Loss of VPN Access Using Pix 501



Hello,

My situation,

I have a client who is using a Pix 501, 50 User license. Until a
few days ago all worked fine.....no issues.

Pix version 6.3(5)
Cisco VPN Client 4.6.00.0049

Recently the company had a power outage prior to replacing a dead
battery on a UPS.....they have a spare on order now.

When the system came back up, there was a network IP conflict between
a work station and the file server attached to the dead power supply.

I fixed that, replaced the battery for the UPS, and decided to change
the dhcpd address range to take the server and file server's static IP
addresses out of the pool. Server is 10.0.0.2 and file server is
10.0.0.3

I ssh'd into the Pix.
My commands were as follows:

no dhcpd address 10.0.0.2-10.0.0.129 inside
dhcpd address 10.0.0.4-10.0.0.129 inside
write memory
clear xlate

Rebooted the Pix to be sure. Then verified the change went through.

The issue I have is the VPN is now broken....no small issue. And I
can't imagine the commands I issued above would have an effect.

When I tested the VPN from the client machine, the error log shows the
following:


1 20:50:09.210 07/21/06 Sev=Info/4 CM/0x63100002
Begin connection process

2 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

3 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

4 20:50:10.414 07/21/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

5 20:50:10.434 07/21/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x

6 20:50:10.445 07/21/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

7 20:50:10.445 07/21/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

8 20:50:10.445 07/21/06 Sev=Info/6 IPSEC/0x6370002B
Sent 8 packets, 0 were fragmented.

9 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

10 20:50:11.599 07/21/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.x

11 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

12 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

13 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

15 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

16 20:50:11.619 07/21/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

17 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

18 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

19 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

20 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

21 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2202)

22 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=8DF5FF3D9390C28F R_Cookie=840483716085DE3B) reason = DEL_REASON_IKE_NEG_FAILED

23 20:50:12.523 07/21/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=8DF5FF3D9390C28F R_Cookie=840483716085DE3B) reason = DEL_REASON_IKE_NEG_FAILED

24 20:50:12.523 07/21/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"

25 20:50:12.523 07/21/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

26 20:50:12.543 07/21/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

27 20:50:12.553 07/21/06 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

28 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

29 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

30 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

31 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped


I've Googled the error messages from items 16, 17, and 18 above with
no solutions to my problem.

I've verified the password is correct on the client.

I've even changed the dhcpd address to reflect the original pool of
10.0.0.2-10.0.0.129 with no success.

I'm going to the office this weekend to "poke around" for a solution.
I'll verify the password is correct on the Pix. If that doesn't work,
I suspect a corrupt configuration file.
Before I blow away the config file and rebuild it if the verification
of the password doesn't solve the problem, what additional advice can
you provide to help troubleshoot the issue?

I'll provide more information if needed.

Thank you in advance for any and all suggestions.

Regards,

Buck
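As an added example (not the poster's code, and not part of the original thread): a small triage script for the Cisco VPN Client log format shown above. It pairs each header line with its message line and maps the codes that appear in the post (0xE300007D and the Phase 1 "DEL_REASON_IKE_NEG_FAILED" entry) to the failed stage and the cause the client itself suggests, a mismatch between the client's group key and the PIX vpngroup password. The sample log is a constructed excerpt in the post's format; the code names and cause labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Cisco VPN Client log format from the post
# (header line, then message line), trimmed to the entries that matter.
SAMPLE_LOG = """\
17 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
18 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
24 20:50:12.523 07/21/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
"""
# seq  time  date  Sev=Level/N  Module/0xCODE
HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=(\w+)/\d\s+(\w+)/0x([0-9A-Fa-f]{8})$")

@dataclass
class Entry:
    seq: int
    severity: str  # Info or Warning
    module: str    # CM, IKE, IPSEC
    code: str      # e.g. 0xE300007D
    message: str

def parse_log(text):
    """Pair each header line with the message line that follows it."""
    entries, hdr = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            hdr = m
        elif hdr is not None and line:
            entries.append(Entry(int(hdr.group(1)), hdr.group(2), hdr.group(3),
                                 "0x" + hdr.group(4).upper(), line))
            hdr = None
    return entries

def diagnose(entries):
    """Name the failed stage and the most likely cause from the error codes."""
    codes = {e.code for e in entries}
    phase1_failed = any(e.module == "CM" and "Phase 1 SA" in e.message
                        and "DEL_REASON_IKE_NEG_FAILED" in e.message for e in entries)
    if "0xE300007D" in codes:  # client reports an invalid group password
        cause = "group-password-mismatch"  # client group key vs. PIX vpngroup password
    else:
        cause = "phase1-other" if phase1_failed else "none"
    return {"stage": "phase1" if phase1_failed else "ok", "cause": cause,
            "warnings": [e.seq for e in entries if e.severity == "Warning"]}
```

Because the failure happens before XAUTH, a "group-password-mismatch" result points at the vpngroup password on the PIX versus the group key saved in the client profile, not at the user's own credentials.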


