Posted by WCL on June 16, 2006, 7:52 am
stopped working. Any help as to where to troubleshoot next will be greatly appreciated.

VPN into pix is ok, the radius authentication against sbs 2003 IAS does not complete successfully, shared secret matches. Looks like authentication has worked and then the user is immediately logged off. Authentication failed is reported to remote client.

Pix debug has 'ISAKMP: reserved not zero on payload 8!' 'ISAKMP: malformed payload' entries, which I think is part of the 'authentication success' response. Because the pix is not processing this response IAS logs the user off.

As a side issue, what does 'Checking ISAKMP transform 9 against priority 10 policy' mean?

The set up is as per these instructions
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Connectivity is

Remote client is cisco VPN client 3.5 for windows

System event log shows that IAS has granted access, security event log shows log on, followed immediately by a logoff.

Security log has entries for:
Logon attempt using explicit credentials:
Successful Network Logon:
Special privileges assigned to new logon:
User Logoff:

Pix debug log has these entries.
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

Pix log extract, complete log at end of message:
crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip> spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from <remote ip>. message ID = 11168140
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:<remote ip>, dest:<pix public ip> spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

IAS event log entry:
User phil.xxxxx was granted access.
Fully-Qualified-User-Name = <domain>.local/MyBusiness/Users/SBSUsers/Philip xxxxxx
NAS-IP-Address = <pix ip>
Client-Friendly-Name = Pix
NAS-Identifier = <not present>
Client-IP-Address = <pix ip>
NAS-Port = 8
Calling-Station-Identifier = <remote client ip (dialup)>
NAS-Port-Type = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>

Complete pix log:
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 212.140.115.161. message ID = 11168164
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 794882597
ISAMKP (0): received DPD_R_U_THERE from peer 212.140.115.161
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0:0): initiating peer config to 212.140.115.161. ID = 2773460662 (0xa54fa6b6)
crypto_isakmp_process_block:src:212.140.115.161, dest:<pix public ip> spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3540473934, spi size = 16
ISAKMP (0): deleting SA: src 212.140.115.161, dst <pix public ip>
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xaef22c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:212.140.115.161/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:212.140.115.161/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 212.
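
Added example, not part of the original post: a small Python helper that splits PIX ISAKMP debug text like the log above into messages, lists each transform the client offered and whether the PIX logged it as not acceptable for the named policy priority, and maps the number in 'reserved not zero on payload N' to its RFC 2408 payload type (8 is Hash, 3 is Transform). The sample input is constructed and the function names are illustrative.

```python
import re

# ISAKMP payload type numbers from RFC 2408 (the N in "payload N").
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}

# Constructed sample shaped like the debug output in the post, run together
# without line breaks the way the log was pasted.
SAMPLE = (
    "ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash SHA ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP: keylength of 256 "
    "ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 "
    "ISAKMP: auth pre-share ISAKMP: keylength of 128 "
    "ISAKMP: Config payload CFG_REPLY "
    "ISAKMP: reserved not zero on payload 8! ISAKMP: malformed payload "
    "ISAKMP: reserved not zero on payload 8! ISAKMP: malformed payload"
)

MARK = re.compile(r"ISAKMP(?: \(\d+(?::\d+)?\))?:\s*")  # "ISAKMP:" / "ISAKMP (0:0):"
ATTR = re.compile(r"(encryption|hash|default group|keylength of|extended auth|auth) (\S+)")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
BAD = re.compile(r"reserved not zero on payload (\d+)")

def messages(log):
    """Split debug text into message bodies, with or without line breaks."""
    return [part.strip() for part in MARK.split(log) if part.strip()]

def analyze(log):
    """Return (offered transforms, payload types reported as malformed)."""
    transforms, cur, malformed = [], None, []
    for body in messages(log):
        if m := CHECK.match(body):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "attrs": {}, "rejected": False}
            transforms.append(cur)
        elif cur and body.startswith("atts are not acceptable"):
            cur["rejected"] = True
        elif cur and (m := ATTR.match(body)):
            cur["attrs"][m[1]] = m[2]
        elif m := BAD.match(body):
            malformed.append(PAYLOAD_TYPES.get(int(m[1]), "unknown"))
    return transforms, malformed

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A transform with no "atts are not acceptable" line, like transform 9 in the posted log, comes back with `rejected` set to `False`.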

vpn with SBS 2003 RADIUS
ip) ->SBS 2003 with IAS