VPN Connectivity Problems

Discussion in 'Cisco' started by J1C, Oct 28, 2004.

  1. J1C

    J1C Guest

    I have a VPN setup that has a connectivity problem. After 1 user is
    connected 98% of the time other users can not connect. I have been able
    to get 2, or 3 connections established once but never after that.

    The error in the Cisco VPN Client (4.6) is:
    33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
    R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED

    All users are Windows XP SP2, all users are behind a Linksys BEFSR41
    router/firewall, all users use the Cisco VPN Client v4.6

    I used this as a guideline when configuring the VPN:
    http://www.cisco.com/en/US/products...s_configuration_example09186a00801e71c0.shtml
     
    J1C, Oct 28, 2004
    #1

  2. "J1C" <> wrote:

    > I have a VPN setup that has a connectivity problem. After 1 user is
    > connected 98% of the time other users can not connect. I have been able
    > to get 2, or 3 connections established once but never after that.
    >
    > The error in the Cisco VPN Client (4.6) is:
    > 33 08:43:50.266 10/28/04 Sev=Info/4 IKE/0x6300004A
    > Discarding IKE SA negotiation (I_Cookie=F66CE40F75834CFE
    > R_Cookie=0D67E19AD6DA16C1) reason = DEL_REASON_IKE_NEG_FAILED
    >
    > All users are Windows XP SP2, all users are behind a Linksys BEFSR41
    > router/firewall, all users use the Cisco VPN Client v4.6
    >
    > I used this as a guideline when configuring the VPN:
    > http://www.cisco.com/en/US/products...s_configuration_example09186a00801e71c0.shtml



    If you have Pix OS 6.3(1) or higher you can try:

    isakmp nat-traversal 20


    BTW: Where did you get the Cisco VPN Client v4.6? I visited
    Cisco's pages today and the latest version I saw for Windows
    XP was 4.0.5.C-k9.
     
    Jyri Korhonen, Oct 28, 2004
    #2

  3. J1C

    J1C Guest

    Thanks - I already have isakmp nat-traversal 20 in the config... any
    other ideas? I think it has something to do with NAT & the ol' Linksys
    router, but since SOMETIMES I have >1 user connected I can not be
    certain.

    I got 4.6 from Cisco's site... it took a while to find it though... You
    have to be a registered user too with a valid support license.
     
    J1C, Oct 28, 2004
    #3
  4. "J1C" <> wrote:

    > Thanks - I already have isakmp nat-traversal 20 in the config... any
    > other ideas? I think it has something to do with NAT & the ol' Linksys
    > router, but since SOMETIMES I have >1 user connected I can not be
    > certain.


    If you check your VPN connections from the Pix with command

    show isakmp sa detail

    you get something like this

    Local Remote Encr Hash Auth State Lifetime
    X.X.X.X:500 Y.Y.Y.Y:500 3des md5 psk QM_IDLE 8258
    X.X.X.X:4500 Z.Z.Z.Z:4500 3des md5 psk QM_IDLE 13444

    What does the line of the VPN client user show? If it shows X.X.X.X:500
    then it is possible that the Linksys router cannot handle simultaneous
    AH or ESP sessions.

    But I'm sorry. You have

    - an unknown configuration in an unknown Pix model running an unknown
    Pix OS version
    - an unknown (to me) Linksys router with unknown configuration
    - an unknown (to me) Cisco VPN Client version

    With that information I'm afraid that I can give you only good guesses.
    I hope that somebody knows more about Linksys BEFSR41 and Cisco VPN
    Client v4.6.
     
    Jyri Korhonen, Oct 28, 2004
    #4
  5. J1C

    J1C Guest

    Sorry, I forgot about this:
    PIX Version 6.3(3)

    show isakmp sa detail
    Local Remote Encr Hash Auth State Lifetime
    a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE 86149
    a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
    a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544

    The first line is an existing PIX-PIX VPN ... I have never had trouble
    with that...
    The next two lines show the two connections from the Linksys...
     
    J1C, Oct 28, 2004
    #5
  6. "J1C" <> wrote:

    > a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE 86363
    > a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE 82544
    >
    > The [above] two lines show the two connections from the Linksys...


    Interesting. The first line tells us that the peer uses port 164.
    I have never seen a port number as low as that in a VPN connection.

    Well, the above also tells us that you are running port address translation
    with your Linksys and the VPN connections use nat-traversal. Do you have
    any filters or port forwarding settings in the Linksys that could make
    the peer select an unusually low UDP port?
     
    Jyri Korhonen, Oct 28, 2004
    #6
  7. J1C

    J1C Guest

    There are several port forwarding rules in place, most are typical
    though... like:

    external port tcp 80 --> internal IP tcp 80
    external port tcp 25 --> internal IP tcp 25
    external port tcp 3389 --> internal IP tcp 3389
    external port tcp + udp 5000 --> internal IP tcp + udp 5000 (OpenVPN)
    external port tcp + udp 5001 --> internal IP tcp + udp 5001 (OpenVPN)
    Anything I should look at/for specifically?
     
    J1C, Oct 28, 2004
    #7
  8. J1C

    J1C Guest

    Here's something else...

    show isakmp sa detail
    Local Remote Encr Hash Auth State
    a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
    a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
    a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
    a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE

    It looks like the first connection gets :4500 on the router, but any
    connection after that gets :164 ... that then works for a few minutes
    .... maybe less ... then all on the :164 drop and have to wait X seconds
    before establishing a new connection...
     
    J1C, Oct 28, 2004
    #8
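Reading `show isakmp sa detail` by hand gets tedious once several clients sit behind one NAT device. The script below is an added example, not part of the original thread or of any Cisco tool. It parses the column layout of the PIX 6.3 output quoted in posts #4, #5 and #8 (with or without the trailing Lifetime column), classifies each SA the way Jyri does in post #4 (UDP 500 on both ends means no NAT-T; remote 4500 means NAT-T with an untouched source port; any other remote port means the PAT device rewrote the UDP 4500 source port), and flags the symptom from post #8: the same remote IP:port pair appearing in more than one SA. The sample text is the anonymized output J1C posted; the function names, the label strings and the `IsakmpSa` record are the example author's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IKE_PORT = 500      # plain IKE, no NAT-T
NAT_T_PORT = 4500   # IKE/ESP encapsulated in UDP after NAT detection

# Constructed sample: the output J1C quoted in post #8 (addresses anonymized
# by the poster, so the parser must not assume dotted-decimal IPv4).
SAMPLE_OUTPUT = """\
show isakmp sa detail
Local Remote Encr Hash Auth State
a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
"""


@dataclass(frozen=True)
class IsakmpSa:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    encr: str
    hash_alg: str
    auth: str
    state: str
    lifetime: Optional[int]  # absent in some PIX output variants


_ENDPOINT = re.compile(r"^(?P<ip>.+):(?P<port>\d+)$")


def _split_endpoint(token: str) -> Tuple[str, int]:
    m = _ENDPOINT.match(token)
    if not m:
        raise ValueError(f"not an ip:port endpoint: {token!r}")
    return m.group("ip"), int(m.group("port"))


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Parse 'show isakmp sa detail' rows; header and command echo are skipped."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has at least Local Remote Encr Hash Auth State, and
        # both endpoint columns carry a ':port' suffix.
        if len(fields) < 6 or not _ENDPOINT.match(fields[0]) or not _ENDPOINT.match(fields[1]):
            continue
        lip, lport = _split_endpoint(fields[0])
        rip, rport = _split_endpoint(fields[1])
        lifetime = int(fields[6]) if len(fields) > 6 and fields[6].isdigit() else None
        sas.append(IsakmpSa(lip, lport, rip, rport, fields[2], fields[3], fields[4], fields[5], lifetime))
    return sas


def classify(sa: IsakmpSa) -> str:
    """Label an SA by its NAT-T situation, following the reading in post #4."""
    if sa.local_port == IKE_PORT and sa.remote_port == IKE_PORT:
        return "no-nat-t"            # e.g. the PIX-to-PIX tunnel
    if sa.remote_port == NAT_T_PORT:
        return "nat-t"               # NAT-T in use, source port untouched by PAT
    return "nat-t-pat-rewritten"     # PAT device picked a new source port (e.g. :164)


def duplicate_remote_endpoints(sas: List[IsakmpSa]) -> Dict[Tuple[str, int], int]:
    """Remote ip:port pairs that occur in more than one SA: a PAT device cannot
    legitimately track two sessions on one mapping, so these usually mean the
    NAT entry was dropped and re-created while the PIX still holds the old SA."""
    counts = Counter((sa.remote_ip, sa.remote_port) for sa in sas)
    return {ep: n for ep, n in counts.items() if n > 1}


def clients_per_public_ip(sas: List[IsakmpSa]) -> Dict[str, int]:
    """How many SAs share each remote public address (clients behind one NAT)."""
    return dict(Counter(sa.remote_ip for sa in sas))


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(f"{sa.remote_ip}:{sa.remote_port:<5} {sa.state:<8} {classify(sa)}")
    print("duplicates:", duplicate_remote_endpoints(sas))
    print("per public IP:", clients_per_public_ip(sas))
```

Paste real `show isakmp sa detail` output into `SAMPLE_OUTPUT` (or read it from a file) and look at the two summaries: a `nat-t-pat-rewritten` entry tells you the home router is doing PAT on UDP 4500, and any entry in the duplicates map is the stale-SA-versus-flushed-NAT-mapping condition PES describes in post #9.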
  9. PES

    PES Guest

    Have you tried turning off IPSEC pass through on the Linksys? Also, I'm in
    agreement, that is an unusually low source port. I wonder if the Linksys is
    translating it that low, or if the pc is actually initiating the connection
    that low (doubtful). Also, I don't understand how another nat session in
    the linksys could be tracked using the same source and destination port as
    the sa detail suggests. So I have to assume that the nat translation is
    being flushed quicker than the isakmp sa table in the pix is. I would
    recommend two other items.

    1) set your isakmp nat-traversal down to 10. At 20, it is possible that
    the linksys could assume that it can break the udp nat translation (it shouldn't
    but it might).

    2) try a firmware upgrade on the linksys. These things are a bit flaky
    sometimes. I had a wireless one that would only allow me to connect via
    pptp through the wired interface and not the wireless side. A firmware
    upgrade fixed it.

    "J1C" <> wrote in message
    news:...
    > Here's something else...
    >
    > show isakmp sa detail
    > Local Remote Encr Hash Auth State
    > a.b.c.98:500 d.e.f.205:500 3des md5 psk QM_IDLE
    > a.b.c.98:4500 x.y.z.82:4500 3des md5 psk QM_IDLE
    > a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
    > a.b.c.98:4500 x.y.z.82:164 3des md5 psk QM_IDLE
    >
    > It looks like the first connection gets :4500 on the router, but any
    > connection after that gets :164 ... that then works for a few minutes
    > ... maybe less ... then all on the :164 drop and have to wait X seconds
    > before establishing a new connection...
    >
     
    PES, Oct 29, 2004
    #9
  10. J1C

    J1C Guest

    Thanks! I will try your suggestions and update...
     
    J1C, Oct 29, 2004
    #10
