12-19-2006 07:35 AM
This is my network setup:
internet--- linksys firewall--cisco pix--myLAN
I have a Cisco PIX 501 with IOS 6.3(4)
and am running Cisco VPN client 4.6.04. The config is IPSEC over UDP.
I have a Linksys firewall behind which the PIX sits. I have forwarded UDP
port 4500, 500, TCP 10000 to the PIX. For some reason the VPN client
connects from some internet connections and from some it does not, and I
do not get any error messages.
Funny thing is, when I reboot my Linksys firewall I am able to connect using the VPN client, but after about a few hours it stops connecting again; then if I reboot the Linksys firewall it will connect.
I have attached the log file from the vpn client, when it was not
connecting. Thanks for the help.
RTR
--------------------------------------------------------------------------------------------------------------------------
1 23:42:27.997 12/14/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 71.78.123.220.
2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220
3 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4 23:42:28.037 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
5 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
7 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
8 23:42:38.041 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
9 23:42:43.048 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 23:42:43.048 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
11 23:42:48.055 12/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
12 23:42:48.556 12/14/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
13 23:42:48.596 12/14/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
14 23:42:48.626 12/14/06 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
15 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
16 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
17 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
18 23:42:49.067 12/14/06 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
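
Added example, not part of the original post: a small Python parser for the Cisco VPN Client log format shown above. It counts IKE packets in each direction and flags the case seen in this log, where the SA is dropped with R_Cookie still all zeros, meaning no reply from the peer ever reached the client. The function names are illustrative, and the sample input is entries 2, 5, 6 and 11 from the log above.

```python
import re

# Header line of one log entry: "<n> <time> <date> Sev=<sev> <module>/<code>"
ENTRY = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
COOKIES = re.compile(r"I_Cookie=([0-9A-F]{16})\s+R_Cookie=([0-9A-F]{16})")

# Sample input: entries 2, 5, 6 and 11 of the log in the post above.
SAMPLE = """\
2 23:42:28.017 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 71.78.123.220
5 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
6 23:42:33.034 12/14/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 71.78.123.220
11 23:42:48.055 12/14/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=7C22991E7FF28FA8
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_entries(text):
    """Join each entry header with its wrapped message lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "module": m.group(5), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(text):
    """Count IKE traffic per direction and flag a peer that never answered."""
    ike = [e for e in parse_entries(text) if e["module"] == "IKE"]
    sent = sum(e["msg"].startswith("SENDING >>>") for e in ike)
    # Inbound IKE packets are logged by the client as "RECEIVING <<< ..."
    received = sum(e["msg"].startswith("RECEIVING <<<") for e in ike)
    retrans = sum("(Retransmission)" in e["msg"] for e in ike)
    r_cookies = {m.group(2) for e in ike for m in [COOKIES.search(e["msg"])] if m}
    gave_up = any("DEL_REASON_PEER_NOT_RESPONDING" in e["msg"] for e in ike)
    # An all-zero responder cookie means no responder packet was ever processed.
    no_reply = gave_up and received == 0 and r_cookies <= {"0" * 16}
    return {"sent": sent, "received": received,
            "retransmissions": retrans, "no_reply_from_peer": no_reply}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `no_reply_from_peer` set points at the path between client and PIX (port forwarding, NAT state, filtering) rather than at a policy or authentication mismatch, which would show at least one inbound packet.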
12-26-2006 08:23 AM
Check the lifetime of ISAKMP and SA in the PIX.
Try this link:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp32082
Also check the bug ID: CSCeg30023
01-03-2007 01:36 PM
Hi,
You should allow UDP 10000, not TCP. Try manually setting the MTU on the Cisco VPN client (SetMTU to 1300 or 1200). As well, if no NAT is performed, allow IP 50 (ESP). Full list: UDP 500, 4500, 10000; ICMP; IP 50.
Rate if this helped.
Daniel