Reason 412: The remote peer is no longer responding.

Discussion in 'Cisco' started by James, Feb 10, 2006.

  1. James

    James Guest

    I just can't get this to work out of the box/running wizard. I'm
    getting error on client of:

    Secure VPN Connection terminated locally by the Client.
    Reason 412: The remote peer is no longer responding.

    What areas should I be looking at please? I've set the VPN Easy Server
    up and made it Initiate as well as Respond. I'm using a key phrase to
    connect with. I've tested the VPN server in the SDM software and it
    says it's ok.

    Short of an entire dump please let me know what more info you need?
    James, Feb 10, 2006
    #1

  2. James

    Merv Guest

    Are you using a firewall on your PC such as Windows XP firewall?

    Did you add the Cisco VPN client as an exception?

    Firewall must be configured to permit UDP ports 500 and 62515 which are
    required for the Cisco VPN client.
    Merv, Feb 10, 2006
    #2

  3. James

    James Guest

    I have F-Secure on client which I think is configured to allow the VPN
    client - I will check. As for the network there is no software
    firewall on the server, just the Cisco box. I assume that the wizard
    setup the correct rules to allow clients in but how do I check this
    port config?

    Thanks for responding - you are the first one in over a month and I was
    going slowly mad!
    James, Feb 10, 2006
    #3
  4. In article <>,
    Merv <> wrote:
    >Firewall must be configured to permit UDP ports 500 and 62515 which are
    >required for the Cisco VPN client.


    I'd never heard of 62515 being required before. I see it listed in
    the VPN 3000 concentrator FAQ,
    http://www.cisco.com/warp/public/471/vpn_3000_faq.shtml
    along with 62514 thru 62524.

    The description of the port use given in the FAQ does not suggest
    to me that the firewall would need to be opened to permit any of those
    ports: they appear to me to only be talking from the local machine
    to itself?
    Walter Roberson, Feb 10, 2006
    #4
  5. James

    Merv Guest

    Besides disabling your firewall, verify that your PC is actually
    transmitting packets.
    Start a cmd window and run the command "netstat -s -p ip 60" to see IP
    send and receive packet counts.
    Merv, Feb 10, 2006
    #5
  6. James

    Merv Guest

    UDP port 62515 - Cisco Systems IPSec Driver to Cisco Systems, Inc. VPN
    Service

    Perhaps depends on where a firewall inserts itself in the dataflow
    Merv, Feb 11, 2006
    #6
  7. "James" <> wrote in message
    news:...
    >I just can't get this to work out of the box/running wizard. I'm
    > getting error on client of:
    >
    > Secure VPN Connection terminated locally by the Client.
    > Reason 412: The remote peer is no longer responding.
    >


    Are you using IP/ESP, NAT-T, or TCP as your connect (Are you using NAT?)

    Make sure you use a NAT-friendly VPN scheme. I think the default is IP/ESP
    which fails with a lot of NAT devices.
    Phillip Remaker, Feb 11, 2006
    #7
  8. James

    Merv Guest

    Also try the following commands to see a summary of what is or is not
    happening:

    C:\Program Files\Cisco Systems\VPN Client\vpnclient stat traffic

    C:\Program Files\Cisco Systems\VPN Client\vpnclient stat tunnel
    Merv, Feb 12, 2006
    #8
  9. James

    James Guest

    Great, thanks I will see what it states tonight.
    James, Feb 14, 2006
    #9
  10. James

    James Guest

    Phillip,
    Sorry for late reply - have been to France to try and chill from this
    mess!!

    I have NAT on the firewall. What am I using as my connect? Good
    question!
    Do I search for this on the firewall or is it configured on the client
    end -
    or both?

    Thanks,
    James
    James, Feb 14, 2006
    #10
  11. James

    Merv Guest

    How are you making out with this issue?
    Merv, Feb 14, 2006
    #11
  12. James

    James Guest

    I can only test this when at another site - unfortunately I can not be
    in the same building and "dial in". So progress is slow. However I
    will add your command prompts tonight and let you know the outcome. I
    am still very confused by the whole thing as the webhelp that comes
    with the SDM package is quite frankly - bloody useless!

    Phillip has suggested IP/ESP as something to explore - but I am
    awaiting where I look for this. Also it makes me wonder what the
    "wizard" is doing in setting up a complex system that basically then
    fails to work.

    Having had to reboot the box due to a total freeze I realise that I
    have lost some previous settings - c'est la vie! In wandering round
    the maze again I see I don't have any IPSec Rules (ACL). Do I need
    some? should not the "wizard" have produced the ones it needs? Does
    this "wizard" only work on Sundays!?

    Thanks
    James, Feb 14, 2006
    #12
  13. James

    James Guest

    Is now a good time to post the config?
    James, Feb 14, 2006
    #13
  14. James

    James Guest

    OK, I've just tried from within the site. Hoping that my packets will
    leave and then come back to establish a link. I now get an error:

    Secure VPN Connection terminated locally by the Client.
    Reason 401: An unrecognized error occurred while establishing the VPN
    connection.

    This happens after I log in:

    Negotiating security policies...
    Securing communications channel...

    Can I assume that my security policies are at least set up ok?
    James, Feb 14, 2006
    #14
  15. James

    James Guest

    Also found this in the log of the client:
    1 11:58:32.550 02/14/06 Sev=Warning/3 GUI/0xE3B00003
    GI EnumPPP callback timed out.

    2 12:00:43.688 02/14/06 Sev=Warning/2 IKE/0xA3000062
    Attempted incoming connection from 80.177.223.54. Inbound connections
    are not allowed.

    3 12:08:04.452 02/14/06 Sev=Warning/2 IKE/0xA3000062
    Attempted incoming connection from 80.177.223.54. Inbound connections
    are not allowed.
    James, Feb 14, 2006
    #15
  16. James

    Merv Guest

    Have you always been getting as far as getting the messages:

    Negotiating security policies...
    Securing communications channel...

    post the firewall config and the contents of the client VPN profile for
    the connection

    post the contents of the PIX firewall log - use command "show log"

    Is the IP address 80.177.223.54 for your firewall?
    Merv, Feb 14, 2006
    #16
  17. James

    Merv Guest

    BTW is this a new VPN server setup or are there other users that are
    able to connect to the VPN server successfully?
    Merv, Feb 14, 2006
    #17
  18. James

    James Guest

    Here's the config:

    Building configuration...

    Current configuration : 8568 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$LR.f$pB8.ZdKhW3GXtV8S4gj3J.
    !
    username James privilege 15 secret 5 $1$lURO$tewOxEtKEAqZxNz7Zdbd4.
    clock timezone London 0
    clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default if-authenticated local
    aaa authorization network default local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name XXX
    ip name-server 158.152.1.58
    ip name-server 158.152.1.43
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 2
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key pwd address 82.0.98.178
    !
    crypto isakmp client configuration group groupname
    key key
    dns 158.152.1.58 158.152.1.43
    wins xxx.xxx.xxx.200
    domain XXX
    pool SDM_POOL_1
    include-local-lan
    max-users 1
    max-logins 3
    !
    !
    crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile IPSecProfile1
    set transform-set TransformSet1
    !
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set TransformSet1
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list default
    crypto map SDM_CMAP_1 isakmp authorization list default
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    !
    ssid SSIDname
    authentication open
    !
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0
    channel 2462
    no cdp enable
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    bridge-group 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 80.177.223.54 255.0.0.0
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 7 05082E1D2042405A0A
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address xxx.xxx.xxx.100 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    logging trap debugging
    logging xxx.xxx.xxx.100
    logging 80.177.223.54
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip host xxx.xxx.xxx.50 any
    access-list 100 permit ip host xxx.xxx.xxx.51 any
    access-list 100 permit ip host xxx.xxx.xxx.52 any
    access-list 100 permit ip host xxx.xxx.xxx.53 any
    access-list 100 permit ip host xxx.xxx.xxx.54 any
    access-list 100 permit ip host xxx.xxx.xxx.55 any
    access-list 100 permit udp any host xxx.xxx.xxx.100 eq non500-isakmp
    access-list 100 permit udp any host xxx.xxx.xxx.100 eq isakmp
    access-list 100 permit esp any host xxx.xxx.xxx.100
    access-list 100 permit ahp any host xxx.xxx.xxx.100
    access-list 100 deny ip 80.0.0.0 0.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip host xxx.xxx.xxx.50 any
    access-list 101 permit ip host xxx.xxx.xxx.51 any
    access-list 101 permit ip host xxx.xxx.xxx.52 any
    access-list 101 permit ip host xxx.xxx.xxx.53 any
    access-list 101 permit ip host xxx.xxx.xxx.54 any
    access-list 101 permit ip host xxx.xxx.xxx.55 any
    access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp any host 80.177.223.54 eq isakmp
    access-list 101 permit esp any host 80.177.223.54
    access-list 101 permit ahp any host 80.177.223.54
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq isakmp
    access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit udp host 158.152.1.43 eq domain host 80.177.223.54
    access-list 101 permit udp host 158.152.1.58 eq domain host 80.177.223.54
    access-list 101 deny ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 101 permit icmp any host 80.177.223.54 echo-reply
    access-list 101 permit icmp any host 80.177.223.54 time-exceeded
    access-list 101 permit icmp any host 80.177.223.54 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 101 remark IPSec Rule
    access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip any host xxx.xxx.xxx.50
    access-list 103 deny ip any host xxx.xxx.xxx.51
    access-list 103 deny ip any host xxx.xxx.xxx.52
    access-list 103 deny ip any host xxx.xxx.xxx.53
    access-list 103 deny ip any host xxx.xxx.xxx.54
    access-list 103 deny ip any host xxx.xxx.xxx.55
    access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 remark VTY Access-class list
    access-list 105 remark SDM_ACL Category=1
    access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 deny ip any any
    access-list 700 permit 0001.e694.aa0a 0000.0000.0000
    access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    transport preferred all
    transport output telnet
    line vty 0 4
    access-class 105 in
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 130.88.203.12 prefer
    end

    I'm a bit unclear about the PIX bit - the client has a log but it is
    only populated on attempted connection. At the moment it only contains
    this:

    Cisco Systems VPN Client Version 4.6.00.0045
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2
    Config file directory: C:\Program Files\Cisco Systems\VPN Client

    I can increase the logging of such things like IPSec, IKE, PPP, GUI
    etc.

    Thanks for all your help.

    And yes 80.177.223.54 is the external NAT'd address of the firewall
    (Cisco 857W).
    James, Feb 14, 2006
    #18
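    As an added example (not from this thread or from Cisco), a small Python lint that reads an IOS config in the shape of the one posted above and flags two things a reviewer would check before digging into IKE debugs: whether the crypto map is bound to the Internet-facing (NAT-outside) interface, and whether any ACL entries are unreachable because they follow a catch-all "ip any any" in the same ACL. The config excerpt is constructed from the posted one, with the masked inside subnet replaced by 192.0.2.0/24.

```python
import re

# Constructed excerpt modelled on the 857W config posted in this thread. IOS
# indents interface sub-commands by one space; the masked inside subnet is
# replaced here with the documentation range 192.0.2.0/24.
SAMPLE_CONFIG = """\
interface Dialer0
 ip address 80.177.223.54 255.0.0.0
 ip access-group 101 in
 ip nat outside
interface BVI1
 ip address 192.0.2.100 255.255.255.0
 ip nat inside
 crypto map SDM_CMAP_1
access-list 101 permit udp any host 80.177.223.54 eq isakmp
access-list 101 permit esp any host 80.177.223.54
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
    return ifaces

def crypto_map_findings(cfg):
    """Flag a crypto map missing from the NAT-outside interface (where remote
    clients' IKE/ESP arrives) or bound to an inside interface instead."""
    findings = []
    for name, cmds in parse_interfaces(cfg).items():
        has_map = any(c.startswith("crypto map ") for c in cmds)
        if "ip nat outside" in cmds and not has_map:
            findings.append(f"{name}: NAT-outside interface has no crypto map")
        if has_map and "ip nat inside" in cmds:
            findings.append(f"{name}: crypto map bound to an inside interface")
    return findings

def shadowed_acl_entries(cfg):
    """Return ACL entries that follow a catch-all 'ip any any' in the same ACL;
    IOS evaluates entries top-down, so these can never match."""
    shadowed, closed = [], set()
    for line in cfg.splitlines():
        m = re.match(r"access-list (\d+) (?:permit|deny) (.*)", line)
        if m and m.group(1) in closed:
            shadowed.append(line)
        elif m and m.group(2) == "ip any any":
            closed.add(m.group(1))
    return shadowed
```

    Run both checks over a "show running-config" capture; a finding from either is a configuration to review, not proof of the fault.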
  19. James

    James Guest

    This is a new setup - and only one person (myself) will be allowed in.
    Also forgot to say that the Negotiating security etc is new to me!!
    Must be getting somewhere, right. Trouble is that was from within the
    site and all previous tests have been from outside. Not sure what diff
    that makes...
    James, Feb 14, 2006
    #19
  20. James

    Merv Guest

    On your VPN client profile setup, please confirm that the groupname is
    set to "groupname" and the password is set to "key".

    BTW I would suggest for clarity during testing that you change these
    settings on both the 837W and your PC.
    For example use a capitalized groupname and password.

    Clear the logging buffer ("clear log"), attempt a connection, and then
    post the contents of the 857's logging buffer ("show log").
    Merv, Feb 14, 2006
    #20