pix 501 VPN into SBS 2003 domain - RADIUS authentication fails.

Discussion in 'Cisco' started by Zen, Jun 16, 2006.

  1. Zen

    Zen Guest

    Following an upgrade from w2k to sbs2003, remote vpn authentication has
    stopped working.

    Any help as to where to troubleshoot next will be greatly appreciated.

    VPN into the PIX is OK; the RADIUS authentication against SBS 2003 IAS does not
    complete successfully (shared secret matches).

    Looks like authentication has worked and then the user is immediately logged
    off. Authentication failed is reported to remote client.

    Pix debug has 'ISAKMP: reserved not zero on payload 8!' and 'ISAKMP: malformed
    payload' entries, which I think are part of the 'authentication success'
    response. Because the pix is not processing this response, IAS logs the
    user off.

    As a side issue, what does 'Checking ISAKMP transform 9 against priority 10
    policy' mean?

    The set up is as per these instructions
    http://www.cisco.com/en/US/products...s_configuration_example09186a00800b6099.shtml

    Connectivity is
    internet -> speedtouch (510) modem (non nat) -> pix 501 (with public static
    ip) -> SBS 2003 with IAS

    Remote client is cisco VPN client 3.5 for windows

    System event log shows that IAS has granted access, security event log shows
    a logon, followed immediately by a logoff.

    Security log has entries for:
    Logon attempt using explicit credentials:
    Successful Network Logon:
    Special privileges assigned to new logon:
    User Logoff:

    Pix debug log has these entries.
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload

    Pix log extract, complete log at end of message:
    crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip>spt:500
    dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from <remote ip>. message ID =
    11168140
    ISAKMP: Config payload CFG_REPLY
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip> spt:500
    dpt:500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload

    IAS event log entry:
    User phil.xxxxx was granted access.
    Fully-Qualified-User-Name = <domain>.local/MyBusiness/Users/SBSUsers/Philip
    xxxxxx
    NAS-IP-Address = <pix ip>
    NAS-Identifier = <not present>
    Client-Friendly-Name = Pix
    Client-IP-Address = <pix ip>
    Calling-Station-Identifier = <remote client ip (dialup)>
    NAS-Port-Type = <not present>
    NAS-Port = 8
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Connections to other access servers
    Authentication-Type = PAP
    EAP-Type = <undetermined>

    complete pix log:

    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 192
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 192
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 192
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 192
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue
    event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from 212.140.115.161. message
    ID = 11168164
    ISAKMP: Config payload CFG_REPLY
    return status is IKMP_ERR_NO_RETRANS
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 794882597
    ISAMKP (0): received DPD_R_U_THERE from peer 212.140.115.161
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0:0): initiating peer config to 212.140.115.161. ID = 2773460662
    (0xa54fa6b6)
    crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip>
    spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 3540473934, spi size =
    16
    ISAKMP (0): deleting SA: src 212.140.115.161, dst <pix public ip>
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xaef22c, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:212.140.115.161/500 Ref cnt decremented to:0 Total
    VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:212.140.115.161/500 Total VPN
    peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 212.
    Zen, Jun 16, 2006
    #1
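The 'Checking ISAKMP transform N against priority 10 policy' lines are the PIX comparing each IKE phase 1 proposal offered by the VPN client against its configured isakmp policy 10; 'atts are not acceptable' means that proposal did not match. The Python below is an added example, not the poster's or Cisco's code: it parses a constructed excerpt of the debug output above into proposals and reports which policy attributes each one fails. POLICY_10 is an assumed policy chosen to be consistent with the log, not the poster's configuration.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted in the post
# (transforms 8 and 9 only, lifetime lines dropped to keep the sample short).
SAMPLE_LOG = """\
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 128
"""

# Hypothetical "isakmp policy 10" consistent with the debug output (transform 9
# is the only proposal the PIX does not reject); not the poster's real config.
POLICY_10 = {"encryption": "AES-CBC", "hash": "SHA", "group": "2",
             "auth": "pre-share", "keylength": "128"}

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|extended auth|auth|keylength of) (.+)$")
ATTR_KEYS = {"default group": "group", "extended auth": "auth", "keylength of": "keylength"}

def parse_transforms(log):
    """Group each proposal's attribute lines under its 'Checking ... transform N' header."""
    transforms, cur = [], None
    for line in log.splitlines():
        hdr, attr = CHECK_RE.search(line), ATTR_RE.match(line)
        if hdr:
            cur = {"transform": int(hdr.group(1)), "policy": int(hdr.group(2)),
                   "attrs": {}, "xauth": False, "rejected": False}
            transforms.append(cur)
        elif cur and "atts are not acceptable" in line:
            cur["rejected"] = True
        elif cur and attr:
            key, value = ATTR_KEYS.get(attr.group(1), attr.group(1)), attr.group(2)
            if attr.group(1) == "extended auth":   # XAUTH variant of the auth method
                cur["xauth"], value = True, value.replace(" (init)", "")
            cur["attrs"][key] = value
    return transforms

def mismatches(transform, policy):
    """Policy attributes the peer's proposal does not satisfy (empty list means it matches)."""
    return sorted(k for k, v in policy.items() if transform["attrs"].get(k) != v)
```

Running it over the poster's full log would show transforms 1 to 8 failing on hash or keylength and transform 9 matching, which is why the exchange proceeds to the XAUTH / RADIUS stage before the malformed-payload errors appear.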