PIX Internet access OK - but cannot get to VPN

I have a new PIX set up with outbound Internet Access and an inbound VPN. The Internet access is working fine - but the VPN client can't get into the VPN.

VPN Client log
Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 08:23:01.731 08/31/06 Sev=Warning/2 IKE/0xA3000067 Received Unexpected InitialContact Notify (PLMgrNotify:841)
2 08:23:01.903 08/31/06 Sev=Warning/3 IKE/0xA300004B Received a NOTIFY message with an invalid protocol id (0)
3 08:23:07.028 08/31/06 Sev=Warning/3 IKE/0xA3000056 Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.
4 08:23:12.028 08/31/06 Sev=Warning/3 IKE/0xA3000056 Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.
5 08:23:17.013 08/31/06 Sev=Warning/3 IKE/0xA3000056 Driver says we received a packet with invalid SPI (0), sending INVALID-SPI notify.

*********************
When I try to VPN into my network I am getting debug messages on my PIX:

IPSEC(validate_proposal): invalid local address 191.196.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5
IPSEC(validate_proposal): invalid local address 191.191.37.5

The address is correct in that users on the inside can browse out from that interface and I can PING it from the outside. (I have changed the addresses for this posting...)

I also get this debug:

debug crypto isakmp
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3

*************************************************
I also get this debug output on the PIX:

crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing NOTIFY payload 11 protocol 1 spi 0, message ID = 2387466550
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing NOTIFY payload 11 protocol 1 spi 0, message ID = 1206514397
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.35

return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:1027 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 1118155919, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

VPN Peer: ISAKMP: Peer ip:191.191.37.35/1027 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:191.191.37.35/1027 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.5

****************
Any help appreciated...
Ned

How is the VPN terminated, directly on the PIX or on a concentrator behind it?

Are you mixing up the NAT address and the real if address?

mak


Mak,
No, addresses are correct - I sorted the problem yesterday - I had left out "crypto map map1 interface outside".
Thanks,
Ned
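
The fix reported above was a crypto map that had entries but was never applied to an interface. As an added example (not part of the thread, and not Cisco's tooling), this Python check flags that condition in a saved PIX configuration; the sample config and the names "myset" and "dynmap" are constructed, and "map1" is the map name from Ned's reply.

```python
import re

# Constructed PIX 6.x-style config fragment (not from the thread); "myset" and
# "dynmap" are made-up names, "map1" is the map name quoted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map map1 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
"""

# "crypto map <name> <anything except 'interface'> ..." defines or tunes a map.
ENTRY_RE = re.compile(r"^crypto map (\S+) (?!interface\b)\S+", re.M)
# "crypto map <name> interface <ifname>" applies the map to an interface.
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)


def audit_crypto_maps(config: str) -> dict:
    """Find crypto maps defined but never applied, and bindings with no entries."""
    defined = set(ENTRY_RE.findall(config))
    bound = dict(BIND_RE.findall(config))  # map name -> interface name
    return {
        "bound": bound,
        "unbound": sorted(defined - set(bound)),
        "undefined": sorted(set(bound) - defined),
    }


def report(config: str) -> list:
    """Turn the audit result into one human-readable finding per line."""
    result = audit_crypto_maps(config)
    findings = []
    for name in result["unbound"]:
        findings.append(f"crypto map {name} has entries but no "
                        f"'crypto map {name} interface <ifname>' line")
    for name in result["undefined"]:
        findings.append(f"crypto map {name} is applied to "
                        f"{result['bound'][name]} but has no entries")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["all crypto maps are bound"]:
        print(line)
```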

