PIX Internet access OK - but cannot get to VPN

Discussion in 'Cisco' started by Ned, Aug 31, 2006.

  1. Ned

    Ned Guest

    I have a new PIX set up with outbound Internet Access and an inbound
    VPN.
    The Internet access is working fine - but the VPN client can't get into
    the VPN.

    VPN Client log
    Cisco Systems VPN Client Version 4.0.1 (Rel)
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600
    1 08:23:01.731 08/31/06 Sev=Warning/2 IKE/0xA3000067
    Received Unexpected InitialContact Notify (PLMgrNotify:841)
    2 08:23:01.903 08/31/06 Sev=Warning/3 IKE/0xA300004B
    Received a NOTIFY message with an invalid protocol id (0)
    3 08:23:07.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.
    4 08:23:12.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.
    5 08:23:17.013 08/31/06 Sev=Warning/3 IKE/0xA3000056
    Driver says we received a packet with invalid SPI (0), sending
    INVALID-SPI notify.

    *********************
    When I try to VPN into my network I am getting debug messages on my
    PIX:

    IPSEC(validate_proposal): invalid local address 191.196.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5

    The address is correct in that users on the inside can browse out from
    that interface and I can PING it from the outside. (I have changed the
    addresses for this posting...)

    I also get this debug:

    debug crypto isakmp
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13
    dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    *************************************************
    I also get this debug output on the PIX:

    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 2387466550IPSEC(key_engine): got a queue
    event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 1206514397IPSEC(key_engine): got a queue
    event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing DELETE payload. message ID = 1118155919, spi
    size = 4IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

    VPN Peer: ISAKMP: Peer ip:191.191.37.35/1027 Ref cnt decremented to:0
    Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:191.191.37.35/1027 Total VPN
    peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.5


    ****************
    Any help appreciated...Ned
     
    Ned, Aug 31, 2006
    #1

  2. Ned

    mak Guest

    How is the VPN terminated, directly on the PIX or on a concentrator behind it?
    Are you mixing up the NAT address and the real if address?


    mak
     
    mak, Aug 31, 2006
    #2

  3. Ned

    Ned Guest

    Mak,
    No, addresses are correct - I sorted the problem yesterday - I had left
    out -
    "crypto map map1 interface outside"
    Thanks, Ned
     
    Ned, Sep 1, 2006
    #3
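
The fix reported in post #3, as an added example that is not part of the thread: a small Python check that flags a PIX crypto map that has entries but no `crypto map <name> interface <ifname>` line, and ties it to the `invalid local address` debug message from post #1. The config fragment is constructed; only `map1` and `outside` come from the thread, and the function names are hypothetical.

```python
import re

# Constructed PIX 6.x-style fragment, not Ned's real config. Only the map name
# "map1" and interface "outside" come from the thread; the rest is assumed.
BROKEN = """\
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map map1 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
"""
FIXED = BROKEN + "crypto map map1 interface outside\n"

# Debug lines copied from the first post (addresses already altered by Ned).
DEBUG = """\
IPSEC(validate_proposal): invalid local address 191.191.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ", re.M)  # entry with a sequence number
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
LOCAL_RE = re.compile(r"IPSEC\(validate_proposal\): invalid local address (\S+)")


def unbound_crypto_maps(config):
    """Return crypto map names that have entries but no 'interface' binding."""
    defined = set(ENTRY_RE.findall(config))
    bound = {name for name, _ifname in BIND_RE.findall(config)}
    return sorted(defined - bound)


def diagnose(config, debug):
    """Tie the 'invalid local address' debug message to unbound crypto maps."""
    addrs = sorted(set(LOCAL_RE.findall(debug)))
    findings = []
    for name in unbound_crypto_maps(config):
        msg = f"crypto map {name} is defined but not applied to any interface"
        if addrs:
            msg += f"; proposals to {', '.join(addrs)} are being rejected"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(label, diagnose(cfg, DEBUG) or "crypto map bindings look complete")
```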