Cisco VPN client to PIX

I am having a problem with connecting to a VPN. I keep getting errors on the PIX "ATTS not acceptable" - also apparently different key lengths appearing on the debug... Any assistance appreciated. Client is Cisco VPN client v4.8.00.0440. I have tried various settings for DES - 3DES - AES ... all results similar.

******************* Current debug is:

crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:87.192.152.28, dest:194.196.37.3 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): deleting SA: src 87.192.152.28, dst 194.196.37.3
ISADB: reaper checking SA 0x3ac8cd4, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 87.192.152.28/500 not found - peers:0

*********** PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixvpn
fixup protocol dns maximum-length 512
names
access-list 102 permit tcp any any eq www
access-list 102 permit icmp any any
pager lines 24
logging on
logging buffered debugging
ip address outside 192.192.37.3 255.255.255.240
ip address inside 10.0.0.254 255.0.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool myownvpn 10.1.1.10-10.1.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 192.192.37.33-192.192.37.34 netmask 255.255.255.240
global (outside) 1 192.192.37.35
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.192.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool myownvpn
vpngroup user1 idle-time 600
vpngroup user1 password ********
vpngroup user2 address-pool myownvpn
vpngroup user2 idle-time 600
vpngroup user3 address-pool myownvpn
vpngroup user3 idle-time 600
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
**************

VPN Client log:

Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1

8 12:30:02.991 07/19/06 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

9 12:30:02.991 07/19/06 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

***********************************
Reply to
Ned

Hi Ned,

Regarding:

"ATTS not acceptable"

Invalid Local Address

This output is an example of the error message:

IPSEC(validate_proposal): invalid local address 12.2.6.2
ISAKMP (0:3): atts not acceptable. Next payload is 0
ISAKMP (0:3): SA not acceptable!

This error message is attributed to one of these two common problems:

  1. The crypto map map-name local-address interface-id command causes the router to use an incorrect address as the identity because it forces the router to use a specified address.

  2. Crypto map is applied to the wrong interface or is not applied at all. Check the configuration in order to ensure that crypto map is applied to the correct interface.

Hope this helps.

Brad Reese BradReese.Com - Global Cisco Systems Pre-Sales Support

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Technical Forums

Reply to
www.BradReese.Com

Brad, thanks for the response - I did have the crypto map applied correctly; anyway, I have reapplied the VPN settings according to the Cisco manual and now have a VPN connection, but I still have a few issues:

I am getting a VPN connection now; is it correct that I don't get a default gateway? I still get the "atts not acceptable" message in the debug.

Ethernet adapter Local Area Connection 8:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.1.10
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . :

*****************************************************

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:111.192.152.28, dest:192.192.37.3 spt:500 dpt:500
OAK_AG exchange
crypto_isakmp_process_block:src:111.192.152.28, dest:192.192.37.3 spt:500 dpt:500
crypto_isakmp_process_block:src:111.192.152.28, dest:192.192.37.3 spt:500 dpt:500
OAK_QM exchange
crypto_isakmp_process_block:src:111.192.152.28, dest:192.192.37.3 spt:500 dpt:500
OAK_QM exchange
pixvpn(config)#
pixvpn(config)#

access-list 102 permit tcp any any eq www
access-list 102 permit icmp any any
access-list 101 permit ip any any
access-list 103 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.192.37.3 255.255.255.240
ip address inside 10.0.0.254 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool myownvpn 10.1.1.10-10.1.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 192.192.37.33-192.192.37.34 netmask 255.255.255.240
global (outside) 1 192.192.37.35
nat (inside) 0 access-list 103
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 192.192.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trns1 esp-3des esp-sha-hmac
crypto ipsec transform-set trmset1 esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool myownvpn
vpngroup user1 split-tunnel 103
vpngroup user1 idle-time 1800
vpngroup user1 password ********
vpngroup user2 idle-time 1800
vpngroup user3 idle-time 1800
telnet timeout 15
*************************


Reply to
Ned
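An added example, not code from the thread, from Cisco or from the poster: the Python script below re-reads the `isakmp policy` lines from the two configs posted above (the original aes-256/md5/group 1 policy and the later 3des/sha/group 2 one) and the client transforms as the quoted `debug crypto isakmp` output prints them, and reports, per transform, which attribute the PIX policy cannot match. It assumes the responder rejects a proposal whose cipher, hash or DH group differs from the policy, rejects the "extended auth" (XAUTH) proposals unless xauth is enabled on the policy (neither posted config has `crypto map ... client authentication`), and accepts a longer proposed lifetime, using the shorter of the two; the config and debug excerpts embedded in it are constructed from the posts, not captured live.

```python
import re
from dataclasses import dataclass

# Added example. Constructed from the first posted config; the working config
# from the follow-up differs only in cipher, hash and DH group, so derive it.
CONFIG_BEFORE = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400"""
CONFIG_AFTER = (CONFIG_BEFORE.replace("aes-256", "3des")
                .replace("md5", "sha").replace("group 1", "group 2"))

# Constructed excerpt of the quoted PIX debug (transforms 4 and 9), one
# record per line as the PIX prints them.
DEBUG_EXCERPT = """ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable."""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")


@dataclass
class Transform:
    number: int
    encryption: str = ""
    hash: str = ""
    group: int = 0
    xauth: bool = False      # "extended auth" = pre-share + XAUTH
    keylength: int = 0       # only sent for AES
    lifetime: int = 0        # seconds, decoded from the VPI bytes


def parse_policies(config):
    """priority -> {attribute: value} from `isakmp policy <n> <attr> <value>` lines."""
    policies = {}
    for prio, attr, value in re.findall(r"isakmp policy (\d+) (\S+) (\S+)", config):
        policies.setdefault(int(prio), {"xauth": False})[attr] = int(value) if value.isdigit() else value
    return policies


def parse_transforms(debug):
    """One Transform per 'Checking ISAKMP transform N' block of the debug."""
    transforms, cur = [], None
    for line in debug.splitlines():
        if m := HEADER.search(line):
            cur = Transform(number=int(m.group(1)))
            transforms.append(cur)
        elif cur is None:
            continue
        elif m := LIFE.search(line):   # VPI bytes are the lifetime, big-endian
            cur.lifetime = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
        elif "encryption " in line:
            cur.encryption = line.rsplit(None, 1)[1]
        elif "hash " in line:
            cur.hash = line.rsplit(None, 1)[1]
        elif "group " in line:
            cur.group = int(line.rsplit(None, 1)[1])
        elif "extended auth" in line:
            cur.xauth = True
        elif "keylength of" in line:
            cur.keylength = int(line.rsplit(None, 1)[1])
    return transforms


def cipher_name(t):
    """Spell the client's cipher the way `isakmp policy <n> encryption` does."""
    if t.encryption == "AES-CBC":
        return "aes" if t.keylength == 128 else f"aes-{t.keylength}"
    return {"3DES-CBC": "3des", "DES-CBC": "des"}.get(t.encryption, t.encryption.lower())


def mismatches(t, policy):
    """Attributes of proposal t the policy will not accept. Assumptions: cipher, hash and
    DH group must be equal; XAUTH proposals need xauth on the policy; a longer proposed
    lifetime is accepted and the shorter value used, so lifetime is never a reason."""
    reasons = []
    if cipher_name(t) != policy["encryption"]:
        reasons.append(f"encryption {cipher_name(t)} != {policy['encryption']}")
    if t.hash.lower() != policy["hash"]:
        reasons.append(f"hash {t.hash.lower()} != {policy['hash']}")
    if t.group != policy["group"]:
        reasons.append(f"group {t.group} != {policy['group']}")
    if t.xauth and not policy["xauth"]:
        reasons.append("xauth proposed but not enabled on the policy")
    return reasons


def evaluate(debug, config):
    """{transform number: reasons}; empty list when some policy (lowest priority first) accepts."""
    policies = [p for _, p in sorted(parse_policies(config).items())]
    verdicts = {}
    for t in parse_transforms(debug):
        per_policy = [mismatches(t, p) for p in policies]
        verdicts[t.number] = [] if [] in per_policy else per_policy[0]
    return verdicts


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        for num, why in evaluate(DEBUG_EXCERPT, cfg).items():
            print(f"{label}: transform {num}: {'; '.join(why) or 'acceptable'}")
```

Against the first config, the AES-256/MD5 transform 4 fails on the DH group alone (the client proposes group 2, the policy says group 1), which is why every AES-256 proposal was refused no matter which cipher was tried; against the working config, the 3DES/SHA/group 2 transform 9 fails only on XAUTH, consistent with the follow-up debug, where that transform is still refused but the exchange then proceeds to quick mode (OAK_QM).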

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.