Pix 501 and cisco VPN 4.6 stale connection?

Status
Not open for further replies.

KLewisBPM

Technical User
Jan 11, 2002
294
GB
I am using Cisco VPN client 4.6 to connect in to our PIX 501. However, I seem to keep hitting problems where people can't access any network resources once connected; there doesn't seem to be any specific reason.
This is intermittent; it's like the connection is stale. If I reboot the PIX the first person on is OK; once he disconnects he can log back on but then can't access anything on the network. Is there a limit to the number of users that can connect at once? Also, can the connection become stale, i.e. when someone disconnects the system still thinks they are connected?

Here is my activation key data, and below that is my PIX config. The users that are to use the VPN regularly are using WAG354G Linksys routers setup with DHCP - 192.168.1.65 - 192.168.1.70 IP Pool. 255.255.255.0 Subnet

Gateway01# show activation-key
Serial Number: 807094XXX (0x301b4XXX)

Running Activation Key: 0x11025XXX 0x85b85XXX 0x11403XXX 0x6d6aa601
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.

The flash activation key is the SAME as the running key.

PIX CONFIG:

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 28dFWgBrWZwLQb2o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Gateway01
domain-name xxxxx.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp any interface outside eq https
access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat permit ip 172.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 172.20.250.9
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.252
ip address inside 172.20.250.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_client2 192.168.2.1-192.168.2.11
ip local pool vpn_client 192.168.1.1-192.168.1.11
pdm location 172.20.250.1 255.255.255.255 inside
pdm location 172.20.250.3 255.255.255.255 inside
pdm location 172.20.250.9 255.255.255.255 inside
pdm location 172.120.250.3 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 172.20.0.9 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 172.20.250.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.20.250.13 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server t+ protocol tacacs+
url-server (inside) vendor websense host 172.20.250.9 timeout 5 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.20.250.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set quick esp-des esp-md5-hmac
crypto dynamic-map cwl_dynmap 10 set transform-set quick
crypto map cwl 20 ipsec-isakmp dynamic cwl_dynmap
crypto map cwl interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 15 authentication pre-share
isakmp policy 15 authentication pre-share
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup SALES address-pool vpn_client
vpngroup SALES dns-server 172.20.250.1
vpngroup SALES wins-server 172.20.250.1
vpngroup SALES default-domain xxxxxxx.co.uk
vpngroup SALES idle-time 1800
vpngroup SALES password ********
vpngroup password idle-time 1800
vpngroup address-pool idle-time 1800
telnet 172.20.250.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password xxxxxxxxxxxxxxx encrypted privilege 2
username Admin password xxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:ed3900c23b8fad360345793f58e32df6
: end




Kind Regards

Kelley Lewis
 
Your VPN config looks a bit strange.

add
access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.0.0 255.255.255.0
isakmp policy 15 encryption des
isakmp nat-traversal 20

remove

no access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list nonat permit ip 172.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0


And don't use a vpnpool that uses the same address range as the source, in this case your Linksys. They both use 192.168.1.X. Use the second vpnpool you have configured.
 
I logged the VPN connection info in the Cisco client software to get a better view of what's occurring. I connected to the VPN and it disconnected after 1 min. Here are the results.

Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 09:42:17.514 11/06/06 Sev=Info/4 CM/0x63100002
Begin connection process

2 09:42:17.524 11/06/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3 09:42:17.524 11/06/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

4 09:42:17.524 11/06/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xxx.xxx.xxx"

5 09:42:18.526 11/06/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xxx.xxx.xxx.

6 09:42:18.536 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xx.xxx.xxx.xxx

7 09:42:18.536 11/06/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

8 09:42:18.536 11/06/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

9 09:42:20.358 11/06/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xxx.xxx.xxx

10 09:42:20.358 11/06/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from xx.xxx.xxx.xxx

11 09:42:20.358 11/06/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

12 09:42:20.358 11/06/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

13 09:42:20.358 11/06/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14 09:42:20.358 11/06/06 Sev=Info/5 IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

15 09:42:20.368 11/06/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

16 09:42:20.368 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to xx.xxx.xxx.xxx

17 09:42:20.368 11/06/06 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

18 09:42:20.368 11/06/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

19 09:42:20.368 11/06/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

20 09:42:20.378 11/06/06 Sev=Info/5 IKE/0x6300005D
Client sending a firewall request to concentrator

21 09:42:20.378 11/06/06 Sev=Info/5 IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

22 09:42:20.388 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xxx.xxx.xxx

23 09:42:20.549 11/06/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xxx.xxx.xxx

24 09:42:20.549 11/06/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xxx.xxx.xxx

25 09:42:20.549 11/06/06 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

26 09:42:20.549 11/06/06 Sev=Info/5 IKE/0x63000046
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now

27 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xxx.xxx.xxx

28 09:42:20.559 11/06/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xxx.xxx.xxx

29 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.1.1

30 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 172.20.250.1

31 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 172.20.250.1

32 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = mydomain.co.uk

33 09:42:20.559 11/06/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

34 09:42:20.559 11/06/06 Sev=Info/4 CM/0x63100019
Mode Config data received

35 09:42:20.749 11/06/06 Sev=Info/4 IKE/0x63000055
Received a key request from Driver: Local IP = 192.168.1.1, GW IP = xx.xxx.xxx.xxx, Remote IP = 0.0.0.0

36 09:42:20.749 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.xxx.xxx.xxx

37 09:42:21.069 11/06/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

38 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xxx.xxx.xxx

39 09:42:21.460 11/06/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from xx.xxx.xxx.xxx

40 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x63000044
RESPONDER-LIFETIME notify has value of 28800 seconds

41 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 4608000 kb

42 09:42:21.460 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to xx.xxx.xxx.xxx

43 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x63000058
Loading IPsec SA (MsgID=CA88452C OUTBOUND SPI = 0xD1810E7E INBOUND SPI = 0xA5718438)

44 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xD1810E7E

45 09:42:21.460 11/06/06 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xA5718438

46 09:42:22.121 11/06/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.1.1/255.255.255.0
DNS=172.20.250.1,0.0.0.0
WINS=172.20.250.1,0.0.0.0
Domain=mydomain.co.uk
Split DNS Names=

47 09:42:22.131 11/06/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.68 20
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.1 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.1 10
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.68 20
192.168.1.1 192.168.1.1 192.168.1.1 127.0.0.1 10
192.168.1.68 192.168.1.68 192.168.1.68 127.0.0.1 20
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.1 10
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.68 20
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.1 10
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.68 20
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.1 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.68 1


48 09:42:22.171 11/06/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination xx.xxx.xxx.xxx
Netmask 255.255.255.255
Gateway 192.168.1.1
Interface 192.168.1.68

49 09:42:22.171 11/06/06 Sev=Warning/3 CM/0xA3100028
Failed to add route from public interface to secure gateway.

50 09:42:22.181 11/06/06 Sev=Warning/3 CM/0xA3100024
Failed to increment route metric to default gateway.

51 09:42:22.181 11/06/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.68 20
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.1 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.68 20
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.1 1
192.168.1.1 192.168.1.1 192.168.1.1 127.0.0.1 10
192.168.1.1 192.168.1.1 192.168.1.1 192.168.1.68 1
192.168.1.68 192.168.1.68 192.168.1.68 127.0.0.1 20
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.1 10
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.68 20
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.1 10
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.68 20
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.1 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.68 1


52 09:42:22.181 11/06/06 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

53 09:42:22.211 11/06/06 Sev=Info/4 CM/0x6310001A
One secure connection established

54 09:42:22.261 11/06/06 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.1.68. Current address(es): 192.168.1.1, 192.168.1.68.

55 09:42:22.261 11/06/06 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.1.1. Current address(es): 192.168.1.1, 192.168.1.68.

56 09:42:22.301 11/06/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xxx.xxx.xxx

57 09:42:22.301 11/06/06 Sev=Warning/3 IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload

58 09:42:22.301 11/06/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Opaque) from xx.xxx.xxx.xxx

59 09:42:22.301 11/06/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

60 09:42:22.301 11/06/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x7e0e81d1 into key list

61 09:42:22.301 11/06/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

62 09:42:22.301 11/06/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x388471a5 into key list

63 09:42:22.301 11/06/06 Sev=Info/4 IPSEC/0x6370002E
Assigned VA private interface addr 192.168.1.1

64 09:42:30.573 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449191

65 09:42:30.573 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

66 09:42:35.580 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449192

67 09:42:35.580 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

68 09:42:40.587 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449193

69 09:42:40.587 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

70 09:42:45.595 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449194

71 09:42:45.595 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

72 09:42:50.602 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449195

73 09:42:50.602 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

74 09:42:55.609 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449196

75 09:42:55.609 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

76 09:43:00.616 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449197

77 09:43:00.616 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

78 09:43:05.623 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449198

79 09:43:05.623 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

80 09:43:10.631 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449199

81 09:43:10.631 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

82 09:43:15.638 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449200

83 09:43:15.638 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

84 09:43:20.645 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449201

85 09:43:20.645 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

86 09:43:25.652 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449202

87 09:43:25.652 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

88 09:43:30.659 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449203

89 09:43:30.659 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

90 09:43:35.667 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449204

91 09:43:35.667 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

92 09:43:40.674 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449205

93 09:43:40.674 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

94 09:43:45.681 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449206

95 09:43:45.681 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

96 09:43:50.688 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449207

97 09:43:50.688 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

98 09:43:55.695 11/06/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xxx.xxx.xxx, seq# = 2206449208

99 09:43:55.695 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xxx.xxx.xxx

100 09:44:00.703 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.xxx.xxx.xxx

101 09:44:00.703 11/06/06 Sev=Info/5 IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = D1810E7E INBOUND SPI = A5718438)

102 09:44:00.703 11/06/06 Sev=Info/4 IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=CA88452C

103 09:44:00.703 11/06/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B5FF0852D9162125 R_Cookie=10324ECC25284B52) reason = DEL_REASON_PEER_NOT_RESPONDING

104 09:44:00.703 11/06/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.xxx.xxx.xxx

105 09:44:00.703 11/06/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x388471a5

106 09:44:00.703 11/06/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x388471a5

107 09:44:00.703 11/06/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x7e0e81d1

108 09:44:00.703 11/06/06 Sev=Info/4 IPSEC/0x6370000C
Key deleted by SPI 0x7e0e81d1

109 09:44:01.243 11/06/06 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=B5FF0852D9162125 R_Cookie=10324ECC25284B52) reason = DEL_REASON_PEER_NOT_RESPONDING

110 09:44:01.243 11/06/06 Sev=Info/4 CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

111 09:44:01.243 11/06/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

112 09:44:01.263 11/06/06 Sev=Info/6 CM/0x63100031
Tunnel to headend device xx.xxx.xxx.xxx disconnected: duration: 0 days 0:1:39

113 09:44:01.343 11/06/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

114 09:44:01.354 11/06/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.68 20
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.1 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.68 20
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.1 1
192.168.1.1 192.168.1.1 192.168.1.1 127.0.0.1 10
192.168.1.1 192.168.1.1 192.168.1.1 192.168.1.68 1
192.168.1.68 192.168.1.68 192.168.1.68 127.0.0.1 20
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.1 10
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.68 20
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.1 10
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.68 20
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.1 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.68 1


115 09:44:01.354 11/06/06 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

116 09:44:01.374 11/06/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.68 20
0.0.0.0 0.0.0.0 0.0.0.0 192.168.1.1 1
127.0.0.0 127.0.0.0 127.0.0.0 127.0.0.1 1
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.68 20
192.168.1.0 192.168.1.0 192.168.1.0 192.168.1.1 1
192.168.1.1 192.168.1.1 192.168.1.1 127.0.0.1 10
192.168.1.68 192.168.1.68 192.168.1.68 127.0.0.1 20
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.1 10
192.168.1.255 192.168.1.255 192.168.1.255 192.168.1.68 20
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.1 10
224.0.0.0 224.0.0.0 224.0.0.0 192.168.1.68 20
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.1 1
255.255.255.255 255.255.255.255 255.255.255.255 192.168.1.68 1


117 09:44:01.374 11/06/06 Sev=Info/6 CM/0x63100037
The routing table was returned to orginal state prior to Virtual Adapter

118 09:44:02.996 11/06/06 Sev=Info/4 CM/0x63100035
The Virtual Adapter was disabled

119 09:44:02.996 11/06/06 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

120 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

121 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x63700013
Delete internal key with SPI=0x00000000

122 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

123 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

124 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

125 09:44:02.996 11/06/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

126 09:44:02.996 11/06/06 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:511)

Kind Regards

Kelley Lewis
 
I made a mistake in the access-list statement.

no access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.2.0 255.255.255.0
 
Did you change the vpnpool for your VPN clients? By the looks of the log you haven't. It seems that the Linksys boxes have 192.168.1.1 as interface IP and the first IP of the current pool is 192.168.1.1.

So if you change your vpnpool for your VPN clients and make the changes I suggested, I believe that things will start to work.
 
Hi boymarty24,

I ran the Logs before I read your message.

I tried changing the VPN pool last week, hence the reason it shows up. But I found it didn't make any difference so I changed it back. Do you think that I should use an IP pool that is completely different, with a different subnet also?

I was a bit wary of making the changes you suggested as I use the VPN and have never ever had a problem; my IP setup at home is 10.0.1.x. Please explain what the changes mean.

Thanks for your help with this.

Kind Regards

Kelley Lewis
 


NAT traversal is used when you connect your VPN client from a network running NAT. If you don't have this feature you will be able to connect but not access anything on the network.

Your IKE policy is not complete and that's why I asked you to add isakmp encryption...

And use a completely different subnet to avoid any conflicts.

When you change your vpnpool you need to change the access-list bound to the vpnpool. That's why I asked you to remove the access-lists.

You say that your VPN is working!? That you never had any problems. What do you mean? By the looks of the config it never would have worked since the IKE policy is incomplete.
 
Hi boymarty24,

I use the VPN myself on my work laptop and my home PC and, like I said, I have never had a problem; I get full access to everything I need. I have another guy who uses the VPN with an ADSL modem and he has never had a problem either. The only users that seem to have problems are the 3 people who have the Linksys WAG354G router.



Kind Regards

Kelley Lewis
 
I've applied these commands

no ip local pool vpn_client2
ip local pool vpn_client2 172.20.99.1-172.20.99.11

no vpngroup SALES address-pool vpn_client
vpngroup SALES address-pool vpn_client2

Do I need to change/add anything else?

Kind Regards

Kelley Lewis
 
How about :

no access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 172.20.250.0 255.255.255.0 172.20.99.0 255.255.255.0

Kind Regards

Kelley Lewis
 
That looks fine.

Don't forget to add the isakmp commands as well!

You might need to do a clear xlate or an old-fashioned reboot.
 
Thanks boymarty24, will try it out and let you know how I get on!

Kind Regards

Kelley Lewis
 
boymarty24 thanks for your help - I have been testing it for a while now and everything seems fine!

Kind Regards

Kelley Lewis
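
The two checks this thread converged on (the client address pool must not overlap the remote user's own LAN, and the `nat (inside) 0` access-list must cover whichever pool the vpngroup actually uses) can be run against a saved config before users are affected. The following is an added example, not part of the original posts: the config excerpts are constructed from the lines quoted in the thread, and the function names and the /24 size assumed for the 10.0.1.x home network are assumptions.

```python
import ipaddress
import re

# Constructed excerpts: only the pool, ACL, nat 0 and vpngroup lines from the thread.
CONFIG_BEFORE = """\
access-list nonat permit ip 172.20.250.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpn_client2 192.168.2.1-192.168.2.11
ip local pool vpn_client 192.168.1.1-192.168.1.11
nat (inside) 0 access-list nonat
vpngroup SALES address-pool vpn_client
"""

CONFIG_AFTER = """\
access-list nonat permit ip 172.20.250.0 255.255.255.0 172.20.99.0 255.255.255.0
ip local pool vpn_client2 172.20.99.1-172.20.99.11
nat (inside) 0 access-list nonat
vpngroup SALES address-pool vpn_client2
"""

# LANs the remote users sit on: the Linksys default mentioned in the thread,
# and the poster's home network (prefix length assumed to be /24).
CLIENT_LANS = ["192.168.1.0/24", "10.0.1.0/24"]


def pool_blocks(config):
    """Map each 'ip local pool' name to CIDR blocks covering its first-last range."""
    pools = {}
    for name, first, last in re.findall(
            r"^ip local pool (\S+) ([\d.]+)-([\d.]+)\s*$", config, re.M):
        pools[name] = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pools


def nat0_destinations(config):
    """Return (acl_name, destination networks) for the ACL bound to nat (inside) 0."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)\s*$", config, re.M)
    if not m:
        return None, []
    acl = m.group(1)
    pattern = (rf"^access-list {re.escape(acl)} permit ip "
               r"[\d.]+ [\d.]+ ([\d.]+) ([\d.]+)\s*$")
    dests = [ipaddress.ip_network(f"{dst}/{mask}")
             for dst, mask in re.findall(pattern, config, re.M)]
    return acl, dests


def audit(config, client_lans=CLIENT_LANS):
    """Return (group, pool, issue) tuples; an empty list means both checks pass."""
    lans = [ipaddress.ip_network(n) for n in client_lans]
    pools = pool_blocks(config)
    acl, dests = nat0_destinations(config)
    findings = []
    for group, pool in re.findall(
            r"^vpngroup (\S+) address-pool (\S+)\s*$", config, re.M):
        blocks = pools.get(pool)
        if blocks is None:
            findings.append((group, pool, "pool is not defined"))
            continue
        # Check 1: an address handed to the client must not live on the client's LAN.
        for lan in lans:
            if any(b.overlaps(lan) for b in blocks):
                findings.append((group, pool, f"overlaps client LAN {lan}"))
        # Check 2: every pool address must be a destination in the nat 0 ACL.
        if not all(any(b.subnet_of(d) for d in dests) for b in blocks):
            findings.append((group, pool, f"not covered by nat 0 ACL {acl}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(cfg) or "no findings")
```

Changing the pool without updating the ACL, the intermediate state in the thread, is reported by the second check.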
 