[vpn-help] Can't connect to Cisco ASA that worked fine yesterday

Alexis La Goutte alexis.lagoutte at gmail.com
Thu Mar 27 03:20:37 CDT 2014


On Wed, Mar 26, 2014 at 11:32 PM, Nathan Stone <nathan at enots.com> wrote:
> I was finally able to get back and grab some logs from both the ASA and the Shrew Client. I sanitized the External IP and the VPN Group information, otherwise everything is intact. I am not sure exactly what I am looking for or how to decipher everything. Would anyone else be willing to spend a few minutes looking this over and seeing if anything jumps out at you?
>
>
> Logs from the ASA when ShrewSoft client tries to connect (reads from bottom to top). Same results with Windows 7 and 8.
> 4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
> 4|Mar 26 2014|14:23:39|713903|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Error: Unable to remove PeerTblEntry
> 3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
> 6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
> 6|Mar 26 2014|14:23:07|713184|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Client Type: WinNT  Client Application Version: 4.8.01.0300
> 5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
>
>
>
> Windows 7 using Cisco VPN client. Connects fine.
> 5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
> 6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
> 5|Mar 26 2014|14:35:43|713049|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Security negotiation complete for User (back)  Responder, Inbound SPI = 0x07abbaa7, Outbound SPI = 0xd76b1221
> 6|Mar 26 2014|14:35:43|602303|IPSEC: An outbound remote access SA (SPI= 0xD76B1221) between outside-interface and 173.164.82.61 (user= back) has been created.
> 5|Mar 26 2014|14:35:43|713075|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
> 5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
> 6|Mar 26 2014|14:35:43|713228|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
> 6|Mar 26 2014|14:35:43|713184|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Client Type: WinNT  Client Application Version: 5.0.07.0440
> 5|Mar 26 2014|14:35:43|713130|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
>
>
> Logs from ShrewSoft VPN Trace - IKE Service (Level output = Errors)
> 10 May 2012
> 14/03/26 15:02:18 !! : unable to connect to pfkey interface
> 14/03/26 15:02:24 !! : invalid private netmask, defaulting to 255.255.255.0
> 14/03/26 15:02:32 !! : config packet ignored ( config already mature )
> 14/03/26 15:02:40 !! : config packet ignored ( config already mature )
> 14/03/26 15:02:48 !! : config packet ignored ( config already mature )
>
>
> Logs from ShrewSoft VPN Trace - IKE Service (Level output = Informational)
> 14/03/26 15:23:18 ## : IKE Daemon, ver 2.2.2
> 14/03/26 15:23:18 ## : Copyright 2013 Shrew Soft Inc.
> 14/03/26 15:23:18 ## : This product linked OpenSSL 1.0.1c 10 May 2012
> 14/03/26 15:23:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
> 14/03/26 15:23:18 ii : rebuilding vnet device list ...
> 14/03/26 15:23:18 ii : device ROOT\VNET\0000 disabled
> 14/03/26 15:23:18 ii : network process thread begin ...
> 14/03/26 15:23:18 ii : pfkey process thread begin ...
> 14/03/26 15:23:18 ii : ipc server process thread begin ...
> 14/03/26 15:23:25 ii : ipc client process thread begin ...
> 14/03/26 15:23:25 <A : peer config add message
> 14/03/26 15:23:25 <A : proposal config message
> 14/03/26 15:23:25 <A : proposal config message
> 14/03/26 15:23:25 <A : client config message
> 14/03/26 15:23:25 <A : xauth username message
> 14/03/26 15:23:25 <A : xauth password message
> 14/03/26 15:23:25 <A : local id 'XXXXXX' message
> 14/03/26 15:23:25 <A : preshared key message
> 14/03/26 15:23:25 <A : peer tunnel enable message
> 14/03/26 15:23:25 ii : local supports XAUTH
> 14/03/26 15:23:25 ii : local supports nat-t ( draft v00 )
> 14/03/26 15:23:25 ii : local supports nat-t ( draft v01 )
> 14/03/26 15:23:25 ii : local supports nat-t ( draft v02 )
> 14/03/26 15:23:25 ii : local supports nat-t ( draft v03 )
> 14/03/26 15:23:25 ii : local supports nat-t ( rfc )
> 14/03/26 15:23:25 ii : local supports DPDv1
> 14/03/26 15:23:25 ii : local is SHREW SOFT compatible
> 14/03/26 15:23:25 ii : local is NETSCREEN compatible
> 14/03/26 15:23:25 ii : local is SIDEWINDER compatible
> 14/03/26 15:23:25 ii : local is CISCO UNITY compatible
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:0000000000000000
> 14/03/26 15:23:25 >= : message 00000000
> 14/03/26 15:23:25 ii : processing phase1 packet ( 440 bytes )
> 14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 =< : message 00000000
> 14/03/26 15:23:25 ii : matched isakmp proposal #1 transform #14
> 14/03/26 15:23:25 ii : - transform    = ike
> 14/03/26 15:23:25 ii : - cipher type  = 3des
> 14/03/26 15:23:25 ii : - key length   = default
> 14/03/26 15:23:25 ii : - hash type    = sha1
> 14/03/26 15:23:25 ii : - dh group     = group2 ( modp-1024 )
> 14/03/26 15:23:25 ii : - auth type    = xauth-initiator-psk
> 14/03/26 15:23:25 ii : - life seconds = 86400
> 14/03/26 15:23:25 ii : - life kbytes  = 0
> 14/03/26 15:23:25 ii : phase1 id target is any
> 14/03/26 15:23:25 ii : phase1 id match
> 14/03/26 15:23:25 ii : received = ipv4-host 1.2.3.4
> 14/03/26 15:23:25 ii : peer is CISCO UNITY compatible
> 14/03/26 15:23:25 ii : peer supports XAUTH
> 14/03/26 15:23:25 ii : peer supports DPDv1
> 14/03/26 15:23:25 ii : peer supports nat-t ( draft v02 )
> 14/03/26 15:23:25 ii : nat discovery - local address is translated
> 14/03/26 15:23:25 ii : switching to src nat-t udp port 4500
> 14/03/26 15:23:25 ii : switching to dst nat-t udp port 4500
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 >= : message 00000000
> 14/03/26 15:23:25 ii : phase1 sa established
> 14/03/26 15:23:25 ii : 1.2.3.4:4500 <-> 192.168.246.115:4500
> 14/03/26 15:23:25 ii : ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 ii : sending peer INITIAL-CONTACT notification
> 14/03/26 15:23:25 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:25 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 ii : - data size 0
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 >= : message 09fa64cc
> 14/03/26 15:23:25 ii : processing config packet ( 76 bytes )
> 14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 =< : message a15d44a7
> 14/03/26 15:23:25 ii : - xauth authentication type
> 14/03/26 15:23:25 ii : - xauth username
> 14/03/26 15:23:25 ii : - xauth password
> 14/03/26 15:23:25 ii : received basic xauth request -
> 14/03/26 15:23:25 ii : - standard xauth username
> 14/03/26 15:23:25 ii : - standard xauth password
> 14/03/26 15:23:25 ii : sending xauth response for back
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 >= : message a15d44a7
> 14/03/26 15:23:25 ii : processing config packet ( 68 bytes )
> 14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 =< : message a8ef0bbf
> 14/03/26 15:23:25 ii : received xauth result -
> 14/03/26 15:23:25 ii : user back authentication succeeded
> 14/03/26 15:23:25 ii : sending xauth acknowledge
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 >= : message a8ef0bbf
> 14/03/26 15:23:25 ii : building config attribute list
> 14/03/26 15:23:25 ii : sending config pull request
> 14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 >= : message 9fc87ac5
> 14/03/26 15:23:25 ii : processing config packet ( 220 bytes )
> 14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:25 =< : message 9fc87ac5
> 14/03/26 15:23:25 ii : received config pull response
> 14/03/26 15:23:25 !! : invalid private netmask, defaulting to 255.255.255.0
> 14/03/26 15:23:25 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
> 14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
> 14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
> 14/03/26 15:23:26 ii : created NONE policy route for 1.2.3.4/32
> 14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
> 14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
> 14/03/26 15:23:26 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
> 14/03/26 15:23:26 ii : creating IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
> 14/03/26 15:23:26 ii : created IPSEC policy route for 10.0.0.0/8
> 14/03/26 15:23:26 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:26 >= : message 0c659a3f
> 14/03/26 15:23:26 ii : split DNS is disabled
> 14/03/26 15:23:29 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:29 >= : message 2a54a656
> 14/03/26 15:23:31 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:33 ii : processing config packet ( 220 bytes )
> 14/03/26 15:23:33 !! : config packet ignored ( config already mature )
> 14/03/26 15:23:34 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:36 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:39 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:40 ii : sending peer DPDV1-R-U-THERE notification
> 14/03/26 15:23:40 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:40 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:40 ii : - data size 4
> 14/03/26 15:23:40 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:40 >= : message 1064e267
> 14/03/26 15:23:41 ii : processing config packet ( 220 bytes )
> 14/03/26 15:23:41 !! : config packet ignored ( config already mature )
> 14/03/26 15:23:41 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:44 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:46 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:46 >= : message 7d536ba4
> 14/03/26 15:23:46 ii : resend limit exceeded for phase2 exchange
> 14/03/26 15:23:46 ii : phase2 removal before expire time
> 14/03/26 15:23:49 ii : processing config packet ( 220 bytes )
> 14/03/26 15:23:49 !! : config packet ignored ( config already mature )
> 14/03/26 15:23:49 ii : resend limit exceeded for phase2 exchange
> 14/03/26 15:23:49 ii : phase2 removal before expire time
> 14/03/26 15:23:51 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:55 ii : sending peer DPDV1-R-U-THERE notification
> 14/03/26 15:23:55 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:55 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:55 ii : - data size 4
> 14/03/26 15:23:55 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:55 >= : message 344d9b88
> 14/03/26 15:23:56 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
> 14/03/26 15:23:57 ii : processing informational packet ( 84 bytes )
> 14/03/26 15:23:57 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:57 =< : message ebc92a2c
> 14/03/26 15:23:57 ii : received peer DELETE message
> 14/03/26 15:23:57 ii : - 1.2.3.4:4500 -> 192.168.246.115:4500
> 14/03/26 15:23:57 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
> 14/03/26 15:23:57 ii : cleanup, marked phase1 ed576b33c000da7e:bdb0dc6b4f35101c for removal
> 14/03/26 15:23:57 ii : phase1 removal before expire time
> 14/03/26 15:23:57 ii : removing IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
> 14/03/26 15:23:57 ii : removing IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
> 14/03/26 15:23:57 ii : removed IPSEC policy route for ANY:10.0.0.0/8:*
> 14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
> 14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
> 14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
> 14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
> 14/03/26 15:23:57 ii : removed NONE policy route for ANY:1.2.3.4:*
> 14/03/26 15:23:57 DB : removing tunnel config references
> 14/03/26 15:23:57 DB : removing tunnel phase2 references
> 14/03/26 15:23:57 ii : phase2 removal before expire time
> 14/03/26 15:23:57 DB : removing tunnel phase1 references
> 14/03/26 15:23:57 DB : removing all peer tunnel references
> 14/03/26 15:23:57 ii : ipc client process thread exit ...
>
>

Hi,

Thanks for the log,

Are the Cisco VPN client and Shrew VPN on the same machine?
Are you using the latest VPN release?

Have you tried other settings for Policy Generation Level?

Regards,


> Nathan Stone | Enots IT Solutions | www.enots.com | 541.933.5010
>
> -----Original Message-----
> From: prolag at gmail.com [mailto:prolag at gmail.com] On Behalf Of Alexis La Goutte
> Sent: Friday, March 21, 2014 6:47 AM
> Subject: Re: [vpn-help] Can't connect to Cisco ASA that worked fine yesterday
>
> Hi Nathan,
>
> You need to check the log of Gateway, there is a reason of session
> terminated by gateway. (check also Shrew Log).
>
> Regards,
>
>
> On Thu, Mar 20, 2014 at 9:59 PM, Nathan Stone <nathan at enots.com> wrote:
>> I have an issue with Shrewsoft that seems to have happened over night. Connecting to a Cisco ASA 5510. Was working yesterday and now today it connects, but after 33 seconds I get the message "session terminated by gateway"
>>
>> I am running Windows 8.1, have a remote staff person that uses this all day long and it is doing the same for her. She has Windows 8. As a test I installed the client on a Windows 7 32bit install and I get the same behavior. From a different Windows 7 computer, with the Cisco client I can connect just fine.
>>
>> I checked Windows updates and nothing has been installed.
>>
>> Logged in to the ASA. Nothing has changed in months and the last time it was rebooted was almost 200 days ago. I rebooted it anyway to see if that would help, but it doesn't.
>>
>> I have another client with a Cisco ASA 5505 and I can still connect to their IPSec VPN. So it is something with this particular firewall and ShrewSoft combination. I created another VPN on this firewall and it is doing the same thing.
>>
>> Here is what shows in the ShrewSoft VPN Connect tab
>>
>> config loaded for site 'OSM'
>> attached to key daemon ...
>> peer configured
>> iskamp proposal configured
>> esp proposal configured
>> client configured
>> local id configured
>> remote id configured
>> pre-shared key configured
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>> session terminated by gateway
>> tunnel disabled
>> detached from key daemon
>>
>>
>> If I switch to the Network tab, under Security Associations it shows Failed - 2.
>>
>> I am at a loss, anyone have any ideas at all?
>>
>> Nathan
>>
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> https://lists.shrew.net/mailman/listinfo/vpn-help
>
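Added example, not part of the thread or of the Shrew Soft project: a small Python triage script for ASA IKEv1 log exports like the ones quoted above. It parses the pipe-delimited lines (the export lists newest first), records which remote-access milestones the peer reached, and reports where the negotiation stopped; the message-id meanings are taken from the lines quoted in the thread, and the embedded samples are trimmed copies of those same lines.

```python
import re

# ASA syslog export format quoted in the thread: severity|date|time|msgid|text,
# newest line first. The msgids below are the ones that appear in the thread.
ASA_LINE = re.compile(r"^\d\|[^|]+\|[^|]+\|(\d{6})\|(.*)$")
MILESTONES = {"713184": "client", "713228": "address", "713119": "phase1",
              "713120": "phase2", "602303": "sa", "113019": "disconnect"}

def parse_asa(text):
    """Return (msgid, message) pairs oldest-first from a newest-first ASA export."""
    rows = [m.groups() for m in map(ASA_LINE.match, text.strip().splitlines()) if m]
    return list(reversed(rows))

def triage(text):
    """Report how far an IKEv1 remote-access negotiation got and why it ended."""
    seen, reason, sas = set(), None, 0
    for msgid, msg in parse_asa(text):
        seen.add(MILESTONES.get(msgid))
        if msgid == "602303":          # one line per IPsec SA (inbound/outbound)
            sas += 1
        if msgid == "113019":          # teardown line carries the ASA's reason
            reason = msg.split("Reason:")[-1].strip()
    if "phase2" in seen and sas:
        verdict = "established"
    elif "phase1" in seen:
        verdict = "phase2 failed"               # ISAKMP done, no IPsec SA built
    elif "address" in seen:
        verdict = "stalled after mode-config"   # XAUTH/modecfg ran, no PHASE 1/2 COMPLETED
    else:
        verdict = "no negotiation"
    return {"verdict": verdict, "sas": sas, "disconnect_reason": reason}

# Trimmed copies of the two exports quoted in the thread (group name masked as posted).
SHREW_EXPORT = """\
4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
"""
CISCO_EXPORT = """\
5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
6|Mar 26 2014|14:35:43|602303|IPSEC: An outbound remote access SA (SPI= 0xD76B1221) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
"""

if __name__ == "__main__":
    for name, export in (("ShrewSoft", SHREW_EXPORT), ("Cisco client", CISCO_EXPORT)):
        print(name, triage(export))
```

On the quoted exports it reports the ShrewSoft session as stalled after mode-config with reason "Unknown" and no IPsec SA, while the Cisco-client session shows phase 2 complete with two SAs, which is the gap to chase with the gateway's IKE debug.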
