Reason 412: The remote peer is no longer responding.

Discussion in 'Cisco' started by James, Feb 10, 2006.

  1. James

    James Guest

    lost the last response!

    I can only see the 857 log, I have no text equivalent to copy and
    paste. It only has 5 info records the last being:

    Processing of Quick mode failed with peer at "my pc's ip"

    But here is the log of the client with IKE set to medium. I changed
    the group key on both.
    Cisco Systems VPN Client Version 4.6.00.0045
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    1 16:12:21.348 02/14/06 Sev=Warning/3 GUI/0xE3B00003
    GI EnumPPP callback timed out.

    Cisco Systems VPN Client Version 4.6.00.0045
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2
    Config file directory: C:\Program Files\Cisco Systems\VPN Client

    1 16:14:50.652 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
    VID(Nat-T), VID(Frag), VID(Unity)) to 80.177.223.54

    2 16:14:50.732 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?),
    VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from
    80.177.223.54

    3 16:14:50.742 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
    NAT-D, VID(?), VID(Unity)) to 80.177.223.54

    4 16:14:50.742 02/14/06 Sev=Info/4 IKE/0x63000082
    IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

    5 16:14:50.752 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
    80.177.223.54

    6 16:14:50.752 02/14/06 Sev=Warning/2 IKE/0xA3000062
    Attempted incoming connection from 80.177.223.54. Inbound connections
    are not allowed.

    7 16:14:50.762 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

    8 16:14:55.750 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 80.177.223.54

    9 16:14:57.172 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

    10 16:14:57.182 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

    11 16:14:57.192 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

    12 16:14:57.212 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 80.177.223.54

    13 16:14:57.222 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54

    14 16:14:57.532 02/14/06 Sev=Info/4 IKE/0x63000055
    Received a key request from Driver: Local IP = 192.168.36.55, GW IP =
    80.177.223.54, Remote IP = 0.0.0.0

    15 16:14:57.532 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 80.177.223.54

    16 16:14:57.542 02/14/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
    80.177.223.54

    17 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 80.177.223.54

    18 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000048
    Discarding IPsec SA negotiation, MsgID=CABD5A7C

    19 16:14:57.552 02/14/06 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=5ED0E3343207D013
    R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED

    20 16:15:00.957 02/14/06 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=5ED0E3343207D013
    R_Cookie=E82601E7412816C6) reason = DEL_REASON_IKE_NEG_FAILED

    21 16:15:01.037 02/14/06 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection
     
    James, Feb 14, 2006
    #21

  2. James

    Merv Guest

    Try deleting crypto policy 1 and changing the hash on policy 2 from MD5
    to sha so that it matches with the transform set.

    Do this with the command line interface from the console not any Cisco
    GUI.
     
    Merv, Feb 14, 2006
    #22

  3. James

    James Guest

    How? I'm not familiar with any CLI and don't know the commands! Sorry.
    If you could point to the prog that would be great.

    To save time I did use the GUI and it seems that DES3 will work because
    if using DES I get Peer not responding - don't even get log on option.
    Changing 2 to sha and DES3 has not changed the error which I think is
    related to one of the log entries:

    NOTIFY:NO_PROPOSAL_CHOSEN

    whatever that means! Thanks for persevering.
     
    James, Feb 14, 2006
    #23
  4. James

    James Guest

    Going home to try connecting from there, just in case. What is trying
    to take place that fails? It seems that we have established the
    security policy as we then move on to establishing the "Securing
    communications channel" bit - or is this like coding where to fix an
    error it can often be in the line above?!

    Will let you know how I get on tonight... thanks again.
     
    James, Feb 14, 2006
    #24
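Added example (not part of any post in this thread): a short Python parser for the VPN Client log format shown in post #21, which reports which negotiation stage the gateway answered with an error NOTIFY. The sample is an excerpt of that log with wrapped lines re-joined; the stage names given to the client's AG/TRANS/QM/INFO tags are this example's reading of them, and `parse` and `diagnose` are hypothetical helper names.

```python
import re

# Excerpt of the client log from post #21, wrapped lines re-joined.
SAMPLE_LOG = """\
1 16:14:50.652 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 80.177.223.54
13 16:14:57.222 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 80.177.223.54
15 16:14:57.532 02/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 80.177.223.54
16 16:14:57.542 02/14/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 80.177.223.54
"""

# Assumed meaning of the exchange tag printed after "ISAKMP OAK".
EXCHANGES = {
    "AG": "Phase 1 (Aggressive Mode)",
    "TRANS": "Xauth / Mode Config",
    "QM": "Phase 2 (Quick Mode)",
    "INFO": "Informational",
}

HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+\S+\s+Sev=\S+\s+IKE/0x[0-9A-Fa-f]+$")
MESSAGE = re.compile(r"^(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) \*?\((.*)\) (?:to|from) (\S+)$")

def parse(log):
    """Yield (record_no, direction, exchange, payloads) for each ISAKMP message."""
    lines = [line.strip() for line in log.splitlines()]
    for head, body in zip(lines, lines[1:]):
        h, m = HEADER.match(head), MESSAGE.match(body)
        if h and m:
            direction = "sent" if m.group(1).startswith("SENDING") else "received"
            yield int(h.group(1)), direction, m.group(2), m.group(3)

def diagnose(log):
    """Return the stage whose message drew a non-STATUS NOTIFY, or None."""
    last_sent = None
    for number, direction, exchange, payloads in parse(log):
        if direction == "sent" and exchange != "INFO":
            last_sent = exchange  # most recent negotiation message we sent
        notify = re.search(r"NOTIFY:(\w+)", payloads)
        if direction == "received" and notify and not notify.group(1).startswith("STATUS_"):
            return {"record": number, "notify": notify.group(1),
                    "failed_stage": EXCHANGES.get(last_sent, last_sent)}
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On this excerpt the NO_PROPOSAL_CHOSEN in record 16 answers the Quick Mode message sent in record 15, which lines up with the 857's "Processing of Quick mode failed" entry quoted in post #21.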
  5. James

    James Guest

    When connecting from home I don't even get offered to enter my username
    & pwd...
     
    James, Feb 15, 2006
    #25
  6. James

    mirzonisa

    I Find A Solution!!!

    OK guys, in my situation I found a solution. Let me start with my configuration: Cisco VPN Client on Windows XP SP1 machine... Next, my LAN is connected to Internet through ISA 2000 SP2 FP1, and it is connected directly to PIX501, with static (public) IP... Obviously, I have a NAT/PAT on my PIX, and a static IP on outside interface of ISA... SO MANY POSSIBLE PROBLEMS, HUH?! :) After many unsuccessful combinations, the only thing I should worry about was actually allowing specific protocol definitions in ISA protocols, namely UDP 500 SendReceive, and UDP 4500 SendReceive!!! After that, everything worked perfectly!!! Don't let me bother you with other configuration of my ISA server and PIX firewall, but feel free to contact me, if you need any of these... Good luck guys, I hope this will help you enough...
     
    mirzonisa, Nov 18, 2006
    #26
  7. James

    Sen Fo

    Hi

    My reply is a bit late I know, but having encountered a similar problem and trying to find a solution I came across this thread eventually. So while my reply is irrelevant for the original poster (I should think) hopefully for someone else it could be helpful.

    The issue is that

    Apparently Cisco VPN clients from version 3.7 and up do not like SHA.

    So if one makes sure that the VPN gateway is configured with MD5 instead of SHA - it should help in the cases when the connection breaks because of

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

    It is worthwhile playing with DES - 3DES as well, but SHA should be changed to MD5
     
    Sen Fo, Dec 17, 2007
    #27
  8. James

    mikeshtown

    Possible solution

    Problem: an existing FiOS installation using coax (coaxial cable) works flawlessly with Cisco VPN for two years. Then, all of a sudden, the VPN client can no longer connect. The exact error message from the Notifications tab of the VPN control panel: "Reason 412: the remote peer is no longer responding".

    Router: Actiontec M1424-WR rev. C running firmware 4.0.16.1.56.0.10.11.6

    Solution: re-provision FiOS service to Ethernet from coax, powercycle Actiontec.

    Proof that it's a FiOS/Actiontec problem:

    1) Restore Actiontec router to factory default (hard reset).
    2) Connect to Internet w/o VPN. Success.
    3) Connect via VPN using Actiontec provisioned for coax. Fails.
    4) Technician installs Ethernet and I powercycle router. No other changes made -- didn't even re-start VPN client.
    5) I click Connect button on VPN client and the VPN client connects flawlessly.

    While I did not account for all variables like cosmic rays, a Verizon network specialist playing a prank on me or an intermittent hardware problem that randomly occurs (and doesn't occur) at all the right times, I'm going to posit that either FiOS Ethernet and coax behave differently, or the Actiontec behaves differently.

    My (excellent) technician was equally convinced, and called his office -- no charge for the installation!

    My Verizon tech support contacts (four people) ranged from friendly but unhelpful to unfriendly and unhelpful.
     
    mikeshtown, Mar 30, 2010
    #28
  9. James

    blanken79

    Not sure if this will help.

    But your config you posted doesn't have the crypto map applied to the WAN (dialer0) interface. So, any connection attempts from the outside will fail.

    The IP on the dialer interface is 80.177.223.54 and the error message stated:
    inbound connections not allowed.

    Just a thought,
    Correct me if I'm wrong.
     
    blanken79, Apr 16, 2010
    #29
  10. James

    sebasparanoid

    Add the UseLegacyIKEPort=1 option in the .pcf file.
     
    sebasparanoid, Mar 2, 2011
    #30
  11. James

    diggisaur

    I ran into this same error code recently and all articles pointed towards the client side being the most common causes of the problem. In my case it was actually a NAT statement on the ASA firewall that I was trying to connect to that caused the issue.
     
    diggisaur, Jan 15, 2014
    #31