Troubleshooting Cisco Remote Access VPN Clients


Cisco's remote access IPSec-based VPN solution includes the Unity software (SW) client, the 3002 VPN Hardware (HW) client, the 806/17xx IOS-based easy VPN and PIX-based VPN clients. See Chapter 19, "VPN Technology Background," and Chapter 20, "Remote Access VPN Design and Configuration Solutions" for details.

In this chapter, common VPN troubleshooting techniques and recommended approaches (methodologies) are provided. The examples are demonstrated using the Cisco 3000 family of concentrators as termination devices for the following remote access solutions:

  • Cisco VPN Unity SW client

  • Cisco 3002 HW client

  • Cisco Easy VPN client

  • Cisco PIX VPN client

Each solution has general restrictions and limitations that you need to understand first. After that, actual operational issues can be resolved by isolating the components that might affect the establishment of an IPSec VPN tunnel and the flow of data through it. Using the initial troubleshooting tools, you narrow the source of the issue to one or more areas, then investigate further until the actual cause is identified and corrective actions are implemented.

Cisco VPN Unity SW Client

This section covers the Cisco VPN Unity SW client in the following order:

  • Restrictions and limitations

  • Initial problem identification and troubleshooting

  • Cisco VPN Unity client event log

  • Cisco 3000 concentrator event log

Restrictions and Limitations of the Cisco VPN Unity Software Client

The Cisco VPN Unity client on a Windows 2000 (W2K) host has several restrictions and limitations. They also serve as a foundation for the other remote access solutions covered in this chapter, specifically the 3002 VPN HW client and the Easy VPN client that operates on a Cisco 806 router. The sections dedicated to those solutions highlight the differences from the Cisco VPN Unity client and any unique circumstances that apply.

The following briefly summarizes the major restrictions and limitations of the Unity client. They are listed in Table 21-1:

  • The Cisco VPN Unity client cannot function correctly if installed on a host on which another VPN client has been installed. You can install other VPN clients on the same host and use them, but then you cannot use your Cisco VPN Unity client.

  • The native VPN client included in Microsoft W2K and other Windows platforms is not compatible with the IPSec implementation on Cisco 3000 concentrators, which forces you to ensure that on a W2K platform, the MS IPSec Policy Agent is completely disabled.

  • If a software firewall, such as Zone Alarm Pro from Zone Labs, is installed on the host, its maximum security setting must not be configured, or the VPN client cannot function. The setting and its terminology vary for each firewall that is compatible with the Unity client.

  • You cannot view multicast streams through the VPN client at this time. A VPN client can join a Microsoft NetMeeting data sharing and collaboration session as a participant, but cannot host the meeting. This varies among data collaboration solutions.

    NOTE

    Although you can configure the Unity client to enable viewing of multicast sessions through applications such as Cisco IP/TV, the configuration requires access to a multicast-enabled UNIX host that is beyond what can be implemented for most clients.


    NOTE

    Remote users must be made aware of security policies and restrictions such as split tunneling, especially if it is not permitted because the user cannot reach LAN devices when the tunnel is established.

    Some of these restrictions might no longer be applicable, and readers are encouraged to review the latest status at www.cisco.com.


  • Finally, the security administrator of the network must open the required IP protocol, User Datagram Protocol (UDP) ports, and Transmission Control Protocol (TCP) ports necessary to establish and transmit data across the IPSec tunnel and permit it through the corporate firewalls.

Table 21-1. Cisco VPN Unity Client Restrictions and Limitations When Choosing MD5-ESP-3DES Tunnel Mode

Columns: Restriction/Limitation; Requirement; Corrective Action

Host

Restriction/Limitation: Only the Cisco VPN client can be installed on the PC.
Requirement: Verify that no other VPN client is installed on the PC.
Corrective Action: Check Start, Settings, Control Panel, Add/Remove Programs to determine that no other VPN clients have been installed. If one has, you must uninstall that client. To ensure smooth operation, you might also want to uninstall the Cisco VPN Unity client, shut down the PC, and then reinstall it.

Restriction/Limitation: MS IPSEC Policy Agent should not be active.
Requirement: The IPSec Policy Agent service State should be Stopped and its Start Mode should be Disabled.
Corrective Action: To disable and stop the service: Start, Settings, Network and Dial-Up Connections, "your active network connection," Properties, Internet Protocol (TCP/IP), Advanced, Options, IP Security, Properties, Do not use IPSEC; then restart the PC, as shown in Figure 21-1. Verify the State and Start Mode of the IPSEC Policy Agent: Start, Programs, Accessories, System Tools, System Information, Software Environment, Services, as shown in Figure 21-2.

Restriction/Limitation: TCP/IP filtering does not permit traffic on the required ports to establish a VPN tunnel.
Requirement: Disable TCP/IP filtering, or, if filtering is required, permit the necessary TCP or UDP Network Address Translation (NAT) encapsulation ports (default 10,000).
Corrective Action: To verify and permit the required traffic: Start, Settings, Network and Dial-Up Connections, "your active network connection," Properties, Internet Protocol (TCP/IP), Advanced, Options, TCP/IP filtering; Enable TCP/IP Filtering (all adapters) should not be checked. The alternative is to permit IP protocol 50 (Encapsulating Security Payload [ESP]) and UDP port 500 (Internet Security Association and Key Management Protocol [ISAKMP]) and, if necessary, the TCP or UDP port used for encapsulation in the respective protocol (the concentrator default is 10,000, but it is configurable on the concentrator) (see Figure 21-3).

Restriction/Limitation: Personal firewall blocks access for the client.
Requirement: Adjust the firewall to the highest security setting that still permits the Cisco VPN Unity client to establish a tunnel and send/receive data.
Corrective Action: As an example, on Zone Alarm Pro from Zone Labs, the Security Settings must be set to medium or low for LAN and Internet access, as shown in Figure 21-4.

Restriction/Limitation: Cannot view multicast streams.
Requirement: The Cisco 3000 concentrators and the Cisco VPN Unity client do not support multicast at the time this book was written.
Corrective Action: The multicast traffic flows must be converted to a unicast session. A workaround can be implemented if you have access to a multicast-enabled UNIX host.

Restriction/Limitation: Cannot host real-time collaboration sessions.
Requirement: The Cisco VPN Unity client does not permit hosting of real-time collaboration sessions for some applications.
Corrective Action: The workaround is to host the session from a user on the corporate intranet and require VPN clients to connect to it, or to use a collaboration solution that works with the Unity client, such as Lotus Sametime.

Restriction/Limitation: Split-tunneling policy is controlled from the central concentrator.
Requirement: Clients must be informed that the policy is "pushed" from the core.
Corrective Action: On the core concentrator, split tunneling is controlled through the Configuration, User Management, Base Group or Groups, Mode Config menu.

LAN

Restriction/Limitation: Local and remote firewalls must permit VPN connectivity.
Requirement: To establish an IPSec VPN tunnel and send traffic over it, local and remote firewalls must permit IP protocol 50 (ESP), UDP port 500 (ISAKMP), and the TCP or UDP encapsulation port (if applicable).
Corrective Action: Verify that the local and remote firewalls allow the required protocols through. Confirm that the tunnel can be successfully established from behind the firewall. If the core concentrator is configured for UDP or TCP encapsulation, confirm the port set on the client, as shown in Figure 21-5. TCP encapsulation is available in VPN 3.5x and higher.


Figure 21-1. IPSec Policy Setting


Figure 21-2. IPSec Policy Agent Setting


Figure 21-3. TCP/IP Filter Set Menu


Figure 21-4. Security Settings on Zone Alarm Client


Figure 21-5. Setting the Tunnel Port on Cisco VPN Unity Client


NOTE

To prevent a conflict with other VPN clients and the Cisco VPN Unity client, the VPN 3.5x installer (and later versions) automatically issues a warning and permits the user to disable the IPSec Policy Agent Service. If this service is not disabled, the error message, "The necessary sub-system is not available," is displayed when the user starts the VPN client. See Table 21-2 for more information.


Initial Problem Identification and Troubleshooting with the Cisco VPN Unity SW Client

Assume that you successfully set up the core concentrator and security environment, and confirmed that remote users can successfully establish an IPSec tunnel to send and receive data across the tunnel using the Cisco VPN Unity client. Based on the problem reported by a user experiencing issues, potential sources and suggested corrective action are listed in Table 21-2.

Table 21-2. Initial Troubleshooting Checklist for Cisco VPN Unity Client

Columns: Issue; Possible Source; Corrective Action

Host

Issue 1. User never receives the "Authenticating user . . ." prompt during the initial dialer connection attempt (see Figure 21-6).

  a. Possible Source: Internet connectivity and Domain Name System (DNS) services. Confirm that the user can access public Internet sites such as www.cisco.com from the host by using ping or a browser.
     Corrective Action: If the client cannot access public Internet sites, run Start, Run, CMD, IPCONFIG and verify the IP address information. If the user cannot ping the local gateway from the host, work with a LAN administrator to resolve basic network connectivity, or confirm the Point-to-Point Protocol over Ethernet (PPPoE) username and password if a PPPoE SW client, such as RASPPPoE, is in use.

  b. Possible Source: The IP address or host name of the concentrator might be incorrect.
     Corrective Action: Verify the host name or IP address entered in the "host name or IP address of remote server" field of the Cisco VPN Unity client dialer.

  c. Possible Source: DNS services are not working correctly. The user cannot resolve the host name of the core concentrator from the Cisco VPN Unity client host.
     Corrective Action: Ask the user to run NSLOOKUP (Start, Run, CMD, NSLOOKUP <Hostname>) to verify the host lookup function. If the user cannot resolve the host name of the concentrator from the host, reconfigure the Cisco VPN Unity client profile with the specific IP address of the core concentrator, and contact LAN support to resolve the DNS problem.

  d. Possible Source: Group name and group password might not match the concentrator.
     Corrective Action: Verify the group name and group password in the Cisco VPN Unity client profile: Options, Properties, Authentication.

  e. Possible Source: Cisco VPN Unity client is not configured with the correct TCP encapsulation port.
     Corrective Action: Verify that the installed Cisco VPN Unity client is version 3.5 or later, and that the profile is configured with one of the TCP encapsulation ports configured on the core concentrator: Options, Properties, General.

  f. Possible Source: Required protocols and ports are not permitted through the local firewall to the Internet. To establish an IPSec VPN tunnel and send traffic over it, local and remote firewalls must permit IP protocol 50 (ESP) and UDP port 500 (ISAKMP), or UDP port 500 and the UDP port used for encapsulation of the ESP traffic, or the TCP port used for encapsulation of both ESP and ISAKMP traffic. The core concentrator must be configured for UDP or TCP encapsulation for clients to establish a tunnel through encapsulation.
     Corrective Action: Verify that the remote LAN permits one of the required combinations of traffic:
       - ESP and ISAKMP
       - ISAKMP and the UDP encapsulation port configured on the concentrator (default 10,000)
       - The TCP encapsulation port configured on the concentrator (usually, but not limited to, a port already opened for other traffic, such as port 80, 443, or 22)

  g. Possible Source: The gateway router on the user's LAN might not correctly handle redirects when the client tries to connect to a cluster instead of a specific concentrator.
     Corrective Action: Reconfigure the Cisco VPN Unity client profile to connect to a specific concentrator. Verify whether the IPSec tunnel can be established.

  h. Possible Source: The maximum transmission unit (MTU) must be reduced to <= the MTU of the segment with the lowest MTU between the client and the concentrator.
     Corrective Action: Run the SetMTU utility to reduce the MTU on the network interface card (NIC), or, if applicable, change the MTU in the PPPoE SW client to a size that permits a connection (see the sections "MTU: A Critical Factor for Troubleshooting Internet IPSec Connectivity" and "VPN and Asymmetric DSL").

Issue 2. User is connected and authenticated but cannot pass any traffic.

  a. Possible Source: Determine whether the host is connected to a device that performs NAT. If so, verify that the user has selected a profile that supports UDP encapsulation of IPSec traffic on the Cisco VPN 3000.
     Corrective Action: If the host is behind a NAT device, confirm that UDP encapsulation is configured on the concentrator. Also verify that the Cisco VPN Unity client profile on the host supports UDP encapsulation and is configured with the UDP encapsulation port supported by the concentrator.

  b. Possible Source: The MTU must be reduced to <= the MTU of the segment with the lowest MTU between the host and the concentrator.
     Corrective Action: Run the SetMTU utility to reduce the MTU of the NIC, or, if applicable, change the MTU in the PPPoE SW client (such as RASPPPoE) to a size that permits a connection (see the sections "MTU: A Critical Factor for Troubleshooting Internet IPSec Connectivity" and "VPN and Asymmetric DSL").

Issue 3. User cannot access devices on the local network behind the NAT device.
  Possible Source: Split tunneling might not be enabled by the administrator.
  Corrective Action: Verify with your system administrator whether split tunneling is enabled.

Issue 4. User receives the message "VPN Client Sub-system cannot be started."

  a. Possible Source: The Cisco VPN Daemon (CVPND) service cannot be started.
     Corrective Action: Verify that the MS IPSEC Policy Agent is stopped and disabled (see Figure 21-2).

  b. Possible Source: Corrupt installation of the Cisco VPN Unity client.
     Corrective Action: Uninstall the Cisco VPN client. Shut down the host, then reinstall the Cisco VPN Unity client from a different source file.

Issue 5. User cannot log in to Windows after installation of the VPN client.
  Possible Source: Incompatible Graphical Identification and Authentication (GINA) program.
  Corrective Action: See the section "Incompatible GINAs and Workarounds."

Issue 6. User cannot establish two concurrent IPSec VPN tunnels from two hosts connected behind the same router to the same concentrator. When the second Cisco VPN Unity client authenticates, the first client is disconnected.
  Possible Source: If the router performs NAT/Port Address Translation (PAT), it might be designed to force the ISAKMP UDP source port to 500 for all IPSec tunnels from devices behind the router, regardless of whether a VPN tunnel is already established.
  Corrective Action: For the NAT device, switch to a device or SW version that does not require the UDP source port of an ISAKMP exchange to be 500. See the section "Multiple VPN Clients Behind a NAT Device" in the LAN section of this chapter.
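The three traffic combinations under item 1f (and the NAT caveat under item 2a) can be checked mechanically before a user is sent to a remote LAN. The following Python is an added example, not from the book: it evaluates a constructed first-match, implicit-deny firewall rule list and reports which combinations, and therefore which client profile settings, will work. The Rule class, the rule sets and the ACL semantics are assumptions.

```python
"""Which of the three permitted traffic combinations (Table 21-2, item 1f) does a firewall allow?

Added example, not from the book. Rules are a constructed stateless, first-match,
implicit-deny ACL applied to traffic from the client toward the concentrator.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "esp" (IP protocol 50), "udp", "tcp" or "ip" (any protocol)
    dport_lo: Optional[int] = None   # destination port range for tcp/udp; None matches any port
    dport_hi: Optional[int] = None   # None means a single port equal to dport_lo


def allows(rules: Sequence[Rule], proto: str, dport: Optional[int] = None) -> bool:
    """First matching rule wins; no match means deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dport_lo is not None:
            hi = r.dport_hi if r.dport_hi is not None else r.dport_lo
            if dport is None or not (r.dport_lo <= dport <= hi):
                continue
        return r.action == "permit"
    return False


def viable_tunnel_paths(rules, udp_encap_port=10000, tcp_encap_ports=(), behind_nat=False):
    """Return (combination, client-profile hint) pairs for every combination the rules permit.

    udp_encap_port and tcp_encap_ports are what the concentrator is configured with
    (the book's default UDP encapsulation port is 10,000; TCP ports are site-specific).
    """
    isakmp = allows(rules, "udp", 500)
    paths = []
    # 1. ESP + ISAKMP (native IPSec). Item 2a says a host behind NAT needs an
    #    encapsulated profile, so this combination is offered only without NAT.
    if isakmp and allows(rules, "esp") and not behind_nat:
        paths.append(("esp+isakmp", "profile: no encapsulation"))
    # 2. ISAKMP + the UDP encapsulation port configured on the concentrator.
    if isakmp and allows(rules, "udp", udp_encap_port):
        paths.append(("isakmp+udp-encap", f"profile: IPSec over UDP, port {udp_encap_port}"))
    # 3. TCP encapsulation carries both ISAKMP and ESP, so UDP 500 is not needed.
    for port in tcp_encap_ports:
        if allows(rules, "tcp", port):
            paths.append(("tcp-encap", f"profile: IPSec over TCP, port {port}"))
    return paths


# Constructed rule sets for two remote-user locations (not real site policies).
CORPORATE_EDGE = [
    Rule("permit", "esp"),
    Rule("permit", "udp", 500),
    Rule("permit", "udp", 10000),
    Rule("deny", "ip"),
]
GUEST_NETWORK = [            # typical hotspot: web and DNS only
    Rule("permit", "tcp", 80),
    Rule("permit", "tcp", 443),
    Rule("permit", "udp", 53),
    Rule("deny", "ip"),
]

if __name__ == "__main__":
    for name, rules in (("corporate edge", CORPORATE_EDGE), ("guest network", GUEST_NETWORK)):
        print(name, viable_tunnel_paths(rules, tcp_encap_ports=(443,)))
```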


Figure 21-6. Cisco VPN Unity Client Dialog Box Indicating Authentication Process Has Been Initiated Between the Client and the Concentrator with an IP Address of 192.68.1.2


Cisco VPN Unity Client Event Log

The VPN Client Event Log Viewer provides a real-time event log of the VPN client from starting the connection, negotiating authentication, maintaining the connection, and terminating the VPN tunnel. The Log Viewer collects event messages from all processes that contribute to the client-peer connection, and it can be especially helpful if you cannot identify the source of a problem for a client in an environment that you do not have access to or cannot replicate. Also, if you believe you have identified a bug with the client or have other reasons to open a Technical Assistance Center (TAC) case, you will most likely be required to provide a copy of the Log Viewer event log. Sometimes, you might find it helpful to collect and examine the log information on the core concentrator that terminates the remote access VPN session.

This section is divided into the following subsections:

  • Starting the Client Log Viewer

  • ISAKMP and Its Phases

  • Reviewing a VPN Client Log

Starting the Client Log Viewer

To start the Log Viewer on a W2K host, select Start, Programs, Cisco Systems VPN Client, Log Viewer. The Log Viewer displays its main window upon startup. The VPN client version is indicated under the Help option. To collect the log information, the client must turn on the capture feature, under Options, Capture.

By default, the filter is set to low for the ten log classes identified in the Log Viewer, as shown in Table 21-3. As a result, you might not see the required events displayed in the Log Viewer. To change the filter for a specific event class, select Options, Filter, or click the Filter icon. You should see the screen shown in Figure 21-7. Next, select the event class filters you want to change, right-click your selection, and change the filter verbose level to the desired setting. When working with remote clients, it is easier to instruct the client to change all filters to high. Running the Log Viewer with the high filter setting might affect the performance of all applications on the client's PC, but there is no impact when it is not in use.[1]

Figure 21-7. Software VPN Log Filter


Table 21-3. Event Generating Classes in the VPN Client[1]

Columns: Class Name; Definition

CERT: Certificate management process, which handles getting, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the application.

CLI: Command-line interface, which is used instead of the Windows ipsecdialer application.

CM: Connection manager, which drives VPN connections. It dials a PPP device, configures IKE for establishing secure connections, and manages connection states.

CVPND: Cisco VPN Daemon (main daemon), which starts client services and controls the messaging process and flow.

DIALER: Windows-only component, which handles configuring a profile, initiating a connection, and monitoring.

FIREWALL: Available in versions that support firewall SW client operations integrated with the VPN client.

IKE: Internet Key Exchange module, which manages security associations.

IPSEC: IPSec module, which obtains network traffic and applies IPSec rules to it.

PPP: Point-to-Point Protocol.

XAUTH: Extended authorization application, which validates a remote user's credentials.


ISAKMP and Its Phases

Before you review the log, a brief review of the ISAKMP and IPSec negotiation phases and modes is required (see Chapter 19 for more information). Recall that ISAKMP has two phases: Phase 1 establishes a secure channel between the ISAKMP peers, over which they negotiate the parameters of the Phase 2 services.

Phase 1 has two modes: Main mode and Aggressive mode. After Phase 1 negotiation is successfully completed, Phase 2 negotiation occurs. In Phase 2, ISAKMP negotiates the security parameters for the actual data transfer over the secure channel. Phase 2 has only one mode: Quick mode. After Phase 2 negotiation is complete, the VPN peers exchange data over their secure IPSec tunnel.

Reviewing a VPN Client Log

The log of a successful VPN client connection is reviewed in Example 21-1. Example 21-1 is the captured Log Viewer results of a version 3.0 Unity client. Each entry is numbered, has a time and date stamp, is marked with a severity level (1-6) with 1 being the most severe, and is noted with a specific event class and message ID.

Example 21-1 provides detailed output from two separate processes: establishing the VPN connection and termination of the VPN connection. It is relatively large, which is why inline comments help you to comprehend the content. This type of connect-disconnect scenario is rare in the real world. However, when a troubleshooting problem arises and is beyond the scope of well-known issues, this is a possibility with which you need to be familiar.

Example 21-1. Log Viewer Results for Establishing and Terminating a VPN v3.5.2 Unity Client

1      05:52:44.564  07/15/02  Sev=Info/6 DIALER/0x63300002
Initiating connection.
2      05:52:44.564  07/15/02  Sev=Info/4 CM/0x63100002
Begin connection process
3      05:52:44.584  07/15/02  Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4      05:52:44.584  07/15/02  Sev=Info/4 CM/0x63100026
Attempt connection with server "vpn-concentrator.xyz.com"
! Core VPN concentrator is "vpn-concentrator.xyz.com".
5      05:52:44.604  07/15/02  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.68.192.81.
! Core VPN concentrator IP address is 192.68.192.81.
6      05:52:44.644  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 192.68.192.81
! OAK=Oakley
! AG=Aggressive Mode
! SA=Security Association
! KE=Key Exchange
! NON=Nonce
! ID=Identifier
! HASH
! VID=Vendor Identifier
7      05:52:44.804  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
8      05:52:44.804  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID, VID, VID) from 192.68.192.81
9      05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
10     05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
! Client authentication. Successful verification for trusted source.
! Group name and password are verified.
11     05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000059
Vendor ID payload = 09002689DFD6B712
12     05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
13     05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000001
Peer supports DPD
! DPD: Dead Peer Detection. The client will send a series of query
! packets to the core concentrator if it does not receive a
! response to data it has sent.
! If there is no response after a predefined time period
! (90 seconds is the default), then the client will assume
! the IPSec connection is inactive and tear it down.
14     05:52:44.804  07/15/02  Sev=Info/5 IKE/0x63000059
Vendor ID payload = 1F07F70EAA6514D3B0FA96542A500305
15     05:52:44.834  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 192.68.192.81
16     05:52:44.854  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
17     05:52:44.854  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
18     05:52:44.854  07/15/02  Sev=Info/4 CM/0x63100015
Launch xAuth application
! User authentication launched.
19     05:52:45.585  07/15/02  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
20     05:52:51.024  07/15/02  Sev=Info/4 CM/0x63100017
xAuth application returned
21     05:52:51.024  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
22     05:52:51.334  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
23     05:52:51.334  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
24     05:52:51.334  07/15/02  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Phase 1 SA in the system
! Phase 1 Security Association has been successfully established.
25     05:52:51.354  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
26     05:52:51.535  07/15/02  Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator
27     05:52:51.535  07/15/02  Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Integrated Client, Capability= (Centralized Policy Push).
! Cisco VPN Unity Client has an integrated firewall.
28     05:52:51.535  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.68.192.81
29     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
30     05:52:51.575  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.68.192.81
31     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.25.250.2
! IP address assigned to the client by the VPN concentrator for the IPSec tunnel.
32     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.226.120
! IP address of the primary DNS server assigned to the client by the concentrator.
33     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.168.168.183
! IP address of the secondary DNS server assigned to the client by the concentrator.
34     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.2.87
! IP address of the primary WINS server assigned to the client by the concentrator.
35     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS): , value = 192.168.235.228
! IP address of the secondary WINS server assigned to the client by the concentrator.
36     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Unauthorized access is prohibited.  Connected to vpn-concentrator.
! Banner that the Cisco VPN Unity client receives from the concentrator.
! The banner indicates that Configuration mode completed successfully.
37     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
38     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xyz.com
! Default domain assigned to the client by the VPN concentrator, xyz.com.
39     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
! PFS=Perfect Forward Secrecy; not being used.
! This parameter specifies whether to use Perfect Forward Secrecy
! and the size of the numbers to use in generating Phase 2 IPSec keys.
! Perfect Forward Secrecy is a cryptographic concept;
! each new key is unrelated to any previous key.
! In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless
! Perfect Forward Secrecy is specified.
! Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys.[2]
40     05:52:51.575  07/15/02  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 3.5.2.Rel built by vmurphy on Feb 14 2002 12:10:21
41     05:52:51.575  07/15/02  Sev=Info/4 CM/0x63100019
Mode Config data received
42     05:52:51.595  07/15/02  Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 192.68.192.81, GW IP = 192.68.192.81
43     05:52:51.595  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
! QM=Quick Mode
44     05:52:51.595  07/15/02  Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 10.10.10.255, GW IP = 192.68.192.81
45     05:52:51.595  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
46     05:52:51.595  07/15/02  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
47     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
48     05:52:51.645  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
49     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds
! Lifetime of the IPSec SA keys, set by the core concentrator.
50     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000046
This SA has already been alive for 7 seconds, setting expiry to 86393 seconds from now
51     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
52     05:52:51.645  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
53     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 28800 seconds
54     05:52:51.645  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
55     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000058
Loading IPsec SA (Message ID = 0xD6D39C1E OUTBOUND SPI = 0x2FC49467 INBOUND SPI = 0x50A8DB73)
56     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x2FC49467
57     05:52:51.645  07/15/02  Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x50A8DB73
58     05:52:51.645  07/15/02  Sev=Info/4 CM/0x6310001A
One secure connection established
59     05:52:51.695  07/15/02  Sev=Info/6 DIALER/0x63300003
Connection established.
60     05:52:51.755  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
61     05:52:51.755  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
62     05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 28800 seconds
63     05:52:51.765  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
64     05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000058
Loading IPsec SA (Message ID = 0xD765C6C4 OUTBOUND SPI = 0x07742CDC INBOUND SPI = 0xCB7C70B2)
! The concentrator connected to this client will have the same SPI numbers, but
! its inbound and outbound SPIs will be reversed, as seen in Table 21-3.
65     05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x07742CDC
66     05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xCB7C70B2
67     05:52:51.765  07/15/02  Sev=Info/4 CM/0x63100022
Additional Phase 2 SA established.
! The Phase 2 SA (IPSec SA) was successfully established.
68     05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000055
Received a key request from Driver for IP address 192.168.2.87, GW IP = 192.68.192.81
69     05:52:51.765  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.68.192.81
70     05:52:51.805  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
71     05:52:51.805  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.68.192.81
72     05:52:51.805  07/15/02  Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 28800 seconds
73     05:52:51.805  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 192.68.192.81
74     05:52:51.805  07/15/02  Sev=Info/5 IKE/0x63000058
Loading IPsec SA (Message ID = 0x8367341C OUTBOUND SPI = 0x044318D0 INBOUND SPI = 0x682F214E)
75     05:52:51.805  07/15/02  Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x044318D0
76     05:52:51.805  07/15/02  Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x682F214E
77     05:52:51.805  07/15/02  Sev=Info/4 CM/0x63100022
Additional Phase 2 SA established.
78     05:52:52.807  07/15/02  Sev=Info/4 IPSEC/0x63700010
Created a new key structure
! A new key structure was created.
79     05:52:52.807  07/15/02  Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x6794c42f into key list
<Output Omitted>
90     05:52:53.187  07/15/02  Sev=Info/6 DIALER/0x63300008
MAPI32 Information - Outlook not default mail client
! This message does not affect operation of the VPN Client.
! The issue occurs when Microsoft Outlook is installed but not
! configured for email, although it is the default mail client.
! It is caused by a Registry Key that is set when the user installs Outlook.
! To eliminate this message, do one of the following:
! - Right-click the Outlook icon, go to Properties, and configure it to use
!   Microsoft Exchange or Internet Mail as the default mail client
! - Use Internet Explorer to configure the system to have no default mail client
! - Configure Outlook as the default mail client (CSCdv67594)[3]
91     05:52:54.189  07/15/02  Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xdc2c7407 for inbound key with SPI=0xb2707ccb
92     05:53:21.803  07/15/02  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.68.192.81
93     05:53:21.803  07/15/02  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 192.68.192.81
94     05:53:21.803  07/15/02  Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = 7742CDC INBOUND SPI = CB7C70B2)
95     05:53:22.734  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0xb2707ccb
96     05:53:22.734  07/15/02  Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0xb2707ccb
97     05:53:22.734  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0xdc2c7407
98     05:53:22.734  07/15/02  Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0xdc2c7407
99     05:53:26.741  07/15/02  Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xd0184304 for inbound key with SPI=0x4e212f68
100    05:54:49.903  07/15/02  Sev=Info/6 DIALER/0x63300006
Disconnecting connection.
! Termination process has been initiated.
101    05:54:49.913  07/15/02  Sev=Info/4 CM/0x6310000A
Secure connections terminated
102    05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = 44318D0 INBOUND SPI = 682F214E)
! Deleting SA. Recall that the SA is IP address + IPSec protocol + SPI.
103    05:54:49.913  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
104    05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = 2FC49467 INBOUND SPI = 50A8DB73)
105    05:54:49.913  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
106    05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000017
Marking IKE SA for deletion (COOKIES = FA981A927C24915F AED77DA44D19D140) reason = DEL_REASON_RESET_SADB
! Reason for disconnect was a reset of the security association database (SADB).
107    05:54:49.913  07/15/02  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.68.192.81
108    05:54:49.913  07/15/02  Sev=Info/4 CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_RESET_SADB.  0 Phase 1 SA currently in the system
109    05:54:49.973  07/15/02  Sev=Info/5 CM/0x63100029
Initializing CVPNDrv
110    05:54:49.973  07/15/02  Sev=Info/6 CM/0x63100035
Tunnel to headend device vpn-concentrator.xyz.com disconnected: duration: 0 days 0:1:58
111    05:54:49.973  07/15/02  Sev=Info/5 CM/0x63100029
Initializing CVPNDrv
112    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x4e212f68
113    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0xd0184304
114    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x73dba850
115    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x6794c42f
116    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
117    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700010
Created a new key structure
118    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000
119    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
120    05:54:49.983  07/15/02  Sev=Info/4
IPSEC/0x63700014 Deleted all keys 121    05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700014 Deleted all keys 122    05:54:49.983  07/15/02  Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 192.68.192.81 123    05:54:49.983  07/15/02  Sev=Warning/2 IKE/0xA3000062 Attempted incoming connection from 192.68.192.81. Inbound connections are     not allowed. 124    05:54:49.983  07/15/02  Sev=Info/5 IKE/0x63000055 Received a key request from Driver for IP address 192.168.2.87,     GW IP = 192.68.192.81 125    05:54:49.983  07/15/02  Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 192.68.192.81.  KEY_REQ aborted. ! In addition to the termination, this message may appear when the WAN ! IP address has changed due to problems such as flapping WAN connections or ! ISP issues (see Chapter 22 for more information). 126    05:54:50.413  07/15/02  Sev=Info/6 DIALER/0x63300007 Disconnected. 
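The following Python script is an added example; it is not from the book or from Cisco. It parses Unity client log entries in the format of Example 21-1 (one entry per line, as constructed here from the entries above) and audits the IPSec SA lifecycle: which SPI pairs the IKE subsystem loaded and deleted, which key SPIs the IPSEC driver reported, why the Phase 1 SA was torn down, and which warnings appeared. It also makes visible something the log above shows but that is easy to miss: the IPSEC driver entries print each SPI with its bytes in the opposite order to the IKE entries (0xdc2c7407 in entry 91 is the outbound SPI 0x07742CDC of entry 64), so the script byte-swaps before matching. The function names and the report layout are the example's own.

```python
import re

# Excerpt of the Cisco VPN Unity client log from Example 21-1, one entry per line
# (entry number, time, date, Sev=Category/level, CLASS/0xcode, message). Entries that
# add nothing to the SA audit are left out; entry 118 is kept as an edge case.
UNITY_LOG = """\
64  05:52:51.765  07/15/02  Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0xD765C6C4 OUTBOUND SPI = 0x07742CDC INBOUND SPI = 0xCB7C70B2)
74  05:52:51.805  07/15/02  Sev=Info/5 IKE/0x63000058 Loading IPsec SA (Message ID = 0x8367341C OUTBOUND SPI = 0x044318D0 INBOUND SPI = 0x682F214E)
79  05:52:52.807  07/15/02  Sev=Info/4 IPSEC/0x6370000F Added key with SPI=0x6794c42f into key list
91  05:52:54.189  07/15/02  Sev=Info/4 IPSEC/0x63700019 Activate outbound key with SPI=0xdc2c7407 for inbound key with SPI=0xb2707ccb
94  05:53:21.803  07/15/02  Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 7742CDC INBOUND SPI = CB7C70B2)
99  05:53:26.741  07/15/02  Sev=Info/4 IPSEC/0x63700019 Activate outbound key with SPI=0xd0184304 for inbound key with SPI=0x4e212f68
102 05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 44318D0 INBOUND SPI = 682F214E)
104 05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000018 Deleting IPsec SA: (OUTBOUND SPI = 2FC49467 INBOUND SPI = 50A8DB73)
106 05:54:49.913  07/15/02  Sev=Info/5 IKE/0x63000017 Marking IKE SA for deletion (COOKIES = FA981A927C24915F AED77DA44D19D140) reason = DEL_REASON_RESET_SADB
118 05:54:49.983  07/15/02  Sev=Info/4 IPSEC/0x63700013 Delete internal key with SPI=0x00000000
125 05:54:49.983  07/15/02  Sev=Warning/3 IKE/0xE3000065 Could not find an IKE SA for 192.68.192.81.  KEY_REQ aborted.
"""

ENTRY_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<category>\w+)/(?P<level>\d+)\s+(?P<cls>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s+(?P<msg>.*)$"
)
# IKE prints the pair with or without the 0x prefix and may drop a leading zero (7742CDC).
SPI_PAIR_RE = re.compile(r"OUTBOUND SPI = (?:0x)?([0-9A-Fa-f]+)\s+INBOUND SPI = (?:0x)?([0-9A-Fa-f]+)")
KEY_SPI_RE = re.compile(r"SPI=0x([0-9A-Fa-f]+)")
REASON_RE = re.compile(r"reason = (\w+)")


def byte_swap32(value):
    """Reverse the byte order of a 32-bit value (0x07742CDC <-> 0xDC2C7407)."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def parse_unity_log(text):
    """Return one dict per parseable entry; comments and '<Output Omitted>' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entries.append(entry)
    return entries


def sa_lifecycle(entries):
    """Collect IKE-level SA loads/deletes, driver key SPIs, Phase 1 delete reasons and warnings."""
    report = {"loaded": set(), "deleted": set(), "driver_keys": set(),
              "phase1_delete_reasons": [], "warnings": []}
    for e in entries:
        msg = e["msg"]
        if e["cls"] == "IKE" and msg.startswith("Loading IPsec SA"):
            out_spi, in_spi = SPI_PAIR_RE.search(msg).groups()
            report["loaded"].add((int(out_spi, 16), int(in_spi, 16)))
        elif e["cls"] == "IKE" and msg.startswith("Deleting IPsec SA"):
            out_spi, in_spi = SPI_PAIR_RE.search(msg).groups()
            report["deleted"].add((int(out_spi, 16), int(in_spi, 16)))
        elif e["cls"] == "IKE" and "Marking IKE SA for deletion" in msg:
            report["phase1_delete_reasons"].append(REASON_RE.search(msg).group(1))
        elif e["cls"] == "IPSEC":
            report["driver_keys"].update(int(s, 16) for s in KEY_SPI_RE.findall(msg))
        if e["category"] == "Warning":
            report["warnings"].append((e["num"], msg))
    return report


def audit(report):
    """Cross-check the IKE view of the SAs against the driver's key list."""
    ike_spis = {spi for pair in report["loaded"] | report["deleted"] for spi in pair}
    matched = {k for k in report["driver_keys"] if byte_swap32(k) in ike_spis}
    return {
        # SAs loaded but never deleted: keys that were still active when the log ended.
        "still_loaded": report["loaded"] - report["deleted"],
        # SAs deleted whose load is not in the captured log (here: the omitted output).
        "deleted_without_load": report["deleted"] - report["loaded"],
        "driver_keys_matched": matched,
        # Driver SPIs with no IKE counterpart even after the byte swap (the 0x00000000 placeholder).
        "driver_keys_unmatched": report["driver_keys"] - matched,
    }


if __name__ == "__main__":
    rep = sa_lifecycle(parse_unity_log(UNITY_LOG))
    for key, value in audit(rep).items():
        print(key, [hex(v) if isinstance(v, int) else tuple(map(hex, v)) for v in value])
    print("Phase 1 delete reasons:", rep["phase1_delete_reasons"])
    print("Warnings:", rep["warnings"])
```

Run against the excerpt, the audit reports no SA still loaded at the end, one SA (2FC49467/50A8DB73) deleted whose load fell inside the omitted output, every driver key matched to an IKE SPI after the byte swap except the 0x00000000 placeholder, and DEL_REASON_RESET_SADB as the Phase 1 teardown reason. Feeding it a log from a failing client shows at a glance whether teardown was orderly or whether the driver and IKE disagreed about which keys existed.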

Log files showing that a Phase 1 SA cannot be established indicate that the client cannot communicate successfully with the core concentrator. Clients that cannot establish the Phase 2 SA might be encountering an issue related to MTU size and should consider reducing the MTU. Connections that fail at random after passing data successfully, accompanied by an error message similar to the one in Example 21-2, indicate that connectivity between the client and the VPN concentrator is suspect.

Example 21-2. Log Entry for Terminating VPN Session
 IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
 ! Cause of termination was loss of network connectivity to the
 ! VPN terminating device.

Cisco 3000 Concentrator Event Log

The concentrator also has a log feature that is helpful in troubleshooting remote access VPN connections. Example 21-3 shows the concentrator log entries for the same client connection shown in Example 21-1, seen from the other end. It also shows the benefit of troubleshooting in the enterprise environment, where you usually have access to the concentrator and can check its log. For the purposes of the example, the beginning of the negotiation process is skipped; entry 29299 starts at the user authentication phase, which lets you identify the user by login name (smith) in the log. As with Example 21-1, the log shows the output from the connect-disconnect scenario and is provided here solely for the purposes of explanation.

Example 21-3. Concentrator Log for Unity VPN SW Client Connection (client v3.5.2, concentrator v3.5)
 29299 07/15/2002 05:52:11.970 SEV=4 IKE/52 RPT=4502 12.235.95.31 Group [vpn] User [smith] User (smith) authenticated.
 ! 12.235.95.31 is the actual IP address of the client.
 29301 07/15/2002 05:52:12.500 SEV=4 AUTH/22 RPT=4691 User smith connected
 29302 07/15/2002 05:52:12.500 SEV=4 IKE/119 RPT=15983 12.235.95.31 Group [vpn] User [smith] PHASE 1 COMPLETED
 29304 07/15/2002 05:52:12.500 SEV=5 IKE/25 RPT=39263 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
 ! 10.25.250.2 is the IP address assigned to the client by
 ! the concentrator for the VPN tunnel.
 29307 07/15/2002 05:52:12.500 SEV=5 IKE/24 RPT=38566 12.235.95.31 Group [vpn] User [smith] Received local Proxy Host data in ID Payload: Address 192.168.192.81, Protocol 0, Port 0
 29310 07/15/2002 05:52:12.500 SEV=5 IKE/66 RPT=20250 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
 29311 07/15/2002 05:52:12.510 SEV=5 IKE/75 RPT=19355 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
 ! The lower of the two rekeying values offered by the concentrator and
 ! the client is the agreed-upon key lifetime.
 29313 07/15/2002 05:52:12.530 SEV=5 IKE/25 RPT=39264 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
 29316 07/15/2002 05:52:12.530 SEV=5 IKE/34 RPT=47224 12.235.95.31 Group [vpn] User [smith] Received local IP Proxy Subnet data in ID Payload:  Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
 29319 07/15/2002 05:52:12.530 SEV=5 IKE/66 RPT=20251 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
 ! SA protocol ESP, encryption algorithm 3DES, and hash MD5.
 29320 07/15/2002 05:52:12.530 SEV=5 IKE/75 RPT=19356 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
 ! The group on the VPN concentrator is set to rekey the keys for
 ! the IPSec negotiations.
 29322 07/15/2002 05:52:12.540 SEV=4 IKE/49 RPT=20311 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x0db4b5a1, Outbound SPI = 0x7e6fc994
 ! You can see the SPIs reversed from the client, as shown in Example 21-1.
 29325 07/15/2002 05:52:12.540 SEV=4 IKE/120 RPT=20311 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=32e87ed3)
 29326 07/15/2002 05:52:12.790 SEV=4 IKE/49 RPT=20312 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x73558664, Outbound SPI = 0xa9a80dcf
 29329 07/15/2002 05:52:12.790 SEV=4 IKE/120 RPT=20312 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=6fdb7e4d)
 29330 07/15/2002 05:52:12.810 SEV=5 IKE/25 RPT=39265 12.235.95.31 Group [vpn] User [smith] Received remote Proxy Host data in ID Payload: Address 10.25.250.2, Protocol 0, Port 0
 29333 07/15/2002 05:52:12.810 SEV=5 IKE/34 RPT=47225 12.235.95.31 Group [vpn] User [smith] Received local IP Proxy Subnet data in ID Payload:  Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
 29336 07/15/2002 05:52:12.810 SEV=5 IKE/66 RPT=20252 12.235.95.31 Group [vpn] User [smith] IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5
 29337 07/15/2002 05:52:12.810 SEV=5 IKE/75 RPT=19357 12.235.95.31 Group [vpn] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
 29339 07/15/2002 05:52:12.830 SEV=4 IKE/49 RPT=20313 12.235.95.31 Group [vpn] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x398539b4, Outbound SPI = 0x7cc8d0c0
 29342 07/15/2002 05:52:12.840 SEV=4 IKE/120 RPT=20313 12.235.95.31 Group [vpn] User [smith] PHASE 2 COMPLETED (msgid=ba313b15)
 ! Disconnect process follows.
 29349 07/15/2002 05:52:22.280 SEV=5 IKE/50 RPT=3452 12.235.95.31 Group [vpn] User [smith] Connection terminated for peer smith (Peer Terminate) Remote Proxy 10.25.250.2, Local Proxy 0.0.0.0
 29352 07/15/2002 05:52:22.280 SEV=5 IKE/170 RPT=34237 12.235.95.31 Group [vpn] User [smith] IKE Received delete for rekeyed centry IKE peer: 10.25.250.2, centry addr: 0727a5f0, msgid: 0x6fdb7e4d
 29355 07/15/2002 05:52:22.280 SEV=5 IKE/50 RPT=3453 12.235.95.31 Group [vpn] User [smith] Connection terminated for peer smith (Peer Terminate) Remote Proxy 10.25.250.2, Local Proxy 192.168.192.81
 29358 07/15/2002 05:52:22.290 SEV=4 AUTH/28 RPT=4322 12.235.95.31 User [smith] disconnected:  Duration: 0:00:09  Bytes xmt: 456  Bytes rcv: 680  Reason: User Requested

The concentrator event classes and corresponding descriptions are found in Table 21-4.

Table 21-4. VPN Concentrator Event Classes [2]

 Class Name      Class Description (Event Source)
 AUTH            Authentication
 AUTHDBG         Authentication debugging
 AUTHDECODE      Authentication protocol decoding
 AUTOUPDATE      Autoupdate subsystem
 CAPI            Cryptography subsystem
 CERT            Digital certificates subsystem
 CONFIG          Configuration subsystem
 DHCP            Dynamic Host Configuration Protocol (DHCP) subsystem
 DHCPDBG         DHCP debugging
 DHCPDECODE      DHCP decoding
 DM              Data movement subsystem
 DNS             DNS subsystem
 DNSDBG          DNS debugging
 DNSDECODE       DNS decoding
 EVENT           Event subsystem
 EVENTDBG        Event subsystem debugging
 EVENTMIB        Event Management Information Base (MIB) changes
 EXPANSIONCARD   Expansion card (module) subsystem
 FILTER          Filter subsystem
 FILTERDBG       Filter debugging
 FSM             Finite state machine subsystem (for debugging)
 FTPD            FTP daemon subsystem
 GENERAL         Network Time Protocol (NTP) subsystem and other general events
 GRE             Generic routing encapsulation (GRE) subsystem
 GREDBG          GRE debugging
 GREDECODE       GRE decoding
 HARDWAREMON     Hardware monitoring (fans, temperature, voltages, and so on)
 HTTP            HTTP subsystem
 IKE             ISAKMP/Oakley (IKE) subsystem
 IKEDBG          ISAKMP/Oakley (IKE) debugging
 IKEDECODE       ISAKMP/Oakley (IKE) decoding
 IP              IP router subsystem
 IPDBG           IP router debugging
 IPDECODE        IP packet decoding
 IPSEC           IPSec subsystem
 IPSECDBG        IPSec debugging
 IPSECDECODE     IPSec decoding
 L2TP            Layer 2 Tunnel Protocol (L2TP) subsystem
 L2TPDBG         L2TP debugging
 L2TPDECODE      L2TP decoding
 LBSSF           Load balancing subsystem
 MIB2TRAP        MIB-II trap subsystem: Simple Network Management Protocol (SNMP) MIB-II traps
 OSPF            Open Shortest Path First (OSPF) subsystem
 PPP             PPP subsystem
 PPPDBG          PPP debugging
 PPPDECODE       PPP decoding
 PPTP            PPTP subsystem
 PPTPDBG         PPTP debugging
 PPTPDECODE      PPTP decoding
 PSH             Operating system command shell
 PSOS            Embedded real-time operating system
 QUEUE           System queue
 REBOOT          System rebooting
 RM              Resource manager subsystem
 SMTP            Simple Mail Transfer Protocol (SMTP) event handling
 SNMP            SNMP trap subsystem
 SSH             Secure Shell (SSH) subsystem
 SSL             Secure Socket Layer (SSL) subsystem
 SYSTEM          Buffer, heap, and other system utilities
 TCP             TCP subsystem
 TELNET          Telnet subsystem
 TELNETDBG       Telnet debugging
 TELNETDECODE    Telnet decoding
 TIME            System time (clock)
 VRRP            Virtual Router Redundancy Protocol (VRRP) subsystem
 XML             XML


The impact of these events, or their severity levels, is measured and shown in the event logs per Table 21-5.

Table 21-5. VPN Concentrator Event Severity Levels [2]

 Level   Category        Description
 1       Fault           A crash or non-recoverable error
 2       Warning         A pending crash or severe problem that requires user intervention
 3       Warning         A potentially serious problem that might require user action
 4       Information     An information-only event with few details
 5       Information     An information-only event with moderate detail
 6       Information     An information-only event with greatest detail
 7       Debug           Least amount of debugging detail
 8       Debug           Moderate amount of debugging detail
 9       Debug           Greatest amount of debugging detail
 10      Packet Decode   High-level packet header decoding
 11      Packet Decode   Low-level packet header decoding
 12      Packet Decode   Hex dump of header
 13      Packet Decode   Hex dump of packet


Cisco indicates that within a severity level category, higher-numbered events provide more detail than lower-numbered events. You can change the severity level of the events displayed in the concentrator event log and console, as well as those sent to syslog, e-mail, and traps, with the concentrator menu Configuration, System, Events, General. An example of a specific event and severity level is shown in Example 21-4, in which the concentrator deletes its connection with user "smith" because of no response using the Dead Peer Detection (DPD) feature. The concentrator actually reports two separate events: first the lack of response, then the disconnection. For the "no response" event, the severity level is 4, the event class is IKE, and the event number is 123. The disconnection is also classified as severity level 4, and its event class is authentication. RPT stands for repeat and indicates the number of times that the event has occurred since the concentrator was reloaded.[2]

Example 21-4. Event Log for Deleted Connection Because of No Response from the Client
 8157 07/11/2002 12:54:19.140 SEV=4 IKE/123 RPT=6792 128.216.126.77 Group [xyz-vpn] User [smith] IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
 8162 07/11/2002 12:54:19.150 SEV=4 AUTH/28 RPT=16579 128.216.126.77 User [smith] disconnected:  Duration: 0:51:22  Bytes xmt: 276824  Bytes rcv: 311120  Reason: User Requested

Incompatible GINAs and Workarounds

GINA is the system that Microsoft devised to control access to the W2K and NT host environments. GINAs are the modules that force clients to log in to their host. Two types of GINAs are in use: authenticator and filter.[4] There can be multiple filters, but only one authenticator. In this case, the filters chain to each other but the last GINA called in this chain must be the authenticator. The authenticator manages the user login process, and the filters offer additional benefits.

The default GINA for W2K is MSGINA.DLL. Unfortunately, some GINAs cannot coexist and participate in a chain of GINAs. If you install the Cisco VPN Unity client v3.5 or earlier on a host that already has a third-party GINA that is incompatible with the Cisco VPN Unity client's GINA (CSGINA.DLL), the W2K host might experience a startup failure.[5] A typical failure message that results from incompatible GINAs during the boot process is as follows:

 SAS window: winlogon.exe
 Application Error
 The instruction at "0x00000000" referenced memory at "0x00000000".
 The memory could not be "read".

You might need to restart your host in Safe mode and perform the following sequence to restore your host to the state it was in before the Cisco VPN Unity client installed its GINA:

1. Copy CSGINA.DLL in the SYSTEM32 directory to TEMPORARY_CSGINA.DLL.

2. In the same SYSTEM32 directory, copy MSGINA.DLL to CSGINA.DLL.

3. Reboot the host and log into the host as Administrator.

4. Type "rundll32 temporary_csgina.dll,GinaUnregister" (omitting the quotes) at the command line, or use Start, Run.

5. Reboot the host.

This procedure can also result in extended delays for clients who log into Windows NT networks after authenticating their Cisco VPN Unity client. This delay, of up to 30 seconds or more, can occur because the client is preempted by other tasks running on the host. If you want to force the host to disregard any third-party GINAs and restore the backup method for logging into Windows NT networks after authenticating the Cisco VPN Unity client, Cisco suggests the following:

1. Copy MSGINA.DLL to CSGINA.DLL in the SYSTEM32 directory.

2. Reboot the host and log in as Administrator.

3. Delete the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" subkey in the Registry editor.

4. Set the "HKEY_LOCAL_MACHINE\Software\Cisco Systems\VPN Client" subkey to 0.

5. Reboot the host.

Cisco 3002 HW Client Troubleshooting

The Cisco VPN 3002 HW client can be configured in either Client mode or Network Extension mode. In Client mode, the 3002 performs as the Cisco VPN Unity SW client, obtaining an IP address from the device terminating the VPN tunnel. PAT/NAT is implemented on the VPN 3002 to direct network traffic to/from hosts connected to its private interface. In Network Extension mode, the VPN 3002 HW client is configured with an IP address subnet that is routable throughout the organization, which provides the capability to remotely access hosts connected to the private interface from the enterprise network.

In this section, you review methods and tools for troubleshooting the VPN 3002 HW client, including the following:

  • Initial troubleshooting checklist

  • Using the VPN 3002 HW client event log

Initial Troubleshooting Checklist

As with the Cisco VPN Unity client, this section is written under the assumption that the configuration of the 3002 HW client is correct; however, the first steps are to verify the configuration, as suggested in Table 21-6. Issues that clients might encounter are related to end-to-end connectivity, MTU, and address assignment. The end-to-end connectivity and MTU issues are similar to those encountered with the SW client. The address assignment issue is unique to the 3002. At the time of writing this book, Cisco was working to address the MTU and subnet mask assignment issues for the 3002. Other features that most probably will be available in the near future are support for viewing multicast streams and two-way IP telephony when the 3002 HW client is in Client mode.

Table 21-6. Initial Troubleshooting Checklist for the VPN 3002 HW Client

 Issue 1: User does not receive a login prompt when using XAUTH for unit authentication.
   Possible source (a): The VPN 3002 HW client might need to be reset.
   Corrective action: Select Administration, Ping, and attempt to ping an Internet site, such as www.cisco.com. If successful, save the VPN 3002 concentrator configuration and reload the VPN 3002.
   Possible source (b): The VPN 3002 HW client does not have Internet connectivity because it is incorrectly configured.
   Corrective action: If the VPN 3002 HW client cannot resolve a host name, verify the DNS server addresses. Next, verify the public interface connectivity. If using PPPoE, verify the PPPoE username and password, and check the log to verify PPPoE authentication (Monitoring, Filterable Event Log, Get Log). Verify that the VPN 3002 HW client is properly configured with, or is learning, the correct route(s). If not using PPPoE, verify that the public interface is either learning IP address information through DHCP or is configured with the correct static IP address information. If applicable, verify Internet connectivity from a router in front of the VPN 3002 HW client.

 Issue 2: User is authenticated but cannot pass any data.
   Possible source (a): The correct client mode was not selected (Network Extension mode or Client mode).
   Corrective action: Select Configuration, Interfaces, and verify that the private interface is configured with the correct IP address and subnet mask.
   Possible source (b): If Network Extension mode is used, another client might have an overlapping subnet.
   Corrective action: On the core VPN 3000 concentrator, the administrator needs to verify the subnet mask for each client with subnets adjacent to the client experiencing the problem (Administration, Administer Sessions). Next, check for masks that might have been set mistakenly. After the device causing the problem is identified, correct the setting and confirm that the 3002 HW client with the original issue can now send/receive data.

 Issue 3: User is authenticated but cannot send/receive data for applications with large packet sizes, such as HTTP, e-mail, or Network File System (NFS).
   Possible source (a): The MTU of the host is too large (at the time of writing, the VPN 3002 HW client does not have a mechanism to set/change the MTU on its interfaces).
   Corrective action: Reduce the MTU on the network interface of each host exhibiting the issue (see the section "MTU: A Critical Factor for Troubleshooting Internet IPSec Connectivity").


Using the VPN 3002 HW Client Event Log

Similar to the Cisco VPN Unity client, the Event Console messages and Event Log of the VPN 3002 HW client can prove useful when troubleshooting remote access connectivity issues. The settings that control the events reported in the VPN 3002 HW Client Event Log are found under Configuration, System, Events. The VPN 3002 HW Client Help menu provides an excellent overview of, and detailed information about, the features of the event logging system.

A significant number of event classes exist for the VPN 3002 HW client (see Table 21-7), some of which are intended exclusively for Cisco support. Others, however, can provide useful information when troubleshooting a VPN 3002 HW client.[6]

Table 21-7. VPN 3002 HW Client Event Classes for General Users[6]

 Class Name      Class Description (Event Source)
 CERT            Digital certificates subsystem
 DHCP            DHCP subsystem
 DNS             DNS subsystem
 FTPD            FTP daemon subsystem
 GENERAL         NTP subsystem and other general events
 HARDWAREMON     Hardware monitoring (fans, temperature, voltages, and so on)
 HTTP            HTTP subsystem
 IKE             ISAKMP/Oakley (IKE) subsystem
 IP              IP router subsystem
 IPSEC           IPSec subsystem
 PPP             PPP subsystem
 PPPoE           PPPoE subsystem
 REBOOT          System rebooting
 SNMP            SNMP trap subsystem
 SSH             SSH subsystem
 SSL             SSL subsystem
 TCP             TCP subsystem
 TELNET          Telnet subsystem
 TIME            System time (clock)


By default, the VPN 3002 displays all events of severity level 1 through 3 on the console. It writes all events of severity level 1 through 5 to the event log. Severity 1 is the most severe and indicates a system crash. Levels 1 to 13 are available, although setting logging for some event classes up to level 13 can cause the concentrator to become inaccessible as a result of processor overuse.

Example 21-5 shows the entries for the Event Log from a 3060 concentrator that successfully authenticates a 3002 VPN HW client and negotiates and establishes a VPN tunnel.

Example 21-5. Event Log from the VPN 3000 Core Concentrator Authenticating a VPN 3002 HW Client v3.5 in Network Extension Mode (Using Default Event Reporting Settings)
 52714 03/04/2002 02:38:10.010 SEV=4 IKE/52 RPT=113 12.234.185.130 Group [TEST] User [smith] User (smithsmith) authenticated.
 ! Client IP address = 12.234.185.130, group name = TEST, username = smith.
 52715 03/04/2002 02:38:10.070 SEV=4 AUTH/22 RPT=116 User smith connected
 52716 03/04/2002 02:38:10.070 SEV=4 IKE/119 RPT=185 12.234.185.130 Group [TEST] User [smith] PHASE 1 COMPLETED
 52718 03/04/2002 02:38:10.070 SEV=5 IKE/25 RPT=390 12.234.185.130 Group [TEST] User [smith] Received remote Proxy Host data in ID Payload: Address 12.234.185.130, Protocol 0, Port 0
 52721 03/04/2002 02:38:10.070 SEV=5 IKE/24 RPT=386 12.234.185.130 Group [TEST] User [smith] Received local Proxy Host data in ID Payload: Address 1928.168.192.81, Protocol 0, Port 0
 ! 192.168.192.81 is the IP address of the concentrator.
 52724 03/04/2002 02:38:10.070 SEV=5 IKE/66 RPT=835 12.234.185.130 Group [TEST] User [smith] IKE Remote Peer configured for SA: ESP-3DES-MD5
 ! SA protocol ESP, encryption algorithm 3DES, and hash MD5.
 52726 03/04/2002 02:38:10.070 SEV=5 IKE/75 RPT=835 12.234.185.130 Group [TEST] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483647 to 28800 seconds
 ! Lifetime of the IPSec SA keys, set by this concentrator.
 52728 03/04/2002 02:38:10.100 SEV=4 IKE/49 RPT=835 12.234.185.130 Group [TEST] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x72b26536, Outbound SPI = 0x76018499
 52731 03/04/2002 02:38:10.100 SEV=4 IKE/120 RPT=835 12.234.185.130 Group [TEST] User [smith] PHASE 2 COMPLETED (msgid=6573ee0a)
 52732 03/04/2002 02:38:10.100 SEV=4 AUTOUPDATE/19 RPT=114 Sending IKE Notify: AutoUpdating clients in group [TEST] Client delay: 0, instID: 0000046F
 52734 03/04/2002 02:38:14.110 SEV=5 IKE/35 RPT=446 12.234.185.130 Group [TEST] User [smith] Received remote IP Proxy Subnet data in ID Payload:  Address 10.25.0.128, Mask 255.255.255.240, Protocol 0, Port 0
 ! The IP subnet configured on the client is 10.25.0.128/28.
 ! The subnet could also be assigned via a RADIUS authentication server.
 52737 03/04/2002 02:38:14.110 SEV=5 IKE/34 RPT=450 12.234.185.130 Group [TEST] User [smith] Received local IP Proxy Subnet data in ID Payload:  Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
 52740 03/04/2002 02:38:14.110 SEV=5 IKE/66 RPT=836 12.234.185.130 Group [TEST] User [smith] IKE Remote Peer configured for SA: ESP-3DES-MD5
 52742 03/04/2002 02:38:14.110 SEV=5 IKE/75 RPT=836 12.234.185.130 Group [TEST] User [smith] Overriding Initiator's IPSec rekeying duration from 2147483647 to 28800 seconds
 52744 03/04/2002 02:38:14.150 SEV=4 IKE/49 RPT=836 12.234.185.130 Group [TEST] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x6f1c24f7, Outbound SPI = 0x25f707f3
 52747 03/04/2002 02:38:14.150 SEV=4 IKE/120 RPT=836 12.234.185.130 Group [TEST] User [smith] PHASE 2 COMPLETED (msgid=6b8ddbe7)
 ! At this point the IPSec SA was successfully negotiated and
 ! data can be sent to/from hosts connected behind the VPN 3002 HW client.
 ! The disconnect process begins.
 54625 03/04/2002 04:10:59.250 SEV=4 IKE/123 RPT=28 12.234.185.130 Group [TEST] User [smith] IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
 54629 03/04/2002 04:10:59.250 SEV=4 AUTH/28 RPT=47 12.234.185.130 User [smith] disconnected:  Duration: 1:32:49  Bytes xmt: 156848  Bytes rcv: 242112  Reason: User Requested

Example 21-6 shows the event log from a 3002 client during its authentication, negotiation, and establishment of a VPN tunnel.

Example 21-6. Event Log from a VPN 3002 HW Client for Establishing a VPN Tunnel (Using Default Event Reporting Settings)
 1235 03/04/2002 02:35:52.520 SEV=4 IKE/41 RPT=156 192.168.192.81 IKE Initiator: New Phase 1, Intf 2, IKE Peer 192.168.192.81 local Proxy Address 12.234.185.130, remote Proxy Address 192.168.192.81, SA (ESP-3DES-MD5)
 1238 03/04/2002 02:36:00.640 SEV=5 DHCP/66 RPT=32 DHCPREQUEST received by server.  MAC Addr: 00.00.86.46.2E.8E.  Requested IP: 10.25.0.130.
 ! The 3002 VPN HW client is configured as a DHCP server and receives a DHCP request.
 1240 03/04/2002 02:36:00.640 SEV=5 DHCP/72 RPT=31 DHCPACK sent by server.  MAC Addr: 00.00.86.46.2E.8E
 ! The 3002 VPN HW client responds to the DHCP request.
 1241 03/04/2002 02:36:23.590 SEV=3 AUTH/24 RPT=3 Tunnel to headend device 192.168.192.81 connected
 1242 03/04/2002 02:36:23.590 SEV=4 IKE/119 RPT=4 192.168.192.81 Group [192.168.192.81192.168.192.81] PHASE 1 COMPLETED
 1243 03/04/2002 02:36:23.620 SEV=5 IKE/73 RPT=14 192.168.192.81 Group [192.168.192.81] Responder forcing change of IKE rekeying duration from 2147483647 to 86400 seconds
 ! The core terminating concentrator forces the IKE rekey duration change.
 1246 03/04/2002 02:36:23.620 SEV=5 IKE/73 RPT=15 192.168.192.81 Group [192.168.192.81] Responder forcing change of IPSec rekeying duration from 2147483647 to 28800 seconds
 1249 03/04/2002 02:36:23.630 SEV=4 IKE/49 RPT=11 192.168.192.81 Group [192.168.192.81] Security negotiation complete for peer (192.168.192.81) Initiator, Inbound SPI = 0x76018499, Outbound SPI = 0x72b26536
 1252 03/04/2002 02:36:23.640 SEV=4 IKE/120 RPT=11 192.168.192.81 Group [192.168.192.81] PHASE 2 COMPLETED (msgid=6573ee0a)
 1253 03/04/2002 02:36:23.660 SEV=4 AUTOUPDATE/5 RPT=3 Current version 3.5.Rel is up to date.
 ! The core terminating concentrator checked the SW version running on this
 ! 3002 HW client and verified that it matches its requirement.
 ! Otherwise, it could have been configured to push a new SW image to the client.
 1254 03/04/2002 02:36:27.640 SEV=4 IKE/41 RPT=157 IKE Initiator: New Phase 2, Intf 2, IKE Peer 1-192.168.192.81 local Proxy Address 10.25.0.128, remote Proxy Address 0.0.0.0, SA (ESP-3DES-MD5)
 1256 03/04/2002 02:36:27.660 SEV=5 IKE/73 RPT=16 192.168.192.81 Group [192.168.192.81] Responder forcing change of IPSec rekeying duration from 2147483647 to 28800 seconds
 1259 03/04/2002 02:36:27.670 SEV=4 IKE/49 RPT=12 192.168.192.81 Group [192.168.192.81] Security negotiation complete for peer (192.168.192.81) Initiator, Inbound SPI = 0x25f707f3, Outbound SPI = 0x6f1c24f7
 1262 03/04/2002 02:36:27.680 SEV=4 IKE/120 RPT=12 192.168.192.81 Group [192.168.192.81] PHASE 2 COMPLETED (msgid=6b8ddbe7)
 ! At this point the IPSec SA was successfully negotiated, and data
 ! can be sent to/from hosts connected behind the VPN 3002 HW client.
 ! The disconnect process begins.
 1282 03/04/2002 04:03:55.070 SEV=3 IP/31 RPT=1 Deleting Default Gateway 12.234.184.1 learned via DHCP on interface 2.
 1283 03/04/2002 04:03:55.090 SEV=3 AUTH/25 RPT=3 192.168.192.81 Tunnel to headend device 192.168.192.81 disconnected: duration: 1:27:31
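The following Python script is an added example, not from the book or from Cisco, that serves two passages: the severity levels and the two-event DPD disconnect described around Example 21-4, and the mirrored SPIs visible when Examples 21-5 and 21-6 are read side by side. It parses the concentrator-style entries that the VPN 3000 and the 3002 HW client both emit (entry number, date, time, SEV=level, CLASS/event, RPT=count, free text), maps each SEV level to its Table 21-5 category, pairs every IKE/123 "lost contact" event with the AUTH/28 disconnect that follows for the same user, and checks that each (inbound, outbound) SPI pair negotiated on the concentrator appears swapped on the client. Note that the AUTH/28 entry still reports "Reason: User Requested" after a DPD timeout, so the IKE/123 event is what tells you the real cause. The sample entries are copied from Examples 21-5 and 21-6; the function names are the example's own.

```python
import re

# Entries copied from Example 21-5 (concentrator side) and Example 21-6 (3002 HW client side),
# one entry per line, in the common concentrator log format.
CONCENTRATOR_LOG = """\
52728 03/04/2002 02:38:10.100 SEV=4 IKE/49 RPT=835 12.234.185.130 Group [TEST] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x72b26536, Outbound SPI = 0x76018499
52744 03/04/2002 02:38:14.150 SEV=4 IKE/49 RPT=836 12.234.185.130 Group [TEST] User [smith] Security negotiation complete for User (smith) Responder, Inbound SPI = 0x6f1c24f7, Outbound SPI = 0x25f707f3
54625 03/04/2002 04:10:59.250 SEV=4 IKE/123 RPT=28 12.234.185.130 Group [TEST] User [smith] IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
54629 03/04/2002 04:10:59.250 SEV=4 AUTH/28 RPT=47 12.234.185.130 User [smith] disconnected:  Duration: 1:32:49  Bytes xmt: 156848  Bytes rcv: 242112  Reason: User Requested
"""
HW_CLIENT_LOG = """\
1249 03/04/2002 02:36:23.630 SEV=4 IKE/49 RPT=11 192.168.192.81 Group [192.168.192.81] Security negotiation complete for peer (192.168.192.81) Initiator, Inbound SPI = 0x76018499, Outbound SPI = 0x72b26536
1259 03/04/2002 02:36:27.670 SEV=4 IKE/49 RPT=12 192.168.192.81 Group [192.168.192.81] Security negotiation complete for peer (192.168.192.81) Initiator, Inbound SPI = 0x25f707f3, Outbound SPI = 0x6f1c24f7
1283 03/04/2002 04:03:55.090 SEV=3 AUTH/25 RPT=3 192.168.192.81 Tunnel to headend device 192.168.192.81 disconnected: duration: 1:27:31
"""

ENTRY_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z0-9]+)/(?P<event>\d+)\s+RPT=(?P<rpt>\d+)\s*(?P<msg>.*)$"
)
PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"User \[([^\]]+)\]")
SPI_RE = re.compile(r"Inbound SPI = 0x([0-9A-Fa-f]+), Outbound SPI = 0x([0-9A-Fa-f]+)")
DURATION_RE = re.compile(r"Duration: (\S+)")
REASON_RE = re.compile(r"Reason: (.+)$")


def severity_category(level):
    """Map a SEV level to its category as given in Table 21-5."""
    if level == 1:
        return "Fault"
    if 2 <= level <= 3:
        return "Warning"
    if 4 <= level <= 6:
        return "Information"
    if 7 <= level <= 9:
        return "Debug"
    if 10 <= level <= 13:
        return "Packet Decode"
    raise ValueError(f"severity level out of range: {level}")


def parse_log(text):
    """Parse concentrator-format entries; comment lines and anything unparseable are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sev"], e["event"], e["rpt"] = int(e["sev"]), int(e["event"]), int(e["rpt"])
        e["category"] = severity_category(e["sev"])
        peer, user = PEER_RE.match(e["msg"]), USER_RE.search(e["msg"])
        e["peer"] = peer.group(1) if peer else None
        e["user"] = user.group(1) if user else None
        entries.append(e)
    return entries


def dpd_disconnects(entries):
    """Pair each IKE/123 DPD loss with the next AUTH/28 disconnect for the same user."""
    results = []
    for i, e in enumerate(entries):
        if e["cls"] == "IKE" and e["event"] == 123 and "keepalive type: DPD" in e["msg"]:
            rec = {"user": e["user"], "peer": e["peer"], "at": f'{e["date"]} {e["time"]}',
                   "rpt": e["rpt"], "duration": None, "auth_reason": None}
            for later in entries[i + 1:]:
                if later["cls"] == "AUTH" and later["event"] == 28 and later["user"] == e["user"]:
                    # AUTH/28 reports the session statistics but not the real cause.
                    rec["duration"] = DURATION_RE.search(later["msg"]).group(1)
                    rec["auth_reason"] = REASON_RE.search(later["msg"]).group(1)
                    break
            results.append(rec)
    return results


def spi_pairs(entries):
    """(inbound, outbound) SPI pairs from IKE/49 'Security negotiation complete' entries."""
    pairs = set()
    for e in entries:
        if e["cls"] == "IKE" and e["event"] == 49:
            in_spi, out_spi = SPI_RE.search(e["msg"]).groups()
            pairs.add((int(in_spi, 16), int(out_spi, 16)))
    return pairs


def mirror_spis(concentrator_entries, client_entries):
    """Each concentrator pair should appear on the client with inbound and outbound swapped."""
    conc = spi_pairs(concentrator_entries)
    cli_swapped = {(out_spi, in_spi) for in_spi, out_spi in spi_pairs(client_entries)}
    return conc & cli_swapped, conc - cli_swapped, cli_swapped - conc


if __name__ == "__main__":
    conc, cli = parse_log(CONCENTRATOR_LOG), parse_log(HW_CLIENT_LOG)
    print("DPD disconnects:", dpd_disconnects(conc))
    matched, conc_only, cli_only = mirror_spis(conc, cli)
    print("matched SA pairs:", [tuple(map(hex, p)) for p in matched])
    print("concentrator-only:", conc_only, "client-only:", cli_only)
```

On the two excerpts the script reports one DPD disconnect for user smith (duration 1:32:49, AUTH/28 reason still "User Requested") and two SA pairs that match once swapped, with nothing left over on either side. A pair that appears on only one side is the quick way to spot that the two logs you are comparing belong to different sessions, or that one peer never finished Phase 2.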

Cisco Easy VPN Client

In this section, you review information specific to the Cisco Easy VPN client. Similar to the VPN 3002 HW client, an Easy VPN client can be configured to operate in Client or Network Extension mode. However, configuring and troubleshooting an Easy VPN client presents its own unique challenges that you review in this section. In particular, you learn about the following:

  • Restrictions and limitations

  • Troubleshooting the Cisco Easy VPN client

Restrictions and Limitations of the Cisco Easy VPN Client

Features are constantly being implemented in the Cisco Easy VPN client. At the time this book was written, the Easy VPN client did not yet support NAT transparency (UDP/TCP encapsulation). Additional restrictions and limitations are outlined in Table 21-8. Some are similar to the Cisco VPN Unity client and some are specific to the Cisco Easy VPN client. For the most recent list of restrictions and limitations, consult www.cisco.com.

Table 21-8. Cisco Easy VPN Client Selected Restrictions and Limitations for an 806 Router Running IOS v12.2(4)YA

(Columns: Restriction; Requirement; Corrective Action)

Host

  • Restriction: Cisco Easy VPN Client does not support perfect forward secrecy (PFS).
    Requirement: Disable PFS option.
    Corrective Action: On core concentrator, disable PFS option through Configuration, Policy Management, Traffic Management, Security Associations.

  • Restriction: Cisco Easy VPN client uses an SA that does not exist in the default configuration of the VPN 3000 concentrator series running v3.5.
    Requirement: Cisco Easy VPN uses a form of the ESP/IKE-3DES-MD5 SA on the VPN 3000 concentrator that is modified to use the IKE proposal CiscoVPNClient-3DES-MD5.
    Corrective Action: Copy the ESP/IKE-3DES-MD5 SA and change the IKE proposal to CiscoVPNClient-3DES-MD5 in the Configuration, Policy Management, Traffic Management, Security Associations menu.

  • Restriction: Manual NAT/PAT configuration is not permitted.
    Requirement: Do not configure NAT/PAT on any interface when using the Cisco Easy VPN client.
    Corrective Action: Remove any manual NAT/PAT configuration on the router.

  • Restriction: Digital Certificates are not supported in the release 12.2(4)YA.
    Requirement: Cannot use digital certificates.
    Corrective Action: Do not use digital certificates for authentication.

  • Restriction: Supports only Group 2 ISAKMP policy (1024 bit Diffie-Hellman (DH) IKE negotiation).
    Requirement: Is not compatible with ISAKMP Group 1 policies.
    Corrective Action: Configure the core concentrator IKE proposal to use only Group 2 policies (the default for most preconfigured IKE proposals). Select Configuration, System, Tunneling Protocols, IPSEC, IKE Proposals.

  • Restriction: Cisco Easy VPN client does not support the transform sets that provide encryption without authentication.
    Requirement: The intended transform set for Cisco Easy VPN clients must include both encryption and authentication.
    Corrective Action: Confirm that the selected transform set supports both encryption and authentication. Do not use preconfigured transform sets that do not provide authentication (ESP-DES and ESP-3DES), or transform sets that do not provide encryption (ESP-NULL, ESP-SHA-HMAC, and ESP-MD5-HMAC).

  • Restriction: Cannot host real-time collaboration application sessions.
    Requirement: The Cisco Easy VPN client does not permit hosting of real-time collaboration sessions for some applications such as MS NetMeeting.
    Corrective Action: The workaround is to host the session from a user on the corporate intranet and require VPN clients to connect to it, or select a data collaboration application that supports the Easy VPN client.


Troubleshooting the Cisco Easy VPN Client

Because Easy VPN is a Cisco IOS feature, one of the most effective ways to troubleshoot the Cisco Easy VPN client is with the show and debug commands. The commands in the following list are specific to the Cisco Easy VPN client and cover both the establishment of the IPSec VPN tunnel and the transmission and reception of data through it. You can run them from the console or from a Telnet (or SSH, if configured) session into the router:

  • The show crypto ipsec client ezvpn command displays the status of the Easy VPN client, as shown in Example 21-8 and Example 21-9.

  • The debug crypto ezvpn command enables debugging of the Cisco Easy VPN client.

  • The clear crypto ipsec client ezvpn command resets the VPN connection, as shown in Example 21-10. However, if you have enabled debugging, you might prefer to use the clear crypto sa and clear crypto isakmp commands.

  • The debug crypto ipsec and debug crypto isakmp commands enable debugging of the IPSec and IKE key events. The output of debug crypto isakmp is shown in Example 21-11.

  • The show crypto engine connections active command displays the active IPSec VPN connections.

A suggested troubleshooting checklist for the Easy VPN client is presented in Table 21-9.

Table 21-9. Initial Troubleshooting Checklist for the Cisco Easy VPN Client

(Columns: Issue; Possible Source; Corrective Action)

Issue 1. Cannot establish a VPN IPSec tunnel between the Cisco Easy VPN client and the core VPN 3000 concentrator.

  • Possible Source a: Cisco Easy VPN client router does not have Internet connectivity.
    Corrective Action: Run show ip interface brief to verify that the router has IP addresses on both the inside and outside (public) interfaces, as shown in Example 21-7. If applicable, verify the PPPoE configuration (see the section, "ADSL"). Check the DHCP client configuration for the outside interface (if appropriate). Confirm that you can ping Internet hosts such as www.cisco.com.

  • Possible Source b: Cisco Easy VPN client is not active.
    Corrective Action: Run show crypto ipsec client ezvpn to verify whether the Cisco Easy VPN client is active, as in Example 21-8. If inactive, run crypto ipsec client ezvpn <name> to verify the output, as shown in Example 21-9. Run debug crypto ipsec client ezvpn and then clear the active IPSec tunnel using the command clear crypto ipsec client ezvpn, as shown in Example 21-10. Run a second debug, debug crypto isakmp, and then start a tunnel, as shown in Example 21-11. Identify the source of the error from the output and correct accordingly.

  • Possible Source c: Core VPN 3000 concentrator authentication parameter is not set to NONE.
    Corrective Action: Verify that authentication is set to none under the Configuration, User Management, Base Group, IPSec menu, and in Configuration, User Management, Groups, specific group, IPSec.

Issue 2. Data is not transmitted/received by the hosts connected to the inside (private) interface of the router running the Cisco Easy VPN client.

  • Possible Source a: IPSec VPN tunnel has been terminated.
    Corrective Action: Verify that the VPN IPSec tunnel is established using show crypto ipsec client ezvpn.

  • Possible Source b: NAT and the access-list configuration on the Cisco Easy VPN client router are invalid. NAT might have been manually configured on the router prior to establishment of the VPN IPSec tunnel.
    Corrective Action: Verify that NAT is not configured under the interfaces by using show running-config, and by identifying if ip nat inside or ip nat outside is configured.

  • Possible Source c: The DHCP pool is not configured correctly.
    Corrective Action: Verify the DHCP pool configuration on the router or server for hosts on the inside interface.


Example 21-7. Output of show ip interface brief Command
Router-EzVPN#show ip interface brief
Interface       IP-Address       OK? Method      Status   Protocol
Ethernet0       10.1.1.1         YES NVRAM       up       up
Ethernet1       66.127.241.85    YES NVRAM       up       up
! Ethernet1 is the Public interface.
! The address 66.127.241.85 has been assigned by the ISP.

Example 21-8. Output of show crypto ipsec client ezvpn Command for an Inactive Client
! Inactive EzVPN client
Router-EzVPN#show crypto ipsec client ezvpn
Current State: XAUTH_REQ
! Client requests XAUTH response in current state
Last Event: XAUTH_REQUEST
Router-EzVPN#

Example 21-9. Output of show crypto ipsec client ezvpn Command for an Active Easy VPN Client Configured for Client Mode
Router-EzVPN#show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.25.250.1
! The IP address obtained from the address pool on the terminating concentrator
Mask: 255.255.255.255
! The subnet mask obtained from the pool, defined in the server configuration.
DNS Primary: 192.168.226.120
DNS Secondary: 192.168.168.183
! The primary and secondary DNS servers defined for the group on the
! concentrator terminating the VPN tunnel
NBMS/WINS Primary: 192.168.2.87
NBMS/WINS Secondary: 192.168.235.228
! The primary and secondary WINS servers defined for the group on the
! concentrator terminating the VPN tunnel
Default Domain: cisco.com

Example 21-10. Output of clear crypto ipsec client ezvpn Command
Router-EzVPN#clear crypto ipsec client ezvpn
Router-EzVPN#
00:09:25: EZVPN: Current State: IPSEC_ACTIVE
00:09:25: EZVPN: Event: RESET
00:09:25: ezvpn_reconnect_request
00:09:25: ezvpn_close
00:09:25: ezvpn_connect_request
00:09:25: EZVPN: New State: READY
00:09:26: EZVPN: Current State: READY
00:09:26: EZVPN: Event: XAUTH_REQUEST
00:09:26: ezvpn_xauth_request
00:09:26: ezvpn_parse_xauth_msg
00:09:26: EZVPN: Attributes sent in xauth request message:
00:09:26:         XAUTH_TYPE_V2: 0
00:09:26:         XAUTH_USER_NAME_V2:
00:09:26:         XAUTH_USER_PASSWORD_V2:
00:09:26:         XAUTH_MESSAGE_V2 <Enter Username and Password.>
00:09:26: EZVPN: New State: XAUTH_REQ
00:09:27: EZVPN: Pending XAuth Request, Please enter the following command:
00:09:27: EZVPN: crypto ipsec client ezvpn xauth

Example 21-11. Output from an 8xx Router Running 12.2(4)YA, Configured as an Easy VPN Client, with debug crypto isakmp When Attempting to Establish an IPSec VPN Tunnel
Router-EzVPN#debug crypto isakmp
Router-EzVPN#crypto ipsec client ezvpn xauth
Enter Username and Password.: login_name
Password: password.
! The user provides the login name and password
Router-EzVPN#
00:12:48:         xauth-type: 0
00:12:48:         username: login_name
00:12:48:         password: <omitted>
00:12:48:         message <Enter Username and Password.>
00:12:48: ISAKMP (0:7): responding to peer config from 192.168.192.81. ID = -252864948
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP (0:7): deleting node -252864948 error FALSE reason "done with xauth request/reply exchange"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP: set new node 1465183127 to CONF_XAUTH
! The server confirms the login name and password
! Authentication is successful
00:12:48: ISAKMP (0:7): processing transaction payload from 192.168.192.81. message ID = 1465183127
00:12:48: ISAKMP: Config payload SET
00:12:48: ISAKMP (0:7): Xauth process set, status = 1
00:12:48: ISAKMP (0:7): checking SET:
00:12:48: ISAKMP:    XAUTH_STATUS_V2 XAUTH-OK
00:12:48: ISAKMP (0:7): attributes sent in message:
00:12:48:         Status: 1
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP (0:7): deleting node 1465183127 error FALSE reason ""
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE
! IKE phase one completed successfully.
00:12:48: ISAKMP (0:7): Need config/address
00:12:48: ISAKMP (0:7): Need config/address
00:12:48: ISAKMP: set new node 1868961837 to CONF_ADDR
00:12:48: ISAKMP (0:7): initiating peer config to 192.168.192.81. ID = 1868961837
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) CONF_ADDR
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT
! The end user receives a configuration from the server.
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) CONF_ADDR
00:12:48: ISAKMP (0:7): processing transaction payload from 192.168.192.81. message ID = 1868961837
00:12:48: ISAKMP: Config payload REPLY
00:12:48: ISAKMP(0:7) process config reply
00:12:48: ISAKMP (0:7): deleting node 1868961837 error FALSE reason "done with transaction"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE
! Request for configuration mode sent.
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
00:12:48: ISAKMP: received ke message (1/4)
00:12:48: ISAKMP: set new node 0 to QM_IDLE
00:12:48: ISAKMP (0:7): sitting IDLE. Starting QM immediately (QM_IDLE      )
00:12:48: ISAKMP (0:7): beginning Quick Mode exchange, M-ID of 85557524
! Quick mode begins.
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) QM_IDLE
! Quick mode exchange
00:12:48: ISAKMP (0:7): processing HASH payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing SA payload. message ID = 85557524
00:12:48: ISAKMP (0:7): Checking IPSec proposal 1
! IPSec proposal 1 sent.
00:12:48: ISAKMP: transform 1, ESP_3DES
00:12:48: ISAKMP:   attributes in transform:
00:12:48: ISAKMP:      SA life type in seconds
00:12:48: ISAKMP:      SA life duration (basic) of 3600
00:12:48: ISAKMP:      SA life type in kilobytes
00:12:48: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:12:48: ISAKMP:      encaps is 1
00:12:48: ISAKMP:      authenticator is HMAC-MD5
00:12:48: ISAKMP (0:7): atts are acceptable.
00:12:48: ISAKMP (0:7): processing NONCE payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing ID payload. message ID = 85557524
00:12:48: ISAKMP (0:7): processing ID payload. message ID = 85557524
00:12:48: ISAKMP (0:7): Creating IPSec Sas
! Creating the security association, which includes the IP addresses,
! the protocol (ESP or AH), and SPI.
00:12:48:         inbound SA from 192.168.192.81 to 66.127.241.85
! The public IP address
        (proxy 0.0.0.0 to 10.31.17.129)
00:12:48:         has spi 0x9608BACF and conn_id 2000 and flags 4
00:12:48:         lifetime of 3600 seconds
00:12:48:         lifetime of 4608000 kilobytes
00:12:48:         outbound SA from 66.127.241.85 to 192.168.192.81 (proxy 10.31.17.129 to 0.0.0.0)
00:12:48:         has spi 703036318 and conn_id 2001 and flags C
00:12:48:         lifetime of 3600 seconds
00:12:48:         lifetime of 4608000 kilobytes
00:12:48: ISAKMP (0:7): sending packet to 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP (0:7): deleting node 85557524 error FALSE reason ""
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
! ISAKMP phase 2 complete and the parameters are negotiated.
00:12:48: ISAKMP: received ke message (4/1)
00:12:48: ISAKMP: Locking CONFIG struct 0x80F93638 for crypto_ikmp_config_handle_kei_mess, count 3
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) QM_IDLE
00:12:48: ISAKMP: set new node 1502656406 to QM_IDLE
00:12:48: ISAKMP (0:7): processing HASH payload. message ID = 1502656406
00:12:48: ISAKMP (0:7): processing NOTIFY unknown protocol 1
        spi 0, message ID = 1502656406, sa = 80EB31E8
00:12:48: ISAKMP (0:7): deleting node 1502656406 error FALSE reason "informational (in) state 1"
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
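Table 21-9 (item 1b) leaves it to you to find the failing step in output like Example 21-11. One systematic way to do that is to replay the Old State/New State transitions that debug crypto isakmp prints and see how far the negotiation got before it stopped. The Python below is an added example, not code from this book or from Cisco IOS: the debug excerpt it parses is constructed from Example 21-11, and parse_transitions, negotiation_status and stall_hint are the example's own names. The hints map the furthest state reached back to the checklist items in Table 21-8 and Table 21-9.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the format of Example 21-11 ("debug crypto isakmp" on the
# Easy VPN client router), trimmed to the Input/state lines the parser reads.
SAMPLE_DEBUG = """\
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
Old State = IKE_XAUTH_REPLY_AWAIT  New State = IKE_XAUTH_REPLY_SENT
00:12:48: ISAKMP (0:7): received packet from 192.168.192.81 (I) CONF_XAUTH
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_SET
Old State = IKE_XAUTH_REPLY_SENT  New State = IKE_P1_COMPLETE
00:12:48: ISAKMP (0:7): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT
00:12:48: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:12:48: ISAKMP (0:7): Node 85557524, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

INPUT_LINE = re.compile(r"ISAKMP \(\d+:\d+\):(?: Node \d+,)? Input = \S+, (\S+)")
STATE_LINE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

Transition = Tuple[str, str, str]  # (input event, old state, new state)


def parse_transitions(debug: str) -> List[Transition]:
    """IOS prints the 'Input = ...' line and then the 'Old State ... New State'
    line; pair them in order so the negotiation can be replayed as a state machine."""
    transitions: List[Transition] = []
    pending_event: Optional[str] = None
    for line in debug.splitlines():
        m = INPUT_LINE.search(line)
        if m:
            pending_event = m.group(1)
            continue
        m = STATE_LINE.search(line)
        if m:
            transitions.append((pending_event or "?", m.group(1), m.group(2)))
            pending_event = None
    return transitions


def negotiation_status(transitions: List[Transition]) -> Dict[str, object]:
    """Furthest state reached, plus whether the two IKE phases completed."""
    reached = [new for _, _, new in transitions]
    return {
        "last_state": reached[-1] if reached else None,
        "phase1": "IKE_P1_COMPLETE" in reached,
        "phase2": "IKE_QM_PHASE2_COMPLETE" in reached,
    }


def stall_hint(status: Dict[str, object]) -> str:
    """Map the furthest state reached to the checklist item to look at next."""
    if status["phase2"]:
        return "negotiation completed: IPSec SAs were created"
    last = str(status["last_state"] or "")
    if not status["phase1"]:
        if last.startswith("IKE_XAUTH"):
            return ("stalled in XAUTH: the client is waiting for credentials "
                    "(crypto ipsec client ezvpn xauth, Example 21-10)")
        return ("stalled before phase 1 completed: check the IKE proposal (Group 2 only, "
                "Table 21-8) and the group authentication setting (Table 21-9, item 1c)")
    return ("phase 1 completed but no IPSec SA: check that the transform set provides "
            "both encryption and authentication and that PFS is disabled (Table 21-8)")
```

Feed the function the complete debug capture rather than an excerpt; because only the Input and Old State/New State lines are matched, the remaining debug lines are ignored and the last transition in the list is where the negotiation stopped.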

In addition to the steps outlined in Table 21-9 for troubleshooting connectivity issues, you might find the following commands useful for monitoring the Cisco Easy VPN environment:

  • To verify the applied policy, use show crypto isakmp policy (see Example 21-12).

  • To check the ISAKMP security association, use show crypto isakmp sa (see Example 21-13).

  • To check the status of the Cisco Easy VPN client profile, use show crypto ipsec profile (see Example 21-14).

  • To check the status of the IPSec SA, use show crypto ipsec sa (see Example 21-15).

  • To check the status of the crypto engine connections, use show crypto engine connections active (see Example 21-16).

Example 21-12. Output of show crypto isakmp policy Command
Router-EzVPN#show crypto isakmp policy
Protection suite of priority 65527
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               65535 seconds, no volume limit
<output omitted>
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
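The Group 2 and certificate restrictions in Table 21-8 can be checked mechanically against the protection suites that show crypto isakmp policy prints, which is useful when a router carries several policies and only some of them are usable by the Easy VPN client. The Python below is an added example, not code from this book or from Cisco: it parses output in the layout of Example 21-12 (the sample text is constructed from that example) and lists the suites an Easy VPN client running 12.2(4)YA could negotiate. IsakmpSuite, parse_isakmp_policy, easy_vpn_problems and usable_suites are the example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of Example 21-12 ("show crypto isakmp policy").
SAMPLE_POLICY_OUTPUT = """\
Router-EzVPN#show crypto isakmp policy
Protection suite of priority 65527
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               65535 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


@dataclass
class IsakmpSuite:
    name: str
    encryption: str = ""
    hash: str = ""
    authentication: str = ""
    dh_group: Optional[int] = None
    lifetime_seconds: Optional[int] = None


SUITE_HEADER = re.compile(r"^(Protection suite of priority \d+|Default protection suite)\s*$")
FIELD = re.compile(r"^\s+([A-Za-z\- ]+?):\s*(.*)$")  # indented "key:   value" lines


def parse_isakmp_policy(text: str) -> List[IsakmpSuite]:
    """Turn the indented key/value blocks into one IsakmpSuite per protection suite."""
    suites: List[IsakmpSuite] = []
    for line in text.splitlines():
        header = SUITE_HEADER.match(line)
        if header:
            suites.append(IsakmpSuite(name=header.group(1)))
            continue
        field = FIELD.match(line)
        if not suites or not field:
            continue  # the prompt line, or text outside a suite block
        key, value = field.group(1).strip().lower(), field.group(2).strip()
        suite = suites[-1]
        if key == "encryption algorithm":
            suite.encryption = value
        elif key == "hash algorithm":
            suite.hash = value
        elif key == "authentication method":
            suite.authentication = value
        elif key == "diffie-hellman group":
            g = re.match(r"#(\d+)", value)
            suite.dh_group = int(g.group(1)) if g else None
        elif key == "lifetime":
            s = re.match(r"(\d+) seconds", value)
            suite.lifetime_seconds = int(s.group(1)) if s else None
    return suites


def easy_vpn_problems(suite: IsakmpSuite) -> List[str]:
    """Table 21-8 restrictions the suite violates; an empty list means it is usable."""
    problems = []
    if suite.dh_group != 2:
        problems.append(f"Diffie-Hellman group {suite.dh_group}: only Group 2 (1024 bit) is supported")
    if "signature" in suite.authentication.lower():
        problems.append("certificate (RSA signature) authentication is not supported in 12.2(4)YA")
    return problems


def usable_suites(text: str) -> List[str]:
    """Names of the protection suites an Easy VPN client could negotiate."""
    return [s.name for s in parse_isakmp_policy(text) if not easy_vpn_problems(s)]
```

In the sample, only the suite of priority 65527 survives; the default protection suite fails on both counts (768-bit Group 1 and RSA signature authentication), which is exactly why Table 21-8 tells you to make sure only Group 2 proposals are offered.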

Example 21-13. Output of show crypto isakmp sa Command
Router-EzVPN#show crypto isakmp sa
dst              src               state           conn-id    slot
192.168.192.81   66.127.241.85     QM_IDLE         7          0

Example 21-14. Output of show crypto ipsec profile Command
Router-EzVPN#show crypto ipsec profile
IPSEC profile ezvpn-profile
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ezvpn-profile-autoconfig-transform-0,
                ezvpn-profile-autoconfig-transform-1,
                ezvpn-profile-autoconfig-transform-2,
                ezvpn-profile-autoconfig-transform-3,
        }

Example 21-15. Output of show crypto ipsec sa Command
Router-EzVPN#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. 66.127.241.85

   local  ident (addr/mask/prot/port): (192.168.192.81/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 66.127.241.85, remote crypto endpt.: 192.168.192.81
     path mtu 1500, media mtu 1500
     current outbound spi: 36B6AD4B

     inbound esp sas:
! Inbound direction of ESP Security Association
      spi: 0x74FBAEB0(1962651312)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3374)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
! The client is not running the AH protocol, so it is empty

     inbound pcp sas:
! The client is not running PCP, so it is empty

     outbound esp sas:
! Outbound direction of ESP SA
      spi: 0x36B6AD4B(917941579)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/3374)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Example 21-16. Output of show crypto engine connections active Command
Router-EzVPN#show crypto engine connections active
ID   Interface       IP-Address     State  Algorithm            Encrypt  Decrypt
22   Ethernet1       66.127.241.85  set    HMAC_MD5+3DES_56_C   0        0
2000 Ethernet1       66.127.241.85  set    HMAC_MD5+3DES_56_C   0        0
2001 Ethernet1       66.127.241.85  set    HMAC_MD5+3DES_56_C   0        0

Cisco PIX VPN Client

Starting with v6.2, the PIX 501 and 506 can be configured as VPN clients. These platforms can be configured in Client or Network Extension mode, and perform similarly to the Cisco VPN 3002 HW client.

Restrictions and Limitations

The PIX 501 and 506, when configured as VPN clients, share the same restrictions as the VPN 3002 HW client, such as the lack of support for multicast traffic and IP telephony when configured in Client mode. At the time this was written, a notable limitation was the lack of support for NAT transparency. However, most of these limitations might be addressed by the time this book is available. For the latest feature status, consult www.cisco.com.

Verifying and Troubleshooting the VPN Connection

Assuming that you have correctly configured your PIX 501 or 506 to provide Internet connectivity, you can verify the VPN client configuration with the show vpnclient command. The results are shown in Example 21-17. All examples in this section were created on a PIX 501 running v6.2 of the PIX operating system.

Example 21-17. Output of show vpnclient Command on PIX
pix#show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
vpnclient username smith password ********
vpnclient server 192.168.192.81
! Core device terminating the VPN tunnel.
vpnclient mode client-mode
! PIX can be configured in Client or Network Extension mode.
vpnclient enable

At this point, the VPN tunnel is not established. You should be able to bring it up by pinging a device on the internal network at the other end of the tunnel. The first few pings might fail, but a tunnel should be established. The tunnel information can be viewed with the following commands:

  • show vpnclient (see Example 21-18)

  • show crypto ipsec sa (see Example 21-19)

  • show crypto isakmp sa (see Example 21-20)

If the tunnel is not established, no Downloaded Dynamic Policy parameters are shown, and no ESP SA or security parameter index (SPI) is established. At that point, if you have confirmed the PIX configuration and Internet connectivity, you might want to clear the VPN client information by using the clear vpnclient command in global configuration mode. Then, re-enter the VPN client configuration information.

Example 21-18. Output from show vpnclient Command on PIX Configured as a VPN Client after Establishing a VPN Tunnel
pix#show vpnclient
Local Configuration
vpnclient vpngroup pix password ********
! pix was the entered groupname
vpnclient username smith password ********
! smith was the entered username
vpnclient server 192.168.192.81
vpnclient mode network-extension-mode
vpnclient enable

Downloaded Dynamic Policy
Current Server : 192.168.192.81
Primary DNS    : 192.168.226.120
Secondary DNS  : 192.168.168.183
Primary WINS   : 192.168.2.87
Secondary WINS : 192.168.235.228
Default Domain : cisco.com
PFS Enabled    : No
Split DNS      : cisco.com_

Example 21-19. Output from show crypto ipsec sa Command After Establishment of VPN Tunnel
pix#show crypto ipsec sa

interface: outside
    Crypto map tag: _vpnc_cm, local addr. 12.235.95.31
! 12.235.95.31 is the IP address of outside interface of the PIX

   local  ident (addr/mask/prot/port): (10.25.250.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
! 192.168.192.81 is IP address of the core VPN terminating device
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 101, #pkts encrypt: 101, #pkts digest 101
! Number of packets encrypted
    #pkts decaps: 140, #pkts decrypt: 140, #pkts verify 140
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 12.235.95.31, remote crypto endpt.: 192.168.192.81
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 321e317b
! SPI has been created

     inbound esp sas:
      spi: 0xb84c8c89(3092024457)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607889/28424)
        IV size: 8 bytes
        replay detection support: Y
! Inbound SA has been created with the esp protocol using
! 3DES encryption, md5 hash

     inbound ah sas:
! Authentication Header (AH) was not an option on the core device
! terminating the VPN connection

     inbound pcp sas:
! Payload Compression Protocol (pcp) was not an option on the core device
! terminating the VPN tunnel

     outbound esp sas:
      spi: 0x321e317b(840839547)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4607995/28419)
        IV size: 8 bytes
        replay detection support: Y
! Outbound esp SAs

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (12.235.95.31/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 192.168.192.81
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 12.235.95.31, remote crypto endpt.: 192.168.192.81
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 76accd0d

     inbound esp sas:
      spi: 0x948b4d0c(2492157196)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28706)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x76accd0d(1991036173)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: _vpnc_cm
        sa timing: remaining key lifetime (k/sec): (4608000/28706)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Example 21-20. Output from show crypto isakmp sa Command After Establishing VPN Tunnel
pix#show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src          state       pending    created
    192.168.192.81   12.235.95.31     QM_IDLE         0           2
! If the VPN tunnel had not been established then the created
! entry would have been zero.

Example 21-21 shows the log from a VPN 3000 series concentrator for the establishment of the VPN tunnel illustrated in the previous two examples. This again shows how the troubleshooting engineer can analyze the same negotiation from the other end of the tunnel.

Example 21-21. Log from a VPN 3000 Series Concentrator for a PIX Client
13160 07/17/2002 08:13:50.200 SEV=4 IKE/52 RPT=4625 12.235.95.31
Group [pix] User [smith]
User (smith) authenticated.

13161 07/17/2002 08:13:51.690 SEV=4 AUTH/22 RPT=4826
User smith connected

13162 07/17/2002 08:13:51.690 SEV=4 IKE/119 RPT=16260 12.235.95.31
Group [pix] User [smith]
PHASE 1 COMPLETED

13164 07/17/2002 08:13:51.690 SEV=5 IKE/25 RPT=39847 12.235.95.31
Group [pix] User [smith]
Received remote Proxy Host data in ID Payload:
Address 10.25.250.1, Protocol 0, Port 0

13167 07/17/2002 08:13:51.690 SEV=5 IKE/34 RPT=47957 12.235.95.31
Group [pix] User [smith]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

13170 07/17/2002 08:13:51.690 SEV=5 IKE/66 RPT=21557 12.235.95.31
Group [pix] User [smith]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

13171 07/17/2002 08:13:51.710 SEV=4 IKE/49 RPT=21627 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x321e317b, Outbound SPI = 0xb84c8c89
! The Inbound and Outbound SPI are reversed compared
! to the log from PIX client.

13174 07/17/2002 08:13:51.710 SEV=4 IKE/120 RPT=21627 12.235.95.31
Group [pix] User [smith]
PHASE 2 COMPLETED (msgid=e367589c)

13181 07/17/2002 08:13:55.270 SEV=5 IKE/25 RPT=39848 12.235.95.31
Group [pix] User [smith]
Received remote Proxy Host data in ID Payload:
Address 12.235.95.31, Protocol 0, Port 0

13184 07/17/2002 08:13:55.270 SEV=5 IKE/34 RPT=47958 12.235.95.31
Group [pix] User [smith]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

13187 07/17/2002 08:13:55.270 SEV=5 IKE/66 RPT=21558 12.235.95.31
Group [pix] User [smith]
IKE Remote Peer configured for SA: ESP/IKE-3DES-MD5

13188 07/17/2002 08:13:55.290 SEV=4 IKE/49 RPT=21628 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x76accd0d, Outbound SPI = 0x948b4d0c
! Again, the SPIs identifying the IPSec SAs are reversed on the PIX client.

13191 07/17/2002 08:13:55.290 SEV=4 IKE/120 RPT=21628 12.235.95.31
Group [pix] User [smith]
PHASE 2 COMPLETED (msgid=3be10994)
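The comments in Example 21-21 point out that the SPIs in the concentrator log are the mirror image of those in the client's show crypto ipsec sa output (Examples 21-15 and 21-19), and Table 21-9 (issue 2) asks whether data is actually crossing a tunnel that is up. Both checks can be done from captured output. The Python below is an added example, not code from this book or from Cisco: it parses the per-flow packet counters and SPIs from show crypto ipsec sa output (the sample is constructed from Example 21-19; the IOS output in Example 21-15 uses the same per-flow lines), applies the issue 2 checks to each flow, and confirms each flow against the Inbound/Outbound SPI lines of a VPN 3000 log (sample constructed from Example 21-21). IpsecFlow, parse_ipsec_sa, diagnose_flow, concentrator_spi_pairs and correlate are the example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the layout of Example 21-19 (PIX "show crypto ipsec sa"),
# trimmed to the lines the parser reads; the IOS output in Example 21-15 prints
# the same per-flow lines, so the parser applies to the Easy VPN router as well.
SAMPLE_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (10.25.250.1/255.255.255.255/0/0)
    #pkts encaps: 101, #pkts encrypt: 101, #pkts digest 101
    #pkts decaps: 140, #pkts decrypt: 140, #pkts verify 140
    #send errors 1, #recv errors 0
     current outbound spi: 321e317b
     inbound esp sas:
      spi: 0xb84c8c89(3092024457)
     inbound ah sas:
     outbound esp sas:
      spi: 0x321e317b(840839547)
   local  ident (addr/mask/prot/port): (12.235.95.31/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0x948b4d0c(2492157196)
     outbound esp sas:
      spi: 0x76accd0d(1991036173)
"""

# Constructed excerpt in the layout of Example 21-21 (VPN 3000 event log).
SAMPLE_CONCENTRATOR_LOG = """\
13171 07/17/2002 08:13:51.710 SEV=4 IKE/49 RPT=21627 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x321e317b, Outbound SPI = 0xb84c8c89
13188 07/17/2002 08:13:55.290 SEV=4 IKE/49 RPT=21628 12.235.95.31
Group [pix] User [smith]
Security negotiation complete for User (smith)
Responder, Inbound SPI = 0x76accd0d, Outbound SPI = 0x948b4d0c
"""


@dataclass
class IpsecFlow:
    local_ident: str
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    inbound_spi: Optional[int] = None
    outbound_spi: Optional[int] = None


def parse_ipsec_sa(text: str) -> List[IpsecFlow]:
    """One IpsecFlow per 'local ident' block; SPIs are read from the esp sas sections."""
    flows: List[IpsecFlow] = []
    section = None  # "inbound" or "outbound" while inside an "esp sas:" block
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the variable CLI indentation
        if line.startswith("local ident"):
            flows.append(IpsecFlow(local_ident=line.split(": ", 1)[1]))
            section = None
            continue
        if not flows:
            continue  # header lines before the first flow
        f = flows[-1]
        if line.startswith("#pkts encaps:"):
            f.encaps = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            f.decaps = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            f.send_errors = int(re.search(r"send errors (\d+)", line).group(1))
        elif line.endswith("esp sas:"):
            section = "inbound" if line.startswith("inbound") else "outbound"
        elif line.endswith("sas:"):
            section = None  # ah/pcp sections are empty for these clients
        elif section and line.startswith("spi:"):
            setattr(f, f"{section}_spi", int(line.split()[1].split("(")[0], 16))
    return flows


def diagnose_flow(f: IpsecFlow) -> List[str]:
    """Table 21-9, issue 2: is the SA pair up, and is data actually crossing it?"""
    if f.inbound_spi is None or f.outbound_spi is None:
        return ["no ESP SA pair: tunnel not established"]
    findings = []
    if f.encaps == 0 and f.decaps == 0:
        findings.append("SA up but no packets either way: check NAT/PAT and the inside DHCP pool")
    elif f.encaps == 0 or f.decaps == 0:
        findings.append(f"one-way traffic: encaps={f.encaps} decaps={f.decaps}")
    if f.send_errors:
        findings.append(f"{f.send_errors} send error(s)")
    return findings


def concentrator_spi_pairs(log: str) -> List[Tuple[int, int]]:
    """(inbound, outbound) SPI pairs as the VPN 3000 concentrator reports them."""
    pat = re.compile(r"Inbound SPI = 0x([0-9a-fA-F]+), Outbound SPI = 0x([0-9a-fA-F]+)")
    return [(int(m.group(1), 16), int(m.group(2), 16)) for m in pat.finditer(log)]


def correlate(flows: List[IpsecFlow], pairs: List[Tuple[int, int]]) -> List[bool]:
    """True where a flow's SPIs appear mirrored in the headend log: the client's
    outbound SPI is the concentrator's inbound SPI and vice versa (Example 21-21)."""
    mirrored = {(outb, inb) for inb, outb in pairs}
    return [(f.inbound_spi, f.outbound_spi) in mirrored for f in flows]
```

On the sample, the first flow (the 10.25.250.1 host address) is confirmed at the headend and carries traffic, with only the single send error to note; the second flow (the outside address itself) is also confirmed at the headend but has never carried a packet, which is the situation Table 21-9, issue 2, is written for. A flow whose SPIs do not appear in the concentrator log at all is one the headend has already torn down, so the client should be reset as the checklist describes.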

Two debug commands that can provide detailed information during the negotiation of the VPN tunnels are the following:

  • debug crypto ipsec sa

  • debug crypto isakmp sa

Example 21-22 shows the output on the PIX 501 when these debugs are enabled before the VPN tunnel negotiation. By checking this output, you can observe whether something fails during the tunnel negotiation process.

Example 21-22. Output on PIX After Implementing debug crypto ipsec sa and debug crypto isakmp sa and Enabling a VPN Client
pix# debug crypto ipsec
pix# debug crypto isakmp
pix# show debug
debug crypto ipsec 1
debug crypto isakmp 1
pix#config terminal
pix(config)# vpnclient vpngroup pix password abcd
pix(config)# vpnclient server 192.168.192.81
pix(config)# vpnclient mode network
pix(config)# vpnclient username smith password efghij
pix(config)# vpnclient enable
! After this group of configuration commands, you can see the following events:
pix(config)#
VPNC CFG: transform set unconfig attempt done
VPNC CLI: no isakmp keepalive 10
VPNC CFG: IKE unconfig successful
VPNC CLI: no crypto map _vpnc_cm
VPNC CFG: crypto map deletion attempt done
VPNC CFG: crypto unconfig successful
VPNC CLI: no global 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: no crypto map _vpnc_cm interface outside
        ALT_DEF_DOMAIN
        INTERNAL_IPV_NBNS
        INTERNAL_IPV_DNS
        ALT_SPLIT_INCLUDE
        ALT_SPLITDNS_NAME
        ALT_PFS
VPNC CFG: crypto map de/attach failed
VPNC CLI: no sysopt connection permit-ipsec
VPNC CLI: sysopt connection permit-ipsec
VPNC CFG: transform sets configured
VPNC CFG: crypto config successful
VPNC CLI: isakmp keepalive 10
VPNC CFG: IKE config successful
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: access-list _vpnc_acl permit ip host 12.235.95.31 host 192.168.192.81
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPN Peer: ISAKMP: Added new peer: ip:192.168.192.81 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:192.168.192.81 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        protocol     : 17
        port         : 500
        length       : 7
ISAKMP (0): Total payload length: 11
ISAKMP (0): beginning Aggressive Mode exchange
VPNC INF: Request for IKE trigger done
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65010 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
! Lifetime duration of the ISAKMP SA in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65020 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
ISAKMP: Config payload CFG_SET
ISAKMP (0:0): checking SET:
ISAKMP:    XAUTH_STATUS
ISAKMP (0:0): attributes sent in message:
        Status: 1
return status is IKMP_NO_ERROR
VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
ISAKMP : attributes being requested
ISAKMP (0:0): initiating peer config to 192.168.192.81. ID = 3931692763 (0xea58dedb)
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 192.168.192.81. message ID = 2158353436
ISAKMP: Config payload CFG_REPLY
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.226.120
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.168.183
VPNC ATTR: INTERNAL_IP4_NBNS: 192.168.2.87
VPNC ATTR: INTERNAL_IP4_NBNS: 192.168.235.228
VPNC ATTR: ALT_DEF_DOMAIN: cisco.com
VPNC ATTR: ALT_SPLITDNS_NAME
        cisco.com_
VPNC ATTR: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc./VPN 3000 Concentrator Version 3.5.2.Rel built by vmurphy on Feb 14 2002 12:10:21
! Version information of VPN 3000 Concentrator terminating the IPSec tunnel
VPNC CLI: no
VPNC INF: IPSec rmt mgmt trigger done
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1015758940:3c8b405c
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x689d0b46(1755122502) for SA
        from   192.168.192.81 to    12.235.95.31 for prot 3
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1015758940
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.192.81, src= 12.235.95.31,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1015758940
ISAKMP (0): processing ID payload. message ID = 1015758940
ISAKMP (0): processing ID payload. message ID = 1015758940
ISAKMP (0): Creating IPSec SAs
        inbound SA from   192.168.192.81 to    12.235.95.31 (proxy          0.0.0.0 to    12.235.95.31)
        has spi 1755122502 and conn_id 4 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from    12.235.95.31 to   192.168.192.81 (proxy     12.235.95.31 to         0.0.0.0)
        has spi 865892405 and conn_id 3 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 12.235.95.31, src= 192.168.192.81,
    dest_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x689d0b46(1755122502), conn_id= 4, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 12.235.95.31, dest= 192.168.192.81,
    src_proxy= 12.235.95.31/255.255.255.255/0/0 (type=1),
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x339c7835(865892405), conn_id= 3, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1352049028:5096a184
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x4dbb61e3(1304125923) for SA
        from   192.168.192.81 to    12.235.95.31 for prot 3
crypto_isakmp_process_block: src 192.168.192.81, dest 12.235.95.31
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload.
message ID = 1352049028 ISAKMP : Checking IPSec proposal 1 ISAKMP: transform 1, ESP_3DES ISAKMP:   attributes in transform: ISAKMP:      SA life type in seconds ISAKMP:      SA life duration (basic) of 28800 ISAKMP:      SA life type in kilobytes ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 ISAKMP:      encaps is 1 ISAKMP:      authenticator is HMAC-MD5 ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request):     proposal part #1,   (key eng. msg.) dest= 192.168.192.81, src= 12.235.95.31,     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),     src_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4),     protocol= ESP, transform= esp-3des esp-md5-hmac ,     lifedur= 0s and 0kb,     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 ISAKMP (0): processing NONCE payload. message ID = 1352049028 ISAKMP (0): processing ID payload. message ID = 1352049028 ISAKMP (0): processing ID payload. message ID = 1352049028 ISAKMP (0): Creating IPSec SAs         inbound SA from   192.168.192.81 to    12.235.95.31 (proxy          0.0.0.0 to     10.25.0.128)         has spi 1304125923 and conn_id 2 and flags 4         lifetime of 28800 seconds         lifetime of 4608000 kilobytes         outbound SA from    12.235.95.31 to   192.168.192.81 (proxy      10.25.0.128 to         0.0.0.0)         has spi 17882921 and conn_id 1 and flags 4         lifetime of 28800 seconds         lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event... IPSEC(initialize_sas): ,   (key eng. msg.) dest= 12.235.95.31, src= 192.168.192.81,     dest_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4),     src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),     protocol= ESP, transform= esp-3des esp-md5-hmac ,     lifedur= 28800s and 4608000kb,     spi= 0x4dbb61e3(1304125923), conn_id= 2, keysize= 0, flags= 0x4 IPSEC(initialize_sas): ,   (key eng. msg.) 
src= 12.235.95.31, dest= 192.168.192.81,     src_proxy= 10.25.0.128/255.255.255.240/0/0 (type=4),     dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),     protocol= ESP, transform= esp-3des esp-md5-hmac ,     lifedur= 28800s and 4608000kb,     spi= 0x110df29(17882921), conn_id= 1, keysize= 0, flags= 0x4 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:4     Total VPN Peers:1 VPN Peer: IPSEC: Peer ip:192.168.192.81 Ref cnt incremented to:5     Total VPN Peers:1 return status is IKMP_NO_ERROR 
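A transcript like the one above is long, and the values that matter for troubleshooting (which ISAKMP policy rejected the peer's transform, what the concentrator pushed by mode config, and whether the IPsec SAs came up with the lifetimes that were proposed) are scattered across it. The following Python script is an added example, not code from the book, from Cisco or from the PIX: it walks debug output in the message formats shown above and pulls those values into one summary. It also decodes the variable-length (VPI) lifetime attributes: the bytes 0x0 0x1 0x51 0x80 are 0x15180, that is 86400 seconds, and 0x0 0x46 0x50 0x0 is 0x465000, that is 4608000 kilobytes, which is exactly the "lifetime of 4608000 kilobytes" the PIX later installs. The sample transcript inside the script is constructed by abridging the output above; the regular expressions assume the PIX 6.x message wording seen there.

```python
"""Summarise a PIX 'debug crypto isakmp' / 'debug crypto ipsec' transcript.

Added example; not code from the book, from Cisco or from the PIX. It reads output
of the form shown above and reports rejected ISAKMP policies, the mode-config
attributes the head end pushed, and the IPsec SAs created, decoding the (VPI)
lifetime bytes so they can be checked against the lifetimes actually installed.
"""
import re

# Constructed sample: an abridged copy of the debug output above, one message
# per line; every value is one that appears in the transcript.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 65010 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 65020 policy
ISAKMP: Config payload CFG_REPLY
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.226.120
VPNC ATTR: INTERNAL_IP4_DNS: 192.168.168.183
VPNC ATTR: ALT_SPLITDNS_NAME         cisco.com_
VPNC ATTR: ALT_PFS: 0
ISAKMP : Checking IPSec proposal 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP (0): atts are acceptable.
ISAKMP (0): Creating IPSec SAs
        inbound SA from   192.168.192.81 to    12.235.95.31 (proxy 0.0.0.0 to 12.235.95.31)
        has spi 1755122502 and conn_id 4 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from    12.235.95.31 to   192.168.192.81 (proxy 12.235.95.31 to 0.0.0.0)
        has spi 865892405 and conn_id 3 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
"""

RE_CHECK = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
RE_LIFE_TYPE = re.compile(r"(SA )?life type in (seconds|kilobytes)")
RE_LIFE_DUR = re.compile(r"life duration \((VPI|basic)\) of\s+(.+?)\s*$")
RE_ATTR = re.compile(r"VPNC ATTR:\s+([A-Z0-9_]+):?\s*(\S*)")
RE_SA = re.compile(r"(inbound|outbound) SA from\s+(\S+) to\s+(\S+)")
RE_SPI = re.compile(r"has spi (\d+) and conn_id (\d+)")
RE_SA_LIFE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")


def decode_vpi(octets: str) -> int:
    """Decode a big-endian variable-length attribute printed as '0x0 0x1 0x51 0x80'."""
    value = 0
    for tok in octets.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_debug(text: str) -> dict:
    s = {"rejected_policies": [], "attributes": {}, "proposed_lifetimes": {}, "sas": []}
    policy = life_key = sa = None  # state carried between related lines
    for line in text.splitlines():
        if m := RE_CHECK.search(line):
            policy = int(m.group(1))
        elif "atts are not acceptable" in line and policy is not None:
            s["rejected_policies"].append(policy)
        elif m := RE_LIFE_TYPE.search(line):
            # 'SA life type' belongs to the phase 2 proposal, plain 'life type' to phase 1
            life_key = ("ipsec_" if m.group(1) else "isakmp_") + m.group(2)
        elif (m := RE_LIFE_DUR.search(line)) and life_key:
            raw = m.group(2)
            s["proposed_lifetimes"][life_key] = decode_vpi(raw) if m.group(1) == "VPI" else int(raw)
            life_key = None
        elif m := RE_ATTR.search(line):
            s["attributes"].setdefault(m.group(1), []).append(m.group(2))
        elif m := RE_SA.search(line):
            sa = {"direction": m.group(1), "src": m.group(2), "dst": m.group(3)}
            s["sas"].append(sa)
        elif (m := RE_SPI.search(line)) and sa:
            sa["spi"], sa["conn_id"] = int(m.group(1)), int(m.group(2))
        elif (m := RE_SA_LIFE.search(line)) and sa:
            sa[m.group(2)] = int(m.group(1))
    return s


def lifetime_mismatches(s: dict) -> list:
    """SAs whose installed lifetime differs from the decoded phase 2 proposal (empty = consistent)."""
    bad = []
    for sa in s["sas"]:
        for unit in ("seconds", "kilobytes"):
            want = s["proposed_lifetimes"].get("ipsec_" + unit)
            if want is not None and sa.get(unit) != want:
                bad.append((sa["direction"], sa.get("spi"), unit, sa.get(unit), want))
    return bad


if __name__ == "__main__":
    summary = parse_debug(SAMPLE_DEBUG)
    print(summary["rejected_policies"], summary["proposed_lifetimes"], summary["attributes"])
    print(summary["sas"], lifetime_mismatches(summary))
```

Run it against a saved transcript by replacing SAMPLE_DEBUG with the file contents. An empty result from lifetime_mismatches means the PIX installed the SAs with the lifetimes the proposal carried, as it does in the transcript above; a non-empty result, or a rejected-policy list that covers every policy checked, is where to start looking when the tunnel does not come up.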

An overall discussion of PIX-based solutions is beyond the scope of this book. The objectives of this section are only to help you troubleshoot PIX-based VPN solutions. For further details on PIX-based VPN solutions as part of the overall security strategy of Cisco, see Cisco Secure PIX Firewalls by David W. Chapman and Andy Fox (Cisco Press, 2002).




Troubleshooting Remote Access Networks (CCIE Professional Development)
ISBN: 1587050765
Year: 2002
Pages: 235
