177.223.54 echo-reply
    access-list 101 permit icmp any host 80.177.223.54 time-exceeded
    access-list 101 permit icmp any host 80.177.223.54 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 101 remark IPSec Rule
    access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip any host xxx.xxx.xxx.50
    access-list 103 deny ip any host xxx.xxx.xxx.51
    access-list 103 deny ip any host xxx.xxx.xxx.52
    access-list 103 deny ip any host xxx.xxx.xxx.53
    access-list 103 deny ip any host xxx.xxx.xxx.54
    access-list 103 deny ip any host xxx.xxx.xxx.55
    access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 remark VTY Access-class list
    access-list 105 remark SDM_ACL Category=1
    access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 deny ip any any
    access-list 700 permit 0001.e694.aa0a 0000.0000.0000
    access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    transport preferred all
    transport output telnet
    line vty 0 4
    access-class 105 in
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 130.88.203.12 prefer
    end
    James, Nov 21, 2005
    #5
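The posted config does answer the "which group and password" question from post #3: the Easy VPN group is the `crypto isakmp client configuration group Hovarians` stanza, its `key` line is the group pre-shared key the client must carry as the group password, and the crypto map's `client authentication list sdm_vpn_xauth_ml_1` resolves (via `aaa authentication login sdm_vpn_xauth_ml_1 local enable`) to the local user `James`, whose secret is the XAuth password. The script below is an added editorial example, not code from the thread or from Cisco: it extracts those settings from a running-config and renders the matching Cisco VPN Client 4.x profile (.pcf). The config excerpt is constructed from the stanzas in post #5, indented as `show running-config` prints them and with the key left redacted as posted; the Host value is the Dialer0 address from the same config, and using `James` as the XAuth username is an assumption. The `user@group` form used when `group-lock` is present reflects the IOS Easy VPN Server behaviour as I understand it (IOS checks the group portion of the XAuth username against the negotiated group); treat the delimiter as an assumption and, while debugging, remove `group-lock` until the plain group key works.

```python
"""Extract Easy VPN group settings from an IOS running-config and render the
matching Cisco VPN Client 4.x profile.

Added editorial example; not code from the thread or from Cisco.
"""
import re

# Constructed excerpt of the running-config posted in the thread (key
# redacted as in the post; one-space indentation as IOS prints it).
RUNNING_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 1200
crypto isakmp key blahxxxblah address 82.0.98.178
!
crypto isakmp client configuration group Hovarians
 key blahxxxblah
 dns 158.152.1.58 158.152.1.43
 domain Blah
 pool SDM_POOL_1
 group-lock
 save-password
 include-local-lan
 max-users 1
 max-logins 3
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
"""

CRYPTO_MAP_RE = re.compile(
    r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)$")


def parse_ezvpn_groups(config):
    """Return {group: {"key": str|None, "flags": set, "attrs": dict}} for every
    'crypto isakmp client configuration group' stanza.  A stanza body is the
    run of indented lines that follows; '!' or any top-level line ends it."""
    groups, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("crypto isakmp client configuration group "):
            current = groups.setdefault(raw.split()[-1],
                                        {"key": None, "flags": set(), "attrs": {}})
            continue
        if not raw.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        parts = raw.split()
        if parts[0] == "key":
            current["key"] = parts[1]          # group pre-shared key
        elif len(parts) == 1:
            current["flags"].add(parts[0])     # group-lock, save-password, ...
        else:
            current["attrs"][parts[0]] = parts[1:]
    return groups


def crypto_map_lists(config):
    """AAA list names the crypto map uses for XAuth and group authorization."""
    return {m.group(2): m.group(3)
            for line in config.splitlines()
            if (m := CRYPTO_MAP_RE.match(line.strip()))}


def vpn_client_profile(groups, group, host, username, description="Cisco 857W"):
    """Render a .pcf profile for one group.  AuthType=1 selects group
    pre-shared key.  GroupPwd is written in clear; the client rewrites it as
    enc_GroupPwd on first load, which is reversible obfuscation, not
    encryption, so the file must be protected like the key itself."""
    g = groups[group]
    if g["key"] is None:
        raise ValueError(f"group {group} has no pre-shared key")
    # Assumption: with group-lock on the router, the XAuth username is
    # submitted as user@group so IOS can match the group portion.
    xauth_user = f"{username}@{group}" if "group-lock" in g["flags"] else username
    lines = [
        "[main]",
        f"Description={description}",
        f"Host={host}",
        "AuthType=1",
        f"GroupName={group}",
        f"GroupPwd={g['key']}",
        f"Username={xauth_user}",
        f"SaveUserPassword={1 if 'save-password' in g['flags'] else 0}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = parse_ezvpn_groups(RUNNING_CONFIG)
    print("AAA lists:", crypto_map_lists(RUNNING_CONFIG))
    print(vpn_client_profile(groups, "Hovarians", "80.177.223.54", "James"))
```

Load the rendered profile into the client, then watch the router side with `show crypto isakmp sa` and `debug crypto isakmp` while the client connects; a Phase 1 that never reaches MM_KEY_EXCH/QM_IDLE with the client reporting malformed messages points back at the group name or key. Two caveats a practitioner should weigh: the Easy VPN client uses IKEv1 aggressive mode with a shared group key, so a single captured exchange allows an offline guessing attack on that key, and `save-password` plus the obfuscated `enc_GroupPwd` leave both secrets recoverable from the client machine. Unrelated to the failure but worth tidying: the "IPSec Rule" `permit ip` at the end of access-list 101 sits after `deny ip any any` and can never match.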
