PIX 501 VPN into SBS 2003 domain - RADIUS authentication fails.

Following an upgrade from W2K to SBS 2003, remote VPN authentication has stopped working.

Any help as to where to troubleshoot next will be greatly appreciated.

VPN into the PIX is OK; the RADIUS authentication against SBS 2003 IAS does not complete successfully. The shared secret matches.

Looks like authentication has worked and then the user is immediately logged off. 'Authentication failed' is reported to the remote client.

PIX debug has 'ISAKMP: reserved not zero on payload 8!' and 'ISAKMP: malformed payload' entries, which I think are part of the 'authentication success' response. Because the PIX is not processing this response, IAS logs the user off.

As a side issue, what does 'Checking ISAKMP transform 9 against priority 10 policy' mean?

The setup is as per these instructions.

Connectivity is internet -> SpeedTouch (510) modem (non-NAT) -> PIX 501 (with public static IP) -> SBS 2003 with IAS.

Remote client is Cisco VPN Client 3.5 for Windows.

System event log shows that IAS has granted access; the security event log shows a logon, followed immediately by a logoff.

Security log has entries for: 'Logon attempt using explicit credentials', 'Successful Network Logon', 'Special privileges assigned to new logon', 'User Logoff'.

PIX debug log has these entries: 'ISAKMP: reserved not zero on payload 8!' and 'ISAKMP: malformed payload'.

PIX log extract (complete log at end of message):

crypto_isakmp_process_block:src:, dest:spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from . message ID = 11168140
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:, dest: spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload

IAS event log entry:

User phil.xxxxx was granted access.
Fully-Qualified-User-Name = .local/MyBusiness/Users/SBSUsers/Philip xxxxxx
NAS-IP-Address =
NAS-Identifier =
Client-Friendly-Name = Pix
Client-IP-Address =
Calling-Station-Identifier =
NAS-Port-Type =
NAS-Port = 8
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type =

Complete PIX log:

crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 192
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 212.140.115.161. message ID = 11168164
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 794882597
ISAMKP (0): received DPD_R_U_THERE from peer 212.140.115.161
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0:0): initiating peer config to 212.140.115.161. ID = 2773460662 (0xa54fa6b6)
crypto_isakmp_process_block:src:212.140.115.161, dest: spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3540473934, spi size = 16
ISAKMP (0): deleting SA: src 212.140.115.161, dst
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xaef22c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:212.140.115.161/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:212.140.115.161/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 212.
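On the side question: each 'Checking ISAKMP transform N against priority P policy' line is the PIX comparing one of the phase 1 proposals the VPN client sent against the ISAKMP policy configured with that priority; every 'atts are not acceptable' that follows is a mismatch (here, the AES-256 and AES-192 proposals 1 to 8 against a policy that only accepts AES-128), and the first proposal with no rejection line (transform 9: AES-128, SHA, group 2, pre-shared key with XAUTH) is the one phase 1 continues with. That means phase 1 negotiates fine and the trouble starts later, in the mode-config/XAUTH transaction where the PIX discards packets as 'malformed payload'. The script below is an added example, not code from the post or from Cisco; it parses a constructed, abridged copy of this kind of debug output (peer address replaced with the documentation address 192.0.2.10) into the accepted and rejected proposals and counts the malformed-payload discards, so the same check can be run over a full capture. It assumes, as the post's log shows, that the PIX prints 'atts are not acceptable' for every rejected proposal, so a proposal without that line is treated as the accepted one.

```python
"""Summarise a Cisco PIX 'debug crypto isakmp' capture (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, abridged from the shape of the post's log; the peer is
# the documentation address 192.0.2.10, not a real host.
SAMPLE_DEBUG = (
    "crypto_isakmp_process_block:src:192.0.2.10, dest: spt:500 dpt:500 OAK_AG exchange "
    "ISAKMP (0): processing SA payload. message ID = 0 "
    "ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash SHA ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP: life type in seconds "
    "ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b ISAKMP: keylength of 256 "
    "ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash MD5 ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP: life type in seconds "
    "ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b ISAKMP: keylength of 256 "
    "ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash SHA ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP: life type in seconds "
    "ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b ISAKMP: keylength of 128 "
    "crypto_isakmp_process_block:src:192.0.2.10, dest: spt:500 dpt:500 OAK_AG exchange "
    "ISAKMP (0): processing HASH payload. message ID = 0 "
    "crypto_isakmp_process_block:src:192.0.2.10, dest: spt:500 dpt:500 ISAKMP_TRANSACTION exchange "
    "ISAKMP (0:0): processing transaction payload from 192.0.2.10. message ID = 11168164 "
    "ISAKMP: Config payload CFG_REPLY return status is IKMP_ERR_NO_RETRANS "
    "crypto_isakmp_process_block:src:192.0.2.10, dest: spt:500 dpt:500 "
    "ISAKMP: reserved not zero on payload 8! ISAKMP: malformed payload "
    "crypto_isakmp_process_block:src:192.0.2.10, dest: spt:500 dpt:500 "
    "ISAKMP: reserved not zero on payload 8! ISAKMP: malformed payload "
)

# One match per proposal check; the body runs until the next check or the
# next crypto_isakmp_process_block line (i.e. the next packet).
BLOCK_RE = re.compile(
    r"Checking ISAKMP transform (?P<num>\d+) against priority (?P<prio>\d+) policy"
    r"(?P<body>.*?)(?=ISAKMP \(0\): Checking ISAKMP transform|crypto_isakmp_process_block|$)",
    re.DOTALL,
)

# Attribute line prefixes; "extended auth" must be tried before "auth".
ATTR_PREFIXES = [
    ("encryption ", "encryption"), ("hash ", "hash_alg"), ("default group ", "group"),
    ("extended auth ", "xauth"), ("auth ", "auth"),
    ("life duration (VPI) of ", "life_duration"), ("keylength of ", "keylength"),
]


@dataclass
class Transform:
    number: int
    priority: int
    encryption: str = ""
    hash_alg: str = ""
    group: str = ""
    auth: str = ""
    xauth: bool = False          # True when the proposal includes XAUTH
    keylength: Optional[int] = None
    lifetime_seconds: Optional[int] = None
    rejected: bool = False       # PIX printed "atts are not acceptable"


def vpi_to_seconds(value: str) -> int:
    """'0x0 0x20 0xc4 0x9b' is a big-endian byte list; 0x0020c49b = 2147483 s."""
    total = 0
    for token in value.split():
        total = (total << 8) | int(token, 16)
    return total


def parse_transforms(debug_text: str) -> List[Transform]:
    transforms = []
    for m in BLOCK_RE.finditer(debug_text):
        t = Transform(int(m["num"]), int(m["prio"]))
        # Restore the one-message-per-line form the PIX printed, then read each line.
        for part in re.split(r"\s+(?=ISAKMP)", m["body"].strip()):
            if "atts are not acceptable" in part:
                t.rejected = True
            if not part.startswith("ISAKMP: "):
                continue
            rest = part[len("ISAKMP: "):]
            for prefix, key in ATTR_PREFIXES:
                if rest.startswith(prefix):
                    value = rest[len(prefix):].strip()
                    if key == "xauth":
                        t.xauth, t.auth = True, value
                    elif key == "keylength":
                        t.keylength = int(value)
                    elif key == "life_duration":
                        t.lifetime_seconds = vpi_to_seconds(value)
                    else:
                        setattr(t, key, value)
                    break
        transforms.append(t)
    return transforms


def selected_transform(transforms: List[Transform]) -> Optional[Transform]:
    """First proposal without a rejection line (assumed to be the one phase 1 uses)."""
    return next((t for t in transforms if not t.rejected), None)


def malformed_payload_count(debug_text: str) -> int:
    """Packets the PIX discarded in the later transaction exchange."""
    return debug_text.count("ISAKMP: malformed payload")


if __name__ == "__main__":
    ts = parse_transforms(SAMPLE_DEBUG)
    for t in ts:
        print(f"transform {t.number}: {t.encryption}-{t.keylength} {t.hash_alg} group {t.group} "
              f"{t.auth}{' +xauth' if t.xauth else ''} {t.lifetime_seconds}s "
              f"-> {'rejected' if t.rejected else 'accepted'}")
    chosen = selected_transform(ts)
    print("phase 1 proposal in use:", chosen.number if chosen else "none")
    print("malformed ISAKMP payloads:", malformed_payload_count(SAMPLE_DEBUG))
```

Run against a full capture, the accepted proposal tells you which isakmp policy the client actually landed on, and a non-zero malformed-payload count with an otherwise clean phase 1 points the investigation at the mode-config/XAUTH exchange rather than at the policy or the RADIUS shared secret.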


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.