Welcome to ISAserver.org
Cisco VPN Client OUT thru ISA 2006
Cisco VPN Client OUT thru ISA 2006 - 3.Oct.2007 10:07:25 AM
rliberty
Posts: 4
Joined: 3.Oct.2007
Status: offline
|
Hey everyone, new to the forum, but not to ISA... I'm having issues configuring a Cisco VPN client behind our ISA box, out to establish a connection. I have a rule set up to allow IKE Client & IPSec NAT-T Client from our internal network to the IP of the destination VPN Server for all users. Here is the client log...

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

197 09:58:18.365 10/03/07 Sev=Info/4 CM/0x63100002 Begin connection process
198 09:58:18.415 10/03/07 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully
199 09:58:18.415 10/03/07 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
200 09:58:18.415 10/03/07 Sev=Info/4 CM/0x63100024 Attempt connection with server "161.xxx.xxx.xxx" VPN Destination
201 09:58:19.419 10/03/07 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 161.xxx.xxx.xxx.
202 09:58:19.470 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.xxx.xxx.xxx
203 09:58:19.470 10/03/07 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
204 09:58:19.470 10/03/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
205 09:58:21.377 10/03/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 10.7.xxx.xxx ISA Server
206 09:58:21.377 10/03/07 Sev=Warning/2 IKE/0xE300009B Packet is received from unknown peer (IKE_MAIN:286)
207 09:58:24.580 10/03/07 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
208 09:58:24.580 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 161.xxx.xxx.xxx
209 09:58:25.383 10/03/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 10.7.xxx.xxx
210 09:58:25.383 10/03/07 Sev=Warning/2 IKE/0xE300009B Packet is received from unknown peer (IKE_MAIN:286)
211 09:58:29.599 10/03/07 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
212 09:58:29.599 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 161.xxx.xxx.xxx
213 09:58:33.404 10/03/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 10.7.xxx.xxx
214 09:58:33.404 10/03/07 Sev=Warning/2 IKE/0xE300009B Packet is received from unknown peer (IKE_MAIN:286)
215 09:58:34.619 10/03/07 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
216 09:58:34.619 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 161.223.92.38
217 09:58:39.639 10/03/07 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=B6EC5D3B79829029 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
218 09:58:40.141 10/03/07 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=B6EC5D3B79829029 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
219 09:58:40.141 10/03/07 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "161.223.92.38" because of "DEL_REASON_PEER_NOT_RESPONDING"
220 09:58:40.141 10/03/07 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
221 09:58:40.141 10/03/07 Sev=Info/6 CM/0x63100046 Set tunnel established flag in registry to 0.
222 09:58:40.141 10/03/07 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
223 09:58:40.151 10/03/07 Sev=Info/4 IKE/0x63000086 Microsoft IPSec Policy Agent service started successfully
224 09:58:40.653 10/03/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
225 09:58:40.653 10/03/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
226 09:58:40.653 10/03/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
227 09:58:40.653 10/03/07 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

Any thoughts to where I can look next? Thank you!
RE: Cisco VPN Client OUT thru ISA 2006 - 4.Oct.2007 10:54:20 AM
rliberty
Posts: 4
Joined: 3.Oct.2007
Status: offline
|
Thank you, I actually found and used those exact directions to set up the access rule about a week ago. The only part I'm unsure of is the SecureNet part. Is there somewhere in the client that I'm missing? I'm running 4.8.01.0300
RE: Cisco VPN Client OUT thru ISA 2006 - 4.Oct.2007 1:17:48 PM
elmajdal
Posts: 5061
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
|
quote:
The only part I'm unsure of is the SecureNet part

To set your client as a SecureNet client, configure its default gateway to point to ISA Server Internal IP.
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: Cisco VPN Client OUT thru ISA 2006 - 19.Oct.2007 3:26:40 PM
rliberty
Posts: 4
Joined: 3.Oct.2007
Status: offline
|
Thank you for your response. Even setting the client to SecureNet does not allow the connection. Doing a query on the originating IP, it appears a rule 24 positions below the VPN rule I've created is stopping the traffic. It's labeled as internal access, and it allows all outbound traffic from internal to internal & local host to local host. From what I'm told that rule is in place to allow traffic to pass thru multiple subnets and cannot be changed. I can't figure out why the client is bypassing the top rule... could it be too specific?
RE: Cisco VPN Client OUT thru ISA 2006 - 20.Oct.2007 5:44:13 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hey guys, looking through the Cisco VPN client log I see:

quote:
Attempt connection with server "161.xxx.xxx.xxx" VPN Destination
201 09:58:19.419 10/03/07 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 161.xxx.xxx.xxx.
202 09:58:19.470 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 161.xxx.xxx.xxx
...
Received ISAKMP packet: peer = 10.7.xxx.xxx ISA Server
206 09:58:21.377 10/03/07 Sev=Warning/2 IKE/0xE300009B Packet is received from unknown peer (IKE_MAIN:286)
207 09:58:24.580 10/03/07 Sev=Info/4 IKE/0x63000021

Why does 10.7.xxx.xxx respond instead of 161.xxx.xxx.xxx? That doesn't seem right to me!

HTH, Stefaan
< Message edited by spouseele -- 20.Oct.2007 5:47:24 AM >
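
The mismatch raised in the post above (ISAKMP replies arriving from 10.7.xxx.xxx while the client only ever sent to 161.xxx.xxx.xxx) can be checked mechanically against a client log. The following Python is an added example, not part of the original thread or of any Cisco tool; the function names are hypothetical and the sample log is constructed with documentation addresses.

```python
import re

# Header of one VPN client log entry: sequence, time, date, severity, module/code.
ENTRY = re.compile(
    r"(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/\d\s+(?P<mod>\w+)/0x[0-9A-Fa-f]+\s+"
)
ADDR = r"(\d{1,3}(?:\.(?:\d{1,3}|xxx)){3})"  # also accepts masked octets
SENT = re.compile(r"SENDING >>> ISAKMP .* to " + ADDR)
RECV = re.compile(r"Received ISAKMP packet: peer = " + ADDR)

def parse_entries(text):
    """Yield (seq, time, message); works with one entry per line or entries run together."""
    heads = list(ENTRY.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield int(h["seq"]), h["time"], text[h.end():end].strip()

def unexpected_peers(text):
    """Return (seq, time, peer) for ISAKMP packets from an address the client never sent to."""
    sent_to, findings = set(), []
    for seq, time, msg in parse_entries(text):
        if m := SENT.search(msg):
            sent_to.add(m.group(1))
        elif m := RECV.search(msg):
            if m.group(1) not in sent_to:
                findings.append((seq, time, m.group(1)))
    return findings

# Constructed sample in the same layout as the client log (documentation addresses).
SAMPLE = """\
201 09:58:19.419 10/03/07 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 203.0.113.10.
202 09:58:19.470 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Nat-T)) to 203.0.113.10
205 09:58:21.377 10/03/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 10.7.0.1
206 09:58:21.377 10/03/07 Sev=Warning/2 IKE/0xE300009B Packet is received from unknown peer (IKE_MAIN:286)
208 09:58:24.580 10/03/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 203.0.113.10
209 09:58:25.383 10/03/07 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 10.7.0.1
"""

if __name__ == "__main__":
    for seq, time, peer in unexpected_peers(SAMPLE):
        print(f"entry {seq} at {time}: ISAKMP reply from unexpected peer {peer}")
```

A non-empty result means something on the path is answering IKE in place of the intended VPN server, which is the condition the client reports as "Packet is received from unknown peer".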
RE: Cisco VPN Client OUT thru ISA 2006 - 22.Oct.2007 10:03:42 AM
rliberty
Posts: 4
Joined: 3.Oct.2007
Status: offline
|
Exactly... from what I can tell, the Internal Access rule is bouncing the traffic around, so it's failing completely.
RE: Cisco VPN Client OUT thru ISA 2006 - 22.Oct.2007 4:30:31 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
|
Hi Rich, can you show us a little network diagram so we can better understand your environment? Thanks, Stefaan
RE: Cisco VPN Client OUT thru ISA 2006 - 25.Oct.2007 5:11:44 PM
ClintD
Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
|
I was wondering if perhaps you've created a server publishing rule for UDP 500 and UDP 4500 that is intercepting the traffic? That's the only way I can see the ISA's IP address being used for the response traffic. Just a wild a$$ guess on my part though.