I have a new PIX set up with outbound Internet Access and an inbound VPN. The Internet access is working fine - but the VPN client can't get into the VPN.
VPN Client log:

Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 08:23:01.731 08/31/06 Sev=Warning/2 IKE/0xA3000067
Received Unexpected InitialContact Notify (PLMgrNotify:841)
2 08:23:01.903 08/31/06 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
3 08:23:07.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.
4 08:23:12.028 08/31/06 Sev=Warning/3 IKE/0xA3000056
Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.
5 08:23:17.013 08/31/06 Sev=Warning/3 IKE/0xA3000056
Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.

*********************
When I try to VPN into my network I am getting debug messages on my PIX:

IPSEC(validate_proposal): invalid local address 191.196.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5

The address is correct in that users on the inside can browse out from that interface and I can PING it from the outside. (I have changed the addresses for this posting...)
I also get this debug:

debug crypto isakmp
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3

*************************************************
I also get this debug output on the PIX:

crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing NOTIFY payload 11 protocol 1 spi 0, message ID = 2387466550
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing NOTIFY payload 11 protocol 1 spi 0, message ID = 1206514397
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 1118155919, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

VPN Peer: ISAKMP: Peer ip:191.191.37.35/1027 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:191.191.37.35/1027 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.5

****************
Any help appreciated...
Ned