Reason 412: VPN Client Cant Connect to PIX Firewall

Discussion in 'Cisco' started by Asif, Sep 23, 2004.

  1. Asif

    Asif Guest

    Hi,

    I am trying to connect to a PIX firewall using Cisco VPN Client 4.0.3.
    When I try to connect, after typing the user name and password, it
    says:

        Secure VPN connection is terminated locally by the client
        Reason 412: The remote peer is no longer responding.


    The firewall config is as follows:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    interface ethernet5 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    nameif ethernet3 intf3 security6
    nameif ethernet4 intf4 security8
    nameif ethernet5 intf5 security10
    enable password uZK encrypted
    passwd abcd encrypted
    hostname abcd
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list ipsectraffic permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 192.168.11.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 192.168.21.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 10.1.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list ipsectraffic permit ip 10.1.20.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any unreachable

    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    ip address outside 105.279.139.34 255.255.255.240
    ip address inside 192.168.0.3 255.255.255.0
    no ip address intf2
    no ip address intf3
    no ip address intf4
    no ip address intf5
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mydhcp 192.168.50.10-192.168.50.100
    ip local pool myuser 192.168.50.101-192.168.50.110
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    no failover ip address intf4
    no failover ip address intf5
    pdm location 192.168.1.67 255.255.255.255 inside
    pdm location 10.1.0.0 255.255.255.0 inside
    pdm location 10.1.10.0 255.255.255.0 inside
    pdm location 10.1.20.0 255.255.255.0 inside
    pdm location 10.1.0.0 255.255.0.0 inside
    pdm location 192.168.1.13 255.255.255.255 inside
    pdm location 192.168.1.15 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.10.0 255.255.255.0 inside
    pdm location 192.168.11.0 255.255.255.0 inside
    pdm location 192.168.20.0 255.255.255.0 inside
    pdm location 192.168.21.0 255.255.255.0 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.50.0 255.255.255.0 outside
    pdm location 216.86.60.15 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 105.279.139.43 netmask 255.255.255.240
    nat (inside) 0 access-list ipsectraffic
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 69.60.195.61 192.168.1.13 netmask 255.255.255.255 0 0
    static (inside,outside) 69.60.195.59 192.168.1.15 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 105.279.139.33 1
    route inside 10.1.0.0 255.255.0.0 192.168.0.1 1
    route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 192.168.1.15 timeout 5 protocol TCP version 1
    url-server (inside) vendor websense host 192.168.1.12 timeout 5 protocol TCP version 1
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    http server enable
    http 192.168.1.67 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap client authentication LOCAL
    crypto map mymap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp client configuration address-pool local mydhcp outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpnuser address-pool mydhcp
    vpngroup vpnuser idle-time 1800
    vpngroup vpnuser password ********
    vpngroup admin address-pool gtpuser
    vpngroup admin idle-time 1800
    vpngroup admin password ********

    vpngroup idel-time idle-time 1800
    telnet 192.168.0.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 10.1.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    username admin password adkfjdkj encrypted privilege 15

    terminal width 80
    Cryptochecksum:bfb119199a1f9248cb102ef2c3edf1e9


    Please let me know what I am doing wrong.

    Thanks a lot for your help.

    JG
     
    Asif, Sep 23, 2004
    #1

  2. In article <>,
    Asif <> wrote:
    :I am trying to connect to PIX firewall using Cisco VPN Client 4.0.3.
    :When I try to connect it, after typing user name and password, its
    :says "
    :Secure VPN connection is terminated locally by the client
    :Reason 412: The remote peer is no longer responding."

    :ip address inside 192.168.0.3 255.255.255.0

    :route inside 192.168.0.0 255.255.0.0 192.168.0.1 1

    Your route statement overlaps with the IP range of your inside address.
    Are you sure that is what you want?? It pretty much hints that you
    have some inside hosts in the 192.168/16 net, which would have
    a broadcast IP of 192.168.255.255, but your inside interface is going
    to have a broadcast IP of 192.168.0.255. Sounds like a recipe for
    trouble.

    :crypto ipsec transform-set myset esp-3des esp-sha-hmac
    :crypto dynamic-map dynmap 10 set transform-set myset
    :crypto map mymap 10 ipsec-isakmp dynamic dynmap
    :crypto map mymap client configuration address initiate
    :crypto map mymap client configuration address respond

    I seem to recall that address respond is redundant in conjunction
    with vpngroup, as the vpngroup is required to hand out an address from
    the address-pool. The server creates an IPSec proxy mapping the
    client internet IP to the address-pool address, and then communicates
    with the client via that allocated address-pool IP.

    :isakmp client configuration address-pool local mydhcp outside
    :vpngroup vpnuser address-pool mydhcp


    That's what pops to mind without deeper analysis.
    --
    This is not the same .sig the second time you read it.
     
    Walter Roberson, Sep 23, 2004
    #2
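An added checker, not part of the thread, that mechanically looks for the two kinds of problem visible in the posted config: a static route that overlaps a directly connected interface subnet (Walter's 192.168.0.0/16 versus the inside 192.168.0.0/24 point) and a vpngroup whose address-pool names an `ip local pool` that is never defined (the posted config has `vpngroup admin address-pool gtpuser` but no such pool). The config excerpt is constructed from the posted lines; the obfuscated outside address is left out because it is not a valid IPv4 address.

```python
"""Sanity checks for a PIX 6.x style config: flag static routes that overlap
a connected interface subnet and vpngroups that reference undefined pools."""
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (outside address omitted:
# 105.279.139.34 is not parseable as IPv4). The route gateway is kept as text only.
PIX_CONFIG = """\
ip address inside 192.168.0.3 255.255.255.0
ip local pool mydhcp 192.168.50.10-192.168.50.100
ip local pool myuser 192.168.50.101-192.168.50.110
route outside 0.0.0.0 0.0.0.0 105.279.139.33 1
route inside 10.1.0.0 255.255.0.0 192.168.0.1 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
vpngroup vpnuser address-pool mydhcp
vpngroup admin address-pool gtpuser
"""

IP_ADDR = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) (\d+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
VPNGROUP_POOL = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")


def check_pix_config(text):
    """Return a list of (check_name, detail) findings for the given config text."""
    connected = {}    # interface name -> connected subnet
    routes = []       # (interface, destination network)
    pools = set()     # names defined with 'ip local pool'
    group_pools = {}  # vpngroup name -> pool name it hands out
    for line in text.splitlines():
        line = line.strip()
        if m := IP_ADDR.match(line):
            connected[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := ROUTE.match(line):
            routes.append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := POOL.match(line):
            pools.add(m[1])
        elif m := VPNGROUP_POOL.match(line):
            group_pools[m[1]] = m[2]

    findings = []
    for ifname, dest in routes:
        if dest.prefixlen == 0:   # the default route overlaps everything by design
            continue
        for cif, subnet in connected.items():
            if dest.overlaps(subnet):   # static route competes with a connected subnet
                findings.append(("route-overlap", f"route {ifname} {dest} overlaps connected {cif} {subnet}"))
    for group, pool in group_pools.items():
        if pool not in pools:
            findings.append(("undefined-pool", f"vpngroup {group} references missing pool {pool}"))
    return findings
```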

  3. Asif

    Asif Guest

    Thanks for the response. When I turned on logging on the VPN Client,
    the following message appears in log:


    3 09:20:59.681 09/23/04 Sev=Warning/3 IKE/0xA300004B
    Received a NOTIFY message with an invalid protocol id (0)


    What do I have to fix?

    Thanks in advance.

    JG

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<citqif$7e6$>...
    > In article <>,
    > Asif <> wrote:
    > :I am trying to connect to PIX firewall using Cisco VPN Client 4.0.3.
    > :When I try to connect it, after typing user name and password, its
    > :says "
    > :Secure VPN connection is terminated locally by the client
    > :Reason 412: The remote peer is no longer responding."
    >
    > :ip address inside 192.168.0.3 255.255.255.0
    >
    > :route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
    >
    > Your route statement overlaps with the IP range of your inside address.
    > Are you sure that is what you want?? It pretty much hints that you
    > have some inside hosts in the 192.168/16 net, which would have
    > a broadcast IP of 192.168.255.255, but your inside interface is going
    > to have a broadcast IP of 192.168.0.255. Sounds like a recipe for
    > trouble.
    >
    > :crypto ipsec transform-set myset esp-3des esp-sha-hmac
    > :crypto dynamic-map dynmap 10 set transform-set myset
    > :crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > :crypto map mymap client configuration address initiate
    > :crypto map mymap client configuration address respond
    >
    > I seem to recall that address respond is redundant in conjunction
    > with vpngroup, as the vpngroup is required to hand out an address from
    > the address-pool. The server creates an IPSec proxy mapping the
    > client internet IP to the address-pool address, and then communicates
    > with the client via that allocated address-pool IP.
    >
    > :isakmp client configuration address-pool local mydhcp outside
    > :vpngroup vpnuser address-pool mydhcp
    >
    >
    > That's what pops to mind without deeper analysis.
     
    Asif, Sep 23, 2004
    #3
