Remote peer no longer responding -- please help

Hi I am trying to connect to a PIX (a very old version) firewall and I get the dreaded 412 error (The remote peer is no longer responding). Googled it and no relevant posts. Can someone kindly help me figure this out?

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1 21:52:59.515 12/14/06 Sev=Info/4 CM/0x63100002 Begin connection process

2 21:52:59.718 12/14/06 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet

3 21:52:59.718 12/14/06 Sev=Info/4 CM/0x63100024 Attempt connection with server "209.178.198.242"

4 21:53:02.781 12/14/06 Sev=Critical/1 CVPND/0xE3400003 Function SocketApiBind() failed with an error code of 0xFFFFFFF8(f:\\temp\\IPSecClient\\Rel\\PubKeyPK\\SRC\\ike-init-state.cpp:390)

5 21:53:02.781 12/14/06 Sev=Critical/1 CVPND/0x63400012 Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client.

6 21:53:02.828 12/14/06 Sev=Info/4 CM/0xE3100003 Failure to Initialize IKE ports

7 21:53:02.828 12/14/06 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv

8 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started

9 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

10 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

11 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

12 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

13 21:54:28.671 12/14/06 Sev=Info/4 CM/0x63100002 Begin connection process

14 21:54:28.765 12/14/06 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet

15 21:54:28.765 12/14/06 Sev=Info/4 CM/0x63100024 Attempt connection with server "209.178.198.242"

16 21:54:28.796 12/14/06 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 209.178.198.242.

17 21:54:29.109 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 209.178.198.242

18 21:54:29.453 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started

19 21:54:29.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

20 21:54:29.578 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242

21 21:54:29.578 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 209.178.198.242

27 21:54:29.593 12/14/06 Sev=Info/4 IKE/0x63000082 IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

28 21:54:29.593 12/14/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

29 21:54:29.593 12/14/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

30 21:54:30.046 12/14/06 Sev=Info/5 IKE/0x6300005D Client sending a firewall request to concentrator

31 21:54:30.046 12/14/06 Sev=Info/5 IKE/0x6300005C Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

32 21:54:30.046 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.178.198.242

33 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242

34 21:54:30.109 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 209.178.198.242

42 21:54:30.406 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242

43 21:54:30.406 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK QM *(Retransmission) to 209.178.198.242

48 21:54:40.453 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

49 21:54:40.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(Retransmission) to 209.178.198.242

50 21:54:45.453 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

51 21:54:45.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(Retransmission) to 209.178.198.242

52 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x6300002D Phase-2 retransmission count exceeded: MsgID=586F5A33

53 21:54:50.453 12/14/06 Sev=Info/6 IKE/0x6300003D Sending DPD request to 209.178.198.242, seq# = 3403392917

54 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 209.178.198.242

55 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 209.178.198.242

56 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000048 Discarding IPsec SA negotiation, MsgID=586F5A33

57 21:54:50.500 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242

58 21:54:50.500 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING > ISAKMP OAK INFO *(HASH, DEL) to 209.178.198.242

62 21:55:20.953 12/14/06 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=37BCC08204AE4596 R_Cookie=4DFC26D470437156) reason = DEL_REASON_PEER_NOT_RESPONDING

63 21:55:20.953 12/14/06 Sev=Info/4 CM/0x63100012 Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_PEER_NOT_RESPONDING". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

64 21:55:20.953 12/14/06 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv

65 21:55:20.984 12/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection

66 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

67 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

68 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

69 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
Reply to
soup_or_power

Possibly your end 192.168.99.1 is not set to route properly to 192.168.1.6. This could happen, for example, if you use an ip pool in the 192.168 range without specifying the netmask on the ip pool. (For 192.168.x, it -should- choose /24 but it is better to not leave it to chance if you don't need to.)
Reply to
Walter Roberson

The PIX has these rules:

crypto ipsec transform-set iexpect esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map corp 1 ipsec-isakmp
crypto map corp 1 match address ipsec
crypto map corp 1 set peer 216.74.138.157
crypto map corp 1 set transform-set iexpect
crypto map corp 10 ipsec-isakmp dynamic dynmap
crypto map corp client configuration address initiate
crypto map corp client configuration address respond
crypto map corp interface outside
isakmp enable outside
isakmp key ******** address 216.74.138.157 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup corphome address-pool corp-home
vpngroup corphome dns-server 192.168.1.6
vpngroup corphome wins-server 192.168.1.6
vpngroup corphome default-domain corp.iexpect.com
vpngroup corphome idle-time 1800
vpngroup corphome password ********

How can I configure the Cisco Client 4.0.5 to use key share?

Thanks


Reply to
soup_or_power

Here is the debug from the PIX. I'd appreciate if Walter or someone can comment.

Thanks

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
VPN Peer: ISAKMP: Added new peer: ip:72.79.125.235 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:72.79.125.235 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 72.79.125.235. message ID = 0
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute UNKNOWN (28674)
ISAKMP: attribute UNKNOWN (28676)
ISAKMP: attribute UNKNOWN (28675)
Unsupported Attr: 28675
ISAKMP: attribute UNKNOWN (28679)
Unsupported Attr: 28679
ISAKMP: attribute UNKNOWN (28681)
Unsupported Attr: 28681
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP: attribute UNKNOWN (28678)
Unsupported Attr: 28678
ISAKMP (0:0): responding to peer config from 72.79.125.235. ID = 3561348378
return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3146087570

ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 4224895108
ISAMKP (0): received DPD_R_U_THERE from peer 72.79.125.235
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing DELETE payload. message ID = 2699998900
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing DELETE payload. message ID = 3651836985
ISAKMP (0): deleting SA: src 72.79.125.235, dst 209.178.198.242
ISAKMP (0): deleting IPSEC SAs with peer at 72.79.125.235
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235
return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x80c91590, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:72.79.125.235 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:72.79.125.235 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235

Reply to
soup_or_power
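
Added example, not part of the thread and not written by any poster: a Python triage script for a flattened PIX ISAKMP debug capture like the one posted above. It cuts the text at each "Checking ..." marker and records, per Phase 1 transform and Phase 2 proposal, what was offered and what the PIX logged about it. `SAMPLE` is a constructed excerpt, the function names are hypothetical, and the mapping of encryption ID 7 to AES-CBC comes from the IANA IKE registry, not from the thread.

```python
import re
from collections import Counter

# IKEv1 Phase 1 encryption IDs from the IANA IPsec registry (RFC 2409, RFC 3602).
IKE_ENC_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
MARK = re.compile(r"Checking (ISAKMP transform|IPSec proposal) (\d+)")

# Constructed excerpt in the same flattened format as the PIX debug in the thread.
SAMPLE = (
    "ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy "
    "ISAKMP: encryption... What? 7? ISAKMP: hash SHA "
    "ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy "
    "ISAKMP: encryption 3DES-CBC ISAKMP: hash SHA "
    "ISAKMP : Checking IPSec proposal 1 ISAKMP: unknown ESP transform! "
    "ISAKMP: key length is 256 IPSEC(validate_proposal): invalid local "
    "address 192.0.2.1 ISAKMP (0): atts not acceptable. Next payload is 0"
)


def parse_proposals(text):
    """Cut the capture at each 'Checking ...' marker and extract its fields.

    'accepted' stays None when the capture ends before a verdict is logged.
    """
    text = " ".join(text.split())  # tolerate wrapped or flattened input
    hits = list(MARK.finditer(text))
    records = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        body = text[m.end():end]
        rec = {"phase": 1 if m.group(1) == "ISAKMP transform" else 2,
               "num": int(m.group(2)), "reasons": []}
        enc = re.search(r"encryption(?:\.\.\. What\? (\d+)\?| (\S+))", body)
        if enc and enc.group(1):  # responder printed a raw ID, not a name
            eid = int(enc.group(1))
            rec["enc"] = IKE_ENC_IDS.get(eid, f"id {eid}")
            rec["reasons"].append("encryption ID not named by responder")
        elif enc:
            rec["enc"] = enc.group(2)
        for marker in ("unknown ESP transform", "invalid local address"):
            if marker in body:
                rec["reasons"].append(marker)
        klen = re.search(r"key length is (\d+)", body)
        rec["keylen"] = int(klen.group(1)) if klen else None
        verdict = re.search(r"atts (?:are )?(not )?acceptable", body)
        rec["accepted"] = None if verdict is None else verdict.group(1) is None
        records.append(rec)
    return records


def rejection_summary(text):
    """Count the logged reasons across every proposal the responder refused."""
    counts = Counter()
    for rec in parse_proposals(text):
        if rec["accepted"] is False:
            counts.update(rec["reasons"] or ["no reason logged"])
    return counts


if __name__ == "__main__":
    print(parse_proposals(SAMPLE), rejection_summary(SAMPLE))
```
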

I downloaded the GreenBow VPN client and tested the encryption. The PIX expects DES and MD5 for encryption and authentication respectively. The GreenBow VPN client passed the phase 1 and phase 2 but alas, it doesn't connect when a password is challenged. I have to make extensive changes on the PIX to make the GreenBow VPN client work. It is not a viable option to me. Also the GreenBow VPN client is not free. Now if I can replicate the limited success I had with GreenBow VPN client using Cisco VPN Client 4.0.5 that will be great. Can anyone please tell me what are the encryption and authentication schemes for the Cisco 4.0.5 VPN client? How can I set the options on Cisco 4.0.5 VPN client? Kindly note that the PIX firewall is very old and there is no way to change the encryption and authentication schemes.

Many thanks for your k

> Here is the debug from the PIX. I'd appreciate if Walter or someone
> can comment.

Reply to
soup_or_power
