Cisco's remote access IPSec-based VPN solution includes the Unity software (SW) client, the 3002 VPN Hardware (HW) client, the 806/17xx IOS-based Easy VPN client, and PIX-based VPN clients. See Chapter 19, "VPN Technology Background," and Chapter 20, "Remote Access VPN Design and Configuration Solutions," for details. This chapter provides common VPN troubleshooting techniques and recommended approaches (methodologies). The examples use the Cisco 3000 family of concentrators as termination devices for the following remote access solutions:
First, general restrictions and limitations exist for each solution. After these are understood, actual operational issues can be resolved by isolating the components that might affect the establishment of an IPSec VPN tunnel and the flow of data through it. By using the initial troubleshooting tools, you isolate the source of the issue to one or more areas, then investigate further until the actual cause is identified and corrective actions are implemented.

Cisco VPN Unity SW Client

In this section, you focus on the Cisco VPN Unity SW client. The following sections address the client in the following order:
Restrictions and Limitations of the Cisco VPN Unity Software Client

The Cisco VPN Unity client on the Windows 2000 (W2K) host has several restrictions and limitations. They serve as a foundation for the other remote access solutions covered in this chapter, specifically the 3002 VPN HW client and the Easy VPN client that runs on a Cisco 806 router. In the sections dedicated to those alternative solutions, differences from the Cisco VPN Unity client, and any unique circumstances that apply, are highlighted. The following briefly summarizes the major restrictions and limitations of the Unity client. They are listed in Table 21-1:
Figure 21-1. IPSec Policy Setting
Figure 21-2. IPSec Policy Agent Setting
Figure 21-3. TCP/IP Filter Set Menu
Figure 21-4. Security Settings on Zone Alarm Client
Figure 21-5. Setting the Tunnel Port on Cisco VPN Unity Client

NOTE
To prevent a conflict between other VPN clients and the Cisco VPN Unity client, the VPN 3.5x installer (and later versions) automatically issues a warning and permits the user to disable the IPSec Policy Agent Service. If this service is not disabled, the error message "The necessary sub-system is not available" is displayed when the user starts the VPN client. See Table 21-2 for more information.

Initial Problem Identification and Troubleshooting with the Cisco VPN Unity SW Client

Assume that you have successfully set up the core concentrator and security environment, and confirmed that remote users can establish an IPSec tunnel and send and receive data across it using the Cisco VPN Unity client. Based on the problem reported by a user experiencing issues, potential sources and suggested corrective actions are listed in Table 21-2.
Figure 21-6. Cisco VPN Unity Client Dialog Box Indicating Authentication Process Has Been Initiated Between the Client and the Concentrator with an IP Address of 192.68.1.2

Cisco VPN Unity Client Event Log

The VPN Client Event Log Viewer provides a real-time event log of the VPN client, from starting the connection, through negotiating authentication and maintaining the connection, to terminating the VPN tunnel. The Log Viewer collects event messages from all processes that contribute to the client-peer connection, and it is especially helpful when you cannot identify the source of a problem for a client in an environment that you do not have access to or cannot replicate. Also, if you believe you have identified a bug in the client, or have other reasons to open a Technical Assistance Center (TAC) case, you will most likely be required to provide a copy of the Log Viewer event log. Sometimes you might also find it helpful to collect and examine the log information on the core concentrator that terminates the remote access VPN session. For your reference, this section of the text is divided into the following sections:
Starting the Client Log Viewer

To start the Log Viewer on a W2K host, select Start, Programs, Cisco Systems VPN Client, Log Viewer. The Log Viewer displays its main window upon startup; the VPN client version is shown under the Help option. To collect log information, the capture feature must be turned on under Options, Capture. By default, the filter is set to low for the ten log classes identified in the Log Viewer, as shown in Table 21-3, so you might not see the required events displayed in the Log Viewer. To change the filter for a specific event class, select Options, Filter, or click the Filter icon; you should see the screen shown in Figure 21-7. Next, select the event class filters you want to change, right-click your selection, and change the verbosity level to the desired setting. When working with remote clients, it is easier to instruct the user to change all filters to high. Running the Log Viewer with the high filter setting might affect the performance of all applications on the client PC, but there is no impact on performance when it is not in use.[1]

Figure 21-7. Software VPN Log Filter
ISAKMP and Its Phases

Before you review the log, a brief review of the ISAKMP and IPSec negotiation phases and modes is in order (see Chapter 19 for more information). Recall that ISAKMP has two phases: Phase 1 establishes a secure channel between the ISAKMP peers, over which they negotiate the parameters of the Phase 2 services. Phase 1 has two modes: Main mode and Aggressive mode. After Phase 1 negotiation is successfully completed, Phase 2 negotiation occurs. Phase 2 ISAKMP negotiates the security parameters for the actual data transfer over the secure channel. Phase 2 has only one mode: Quick mode. After Phase 2 negotiation is complete, the VPN peers exchange data over their secure IPSec tunnel.

Reviewing a VPN Client Log

The log of a successful VPN client connection is reviewed in Example 21-1, which shows the captured Log Viewer results of a version 3.0 Unity client. Each entry is numbered, has a time and date stamp, is marked with a severity level (1-6, with 1 being the most severe), and is noted with a specific event class and message ID. Example 21-1 provides detailed output from two separate processes: establishing the VPN connection and terminating it. It is relatively large, which is why inline comments (lines beginning with !) help you comprehend the content. This type of connect-disconnect scenario is rare in the real world; however, when a troubleshooting problem arises that is beyond the scope of well-known issues, it is a possibility with which you need to be familiar.

Example 21-1. Log Viewer Results for Establishing and Terminating a VPN v3.5.2 Unity Client

*****
1 05:52:44.564 07/15/02 Sev=Info/6 DIALER/0x63300002 Initiating connection.
2 05:52:44.564 07/15/02 Sev=Info/4 CM/0x63100002 Begin connection process
3 05:52:44.584 07/15/02 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
4 05:52:44.584 07/15/02 Sev=Info/4 CM/0x63100026 Attempt connection with server "vpn-concentrator.xyz.com"
! Core VPN concentrator is "vpn-concentrator.xyz.com".
5 05:52:44.604 07/15/02 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 192.68.192.81.
! Core VPN concentrator IP address is 192.168.192.81.
6 05:52:44.644 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 192.68.192.81
! OAK=Oakley
! AG=Aggressive Mode
! SA=Security Association
! KE=Key Exchange
! NON=Nonce
! ID=Identifier
! HASH
! VID=Vendor Identifier
7 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
8 05:52:44.804 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID, VID, VID) from 192.68.192.81
9 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000059 Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
10 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000001 Peer is a Cisco-Unity compliant peer
! Client authentication. Successful verification for trusted source.
! Group name and password are verified.
11 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000059 Vendor ID payload = 09002689DFD6B712
12 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000059 Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
13 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000001 Peer supports DPD
! DPD: Dead Peer Detection. The client will send a series of query
! packets to the core concentrator if it does not receive a
! response to data it has sent.
! If there is no response after a predefined time period
! (90 seconds is the default), the client will assume
! the IPSec connection is inactive and tear it down.
14 05:52:44.804 07/15/02 Sev=Info/5 IKE/0x63000059 Vendor ID payload = 1F07F70EAA6514D3B0FA96542A500305
15 05:52:44.834 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 192.68.192.81
16 05:52:44.854 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
17 05:52:44.854 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
18 05:52:44.854 07/15/02 Sev=Info/4 CM/0x63100015 Launch xAuth application
! User authentication launched.
19 05:52:45.585 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
20 05:52:51.024 07/15/02 Sev=Info/4 CM/0x63100017 xAuth application returned
21 05:52:51.024 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
22 05:52:51.334 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
23 05:52:51.334 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
24 05:52:51.334 07/15/02 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Phase 1 SA in the system
! Phase 1 Security Association has been successfully established.
25 05:52:51.354 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
26 05:52:51.535 07/15/02 Sev=Info/5 IKE/0x6300005D Client sending a firewall request to concentrator
27 05:52:51.535 07/15/02 Sev=Info/5 IKE/0x6300005C Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Policy Push).
! Cisco VPN Unity Client has an integrated firewall.
28 05:52:51.535 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
29 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
30 05:52:51.575 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
31 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.25.250.2
! IP address assigned to the client by the VPN
! concentrator for the IPSec tunnel.
32 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.226.120
! IP address of the primary DNS server assigned to the
! client by the concentrator.
33 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.168.183
! IP address of the secondary DNS server assigned to the
! client by the concentrator.
34 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.2.87
! IP address of the primary WINS server assigned to
! the client by the concentrator.
35 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS): , value = 192.168.235.228
! IP address of the secondary WINS server assigned to
! the client by the concentrator.
36 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300000E MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Unauthorized access is prohibited. Connected to vpn-concentrator.
! Banner that the Cisco VPN Unity client receives from the concentrator.
! The banner indicates that Configuration mode completed successfully.
37 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300000D MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
38 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300000E MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xyz.com
! Default domain assigned to the client by the VPN concentrator, xyz.com.
39 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300000D MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
! PFS=Perfect Forward Secrecy; not being used.
! This parameter specifies whether to use Perfect Forward Secrecy
! and the size of the numbers to use in generating Phase 2 IPSec keys.
! Perfect Forward Secrecy is a cryptographic concept:
! each new key is unrelated to any previous key.
! In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless
! Perfect Forward Secrecy is specified.
! Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys.[2]
40 05:52:51.575 07/15/02 Sev=Info/5 IKE/0x6300000E MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 3.5.2.Rel built by vmurphy on Feb 14 2002 12:10:21
41 05:52:51.575 07/15/02 Sev=Info/4 CM/0x63100019 Mode Config data received
42 05:52:51.595 07/15/02 Sev=Info/5 IKE/0x63000055 Received a key request from Driver for IP address 192.68.192.81, GW IP = 192.68.192.81
43 05:52:51.595 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
! QM=Quick Mode
44 05:52:51.595 07/15/02 Sev=Info/5 IKE/0x63000055 Received a key request from Driver for IP address 10.10.10.255, GW IP = 192.68.192.81
45 05:52:51.595 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
46 05:52:51.595 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
47 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
48 05:52:51.645 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
49 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000044 RESPONDER-LIFETIME notify has value of 86400 seconds
! Lifetime of IPSec SA keys, set by the core concentrator.
50 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000046 This SA has already been alive for 7 seconds, setting expiry to 86393 seconds from now
51 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
52 05:52:51.645 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
53 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000044 RESPONDER-LIFETIME notify has value of 28800 seconds
54 05:52:51.645 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
55 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0xD6D39C1E OUTBOUND SPI = 0x2FC49467 INBOUND SPI = 0x50A8DB73)
56 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000025 Loaded OUTBOUND ESP SPI: 0x2FC49467
57 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000026 Loaded INBOUND ESP SPI: 0x50A8DB73
58 05:52:51.645 07/15/02 Sev=Info/4 CM/0x6310001A One secure connection established
59 05:52:51.695 07/15/02 Sev=Info/6 DIALER/0x63300003 Connection established.
60 05:52:51.755 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
61 05:52:51.755 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
62 05:52:51.765 07/15/02 Sev=Info/5 IKE/0x63000044 RESPONDER-LIFETIME notify has value of 28800 seconds
63 05:52:51.765 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
64 05:52:51.765 07/15/02 Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0xD765C6C4 OUTBOUND SPI = 0x07742CDC INBOUND SPI = 0xCB7C70B2)
! The concentrator connecting to this client will have the same SPI numbers, but
! its inbound and outbound SPIs will be reversed, as seen in Table 21-3.
65 05:52:51.765 07/15/02 Sev=Info/5 IKE/0x63000025 Loaded OUTBOUND ESP SPI: 0x07742CDC
66 05:52:51.765 07/15/02 Sev=Info/5 IKE/0x63000026 Loaded INBOUND ESP SPI: 0xCB7C70B2
67 05:52:51.765 07/15/02 Sev=Info/4 CM/0x63100022 Additional Phase 2 SA established.
! The Phase 2 SA (IPSec SA) was successfully established.
68 05:52:51.765 07/15/02 Sev=Info/5 IKE/0x63000055 Received a key request from Driver for IP address 192.168.2.87, GW IP = 192.68.192.81
69 05:52:51.765 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
70 05:52:51.805 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
71 05:52:51.805 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
72 05:52:51.805 07/15/02 Sev=Info/5 IKE/0x63000044 RESPONDER-LIFETIME notify has value of 28800 seconds
73 05:52:51.805 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
74 05:52:51.805 07/15/02 Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0x8367341C OUTBOUND SPI = 0x044318D0 INBOUND SPI = 0x682F214E)
75 05:52:51.805 07/15/02 Sev=Info/5 IKE/0x63000025 Loaded OUTBOUND ESP SPI: 0x044318D0
76 05:52:51.805 07/15/02 Sev=Info/5 IKE/0x63000026 Loaded INBOUND ESP SPI: 0x682F214E
77 05:52:51.805 07/15/02 Sev=Info/4 CM/0x63100022 Additional Phase 2 SA established.
78 05:52:52.807 07/15/02 Sev=Info/4 IPSEC/0x63700010 Created a new key structure
! A new key structure was created.
79 05:52:52.807 07/15/02 Sev=Info/4 IPSEC/0x6370000F Added key with SPI=0x6794c42f into key list
<Output Omitted>
90 05:52:53.187 07/15/02 Sev=Info/6 DIALER/0x63300008 MAPI32 Information - Outlook not default mail client
! This message does not affect operation of the VPN Client.
! The issue occurs when Microsoft Outlook is installed but not
! configured for email, although it is the default mail client.
! It is caused by a Registry Key that is set when the user installs Outlook.
! To eliminate this message, do one of the following:
! - Right-click the Outlook icon, go to Properties, and configure it to use
!   Microsoft Exchange or Internet Mail as the default mail client
! - Use Internet Explorer to configure the system to have no default mail client
! - Configure Outlook as the default mail client (CSCdv67594)[3]
91 05:52:54.189 07/15/02 Sev=Info/4 IPSEC/0x63700019 Activate outbound key with SPI=0xdc2c7407 for inbound key with SPI=0xb2707ccb
92 05:53:21.803 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
93 05:53:21.803 07/15/02 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 192.68.192.81
94 05:53:21.803 07/15/02 Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 7742CDC INBOUND SPI = CB7C70B2)
95 05:53:22.734 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0xb2707ccb
96 05:53:22.734 07/15/02 Sev=Info/4 IPSEC/0x6370000C Key deleted by SPI 0xb2707ccb
97 05:53:22.734 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0xdc2c7407
98 05:53:22.734 07/15/02 Sev=Info/4 IPSEC/0x6370000C Key deleted by SPI 0xdc2c7407
99 05:53:26.741 07/15/02 Sev=Info/4 IPSEC/0x63700019 Activate outbound key with SPI=0xd0184304 for inbound key with SPI=0x4e212f68
100 05:54:49.903 07/15/02 Sev=Info/6 DIALER/0x63300006 Disconnecting connection.
! Termination process has been initiated.
101 05:54:49.913 07/15/02 Sev=Info/4 CM/0x6310000A Secure connections terminated
102 05:54:49.913 07/15/02 Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 44318D0 INBOUND SPI = 682F214E)
! Deleting SA. Recall that the SA is identified by IP address + IPSec protocol + SPI.
103 05:54:49.913 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
104 05:54:49.913 07/15/02 Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 2FC49467 INBOUND SPI = 50A8DB73)
105 05:54:49.913 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
106 05:54:49.913 07/15/02 Sev=Info/5 IKE/0x63000017 Marking IKE SA for deletion (COOKIES = FA981A927C24915F AED77DA44D19D140) reason = DEL_REASON_RESET_SADB
! Reason for disconnect was a reset of the security association database (SADB).
107 05:54:49.913 07/15/02 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
108 05:54:49.913 07/15/02 Sev=Info/4 CM/0x63100013 Phase 1 SA deleted cause by DEL_REASON_RESET_SADB. 0 Phase 1 SA currently in the system
109 05:54:49.973 07/15/02 Sev=Info/5 CM/0x63100029 Initializing CVPNDrv
110 05:54:49.973 07/15/02 Sev=Info/6 CM/0x63100035 Tunnel to headend device vpn-concentrator.xyz.com disconnected: duration: 0 days 0:1:58
111 05:54:49.973 07/15/02 Sev=Info/5 CM/0x63100029 Initializing CVPNDrv
112 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x4e212f68
113 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0xd0184304
114 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x73dba850
115 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x6794c42f
116 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
117 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700010 Created a new key structure
118 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x00000000
119 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
120 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
121 05:54:49.983 07/15/02 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
122 05:54:49.983 07/15/02 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81
123 05:54:49.983 07/15/02 Sev=Warning/2 IKE/0xA3000062 Attempted incoming connection from 192.68.192.81. Inbound connections are not allowed.
124 05:54:49.983 07/15/02 Sev=Info/5 IKE/0x63000055 Received a key request from Driver for IP address 192.168.2.87, GW IP = 192.68.192.81
125 05:54:49.983 07/15/02 Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 192.68.192.81. KEY_REQ aborted.
! In addition to the termination, this message may appear when the WAN
! IP address has changed due to problems such as flapping WAN connections or
! ISP issues (see Chapter 22 for more information).
126 05:54:50.413 07/15/02 Sev=Info/6 DIALER/0x63300007 Disconnected.

Log files showing that a Phase 1 SA cannot be established are an indication that the client cannot successfully communicate with the core concentrator. Clients that cannot establish the Phase 2 SA might be encountering an issue related to MTU size, and should consider reducing it. A connection that randomly fails after successfully passing data, with an error message similar to the one in Example 21-2, indicates that connectivity between the client and the VPN concentrator is suspect.

Example 21-2. Log Entry for Terminating VPN Session

IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
! Cause of termination was loss of network connectivity to the
! VPN terminating device.

Cisco 3000 Concentrator Event Log

The concentrator also has a log feature that is helpful in troubleshooting remote access VPN connections. Example 21-3 shows the concentrator log entries for the same client shown in Example 21-1. It shows the benefit of being a troubleshooting engineer in the enterprise environment, where you usually have access to the concentrator and can check its log, which shows the connection from Example 21-1 from the other end. For the purposes of the example, the beginning of the negotiation process is skipped, and line 29299 starts at the user authentication phase, which allows you to identify the user by login name (smith) in the log. As with Example 21-1, the log shows the output of the connect-disconnect scenario, and it is provided here solely for the purposes of explanation.

Example 21-3. Concentrator Log for Unity VPN SW Client Connection (client v3.5.2, concentrator v3.5)

29299 07/15/2002 05:52:11.970 SEV=4 IKE/52 RPT=4502 12.235.95.31 Group [vpn] User [smith] User (smith) authenticated.
! 12.235.95.31 is the actual IP address of the client.
29301 07/15/2002 05:52:12.500 SEV=4 AUTH/22 RPT=4691 User smith connected
29302 07/15/2002 05:52:12.500 SEV=4 IKE/119 RPT=15983 12.235.95.31 Group [vpn] User [smith] PHASE 1 COMPLETED
29304 07/15/2002 05:52:12.500 SEV=5 IKE/25 RPT=39263 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
! 10.25.250.2 is the IP address assigned to the client by
! the concentrator for the VPN tunnel.
29307 07/15/2002 05:52:12.500 SEV=5 IKE/24 RPT=38566 12.235.95.31 Group [vpn] User [smith] Received local Proxy Host data in ID Payload: Address 192.168.192.81, Protocol 0, Port 0
29310 07/15/2002 05:52:12.500 SEV=5 IKE/66 RPT=20250 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
29311 07/15/2002 05:52:12.510 SEV=5 IKE/75 RPT=19355 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
! The lower of the rekeying values offered by the concentrator and the
! client is the agreed-upon value for the key lifetime.
29313 07/15/2002 05:52:12.530 SEV=5 IKE/25 RPT=39264 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
29316 07/15/2002 05:52:12.530 SEV=5 IKE/34 RPT=47224 12.235.95.31 Group [vpn] User [smith] Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
29319 07/15/2002 05:52:12.530 SEV=5 IKE/66 RPT=20251 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
! SA protocol ESP, encryption algorithm 3DES, and hash MD5.
29320 07/15/2002 05:52:12.530 SEV=5 IKE/75 RPT=19356 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
! The group on the VPN concentrator is set to rekey the keys for
! the IPSec negotiations.
29322 07/15/2002 05:52:12.540 SEV=4 IKE/49 RPT=20311 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x0db4b5a1, Outbound SPI = 0x7e6fc994
! You can see the SPIs reversed from the client, as shown in Example 21-1.
29325 07/15/2002 05:52:12.540 SEV=4 IKE/120 RPT=20311 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=32e87ed3)
29326 07/15/2002 05:52:12.790 SEV=4 IKE/49 RPT=20312 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x73558664, Outbound SPI = 0xa9a80dcf
29329 07/15/2002 05:52:12.790 SEV=4 IKE/120 RPT=20312 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=6fdb7e4d)
29330 07/15/2002 05:52:12.810 SEV=5 IKE/25 RPT=39265 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
29333 07/15/2002 05:52:12.810 SEV=5 IKE/34 RPT=47225 12.235.95.31 Group [vpn] User [smith] Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
29336 07/15/2002 05:52:12.810 SEV=5 IKE/66 RPT=20252 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
29337 07/15/2002 05:52:12.810 SEV=5 IKE/75 RPT=19357 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
29339 07/15/2002 05:52:12.830 SEV=4 IKE/49 RPT=20313 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x398539b4, Outbound SPI = 0x7cc8d0c0
29342 07/15/2002 05:52:12.840 SEV=4 IKE/120 RPT=20313 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=ba313b15)
! Disconnect process follows.
29349 07/15/2002 05:52:22.280 SEV=5 IKE/50 RPT=3452 12.235.95.31 Group [vpn] User [smith] Connection terminated for peer smith (Peer Terminate) Remote Proxy 10.25.250.2, Local Proxy 0.0.0.0
29352 07/15/2002 05:52:22.280 SEV=5 IKE/170 RPT=34237 12.235.95.31 Group [vpn] User [smith] IKE Received delete for rekeyed centry IKE peer: 10.25.250.2, centry addr: 0727a5f0, msgid: 0x6fdb7e4d
29355 07/15/2002 05:52:22.280 SEV=5 IKE/50 RPT=3453 12.235.95.31 Group [vpn] User [smith] Connection terminated for peer smith (Peer Terminate) Remote Proxy 10.25.250.2, Local Proxy 192.168.192.81
29358 07/15/2002 05:52:22.290 SEV=4 AUTH/28 RPT=4322 12.235.95.31 User [smith] disconnected: Duration: 0:00:09 Bytes xmt: 456 Bytes rcv: 680 Reason: User Requested

The concentrator event classes and corresponding descriptions are found in Table 21-4.
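The following script is an added example, not from the book or from Cisco's tooling. It parses entries in both formats shown above (the Unity client Log Viewer, accepting the one-line layout of Example 21-1 as well as the Log Viewer's own header-then-message layout, and the 3000 concentrator event log of Example 21-3), records whether the Phase 1 SA and any Phase 2 SAs were established together with their SPI pairs, applies the diagnostic rules given after Example 21-1 (no Phase 1 SA, Phase 1 without Phase 2, DPD loss), and checks the inbound/outbound SPI reversal between the two logs that the inline comments point out. The sample entries are constructed from message texts on this page; the message ID on the DPD entry is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Unity client Log Viewer entry:
#   "<n> HH:MM:SS.mmm MM/DD/YY Sev=Name/<level> CLASS/0xMSGID <text>"
# Example 21-1 prints <text> on the same line; the Log Viewer itself puts it on
# the next line, so lines that start no entry are appended to the previous one.
CLIENT_RE = re.compile(
    r"^(?P<num>\d+)\s+\d\d:\d\d:\d\d\.\d{3}\s+\d\d/\d\d/\d\d\s+"
    r"Sev=[A-Za-z]+/(?P<sev>\d)\s+(?P<cls>[A-Z]+)/0x[0-9A-Fa-f]{8}\s*(?P<text>.*)$")
# 3000 concentrator entry:
#   "<n> MM/DD/YYYY HH:MM:SS.mmm SEV=<level> CLASS/<event> RPT=<count> <text>"
CONC_RE = re.compile(
    r"^(?P<num>\d+)\s+\d\d/\d\d/\d{4}\s+\d\d:\d\d:\d\d\.\d{3}\s+"
    r"SEV=(?P<sev>\d)\s+(?P<cls>[A-Z]+)/\d+\s+RPT=\d+\s*(?P<text>.*)$")
CLIENT_SPI_RE = re.compile(r"OUTBOUND SPI = (0x[0-9A-Fa-f]+)\s+INBOUND SPI = (0x[0-9A-Fa-f]+)")
CONC_SPI_RE = re.compile(r"Inbound SPI = (0x[0-9A-Fa-f]+),\s+Outbound SPI = (0x[0-9A-Fa-f]+)")


@dataclass
class Entry:
    num: int
    sev: int    # 1 is the most severe level
    cls: str    # event class: DIALER, CM, IKE, IPSEC, AUTH, ...
    text: str


@dataclass
class Diagnosis:
    phase1: bool = False
    spis: list = field(default_factory=list)   # (outbound, inbound) from that side's view
    termination: str = "none"                  # none | user_disconnect | dpd_lost_contact
    verdict: str = ""


def parse_log(raw: str) -> list:
    """Parse either log format; '!' comment lines and '*****' separators are skipped."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line[0] in "!*":
            continue
        m = CLIENT_RE.match(line) or CONC_RE.match(line)
        if m:
            entries.append(Entry(int(m["num"]), int(m["sev"]), m["cls"], m["text"].strip()))
        elif entries:   # continuation line: message text printed below its header
            entries[-1].text = (entries[-1].text + " " + line).strip()
    return entries


def diagnose(entries: list) -> Diagnosis:
    """Chapter rules: no Phase 1 SA -> client cannot talk to the concentrator;
    Phase 1 but no Phase 2 -> suspect MTU; DPD 'lost contact' -> connectivity."""
    d = Diagnosis()
    for e in entries:
        t = e.text
        if "Established Phase 1 SA" in t or "PHASE 1 COMPLETED" in t:
            d.phase1 = True
        elif "Loading IPsec SA" in t and (m := CLIENT_SPI_RE.search(t)):
            d.spis.append((m[1].lower(), m[2].lower()))
        elif "Security negotiation complete" in t and (m := CONC_SPI_RE.search(t)):
            d.spis.append((m[2].lower(), m[1].lower()))   # concentrator prints inbound first
        elif "IKE lost contact with remote peer" in t:
            d.termination = "dpd_lost_contact"              # wins over a later 'User Requested'
        elif d.termination == "none" and (
                t.startswith("Disconnecting connection") or t.endswith("Reason: User Requested")):
            d.termination = "user_disconnect"
    if not d.phase1:
        d.verdict = "FAIL: no Phase 1 SA; client cannot communicate with the concentrator"
    elif not d.spis:
        d.verdict = "FAIL: Phase 1 up but no Phase 2 SA; suspect MTU size, reduce it"
    elif d.termination == "dpd_lost_contact":
        d.verdict = "FAIL: tunnel dropped by DPD; client-concentrator connectivity suspect"
    else:
        d.verdict = f"OK: {len(d.spis)} Phase 2 SA(s), termination={d.termination}"
    return d


def spis_mirror(client: Diagnosis, conc: Diagnosis) -> bool:
    """True when every client (outbound, inbound) SPI pair appears on the concentrator
    with inbound and outbound reversed, as the comments in Examples 21-1/21-3 note."""
    return all((inb, out) in conc.spis for out, inb in client.spis)


# Constructed samples (not the page's captures), built from message texts in
# Examples 21-1 to 21-3; the DPD entry's message ID 0xA3000000 is a placeholder.
CLIENT_OK = """
*****
1 05:52:44.564 07/15/02 Sev=Info/6 DIALER/0x63300002 Initiating connection.
! comment lines are ignored
24 05:52:51.334 07/15/02 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Phase 1 SA in the system
55 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0xD6D39C1E OUTBOUND SPI = 0x2FC49467 INBOUND SPI = 0x50A8DB73)
100 05:54:49.903 07/15/02 Sev=Info/6 DIALER/0x63300006 Disconnecting connection.
"""
CLIENT_DPD = """
24 05:52:51.334 07/15/02 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Phase 1 SA in the system
55 05:52:51.645 07/15/02 Sev=Info/5 IKE/0x63000058
Loading IPsec SA (Message ID = 0xD6D39C1E OUTBOUND SPI = 0x2FC49467 INBOUND SPI = 0x50A8DB73)
200 06:10:03.120 07/15/02 Sev=Warning/2 IKE/0xA3000000
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""
CONC_OK = """
29302 07/15/2002 05:52:12.500 SEV=4 IKE/119 RPT=15983 12.235.95.31 Group [vpn] User [smith] PHASE 1 COMPLETED
29322 07/15/2002 05:52:12.540 SEV=4 IKE/49 RPT=20311 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x2fc49467, Outbound SPI = 0x50a8db73
29358 07/15/2002 05:52:22.290 SEV=4 AUTH/28 RPT=4322 12.235.95.31 User [smith] disconnected: Duration: 0:00:09 Bytes xmt: 456 Bytes rcv: 680 Reason: User Requested
"""
```

Run `diagnose(parse_log(text))` on a capture from either side; `spis_mirror` takes the two diagnoses for one session and confirms the concentrator's SPIs are the client's reversed.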
The impact of these events, or their severity levels, is measured and shown in the event logs per Table 21-5.
Cisco indicates that within a severity level category, higher-numbered events provide more detail than lower-numbered events. You can change the severity level of the events displayed in the concentrator event log and console, as well as those sent to syslog, e-mail, and traps, with the concentrator menu Configuration, System, Events, General. An example of a specific event and severity level is shown in Example 21-4, in which the concentrator deletes its connection with user "smith" because of no response detected by the Dead Peer Detection (DPD) feature. The concentrator actually reports two separate events: first the lack of response, then the disconnection. For the "no response" event, the severity level is 4, the event class is IKE, and the event number is 123. The disconnection is also classified as severity level 4, and its event class is authentication (AUTH). RPT stands for repeat and indicates the number of times that the event has occurred since the concentrator was reloaded.[2]

Example 21-4. Event Log for Deleted Connection Because of No Response from the Client

8157 07/11/2002 12:54:19.140 SEV=4 IKE/123 RPT=6792 128.216.126.77 Group [xyz-vpn] User [smith] IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
8162 07/11/2002 12:54:19.150 SEV=4 AUTH/28 RPT=16579 128.216.126.77 User [smith] disconnected: Duration: 0:51:22 Bytes xmt: 276824 Bytes rcv: 311120 Reason: User Requested

Incompatible GINAs and Workarounds

GINA is the system that Microsoft devised to control access to the W2K and NT host environments. GINAs are the modules that force users to log in to their host. Two types of GINAs are in use: authenticator and filter.[4] There can be multiple filters, but only one authenticator. The filters chain to each other, but the last GINA called in the chain must be the authenticator. The authenticator manages the user login process, and the filters offer additional functions. The default GINA for W2K is MSGINA.DLL.
Unfortunately, some GINAs cannot coexist and participate in a chain of GINAs. If you install Cisco VPN Unity client v3.5 or earlier on a host that already has a third-party GINA that is incompatible with the Cisco VPN Unity client's GINA (CSGINA.DLL), the W2K host might experience a startup failure.[5] A typical failure message resulting from incompatible GINAs during the boot process is as follows:

SAS window: winlogon.exe Application Error
The instruction at "0x00000000" referenced memory at "0x00000000". The memory could not be "read".

You might need to restart your host in Safe mode and implement the following sequence to restore the host to the state it was in before the Cisco VPN Unity client installed its GINA:
This procedure can also result in extended delays for clients who log into Windows NT networks after authenticating their Cisco VPN Unity client. This delay, of up to 30 seconds or more, can occur because the client is preempted by other tasks running on the host. If you want to force the host to disregard any third-party GINAs and restore the backup method for logging into Windows NT networks after authenticating the Cisco VPN Unity client, Cisco suggests the following:
Cisco 3002 HW Client Troubleshooting

The Cisco VPN 3002 HW client can be configured in either Client mode or Network Extension mode. In Client mode, the 3002 behaves like the Cisco VPN Unity SW client, obtaining an IP address from the device terminating the VPN tunnel; PAT/NAT is implemented on the VPN 3002 to direct network traffic to and from hosts connected to its private interface. In Network Extension mode, the VPN 3002 HW client is configured with an IP subnet that is routable throughout the organization, which allows hosts connected to the private interface to be reached from the enterprise network. In this section, you review methods and tools for troubleshooting the VPN 3002 HW client, including the following:
Initial Troubleshooting Checklist

As with the Cisco VPN Unity client, this section is written under the assumption that the configuration of the 3002 HW client is correct; however, the first steps are to verify the configuration, as suggested in Table 21-6. Issues that clients might encounter are related to end-to-end connectivity, MTU, and address assignment. The end-to-end connectivity and MTU issues are similar to those encountered with the SW client; the address assignment issue is unique to the 3002. At the time this book was written, Cisco was working to address the MTU and subnet mask assignment issues for the 3002. Other features that will most probably be available in the near future are support for viewing multicast streams and two-way IP telephony when the 3002 HW client is in Client mode.
Using the VPN 3002 HW Client Event Log

Similar to the Cisco VPN Unity client, the Event Console messages and Event Log of the VPN 3002 HW client can prove useful when troubleshooting remote access connectivity issues. The settings that control the events reported in the VPN 3002 HW Client Event Log are found under Configuration, System, Events. The VPN 3002 HW Client Help menu provides an excellent overview and detailed information about the features of the event logging system. A significant number of event classes exist for the VPN 3002 HW client (see Table 21-7), some of which are designed exclusively to let Cisco provide support. However, some can provide useful information when troubleshooting a VPN 3002 HW client.[6]
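As an added example (mine, not the book's or Cisco's), the Python script below parses event-log entries in the layout that the concentrator and the 3002 use (sequence number, date, time, SEV, CLASS/number, RPT, an optional peer address, then the message lines, as in Examples 21-4 through 21-6), filters them by severity, pairs each IKE/123 DPD "lost contact" event with the AUTH/28 disconnect that follows for the same peer, and checks that the IPSec SPIs the headend logs as Responder are the mirror image of those the client logs as Initiator. The sample entries are constructed from the values in Examples 21-5 and 21-6; the function names are my own.

```python
"""Parser for VPN 3000 concentrator and VPN 3002 event-log entries (added example).
Entry layout, as in Examples 21-4 to 21-6: a header line
  <seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <CLASS>/<num> RPT=<n> [<peer-ip>]
followed by message lines; entries are blank-line separated; '!' lines are annotations."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+SEV=(?P<sev>\d+)"
    r"\s+(?P<cls>[A-Z]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)(?:\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?\s*$")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)")

@dataclass
class Event:
    seq: int
    sev: int        # 1 = most severe
    cls: str        # event class, e.g. IKE, AUTH, DHCP
    num: int        # event number within the class
    rpt: int        # repeat count since the last reload
    peer: Optional[str]
    message: str

def parse_log(text: str) -> List[Event]:
    """Split on blank lines and parse each entry's header line; annotations are dropped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines()
                 if l.strip() and not l.lstrip().startswith("!")]
        m = HEADER_RE.match(lines[0]) if lines else None
        if m:
            events.append(Event(int(m["seq"]), int(m["sev"]), m["cls"], int(m["num"]),
                                int(m["rpt"]), m["peer"], " ".join(lines[1:])))
    return events

def filter_events(events: List[Event], max_sev: int) -> List[Event]:
    """Entries at severity max_sev or more severe (a lower number is more severe)."""
    return [e for e in events if e.sev <= max_sev]

def dpd_disconnects(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Pair each IKE/123 'lost contact' (DPD) with the AUTH/28 disconnect for that peer."""
    pairs, pending = [], {}
    for e in events:
        if e.cls == "IKE" and e.num == 123:
            pending[e.peer] = e
        elif e.cls == "AUTH" and e.num == 28 and e.peer in pending:
            pairs.append((pending.pop(e.peer), e))
    return pairs

def phase2_spis(events: List[Event]) -> List[Tuple[str, str]]:
    """(inbound, outbound) SPIs from IKE/49 'Security negotiation complete' entries."""
    pairs = []
    for e in events:
        m = SPI_RE.search(e.message) if e.cls == "IKE" and e.num == 49 else None
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs

def spis_mirror(headend: List[Event], client: List[Event]) -> bool:
    # Each IPSec SA must appear on both ends with inbound/outbound swapped.
    return set(phase2_spis(headend)) == {(o, i) for i, o in phase2_spis(client)}

# Constructed samples using the values of Examples 21-5 (headend) and 21-6 (3002 client).
HEADEND_LOG = """\
52724 03/04/2002 02:38:10.070 SEV=5 IKE/66 RPT=835 12.234.185.130
Group [TEST] User [smith]
IKE Remote Peer configured for SA: ESP-3DES-MD5

52728 03/04/2002 02:38:10.100 SEV=4 IKE/49 RPT=835 12.234.185.130
Group [TEST] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x72b26536, Outbound SPI = 0x76018499

52744 03/04/2002 02:38:14.150 SEV=4 IKE/49 RPT=836 12.234.185.130
Group [TEST] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x6f1c24f7, Outbound SPI = 0x25f707f3

54625 03/04/2002 04:10:59.250 SEV=4 IKE/123 RPT=28 12.234.185.130
Group [TEST] User [smith]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

54629 03/04/2002 04:10:59.250 SEV=4 AUTH/28 RPT=47 12.234.185.130
User [smith] disconnected:
Duration: 1:32:49
"""
CLIENT_LOG = """\
1249 03/04/2002 02:36:23.630 SEV=4 IKE/49 RPT=11 192.168.192.81
Group [192.168.192.81]
Security negotiation complete for peer (192.168.192.81)
Initiator, Inbound SPI = 0x76018499, Outbound SPI = 0x72b26536

1253 03/04/2002 02:36:23.660 SEV=4 AUTOUPDATE/5 RPT=3
Current version 3.5.Rel is up to date.

1259 03/04/2002 02:36:27.670 SEV=4 IKE/49 RPT=12 192.168.192.81
Group [192.168.192.81]
Security negotiation complete for peer (192.168.192.81)
Initiator, Inbound SPI = 0x25f707f3, Outbound SPI = 0x6f1c24f7
"""
```

The mirror check is the quick way to confirm that both ends are talking about the same SA: the headend's inbound SPI must equal the client's outbound SPI and vice versa, which is what the annotations on the concentrator logs in this chapter point out. A mismatch after a rekey usually means one side still holds a stale SA.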
By default, the VPN 3002 displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. Severity 1 is the most severe and indicates a system crash. Levels 1 to 13 are available, although setting logging for some event classes up to level 13 can cause the concentrator to become inaccessible as a result of processor overuse. Example 21-5 shows the entries in the Event Log of a 3060 concentrator that successfully authenticates a 3002 VPN HW client and negotiates and establishes a VPN tunnel.

Example 21-5. Event Log from the VPN 3000 Core Concentrator Authenticating a VPN 3002 HW Client v3.5 in Network Extension Mode (Using Default Event Reporting Settings)

52714 03/04/2002 02:38:10.010 SEV=4 IKE/52 RPT=113 12.234.185.130
Group [TEST] User [smith]
User (smith) authenticated.
! Client IP address = 12.234.185.130, Group name = TEST, Username = smith

52715 03/04/2002 02:38:10.070 SEV=4 AUTH/22 RPT=116
User smith connected

52716 03/04/2002 02:38:10.070 SEV=4 IKE/119 RPT=185 12.234.185.130
Group [TEST] User [smith]
PHASE 1 COMPLETED

52718 03/04/2002 02:38:10.070 SEV=5 IKE/25 RPT=390 12.234.185.130
Group [TEST] User [smith]
Received remote Proxy Host data in ID Payload:
Address 12.234.185.130, Protocol 0, Port 0

52721 03/04/2002 02:38:10.070 SEV=5 IKE/24 RPT=386 12.234.185.130
Group [TEST] User [smith]
Received local Proxy Host data in ID Payload:
Address 192.168.192.81, Protocol 0, Port 0
! 192.168.192.81 is the IP address of the concentrator

52724 03/04/2002 02:38:10.070 SEV=5 IKE/66 RPT=835 12.234.185.130
Group [TEST] User [smith]
IKE Remote Peer configured for SA: ESP-3DES-MD5
! SA protocol ESP, encryption algorithm 3DES, and hash MD5.

52726 03/04/2002 02:38:10.070 SEV=5 IKE/75 RPT=835 12.234.185.130
Group [TEST] User [smith]
Overriding Initiator's IPSec rekeying duration from 2147483647 to 28800 seconds
! Lifetime of the IPSec SA keys, set by this concentrator.
52728 03/04/2002 02:38:10.100 SEV=4 IKE/49 RPT=835 12.234.185.130
Group [TEST] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x72b26536, Outbound SPI = 0x76018499

52731 03/04/2002 02:38:10.100 SEV=4 IKE/120 RPT=835 12.234.185.130
Group [TEST] User [smith]
PHASE 2 COMPLETED (msgid=6573ee0a)

52732 03/04/2002 02:38:10.100 SEV=4 AUTOUPDATE/19 RPT=114
Sending IKE Notify: AutoUpdating clients in group [TEST]
Client delay: 0, instID: 0000046F

52734 03/04/2002 02:38:14.110 SEV=5 IKE/35 RPT=446 12.234.185.130
Group [TEST] User [smith]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.25.0.128, Mask 255.255.255.240, Protocol 0, Port 0
! The IP subnet configured on the client is 10.25.0.128/28.
! The subnet could also be assigned via a RADIUS authentication server.

52737 03/04/2002 02:38:14.110 SEV=5 IKE/34 RPT=450 12.234.185.130
Group [TEST] User [smith]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

52740 03/04/2002 02:38:14.110 SEV=5 IKE/66 RPT=836 12.234.185.130
Group [TEST] User [smith]
IKE Remote Peer configured for SA: ESP-3DES-MD5

52742 03/04/2002 02:38:14.110 SEV=5 IKE/75 RPT=836 12.234.185.130
Group [TEST] User [smith]
Overriding Initiator's IPSec rekeying duration from 2147483647 to 28800 seconds

52744 03/04/2002 02:38:14.150 SEV=4 IKE/49 RPT=836 12.234.185.130
Group [TEST] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x6f1c24f7, Outbound SPI = 0x25f707f3

52747 03/04/2002 02:38:14.150 SEV=4 IKE/120 RPT=836 12.234.185.130
Group [TEST] User [smith]
PHASE 2 COMPLETED (msgid=6b8ddbe7)
! At this point the IPSec SA was successfully negotiated and
! data can be sent to/from hosts connected behind the VPN 3002 HW Client.
! The disconnect process begins.
54625 03/04/2002 04:10:59.250 SEV=4 IKE/123 RPT=28 12.234.185.130
Group [TEST] User [smith]
IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

54629 03/04/2002 04:10:59.250 SEV=4 AUTH/28 RPT=47 12.234.185.130
User [smith] disconnected:
Duration: 1:32:49
Byt
es xmt: 156848
Bytes rcv: 242112
Reason: User Requested

Example 21-6 shows the event log from a 3002 client during its authentication, negotiation, and establishment of a VPN tunnel.

Example 21-6. Event Log from a VPN 3002 HW Client for Establishing a VPN Tunnel (Using Default Event Reporting Settings)

1235 03/04/2002 02:35:52.520 SEV=4 IKE/41 RPT=156 192.168.192.81
IKE Initiator: New Phase 1, Intf 2, IKE Peer 192.168.192.81
local Proxy Address 12.234.185.130, remote Proxy Address 192.168.192.81,
SA (ESP-3DES-MD5)

1238 03/04/2002 02:36:00.640 SEV=5 DHCP/66 RPT=32
DHCPREQUEST received by server. MAC Addr: 00.00.86.46.2E.8E. Requested IP: 10.25.0.130.
! The 3002 VPN HW Client is configured as a DHCP server and receives a DHCP request.

1240 03/04/2002 02:36:00.640 SEV=5 DHCP/72 RPT=31
DHCPACK sent by server. MAC Addr: 00.00.86.46.2E.8E
! The 3002 VPN HW Client responds to the DHCP request.

1241 03/04/2002 02:36:23.590 SEV=3 AUTH/24 RPT=3
Tunnel to headend device 192.168.192.81 connected

1242 03/04/2002 02:36:23.590 SEV=4 IKE/119 RPT=4 192.168.192.81
Group [192.168.192.81]
PHASE 1 COMPLETED

1243 03/04/2002 02:36:23.620 SEV=5 IKE/73 RPT=14 192.168.192.81
Group [192.168.192.81]
Responder forcing change of IKE rekeying duration from 2147483647 to 86400 seconds
! The core terminating concentrator forces the IKE rekey duration change.
1246 03/04/2002 02:36:23.620 SEV=5 IKE/73 RPT=15 192.168.192.81
Group [192.168.192.81]
Responder forcing change of IPSec rekeying duration from 2147483647 to 28800 seconds

1249 03/04/2002 02:36:23.630 SEV=4 IKE/49 RPT=11 192.168.192.81
Group [192.168.192.81]
Security negotiation complete for peer (192.168.192.81)
Initiator, Inbound SPI = 0x76018499, Outbound SPI = 0x72b26536

1252 03/04/2002 02:36:23.640 SEV=4 IKE/120 RPT=11 192.168.192.81
Group [192.168.192.81]
PHASE 2 COMPLETED (msgid=6573ee0a)

1253 03/04/2002 02:36:23.660 SEV=4 AUTOUPDATE/5 RPT=3
Current version 3.5.Rel is up to date.
! The core terminating concentrator checked the SW version running on this
! 3002 HW client and verified that it matches its requirement.
! Otherwise it could have been configured to push a new SW image to the client.

1254 03/04/2002 02:36:27.640 SEV=4 IKE/41 RPT=157
IKE Initiator: New Phase 2, Intf 2, IKE Peer 192.168.192.81
local Proxy Address 10.25.0.128, remote Proxy Address 0.0.0.0,
SA (ESP-3DES-MD5)

1256 03/04/2002 02:36:27.660 SEV=5 IKE/73 RPT=16 192.168.192.81
Group [192.168.192.81]
Responder forcing change of IPSec rekeying duration from 2147483647 to 28800 seconds

1259 03/04/2002 02:36:27.670 SEV=4 IKE/49 RPT=12 192.168.192.81
Group [192.168.192.81]
Security negotiation complete for peer (192.168.192.81)
Initiator, Inbound SPI = 0x25f707f3, Outbound SPI = 0x6f1c24f7

1262 03/04/2002 02:36:27.680 SEV=4 IKE/120 RPT=12 192.168.192.81
Group [192.168.192.81]
PHASE 2 COMPLETED (msgid=6b8ddbe7)
! At this point the IPSec SA was successfully negotiated, and data
! can be sent to/from hosts connected behind the VPN 3002 HW Client.
! The disconnect process begins.

1282 03/04/2002 04:03:55.070 SEV=3 IP/31 RPT=1
Deleting Default Gateway 12.234.184.1 learned via DHCP on interface 2.
1283 03/04/2002 04:03:55.090 SEV=3 AUTH/25 RPT=3 192.168.192.81
Tunnel to headend device 192.168.192.81 disconnected: duration: 1:27:31

Cisco Easy VPN Client

In this section, you review information specific to the Cisco Easy VPN client. Similar to the VPN 3002 HW client, an Easy VPN client can be configured to operate in Client or Network Extension mode. However, configuring and troubleshooting an Easy VPN client presents its own unique challenges, which you review in this section. In particular, you learn about the following:
Restrictions and Limitations of the Cisco Easy VPN Client

Features are constantly being added to the Cisco Easy VPN client. At the time this book was written, the Easy VPN client did not yet support NAT transparency (UDP/TCP encapsulation). Additional restrictions and limitations are outlined in Table 21-8; some are similar to those of the Cisco VPN Unity client and some are specific to the Cisco Easy VPN client. For the most recent list of restrictions and limitations, consult www.cisco.com.
Troubleshooting the Cisco Easy VPN Client

Because Easy VPN is a Cisco IOS feature, one of the most effective methods to troubleshoot the Cisco Easy VPN client is through the use of the show and debug commands. The commands in the following list are specific to the Cisco Easy VPN client and are used to troubleshoot the establishment of the IPSec VPN tunnels, as well as data transmission and reception. You can enter the following commands from the console or from a Telnet (or SSH, if it is configured) session into the router:
A suggested troubleshooting checklist for the Easy VPN client is presented in Table 21-9.
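The following is an added example, not from the book or from Cisco IOS: a small Python tracer that reads the "Old State = ... New State = ..." lines printed by debug crypto isakmp and the "EZVPN: New State:" lines printed by the Easy VPN client (the formats shown in Examples 21-10 and 21-11), and reports whether XAuth is still pending, whether Phase 1, mode configuration, and Phase 2 completed, and what to check next. The sample lines are constructed from those two examples; the function names are my own.

```python
"""Trace Easy VPN / ISAKMP state transitions from debug output (added example).

Reads the 'Old State = X  New State = Y' lines that 'debug crypto isakmp' prints
and the 'EZVPN: New State:' lines of the Easy VPN client, then summarises how far
the negotiation got and what to look at next.
"""
import re
from typing import Dict, List, Tuple

ISAKMP_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
EZVPN_RE = re.compile(r"EZVPN: New State: (?P<new>\S+)")
XAUTH_PENDING = "Pending XAuth Request"   # printed by the client while it waits for credentials


def transitions(lines: List[str]) -> List[Tuple[str, str]]:
    """Ordered (old, new) ISAKMP state transitions found in the debug lines."""
    out = []
    for line in lines:
        m = ISAKMP_RE.search(line)
        if m:
            out.append((m["old"], m["new"]))
    return out


def ezvpn_states(lines: List[str]) -> List[str]:
    """Ordered EZVPN client states (READY, XAUTH_REQ, IPSEC_ACTIVE, ...)."""
    return [m["new"] for line in lines for m in [EZVPN_RE.search(line)] if m]


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Summarise the negotiation and name the next thing to check."""
    trans = transitions(lines)
    reached = [new for _, new in trans]
    ez = ezvpn_states(lines)
    result: Dict[str, object] = {
        "xauth_pending": any(XAUTH_PENDING in line for line in lines),
        "phase1_complete": "IKE_P1_COMPLETE" in reached,
        # Mode-config reply accepted: CONFIG_MODE_REQ_SENT -> P1_COMPLETE
        "config_received": ("IKE_CONFIG_MODE_REQ_SENT", "IKE_P1_COMPLETE") in trans,
        "phase2_complete": "IKE_QM_PHASE2_COMPLETE" in reached,
        "last_isakmp_state": reached[-1] if reached else None,
        "ezvpn_state": ez[-1] if ez else None,
    }
    if result["xauth_pending"]:
        result["next_step"] = "enter 'crypto ipsec client ezvpn xauth' and supply the username and password"
    elif not result["phase1_complete"]:
        result["next_step"] = "Phase 1 never completed: compare the ISAKMP policy and group credentials with the headend"
    elif not result["phase2_complete"]:
        result["next_step"] = "Phase 2 not completed: compare the IPSec transform/proposal with the headend"
    else:
        result["next_step"] = "tunnel negotiated: check 'show crypto ipsec sa' counters for traffic"
    return result


# Constructed samples based on Examples 21-10 (stalled at XAuth) and 21-11 (successful).
STALLED = [
    "00:09:25: EZVPN: Current State: IPSEC_ACTIVE",
    "00:09:25: EZVPN: Event: RESET",
    "00:09:25: EZVPN: New State: READY",
    "00:09:26: EZVPN: Event: XAUTH_REQUEST",
    "00:09:26: EZVPN: New State: XAUTH_REQ",
    "00:09:27: EZVPN: Pending XAuth Request, Please enter the following command:",
    "00:09:27: EZVPN: crypto ipsec client ezvpn xauth",
]
SUCCESS = [
    "00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR",
    "Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT",
    "00:12:48: ISAKMP: XAUTH_STATUS_V2 XAUTH-OK",
    "Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE",
    "Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT",
    "Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE",
    "00:12:48: ISAKMP (0:7): beginning Quick Mode exchange, M-ID of 85557524",
    "Old State = IKE_QM_READY  New State = IKE_QM_I_QM1",
    "00:12:48: ISAKMP (0:7): atts are acceptable.",
    "Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE",
    "Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE",
]

if __name__ == "__main__":
    for name, sample in (("stalled", STALLED), ("success", SUCCESS)):
        print(name, diagnose(sample))
```

In practice you would feed it the captured terminal session; reading the last state reached is quicker than scanning the whole debug, and the "config_received" flag separates a Phase 1 failure from a mode-configuration failure, which look alike at the user's end.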
Example 21-7. Output of show ip interface brief Command

Router-EzVPN#show ip interface brief
Interface    IP-Address       OK? Method Status   Protocol
Ethernet0    10.1.1.1         YES NVRAM  up       up
Ethernet1    66.127.241.85    YES NVRAM  up       up
! Ethernet1 is the public interface.
! The address 66.127.241.85 has been assigned by the ISP.

Example 21-8. Output of show crypto ipsec client ezvpn Command for an Inactive Client

! Inactive EzVPN client
Router-EzVPN#show crypto ipsec client ezvpn
Current State: XAUTH_REQ
! The client requests an XAUTH response in its current state
Last Event: XAUTH_REQUEST
Router-EzVPN#

Example 21-9. Output of show crypto ipsec client ezvpn Command for an Active Easy VPN Client Configured for Client Mode

Router-EzVPN#show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.25.250.1
! The IP address obtained from the address pool on the terminating concentrator
Mask: 255.255.255.255
! The subnet mask obtained from the pool, defined in the server configuration.
DNS Primary: 192.168.226.120
DNS Secondary: 192.168.168.183
! The primary and secondary DNS servers defined for the group on the
! concentrator terminating the VPN tunnel
NBMS/WINS Primary: 192.168.2.87
NBMS/WINS Secondary: 192.168.235.228
! The primary and secondary WINS servers defined for the group on the
! concentrator terminating the VPN tunnel
Default Domain: cisco.com

Example 21-10. Output of clear crypto ipsec client ezvpn Command

Router-EzVPN#clear crypto ipsec client ezvpn
Router-EzVPN#
00:09:25: EZVPN: Current State: IPSEC_ACTIVE
00:09:25: EZVPN: Event: RESET
00:09:25: ezvpn_reconnect_request
00:09:25: ezvpn_close
00:09:25: ezvpn_connect_request
00:09:25: EZVPN: New State: READY
00:09:26: EZVPN: Current State: READY
00:09:26: EZVPN: Event: XAUTH_REQUEST
00:09:26: ezvpn_xauth_request
00:09:26: ezvpn_parse_xauth_msg
00:09:26: EZVPN: Attributes sent in xauth request message:
00:09:26:         XAUTH_TYPE_V2: 0
00:09:26:         XAUTH_USER_NAME_V2:
00:09:26:         XAUTH_USER_PASSWORD_V2:
00:09:26:         XAUTH_MESSAGE_V2 <Enter Username and Password.>
00:09:26: EZVPN: New State: XAUTH_REQ
00:09:27: EZVPN: Pending XAuth Request, Please enter the following command:
00:09:27: EZVPN: crypto ipsec client ezvpn xauth

Example 21-11. Output from an 8xx Router Running 12.2(4)YA, Configured as an Easy VPN Client with debug crypto isakmp When Attempting to Establish an IPSec VPN Tunnel

Router-EzVPN#debug crypto isakmp
Router-EzVPN#crypto ipsec client ezvpn xauth
Enter Username and Password.: login_name
Password: password.
! The user provides the login name and password
Router-EzVPN#
00:12:48: xauth-type: 0
00:12:48: username: login_name
00:12:48: password: <omitted>
00:12:48: message <Enter Username and Password.>
00:12:48: ISAKMP (0:7): responding to peer config from 192.168.192.81. ID = -252864948
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP (0:7): deleting node -252864948 error FALSE reason "done with xauth request/reply exchange"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP: set new node 1465183127 to CONF_XAUTH
! The server confirms the login name and password.
! Authentication is successful.
00:12:48: ISAKMP (0:7): processing transaction payload from 192.168.192.81. message ID = 1465183127
00:12:48: ISAKMP: Config payload SET
00:12:48: ISAKMP (0:7): Xauth process set, status = 1
00:12:48: ISAKMP (0:7): checking SET:
00:12:48: ISAKMP: XAUTH_STATUS_V2 XAUTH-OK
00:12:48: ISAKMP (0:7): attributes sent in message:
00:12:48:         Status: 1
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP (0:7): deleting node 1465183127 error FALSE reason ""
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE
! IKE phase one completed successfully.
00:12:48: ISAKMP (0:7): Need config/address
00:12:48: ISAKMP (0:7): Need config/address
00:12:48: ISAKMP: set new node 1868961837 to CONF_ADDR
00:12:48: ISAKMP (0:7): initiating peer config to 192.168.192.81. ID = 1868961837
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_ADDR
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT
! The end user receives a configuration from the server.
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) CONF_ADDR
00:12:48: ISAKMP (0:7): processing transaction payload from 192.168.192.81. message ID = 1868961837
00:12:48: ISAKMP: Config payload REPLY
00:12:48: ISAKMP(0:7) process config reply
00:12:48: ISAKMP (0:7): deleting node 1868961837 error FALSE reason "done with transaction"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE
! Request for configuration mode sent.
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
00:12:48: ISAKMP: received ke message (1/4)
00:12:48: ISAKMP: set new node 0 to QM_IDLE
00:12:48: ISAKMP (0:7): sitting IDLE. Starting QM immediately (QM_IDLE )
00:12:48: ISAKMP (0:7): beginning Quick Mode exchange, M-ID of 85557524
! Quick mode begins.
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) QM_IDLE
! Quick mode exchange
00:12:48: ISAKMP (0:7): processing HASH payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing SA payload. message ID = 85557524
00:12:48: ISAKMP (0:7): Checking IPSec proposal 1
! IPSec proposal 1 sent.
00:12:48: ISAKMP: transform 1, ESP_3DES
00:12:48: ISAKMP:   attributes in transform:
00:12:48: ISAKMP:      SA life type in seconds
00:12:48: ISAKMP:      SA life duration (basic) of 3600
00:12:48: ISAKMP:      SA life type in kilobytes
00:12:48: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:12:48: ISAKMP:      encaps is 1
00:12:48: ISAKMP:      authenticator is HMAC-MD5
00:12:48: ISAKMP (0:7): atts are acceptable.
00:12:48: ISAKMP (0:7): processing NONCE payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing ID payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing ID payload. message ID = 85557524
00:12:48: ISAKMP (0:7): Creating IPSec SAs
! Creating the security association, which includes the IP addresses,
! the protocol (ESP or AH), and the SPI.
00:12:48:         inbound SA from 192.168.192.81 to 66.127.241.85 (proxy 0.0.0.0 to 10.31.17.129)
! 66.127.241.85 is the public IP address
00:12:48:         has spi 0x9608BACF and conn_id 2000 and flags 4
00:12:48:         lifetime of 3600 seconds
00:12:48:         lifetime of 4608000 kilobytes
00:12:48:         outbound SA from 66.127.241.85 to 192.168.192.81 (proxy 10.31.17.129 to 0.0.0.0 )
00:12:48:         has spi 703036318 and conn_id 2001 and flags C
00:12:48:         lifetime of 3600 seconds
00:12:48:         lifetime of 4608000 kilobytes
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP (0:7): deleting node 85557524 error FALSE reason ""
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
! ISAKMP phase 2 is complete and the parameters are negotiated.
00:12:48: ISAKMP: received ke message (4/1)
00:12:48: ISAKMP: Locking CONFIG struct 0x80F93638 for crypto_ikmp_config_handle_kei_mess, count 3
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP: set new node 1502656406 to QM_IDLE
00:12:48: ISAKMP (0:7): processing HASH payload. message ID = 1502656406
00:12:48: ISAKMP (0:7): processing NOTIFY unknown protocol 1 spi 0, message ID = 1502656406, sa = 80EB31E8
00:12:48: ISAKMP (0:7): deleting node 1502656406 error FALSE reason "informational (in) state 1"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

In addition to the steps outlined in Table 21-9 for troubleshooting connectivity issues, you might find the following commands useful for monitoring the Cisco Easy VPN environment:
Example 21-12. Output of show crypto isakmp policy Command

Router-EzVPN#show crypto isakmp policy
Protection suite of priority 65527
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               65535 seconds, no volume limit
<output omitted>
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Example 21-13. Output of show crypto isakmp sa Command

Router-EzVPN#show crypto isakmp sa
dst             src             state          conn-id    slot
192.168.192.81  66.127.241.85   QM_IDLE              7       0

Example 21-14. Output of show crypto ipsec profile Command

Router-EzVPN#show crypto ipsec profile
IPSEC profile ezvpn-profile
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ ezvpn-profile-autoconfig-transform-0, ezvpn-profile-autoconfig-transform-1,
                         ezvpn-profile-autoconfig-transform-2, ezvpn-profile-autoconfig-transform-3, }

Example 21-15. Output of show crypto ipsec sa Command

Router-EzVPN#show crypto ipsec sa
interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. 66.127.241.85
   local  ident (addr/mask/prot/port): (192.168.192.81/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 66.127.241.85, remote crypto endpt.: 192.168.192.81
     path mtu 1500, media mtu 1500
     current outbound spi: 36B6AD4B
     inbound esp sas:
! Inbound direction of the ESP Security Association
      spi: 0x74FBAEB0(1962651312)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3374)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
! The client is not running the AH protocol, so it is empty
     inbound pcp sas:
! The client is not running PCP, so it is empty
     outbound esp sas:
! Outbound direction of the ESP SA
      spi: 0x36B6AD4B(917941579)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3374)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Example 21-16. Output of show crypto engine connections active Command

Router-EzVPN#show crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
  22 Ethernet1       66.127.241.85   set    HMAC_MD5+3DES_56_C        0        0
2000 Ethernet1       66.127.241.85   set    HMAC_MD5+3DES_56_C        0        0
2001 Ethernet1       66.127.241.85   set    HMAC_MD5+3DES_56_C        0        0

Cisco PIX VPN Client

Starting with v6.2, the PIX 501 and 506 can be configured as VPN clients. These platforms can be configured in Client or Network Extension mode, and perform similarly to the Cisco VPN 3002 HW client.

Restrictions and Limitations

The PIX 501 and 506, when configured as VPN clients, share the same restrictions as the VPN 3002 HW client, such as a lack of support for multicast traffic and IP telephony when configured in Client mode. At the time this was written, a notable limitation was the lack of support for NAT transparency. However, most of these features might be addressed by the time this book is available. For the latest feature status, consult www.cisco.com.
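Because the show crypto ipsec sa output has the same layout on the IOS Easy VPN client (Example 21-15) and on the PIX client (Example 21-19), one parser serves both. The Python below is an added example, not the book's or Cisco's: it extracts each SA pair's identities, packet counters, outbound SPI, and ESP SAs, and classifies the pair as not established, up but idle (the zero counters of Example 21-15), one-way, or healthy (the 101/140 counters of Example 21-19). The sample output is constructed from those examples with unrelated lines omitted; the function names are my own.

```python
"""Health check for 'show crypto ipsec sa' output from an IOS Easy VPN client or a PIX.
Added example, not from the book or Cisco: it extracts each SA pair's identities,
packet counters and ESP SPIs/lifetimes and classifies the pair as missing, idle,
one-way or healthy."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
CUR_SPI_RE = re.compile(r"current outbound spi: ([0-9A-Fa-f]+)")
SPI_RE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)\(\d+\)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    current_outbound_spi: str = ""
    esp: Dict[str, dict] = field(default_factory=dict)  # "inbound"/"outbound" -> spi, kb_left, sec_left

def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """Each 'local ident' line starts a new SA pair; the lines after it fill it in."""
    sas: List[IpsecSa] = []
    cur, direction = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":
            cur = IpsecSa(local_ident=m.group(2))
            sas.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        if m:
            cur.remote_ident = m.group(2)
        for kind, n in COUNT_RE.findall(line):   # '#pkts encaps: N' / '#pkts decaps: N'
            setattr(cur, kind, int(n))
        m = CUR_SPI_RE.search(line)
        if m:
            cur.current_outbound_spi = m.group(1).lower()
        if line.endswith("esp sas:"):            # 'inbound esp sas:' / 'outbound esp sas:'
            direction = line.split()[0]
        elif line.endswith("sas:"):              # ah / pcp sections are not ESP
            direction = None
        elif direction:
            m = SPI_RE.match(line)
            if m:
                cur.esp[direction] = {"spi": m.group(1).lower()}
            m = LIFE_RE.search(line)
            if m and direction in cur.esp:
                cur.esp[direction].update(kb_left=int(m.group(1)), sec_left=int(m.group(2)))
    return sas

def assess(sa: IpsecSa) -> str:
    """Verdict for one SA pair, from the ESP SAs present and the packet counters."""
    if "inbound" not in sa.esp or "outbound" not in sa.esp:
        return "no ESP SA: tunnel not established"
    if sa.current_outbound_spi and sa.esp["outbound"]["spi"] != sa.current_outbound_spi:
        return "outbound SPI in header differs from outbound ESP SA"
    if sa.encaps == 0 and sa.decaps == 0:
        return "SA up but idle: no packets in either direction yet"
    if sa.decaps == 0:
        return "one-way: encrypting but nothing received (check return path / headend policy)"
    if sa.encaps == 0:
        return "one-way: receiving but nothing sent (check routing / interesting traffic)"
    return "healthy: bidirectional traffic"

# Constructed sample in the layout of Examples 21-15 and 21-19 (unrelated lines omitted).
SAMPLE = """\
interface: outside
   local  ident (addr/mask/prot/port): (10.25.250.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 101, #pkts encrypt: 101, #pkts digest 101
    #pkts decaps: 140, #pkts decrypt: 140, #pkts verify 140
     current outbound spi: 321e317b
     inbound esp sas:
      spi: 0xb84c8c89(3092024457)
        sa timing: remaining key lifetime (k/sec): (4607889/28424)
     inbound ah sas:
     outbound esp sas:
      spi: 0x321e317b(840839547)
        sa timing: remaining key lifetime (k/sec): (4607995/28419)
   local  ident (addr/mask/prot/port): (192.168.192.81/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     current outbound spi: 36B6AD4B
     inbound esp sas:
      spi: 0x74FBAEB0(1962651312)
     outbound esp sas:
      spi: 0x36B6AD4B(917941579)
   local  ident (addr/mask/prot/port): (12.235.95.31/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     inbound esp sas:
     outbound esp sas:
"""
```

Run it against a saved session and the "one-way" verdicts are the ones worth attention: encaps climbing with decaps stuck at zero means the packets leave encrypted but nothing comes back, which points at the return path or the headend's policy rather than at the client's configuration.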
Verifying and Troubleshooting the VPN Connection

Assuming that you have correctly configured your PIX 501 or 506 to provide Internet connectivity, you can verify the VPN client configuration with the command show vpnclient. Results are shown in Example 21-17. All examples in this section were created on a PIX 501 running v6.2 of the PIX operating system.

Example 21-17. Output of show vpnclient Command on PIX

pix#show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username smith password ********
vpnclient server 192.168.192.81
! Core device terminating the VPN tunnel.
vpnclient mode client-mode
! The PIX can be configured in Client or Network Extension mode.
vpnclient enable

At this point, the VPN tunnel is not established. You should be able to establish the VPN tunnel by pinging a device on the internal network at the other end of the tunnel. The first few pings might fail, but a tunnel should be established. The tunnel information can be viewed with the output from the following commands:
If the tunnel is not established, you cannot see any Downloaded Dynamic Policy parameters, and the ESP SA (identified by its security parameter index, or SPI) is not established. At that point, if you have confirmed the PIX configuration and Internet connectivity, you might want to clear the VPN client information by using the command clear vpnclient in global configuration mode, and then re-enter the VPN client configuration information.

Example 21-18. Output from show vpnclient Command on PIX Configured as a VPN Client after Establishing a VPN Tunnel

pix#show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
! pix was the entered group name
vpnclient username smith password ********
! smith was the entered username
vpnclient server 192.168.192.81
vpnclient mode network-extension-mode
vpnclient enable

Downloaded Dynamic Policy
Current Server  : 192.168.192.81
Primary DNS     : 192.168.226.120
Secondary DNS   : 192.168.168.183
Primary WINS    : 192.168.2.87
Secondary WINS  : 192.168.235.228
Default Domain  : cisco.com
PFS Enabled     : No
Split DNS       : cisco.com_

Example 21-19. Output from show crypto ipsec sa Command After Establishment of VPN Tunnel

pix#show crypto ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, local addr. 12.235.95.31
! 12.235.95.31 is the IP address of the outside interface of the PIX
   local  ident (addr/mask/prot/port): (10.25.250.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
! 192.168.192.81 is the IP address of the core VPN terminating device
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 101, #pkts encrypt: 101, #pkts digest 101
! Number of packets encrypted
    #pkts decaps: 140, #pkts decrypt: 140, #pkts verify 140
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 12.235.95.31, remote crypto endpt.: 192.168.192.81
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 321e317b
! The SPI has been created
     inbound esp sas:
      spi: 0xb84c8c89(3092024457)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607889/28424)
        IV size: 8 bytes
        replay detection support: Y
! The inbound SA has been created with the ESP protocol using
! 3DES encryption and the MD5 hash
     inbound ah sas:
! Authentication Header (AH) was not an option on the core device
! terminating the VPN connection
     inbound pcp sas:
! Payload Compression Protocol (PCP) was not an option on the core device
! terminating the VPN tunnel[7]
     outbound esp sas:
      spi: 0x321e317b(840839547)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607995/28419)
        IV size: 8 bytes
        replay detection support: Y
! Outbound ESP SAs
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (12.235.95.31/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 12.235.95.31, remote crypto endpt.: 192.168.192.81
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 76accd0d
     inbound esp sas:
      spi: 0x948b4d0c(2492157196)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28706)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x76accd0d(1991036173)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28706)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Example 21-20. Output from show crypto isakmp sa Command After Establishing VPN Tunnel

pix#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.192.81    12.235.95.31    QM_IDLE         0           2
! If the VPN tunnel had not been established, the created
! entry would have been zero.

The log from a VPN 3000 series concentrator that shows the establishment of the VPN tunnel illustrated in the previous two examples is shown in Example 21-21. This again shows how the troubleshooting engineer can analyze the process from the other end, and what the process looks like there.

Example 21-21. Log from a VPN 3000 Series Concentrator for a PIX Client

13160 07/17/2002 08:13:50.200 SEV=4 IKE/52 RPT=4625 12.235.95.31
Group [pix] User [smith]
User (smith) authenticated.
13161 07/17/2002 08:13:51.690 SEV=4 AUTH/22 RPT=4826
User smith connected

13162 07/17/2002 08:13:51.690 SEV=4 IKE/119 RPT=16260 12.235.95.31
Group [pix] User [smith]
PHASE 1 COMPLETED

13164 07/17/2002 08:13:51.690 SEV=5 IKE/25 RPT=39847 12.235.95.31
Group [pix] User [smith]
Received remote Proxy Host data in ID Payload:
Address 10.25.250.1, Protocol 0, Port 0

13167 07/17/2002 08:13:51.690 SEV=5 IKE/34 RPT=47957 12.235.95.31
Group [pix] User [smith]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

13170 07/17/2002 08:13:51.690 SEV=5 IKE/66 RPT=21557 12.235.95.31
Group [pix] User [smith]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

13171 07/17/2002 08:13:51.710 SEV=4 IKE/49 RPT=21627 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x321e317b, Outbound SPI = 0xb84c8c89
! The Inbound and Outbound SPIs are reversed compared
! to the log from the PIX client.

13174 07/17/2002 08:13:51.710 SEV=4 IKE/120 RPT=21627 12.235.95.31
Group [pix] User [smith]
PHASE 2 COMPLETED (msgid=e367589c)

13181 07/17/2002 08:13:55.270 SEV=5 IKE/25 RPT=39848 12.235.95.31
Group [pix] User [smith]
Received remote Proxy Host data in ID Payload:
Address 12.235.95.31, Protocol 0, Port 0

13184 07/17/2002 08:13:55.270 SEV=5 IKE/34 RPT=47958 12.235.95.31
Group [pix] User [smith]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

13187 07/17/2002 08:13:55.270 SEV=5 IKE/66 RPT=21558 12.235.95.31
Group [pix] User [smith]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

13188 07/17/2002 08:13:55.290 SEV=4 IKE/49 RPT=21628 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x76accd0d, Outbound SPI = 0x948b4d0c
! Again, the SPIs identifying the IPSec SAs are reversed relative to the PIX client.
13191 07/17/2002 08:13:55.290 SEV=4 IKE/120 RPT=21628 12.235.95.31
Group [pix] User [smith]
PHASE 2 COMPLETED (msgid=3be10994)

Two debug commands that can provide detailed information during the negotiation of the VPN tunnels are the following:
Output on the PIX 501 after enabling these debugs before the VPN tunnel negotiation is shown in Example 21-22. By checking this output, you can observe whether something is failing during the tunnel negotiation process.

Example 21-22. Output on PIX After Implementing debug crypto ipsec sa and debug crypto isakmp sa and Enabling a VPN Client

pix# debug crypto ipsec
pix# debug crypto isakmp
pix# show debug
debug crypto ipsec 1
debug crypto isakmp 1
pix#config terminal
pix(config)# vpnclient vpngroup pix password abcd
pix(config)# vpnclient server 192.168.192.81
pix(config)# vpnclient mode network
pix(config)# vpnclient username smith password efghij
pix(config)# vpnclient enable
! After this group of configuration commands, you can see the following events:
pix(config)#
VPNC CFG: transform set unconfig attempt done
VPNC CLI: no isakmp keepalive 10
VPNC CFG: IKE unconfig successful
VPNC CLI: no crypto map _vpnc_cm
VPNC CFG: crypto map deletion attempt done
VPNC CFG: crypto unconfig successful
VPNC CLI: no global 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: no crypto ALT_DEF_DOMAIN INTERNAL_IPV_NBNS INTERNAL_IPV_DNS ALT_SPLIT_INCLUDE ALT_SPLITDNS_NAME ALT_PFS map _vpnc_cm interface outside
VPNC CFG: crypto map de/attach failed
VPNC CLI: no sysopt connection permit-ipsec
VPNC CLI: sysopt connection permit-ipsec
VPNC CFG: transform sets configured
VPNC CFG: crypto config successful
VPNC CLI: isakmp keepalive 10
VPNC CFG: IKE config successful
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: access-list _vpnc_acl permit ip host 12.235.95.31 host 192.168.192.81
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPN Peer: ISAKMP: Added new peer: ip:192.168.192.81 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:192.168.192.81 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        protocol     : 17
        port         : 500
        length       : 7
ISAKMP (0): Total payload length: 11
ISAKMP (0): beginning Aggressive Mode exchange
VPNC INF: Request for IKE trigger done
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65010 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
! Lifetime duration of the ISAKMP SA in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65020 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
ISAKMP: Config payload CFG_SET
ISAKMP (0:0): checking SET:
ISAKMP: XAUTH_STATUS
ISAKMP (0:0): attributes sent in message:
        Status: 1
return status is IKMP_NO_ERROR
VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
ISAKMP : attributes being requested
ISAKMP (0:0): initiating peer config to 192.168.192.81. ID = 3931692763 (0xea58dedb)
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
ISAKMP: Config payload CFG_REPLY
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.226.120
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.168.183
VPNC ATTR: INTERNAL_IP4_NBNS: 192.168.2.87
VPNC ATTR: INTERNAL_IP4_NBNS: 192.168.235.228
VPNC ATTR: ALT_DEF_DOMAIN: cisco.com
VPNC ATTR: ALT_SPLITDNS_NAME cisco.com_
VPNC ATTR: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc./VPN 3000 Concentrator Version 3.5.2.Rel built by vmurphy on Feb 14 2002 12:10:21
! Version information of the VPN 3000 Concentrator terminating the IPSec tunnel
VPNC CLI: no
VPNC INF: IPSec rmt mgmt trigger done
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1015758940:3c8b405c
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x689d0b46(1755122502) for SA
        from 192.168.192.81 to 12.235.95.31 for prot 3
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1015758940
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.192.81, src= 12.235.95.31,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1015758940
ISAKMP (0): processing ID payload. message ID = 1015758940
ISAKMP (0): processing ID payload.
message ID = 1015758940 ISAKMP (0): Creating IPSec SAs inbound SA from 192.168.192.81 to 12.235.95.31 (proxy 0.0.0.0 to 12.235.95.31) has spi 1755122502 and conn_id 4 and flags 4 lifetime of 28800 seconds lifetime of 4608000 kilobytes outbound SA from 12.235.95.31 to 192.168.192.81 (proxy 12.235.95.31 to 0.0.0.0) has spi 865892405 and conn_id 3 and flags 4 lifetime of 28800 seconds lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event... IPSEC(initialize_sas): , (key eng. msg.) dest= 12.235.95.31, src= 192.168.192.81, dest_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1), src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x689d0b46(1755122502), conn_id= 4, keysize= 0, flags= 0x4 IPSEC(initialize_sas): , (key eng. msg.) src= 12.235.95.31, dest= 192.168.192.81, src_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1), dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x339c7835(865892405), conn_id= 3, keysize= 0, flags= 0x4 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:2 Total VPN Peers:1 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:3 Total VPN Peers:1 return status is IKMP_NO_ERROR ISAKMP (0): beginning Quick Mode exchange, M-ID of 1352049028:5096a184IPSEC (key_engine): got a queue event... IPSEC(spi_response): getting spi 0x4dbb61e3(1304125923) for SA from 192.168.192.81 to 12.235.95.31 for prot 3 crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31 OAK_QM exchange oakley_process_quick_mode: OAK_QM_IDLE ISAKMP (0): processing SA payload. 
message ID = 1352049028 ISAKMP : Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP: attributes in transform: ISAKMP: SA life type in seconds ISAKMP: SA life duration (basic) of 28800 ISAKMP: SA life type in kilobytes ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 ISAKMP: encaps is 1 ISAKMP: authenticator is HMAC-MD5 ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 192.168.192.81, src= 12.235.95.31, dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), src_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 ISAKMP (0): processing NONCE payload. message ID = 1352049028 ISAKMP (0): processing ID payload. message ID = 1352049028 ISAKMP (0): processing ID payload. message ID = 1352049028 ISAKMP (0): Creating IPSec SAs inbound SA from 192.168.192.81 to 12.235.95.31 (proxy 0.0.0.0 to 10.25.0.128) has spi 1304125923 and conn_id 2 and flags 4 lifetime of 28800 seconds lifetime of 4608000 kilobytes outbound SA from 12.235.95.31 to 192.168.192.81 (proxy 10.25.0.128 to 0.0.0.0) has spi 17882921 and conn_id 1 and flags 4 lifetime of 28800 seconds lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event... IPSEC(initialize_sas): , (key eng. msg.) dest= 12.235.95.31, src= 192.168.192.81, dest_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4), src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x4dbb61e3(1304125923), conn_id= 2, keysize= 0, flags= 0x4 IPSEC(initialize_sas): , (key eng. msg.) 
src= 12.235.95.31, dest= 192.168.192.81, src_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4), dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x110df29(17882921), conn_id= 1, keysize= 0, flags= 0x4 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:4 Total VPN Peers:1 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:5 Total VPN Peers:1 return status is IKMP_NO_ERROR An overall discussion of PIX-based solutions is beyond the scope of this book. The objectives of this section are only to help you troubleshoot PIX-based VPN solutions. For further details on PIX-based VPN solutions as part of the overall security strategy of Cisco, see Cisco Secure PIX Firewalls by David W. Chapman and Andy Fox (Cisco Press, 2002). |
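Reading a capture like Example 21-22 top to bottom is slow when the only question is "which step failed?". The following Python script is an added troubleshooting aid, not code from the book or from Cisco: it walks the debug text once and pulls out the milestones a troubleshooter looks for (which ISAKMP policy the peer's proposal was checked against and whether it was accepted, the XAUTH status, the mode-config attributes pushed by the concentrator, and the IPSec SAs created in each Quick Mode exchange), then turns them into first-pass findings. The line patterns are taken from the shapes seen in Example 21-22; the sample input is a constructed, abbreviated excerpt in the same shape, and its phase-1 "atts are acceptable" line is an assumption, since the printed example truncates at that point.

```python
"""Summarise a PIX 'debug crypto isakmp' / 'debug crypto ipsec' capture.
Added troubleshooting aid (not the book's code): extracts the negotiation
milestones so the step where a tunnel stopped is visible at a glance."""
import re

# Constructed sample in the shape of Example 21-22 (abbreviated; the phase-1
# "acceptable" line is assumed, since the printed example truncates there).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 65010 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65020 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): attributes sent in message: Status: 1
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.226.120
VPNC ATTR: ALT_DEF_DOMAIN: cisco.com
VPNC ATTR: ALT_PFS: 0
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1015758940:3c8b405c
ISAKMP (0): atts are acceptable.
        inbound SA from 192.168.192.81 to 12.235.95.31 (proxy 0.0.0.0 to 12.235.95.31)
        has spi 1755122502 and conn_id 4 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 12.235.95.31 to 192.168.192.81 (proxy 12.235.95.31 to 0.0.0.0)
        has spi 865892405 and conn_id 3 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
"""

P1_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
P1_ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|extended auth)\s+(\S+)")
ATTS = re.compile(r"atts are (not acceptable|acceptable)")
XAUTH = re.compile(r"attributes sent in message: Status: (\d)")
MODECFG = re.compile(r"VPNC ATTR: (\w+):?\s+(\S+)")
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (\d+)")
SA_HDR = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+) \(proxy (\S+) to (\S+)\)")
SA_SPI = re.compile(r"has spi (\d+) and conn_id (\d+)")
SA_LIFE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")


def summarize(debug_text: str) -> dict:
    """Walk the debug output once and collect the negotiation milestones."""
    s = {"phase1": [], "xauth_status": None, "modecfg": [], "quick_modes": []}
    phase = None  # "p1" inside an ISAKMP policy check, "p2" inside Quick Mode
    for line in (raw.strip() for raw in debug_text.splitlines()):
        if m := P1_CHECK.search(line):
            s["phase1"].append({"priority": int(m.group(2)), "attrs": {}, "accepted": None})
            phase = "p1"
        elif (m := P1_ATTR.match(line)) and phase == "p1":
            s["phase1"][-1]["attrs"][m.group(1)] = m.group(2)
        elif m := ATTS.search(line):
            ok = m.group(1) == "acceptable"
            if phase == "p1":
                s["phase1"][-1]["accepted"] = ok
            elif phase == "p2":
                s["quick_modes"][-1]["proposal_accepted"] = ok
        elif m := XAUTH.search(line):
            s["xauth_status"] = int(m.group(1))  # 1 = peer reported XAUTH success
        elif m := MODECFG.search(line):
            s["modecfg"].append((m.group(1), m.group(2)))
        elif m := QM_START.search(line):
            s["quick_modes"].append({"msg_id": int(m.group(1)), "proposal_accepted": None, "sas": []})
            phase = "p2"
        elif phase == "p2":
            sas = s["quick_modes"][-1]["sas"]
            if m := SA_HDR.search(line):
                sas.append({"direction": m.group(1), "src": m.group(2), "dst": m.group(3),
                            "proxy_src": m.group(4), "proxy_dst": m.group(5)})
            elif (m := SA_SPI.search(line)) and sas:
                sas[-1]["spi"], sas[-1]["conn_id"] = int(m.group(1)), int(m.group(2))
            elif (m := SA_LIFE.search(line)) and sas:
                sas[-1]["life_" + m.group(2)] = int(m.group(1))
    return s


def diagnose(s: dict) -> list:
    """Turn the milestones into the first checks a troubleshooter would make."""
    out = []
    if not s["phase1"]:
        out.append("no phase-1 policy check seen: peer unreachable or IKE (UDP/500) not passing")
    elif not any(p["accepted"] for p in s["phase1"]):
        tried = ", ".join(str(p["priority"]) for p in s["phase1"])
        out.append(f"phase 1 failed: no ISAKMP policy ({tried}) matched the peer; "
                   "compare encryption, hash, DH group and authentication method")
    if s["xauth_status"] is None:
        out.append("no XAUTH status received: user authentication never completed")
    elif s["xauth_status"] != 1:
        out.append("XAUTH rejected: check the vpnclient username, password and group")
    sas = [sa for qm in s["quick_modes"] for sa in qm["sas"]]
    if not sas:
        out.append("no IPSec SAs created: negotiation did not complete phase 2")
    for sa in sas:
        out.append(f"{sa['direction']} SA spi {sa.get('spi')} proxy {sa['proxy_src']}->"
                   f"{sa['proxy_dst']} life {sa.get('life_seconds')}s")
    return out


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_DEBUG)):
        print(finding)
```

On the constructed sample, diagnose() reports only the two SAs, which is the healthy outcome that Example 21-22 shows; feed it a capture that stops after "atts are not acceptable" and it reports the phase-1 policy mismatch, the missing XAUTH status and the absence of IPSec SAs, which is the order in which the table of corrective actions in this chapter would have you look. The two remaining quirks to remember when adapting the patterns are that the PIX prints the same "atts are acceptable" wording for phase 1 and phase 2 (the script tells them apart by which exchange it is inside), and that a negotiation that never reaches "Checking ISAKMP transform" at all usually points at reachability or filtering on UDP/500 rather than at the crypto configuration.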