PIX VPN Client Config Problem

Discussion in 'Cisco' started by Ben, Aug 8, 2007.

  1. Ben (Guest)

    Hello All,

    I am trying to set up a client VPN on my PIX 515E. Everything seems to
    be going well on the client side until I get this error:

    Phase 1 SA deleted before first Phase 2 SA is up cause by
    "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
    Authenticated IKE SA in the system

    I currently have 3 Site-to-Site VPNs up and running with no problems,
    but the client VPN is giving me fits. Any help would be appreciated.
    Log Files and PIX Configs posted below...

    Thanks!

    ************ VPN Client Log Output ******************************

    638 14:13:29.151 08/08/07 Sev=Info/4 CM/0x63100002
    Begin connection process

    639 14:13:29.161 08/08/07 Sev=Info/4 CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully

    640 14:13:29.161 08/08/07 Sev=Info/4 CM/0x63100004
    Establish secure connection using Ethernet

    641 14:13:29.161 08/08/07 Sev=Info/4 CM/0x63100024
    Attempt connection with server "xx.xx.xx.xx"

    642 14:13:30.162 08/08/07 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with xx.xx.xx.xx.

    643 14:13:30.172 08/08/07 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
    VID(Nat-T), VID(Frag), VID(Unity)) to xx.xx.xx.xx

    644 14:13:30.172 08/08/07 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started

    645 14:13:30.172 08/08/07 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    646 14:13:30.713 08/08/07 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xx.xx.xx.xx

    647 14:13:30.713 08/08/07 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity),
    VID(?), KE, ID, NON, HASH) from xx.xx.xx.xx

    648 14:13:30.713 08/08/07 Sev=Info/5 IKE/0x63000001
    Peer supports XAUTH

    649 14:13:30.713 08/08/07 Sev=Info/5 IKE/0x63000001
    Peer supports DPD

    650 14:13:30.713 08/08/07 Sev=Info/5 IKE/0x63000001
    Peer is a Cisco-Unity compliant peer

    651 14:13:30.713 08/08/07 Sev=Info/5 IKE/0x63000082
    Received IOS Vendor ID with unknown capabilities flag 0x00000025

    652 14:13:30.723 08/08/07 Sev=Info/6 IKE/0x63000001
    IOS Vendor ID Contruction successful

    653 14:13:30.723 08/08/07 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,
    VID(?), VID(Unity)) to xx.xx.xx.xx

    654 14:13:30.723 08/08/07 Sev=Info/4 IKE/0x63000083
    IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

    655 14:13:30.723 08/08/07 Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated
    IKE SA in the system

    656 14:13:30.723 08/08/07 Sev=Info/4 CM/0x6310000E
    Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated
    IKE SA in the system

    657 14:13:30.733 08/08/07 Sev=Info/5 IKE/0x6300005E
    Client sending a firewall request to concentrator

    658 14:13:30.733 08/08/07 Sev=Info/5 IKE/0x6300005D
    Firewall Policy: Product=Cisco Systems Integrated Client Firewall,
    Capability= (Centralized Protection Policy).

    659 14:13:30.733 08/08/07 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

    660 14:13:30.783 08/08/07 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xx.xx.xx.xx

    661 14:13:30.783 08/08/07 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME)
    from xx.xx.xx.xx

    662 14:13:30.783 08/08/07 Sev=Info/5 IKE/0x63000045
    RESPONDER-LIFETIME notify has value of 86400 seconds

    663 14:13:30.783 08/08/07 Sev=Info/5 IKE/0x63000047
    This SA has already been alive for 0 seconds, setting expiry to 86400
    seconds from now

    664 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xx.xx.xx.xx

    665 14:13:30.793 08/08/07 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

    666 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value =
    192.168.xx.1

    667 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value =
    10.xx.xx.xx

    668 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x63000010
    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value =
    10.xx.xx.x1

    669 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x6300000E
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value =
    local.mydomain.com

    670 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of
    split_nets), value = 0x00000001

    671 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x6300000F
    SPLIT_NET #1
    subnet = 10.xx.xx.0
    mask = 255.255.0.0
    protocol = 0
    src port = 0
    dest port=0

    672 14:13:30.793 08/08/07 Sev=Info/5 IKE/0x6300000D
    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

    673 14:13:30.793 08/08/07 Sev=Info/4 CM/0x63100019
    Mode Config data received

    674 14:13:30.803 08/08/07 Sev=Info/4 IKE/0x63000056
    Received a key request from Driver: Local IP = 192.168.xx.1, GW IP =
    xx.xx.xx.xx, Remote IP = 0.0.0.0

    675 14:13:30.803 08/08/07 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.xx.xx.xx

    676 14:13:30.943 08/08/07 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xx.xx.xx.xx

    677 14:13:30.943 08/08/07 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
    xx.xx.xx.xx

    678 14:13:30.943 08/08/07 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.xx.xx.xx

    679 14:13:30.943 08/08/07 Sev=Info/4 IKE/0x63000049
    Discarding IPsec SA negotiation, MsgID=9E1C54AA

    680 14:13:30.943 08/08/07 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=C9B6EE20393CEF5A
    R_Cookie=5BB8D6BA7145EA8D) reason = DEL_REASON_IKE_NEG_FAILED

    681 14:13:31.384 08/08/07 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    682 14:13:31.785 08/08/07 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = xx.xx.xx.xx

    683 14:13:31.785 08/08/07 Sev=Warning/3 IKE/0xA3000029
    No keys are available to decrypt the received ISAKMP payload

    684 14:13:31.785 08/08/07 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(Opaque) from xx.xx.xx.xx

    685 14:13:34.388 08/08/07 Sev=Info/4 IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=C9B6EE20393CEF5A
    R_Cookie=5BB8D6BA7145EA8D) reason = DEL_REASON_IKE_NEG_FAILED

    686 14:13:34.388 08/08/07 Sev=Info/4 CM/0x63100012
    Phase 1 SA deleted before first Phase 2 SA is up cause by
    "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User
    Authenticated IKE SA in the system

    687 14:13:34.388 08/08/07 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv

    688 14:13:34.398 08/08/07 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection

    689 14:13:34.398 08/08/07 Sev=Info/4 IKE/0x63000086
    Microsoft IPSec Policy Agent service started successfully

    690 14:13:34.398 08/08/07 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    691 14:13:34.398 08/08/07 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    692 14:13:34.398 08/08/07 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    693 14:13:34.398 08/08/07 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped

    ************* PIX Debug Messages **********************************

    debug crypto isakmp
    pixprimary#
    crypto_isakmp_process_block:src:"My Client VPN Location IP Address",
    dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts are not acceptable.
    crypto_isakmp_process_block:src:yy.yy.yy.yy, dest:xx.xx.xx.xx spt:500
    dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 1134262884
    ISAMKP (0): received DPD_R_U_THERE from peer yy.yy.yy.yy
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:"My Client VPN Location IP Address",
    dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_AG exchange
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): deleting SA: src "My Client VPN Location IP Address", dst
    xx.xx.xx.xx
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    ISAKMP (0): SA has been authenticated
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Peer ip:"My Client VPN Location IP Address"/500 Ref
    cnt incremented to:2 Total VPN Peers:4
    ISAKMP: peer is a remote access client
    crypto_isakmp_process_block:src:"My Client VPN Location IP Address",
    dest:xx.xx.xx.xx spt:500 dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from "My Client VPN
    Location IP Address". message ID = 18588276
    ISAKMP: Config payload CFG_REQUEST
    ISAKMP (0:0): checking request:
    ISAKMP: attribute IP4_ADDRESS (1)
    ISAKMP: attribute IP4_NETMASK (2)
    ISAKMP: attribute IP4_DNS (3)
    ISAKMP: attribute IP4_NBNS (4)
    ISAKMP: attribute ADDRESS_EXPIRY (5)
    Unsupported Attr: 5
    ISAKMP: attribute UNKNOWN (28672)
    Unsupported Attr: 28672
    ISAKMP: attribute UNKNOWN (28673)
    Unsupported Attr: 28673
    ISAKMP: attribute ALT_DEF_DOMAIN (28674)
    ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
    ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
    ISAKMP: attribute ALT_PFS (28679)
    ISAKMP: attribute UNKNOWN (28683)
    Unsupported Attr: 28683
    ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
    ISAKMP: attribute APPLICATION_VERSION (7)
    ISAKMP: attribute UNKNOWN (28680)
    Unsupported Attr: 28680
    ISAKMP: attribute UNKNOWN (28682)
    Unsupported Attr: 28682
    ISAKMP: attribute UNKNOWN (28677)
    Unsupported Attr: 28677
    ISAKMP (0:0): responding to peer config from "My Client VPN Location
    IP Address". ID = 2054906934
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:"My Client VPN Location IP Address",
    dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2652656810

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: key length is 256
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (1)
    ISAKMP : Checking IPSec proposal 2

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: key length is 256
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (2)
    ISAKMP : Checking IPSec proposal 3

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: key length is 128
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (3)
    ISAKMP : Checking IPSec proposal 4

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: key length is 128
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (4)
    ISAKMP : Checking IPSec proposal 5

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: key length is 256
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 6

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: key length is 256
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 7

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: key length is 128
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 8

    ISAKMP: transform 1, ESP_AES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: key length is 128
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP : Checking IPSec proposal 9

    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 1
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP (0): atts are acceptable.
    ISAKMP (0): bad SPI size of 2 octets!
    ISAKMP : Checking IPSec proposal 10

    crypto_isakmp_process_block:src:"My Client VPN Location IP Address",
    dest:xx.xx.xx.xx spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 3057963672, spi
    size = 4
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0x127cb64, conn_id = 0
    ISADB: reaper checking SA 0x127c3dc, conn_id = 0
    ISADB: reaper checking SA 0x127a7f4, conn_id = 0
    ISADB: reaper checking SA 0x128692c, conn_id = 0
    ISADB: reaper checking SA 0x1279324, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:"My Client VPN Location IP Address"/500 Ref
    cnt decremented to:1 Total VPN Peers:4
    ISADB: reaper checking SA 0x127cb64, conn_id = 0
    ISADB: reaper checking SA 0x127c3dc, conn_id = 0
    ISADB: reaper checking SA 0x127a7f4, conn_id = 0
    ISADB: reaper checking SA 0x128692c, conn_id = 0
    crypto_isakmp_process_block:src:yy.yy.yy.yy, dest:xx.xx.xx.xx spt:500
    dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 172466264
    ISAMKP (0): received DPD_R_U_THERE from peer yy.yy.yy.yy
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS
    pixprimary#
    crypto_isakmp_process_block:src:yy.yy.yy.yy, dest:xx.xx.xx.xx spt:500
    dpt:500
    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 3996635256
    ISAMKP (0): received DPD_R_U_THERE from peer yy.yy.yy.yy
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANSno deubg   bug all
    pixprimary# exit

    Logoff

    ********** PIX CONFIG ****************************************************************

    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 10baset
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security15
    nameif ethernet4 intf4 security20
    nameif ethernet5 intf5 security25
    enable password HmIaExXCAJ17HpiK encrypted
    passwd aj0IysBpb1wUf0G. encrypted
    hostname pixprimary
    domain-name local.mydomain.com
    clock timezone EST -5
    clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 bb0
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 110 permit ip host xx.yy.zz.zz aa.bb.249.192
    255.255.255.224
    access-list 110 permit ip host xx.yy.zz.2 aa.bb.249.192
    255.255.255.224
    access-list 110 permit ip host xx.yy.zz.3 aa.bb.249.192
    255.255.255.224
    access-list 110 permit ip host xx.yy.zz.4 aa.bb.249.192
    255.255.255.224
    access-list 110 permit ip host xx.yy.1.140 aa.bb.249.192
    255.255.255.224
    access-list 110 permit ip xx.yy.0.0 255.255.0.0 192.168.3.0
    255.255.255.0
    access-list acl-out permit tcp xx.yy.1.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.4.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.10.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.30.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.zz.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.20.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.21.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.22.0 255.255.255.0 any eq www
    access-list acl-out permit tcp xx.yy.35.0 255.255.255.0 any eq www
    access-list acl-out permit tcp host xx.yy.6.46 any eq www
    access-list acl-out permit tcp host xx.yy.7.25 any eq www
    access-list acl-out permit tcp host xx.yy.7.25 any eq https
    access-list acl-out permit tcp host xx.yy.14.1 any eq ftp
    access-list acl-out permit tcp host xx.yy.14.1 any eq www
    access-list acl-out permit tcp xx.yy.14.0 255.255.255.0 any eq www
    access-list acl-out permit tcp host xx.yy.1.140 any eq ftp
    access-list acl-out permit tcp host xx.yy.9.30 any eq www
    access-list acl-out deny tcp any any eq www
    access-list acl-out permit ip any any
    access-list outside_cryptomap_dyn_20 permit ip any bb.16.1.0
    255.255.255.128
    access-list outside_cryptomap_dyn_40 permit ip any bb.16.1.0
    255.255.255.128
    access-list 102 permit ip xx.yy.11.0 255.255.255.0 xx.yy.91.0
    255.255.255.0
    access-list 102 permit ip bb.30.4.224 255.255.255.240 xx.yy.91.0
    255.255.255.0
    access-list endoworkssrv1 permit ip host xx.yy.11.1 xx.yy.91.0
    255.255.255.0
    access-list 103 permit ip host xx.xx.1.6 129.73.116.88
    255.255.255.248
    access-list 103 permit ip host xx.xx.1.40 xx.73.116.88
    255.255.255.248
    access-list 104 permit ip host xx.yy.1.80 xx.41.86.0 255.255.255.0
    access-list 104 permit ip xx.41.86.0 255.255.255.0 host xx.yy.1.80
    access-list 104 permit ip host xx.xx.1.31 xx.41.86.0 255.255.255.0
    access-list 104 permit ip xx.41.86.0 255.255.255.0 host xx.xx.1.31
    access-list 109 permit ip xx.yy.0.0 255.255.0.0 192.168.xx.0
    255.255.255.0
    no pager
    logging trap debugging
    logging facility 0
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside xx.xx.xx.xx 255.255.255.0
    ip address inside xx.yy.1.1 255.255.0.0
    ip address dmz 192.168.xx.1 255.255.255.0
    ip address intf3 192.168.xx.1 255.255.255.0
    ip address intf4 192.168.xx.1 255.255.255.0
    ip address intf5 192.168.xx.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.xx.1-192.168.xx.254
    failover
    failover timeout -1
    failover poll 8
    failover ip address outside xx.xx.xx.xx53
    failover ip address inside xx.yy.1.2
    failover ip address dmz 192.168.1.2
    failover ip address intf3 192.168.xx.2
    failover ip address intf4 192.168.xx.2
    failover ip address intf5 192.168.xx.2
    failover link intf5
    pdm history enable
    arp timeout 1zz00
    global (outside) 1 xx.xx.1.100-xx.xx.xx.xx00
    global (outside) 1 xx.xx.1.4
    global (dmz) 1 192.168.xx.100-192.168.xx.254 netmask 255.255.255.0
    nat (inside) 0 access-list 110
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (dmz) 1 192.168.xx.0 255.255.255.0 0 0
    static (inside,outside) xx.xx.1.10 xx.yy.4.62 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.xx.xx5 xx.yy.1.147 netmask
    255.255.255.255 0 0
    static (inside,outside) xx.xx.xx.xx6 xx.yy.1.148 netmask
    255.255.255.255 0 0
    static (inside,outside) xx.xx.xx.xx7 xx.yy.1.149 netmask
    255.255.255.255 0 0
    static (inside,dmz) xx.yy.4.62 xx.yy.4.62 netmask 255.255.255.255 0 0
    static (inside,outside) xx.xx.1.30 xx.yy.1.133 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.12 xx.yy.zz.zz netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.xx.xx8 xx.yy.1.219 dns netmask
    255.255.255.255 0 0
    static (inside,outside) xx.xx.1.14 xx.yy.zz.2 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.15 xx.yy.zz.3 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.16 xx.yy.zz.4 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.5 xx.yy.1.6 netmask 255.255.255.255 0
    0
    static (dmz,outside) xx.xx.1.5 192.168.xx.5 netmask 255.255.255.255 0
    0
    static (inside,outside) xx.xx.1.17 xx.yy.22.11 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.7 xx.yy.7.27 netmask 255.255.255.255 0
    0
    static (inside,outside) xx.xx.1.9 xx.yy.4.61 netmask 255.255.255.255 0
    0
    static (inside,outside) xx.xx.1.8 xx.yy.21.51 netmask 255.255.255.255
    0 0
    static (inside,outside) bb.30.4.225 access-list endoworkssrv1 0 0
    static (inside,outside) xx.xx.1.18 xx.yy.1.zz netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.xx.xx4 xx.yy.1.114 netmask
    255.255.255.255 0 0
    static (inside,outside) xx.xx.1.40 xx.yy.zz.70 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.6 xx.yy.zz.69 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.31 xx.yy.1.80 netmask 255.255.255.255
    0 0
    static (dmz,outside) xx.xx.1.11 192.168.xx.15 netmask 255.255.255.255
    0 0
    static (inside,outside) xx.xx.1.32 xx.yy.1.140 netmask 255.255.255.255
    0 0
    access-group acl-out in interface inside
    conduit permit tcp host xx.xx.1.10 eq smtp any
    conduit permit tcp host xx.xx.xx.xx5 eq www any
    conduit permit tcp host xx.xx.xx.xx6 eq www any
    conduit permit tcp host xx.xx.xx.xx7 eq www any
    conduit permit tcp host xx.xx.xx.xx5 eq citrix-ica any
    conduit permit tcp host xx.xx.xx.xx6 eq citrix-ica any
    conduit permit tcp host xx.xx.xx.xx8 eq www any
    conduit deny tcp any any eq 135
    conduit deny tcp any any eq netbios-ssn
    conduit deny tcp any any eq zz5
    conduit deny udp any any eq 135
    conduit permit tcp any eq 5101 host xx.xx.193.104
    conduit permit tcp any eq 5101 host xx.xx.193.105
    conduit permit tcp any eq 9030 host xx.xx.193.104
    conduit permit tcp any eq 9030 host xx.xx.193.105
    conduit permit tcp host xx.xx.1.11 eq smtp any
    conduit permit tcp host xx.yy.4.62 eq smtp any
    conduit deny tcp any any eq 6667
    conduit permit tcp host xx.xx.1.30 eq www any
    conduit permit tcp host xx.xx.1.12 eq www any
    conduit permit tcp host xx.xx.1.12 eq https any
    conduit permit tcp host xx.xx.1.12 eq 81 any
    conduit permit ip host xx.xx.xx.xx host aa.bb.249.33
    conduit permit tcp any eq 3389 host aa.bb.249.233
    conduit permit tcp host xx.xx.1.14 eq https any
    conduit permit tcp host xx.xx.1.14 eq 1433 any
    conduit permit tcp host xx.xx.1.14 eq 8085 any
    conduit permit tcp host xx.xx.1.14 eq www any
    conduit permit tcp host xx.xx.1.14 eq 81 any
    conduit permit tcp host xx.xx.1.14 eq 5635 any
    conduit permit tcp host xx.xx.1.14 eq 5636 any
    conduit permit tcp host xx.xx.1.14 eq 2222 any
    conduit permit tcp host xx.xx.1.15 eq https any
    conduit permit tcp host xx.xx.1.16 eq https any
    conduit permit tcp host xx.xx.1.16 eq 2222 any
    conduit permit tcp host xx.xx.1.15 eq 2222 any
    conduit permit tcp host xx.xx.1.15 eq 8060 any
    conduit permit tcp host xx.xx.1.16 eq 8060 any
    conduit permit tcp host xx.xx.1.16 eq 5635 any
    conduit permit tcp host xx.xx.1.15 eq 5635 any
    conduit permit tcp host xx.xx.1.15 eq 5636 any
    conduit permit tcp host xx.xx.1.16 eq 5636 any
    conduit permit tcp host xx.xx.1.15 eq 1433 any
    conduit permit tcp host xx.xx.1.15 eq 8085 any
    conduit permit tcp host xx.xx.1.15 eq www any
    conduit permit tcp host xx.xx.1.15 eq 81 any
    conduit permit tcp host xx.xx.1.17 eq www any
    conduit permit tcp host xx.xx.1.17 eq 3389 any
    conduit permit icmp any any
    conduit permit tcp host xx.xx.1.30 eq https any
    conduit permit tcp host xx.xx.1.9 eq smtp any
    conduit permit tcp host xx.xx.1.9 eq pop3 any
    conduit permit tcp host xx.xx.1.8 eq www any
    conduit permit tcp host xx.xx.xx.xx8 eq ftp any
    conduit permit tcp host xx.xx.1.18 eq 3389 host xx.xx.195.234
    conduit permit tcp host xx.xx.1.18 eq 3389 host xx.xx.28.42
    conduit permit tcp host xx.xx.xx.xx4 eq www any
    conduit permit tcp host xx.xx.xx.xx4 eq citrix-ica any
    conduit permit tcp host xx.xx.1.99 eq www any
    conduit permit tcp host xx.xx.1.32 eq ftp any
    conduit permit tcp host xx.xx.1.32 range 4950 5000 any
    route outside 0.0.0.0 0.0.0.0 xx.xx.1.1 1
    route inside 192.168.xx.0 255.255.255.0 xx.yy.30.10 1
    route inside xx.xx.xx.xx 255.255.255.192 xx.yy.1.228 1
    route outside 204.146.91.0 255.255.255.0 xx.xx.xx.xx0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    ntp server xx.yy.1.128 source inside prefer
    http server enable
    http xx.yy.20.1 255.255.255.255 inside
    http xx.yy.21.13 255.255.255.255 inside
    http xx.yy.21.51 255.255.255.255 inside
    http xx.yy.21.121 255.255.255.255 inside
    snmp-server host inside xx.yy.1.254
    snmp-server host inside xx.yy.1.8
    snmp-server location pharmacy
    snmp-server contact tech support
    snmp-server community Private
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address
    outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set cisco1
    crypto dynamic-map outside_dyn_map 40 match address
    outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set cisco1
    crypto map cisco 10 ipsec-isakmp
    crypto map cisco 10 match address 110
    crypto map cisco 10 set peer aa.bb.249.33
    crypto map cisco 10 set transform-set cisco1
    crypto map cisco 20 ipsec-isakmp
    crypto map cisco 20 match address 102
    crypto map cisco 20 set peer xx.xx.126.243
    crypto map cisco 20 set transform-set cisco1
    crypto map cisco 30 ipsec-isakmp
    crypto map cisco 30 match address 103
    crypto map cisco 30 set peer xx.xx.135.193
    crypto map cisco 30 set transform-set cisco1
    crypto map cisco 30 set security-association lifetime seconds 3600
    kilobytes 4608000
    crypto map cisco 40 ipsec-isakmp
    crypto map cisco 40 match address 104
    crypto map cisco 40 set peer xx.xx.86.229
    crypto map cisco 40 set transform-set cisco1
    crypto map cisco 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map cisco interface outside
    isakmp enable outside
    isakmp key ******** address aa.bb.249.33 netmask 255.255.255.255
    isakmp key ******** address xx.xx.126.243 netmask 255.255.255.255
    isakmp key ******** address xx.xx.135.193 netmask 255.255.255.255 no-
    xauth no-config-mode
    isakmp key ******** address xx.xx.86.229 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10 3
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption aes-256
    isakmp policy 21 hash sha
    isakmp policy 21 group 5
    isakmp policy 21 lifetime 86400
    vpngroup vpnaccess address-pool vpnpool
    vpngroup vpnaccess dns-server xx.yy.1.128 xx.yy.1.130
    vpngroup vpnaccess default-domain hrmc.halifaxmedicalcenter.org
    vpngroup vpnaccess split-tunnel 109
    vpngroup vpnaccess idle-time 1800
    vpngroup vpnaccess password ********
    console timeout 0
    terminal width 80
    Cryptochecksum:2fd5eb7a29e408dd6c1b50bfb69ac82f
    : end
    pixprimary#
     
    Ben, Aug 8, 2007
    #1
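As an added example (not code from Ben's post or from Cisco), a small Python triage script for the PIX `debug crypto isakmp` quick-mode output and the config quoted above: it parses each "Checking IPSec proposal" block and the `crypto ipsec transform-set` / `crypto dynamic-map ... set transform-set` lines, then reports, per client proposal, whether a matching transform-set is defined on the PIX and whether the dynamic map is actually allowed to select it. The sample debug and config strings are constructed in the shape of the post's output, and all function names are my own.

```python
"""Triage helper for the PIX Phase 2 proposal checks: parses the `debug crypto
isakmp` proposal blocks and the config's transform-sets, then reports per
client proposal whether a matching transform-set exists and is usable."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the PIX debug output (two of the client's
# proposals, same line formats as the real debug).
PIX_DEBUG = """\
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP (0): atts are acceptable.
ISAKMP (0): bad SPI size of 2 octets!
"""
# Constructed sample of the relevant PIX config lines (same shape as the post).
PIX_CONFIG = """\
crypto ipsec transform-set cisco1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set cisco1
crypto dynamic-map outside_dyn_map 40 set transform-set cisco1
"""

@dataclass
class Proposal:
    number: int
    cipher: str = ""          # ESP_AES / ESP_3DES as the PIX prints it
    auth: str = ""            # HMAC-MD5 / HMAC-SHA
    key_length: int = 0       # 0 for ciphers with a fixed key size (3DES)
    acceptable: bool = False  # the PIX's own verdict on the attributes
    spi_error: bool = False   # "bad SPI size" printed right after this proposal

def parse_pix_proposals(debug_text):
    """Return the Phase 2 proposals the PIX evaluated, in debug order."""
    proposals = []
    for line in debug_text.splitlines():
        if m := re.search(r"Checking IPSec proposal (\d+)", line):
            proposals.append(Proposal(int(m.group(1))))
            continue
        if not proposals:
            continue
        cur = proposals[-1]
        if m := re.search(r"transform \d+, (\S+)", line):
            cur.cipher = m.group(1)
        elif m := re.search(r"authenticator is (\S+)", line):
            cur.auth = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):
            cur.key_length = int(m.group(1))
        elif "not acceptable" in line:
            cur.acceptable = False
        elif "atts are acceptable" in line:
            cur.acceptable = True
        elif "bad SPI size" in line:
            cur.spi_error = True
    return proposals

def transform_keywords(p):
    """Translate the debug wording into PIX transform-set keywords."""
    aes = {128: "esp-aes", 192: "esp-aes-192", 256: "esp-aes-256"}
    cipher = aes[p.key_length] if p.cipher == "ESP_AES" else "esp-3des"  # ESP_3DES
    auth = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}[p.auth]
    return frozenset({cipher, auth})

def parse_transform_sets(config_text):
    """Return ({name: keywords}, names bound to a dynamic-map entry)."""
    sets, bound = {}, set()
    for line in config_text.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line.strip()):
            sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", line.strip()):
            bound.update(m.group(1).split())
    return sets, bound

def coverage_report(debug_text, config_text):
    """One row per client proposal: is it defined, and can the dynamic map use it?"""
    sets, bound = parse_transform_sets(config_text)
    rows = []
    for p in parse_pix_proposals(debug_text):
        wanted = transform_keywords(p)
        defined_in = sorted(n for n, kw in sets.items() if kw == wanted)
        rows.append({
            "proposal": p.number,
            "wanted": " ".join(sorted(wanted)),
            "defined_in": defined_in,
            "usable_by_dynamic_map": any(n in bound for n in defined_in),
            "pix_said_acceptable": p.acceptable,
            "spi_error_after": p.spi_error,
        })
    return rows
```

Feed `coverage_report()` the full debug capture and running config to see every client proposal beside the transform-sets the dynamic map can actually select; a proposal that is "defined" but not "usable" points at a transform-set that exists but is not bound to any dynamic-map entry.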