PIX Internet access OK - but cannot get to VPN

Discussion in 'Cisco' started by Ned, Aug 31, 2006.

  1. Ned

    Ned Guest

    I have a new PIX set up with outbound Internet Access and an inbound
    VPN.
    The Internet access is working fine - but the VPN client can't get into
    the VPN.

    VPN Client log
    Cisco Systems VPN Client Version 4.0.1 (Rel)
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600
    1 08:23:01.731 08/31/06 Sev=Warning/2 IKE/0xA3000067
    Received Unexpected InitialContact Notify (PLMgrNotify:841)
    2 08:23:01.903 08/31/06 Sev=Warning/3 IKE/0xA300004B
    Received a NOTIFY message with an invalid protocol id (0)
    3 08:23:07.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.
    4 08:23:12.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.
    5 08:23:17.013 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.

    *********************
    When I try to VPN into my network I am getting debug messages on my
    PIX:

    IPSEC(validate_proposal): invalid local address 191.196.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5

    The address is correct in that users on the inside can browse out from
    that interface and I can PING it from the outside. (I have changed the
    addresses for this posting...)

    I also get this debug:

    debug crypto isakmp
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13
    dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    *************************************************
    I also get this debug output on the PIX:

    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 2387466550IPSEC(key_engine): got a queue
    event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 1206514397IPSEC(key_engine): got a queue
    event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing DELETE payload. message ID = 1118155919, spi
    size = 4IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

    VPN Peer: ISAKMP: Peer ip:191.191.37.35/1027 Ref cnt decremented to:0
    Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:191.191.37.35/1027 Total VPN
    peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.5


    ****************
    Any help appreciated...Ned
     
    Ned, Aug 31, 2006
    #1

  2. mak

    mak Guest

    Ned wrote:
    > I have a new PIX set up with outbound Internet Access and an inbound
    > VPN.
    > The Internet access is working fine - but the VPN client can't get into
    > the VPN.


    how is the vpn terminated, directly on the pix or on a concentrator behind it?

    > VPN Client log
    > Cisco Systems VPN Client Version 4.0.1 (Rel)
    > Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    > Client Type(s): Windows, WinNT
    > Running on: 5.1.2600
    > 1 08:23:01.731 08/31/06 Sev=Warning/2 IKE/0xA3000067
    > Received Unexpected InitialContact Notify (PLMgrNotify:841)
    > 2 08:23:01.903 08/31/06 Sev=Warning/3 IKE/0xA300004B
    > Received a NOTIFY message with an invalid protocol id (0)
    > 3 08:23:07.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    > Driver says we received a packet with invalid SPI (0), sending
    > INVALID-SPI notify.
    > 4 08:23:12.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    > Driver says we received a packet with invalid SPI (0), sending
    > INVALID-SPI notify.
    > 5 08:23:17.013 08/31/06 Sev=Warning/3 IKE/0xA3000056
    > Driver says we received a packet with invalid SPI (0), sending
    > INVALID-SPI notify.
    >
    > *********************
    > When I try to VPN into my network I am getting debug messages on my
    > PIX:
    >
    > IPSEC(validate_proposal): invalid local address 191.196.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5


    are you mixing up the nat address and the real if address?

    > The address is correct in that users on the inside can browse out from
    > that interface and I can PING it from the outside. (I have changed the
    > addresses for this posting...)



    are you mixing up the nat address and the real if address?


    mak
     
    mak, Aug 31, 2006
    #2

  3. Ned

    Ned Guest

    Mak,
    No, the addresses are correct - I sorted the problem yesterday - I had left
    out:
    "crypto map map1 interface outside"
    Thanks, Ned

    >
    > are you mixing up the nat address and the real if address?
    >
    >
    > mak
     
    Ned, Sep 1, 2006
    #3
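The omission Ned found, turned into a small configuration check, as an added example that is not from the thread: it parses a constructed PIX 6.x-style fragment (an assumption; the isakmp policy and transform-set values are placeholders, not Ned's real config) and flags a crypto map that has entries but is never applied to an interface, which is the state that produced the "invalid local address" debug above.

```python
import re

# Constructed PIX 6.x-style fragment (an assumption, not Ned's real config):
# map1 has a dynamic entry for VPN clients but is never applied to 'outside',
# which is the state Ned described before adding the missing line.
PIX_CONFIG_BROKEN = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map map1 10 ipsec-isakmp dynamic dynmap
sysopt connection permit-ipsec
"""
# The same fragment with the line the thread identifies as missing.
PIX_CONFIG_FIXED = PIX_CONFIG_BROKEN + "crypto map map1 interface outside\n"

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ISAKMP_ENABLE = re.compile(r"^isakmp enable (\S+)$")


def crypto_map_findings(config: str) -> list[str]:
    """Return problems found in the crypto map wiring; an empty list means clean."""
    entries, bindings, isakmp_ifaces = {}, {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_ENTRY.match(line):
            entries.setdefault(m.group(1), []).append(int(m.group(2)))
        elif m := MAP_BIND.match(line):
            bindings[m.group(1)] = m.group(2)
        elif m := ISAKMP_ENABLE.match(line):
            isakmp_ifaces.add(m.group(1))
    findings = []
    for name in entries:
        if name not in bindings:
            # Exactly the omission in this thread: peers reach IKE on the
            # interface, but no crypto map is applied there to accept proposals.
            findings.append(f"crypto map {name} is defined but never applied to an interface")
        elif bindings[name] not in isakmp_ifaces:
            findings.append(f"crypto map {name} is applied to {bindings[name]} but ISAKMP is not enabled there")
    for name, iface in bindings.items():
        if name not in entries:
            findings.append(f"crypto map {name} is applied to {iface} but has no entries")
    return findings
```

Run `crypto_map_findings()` over both fragments: the broken one reports the unapplied map1, the fixed one reports nothing.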
