raimondas
join:2005-10-05
Member

Cisco Client VPN Connection Problem Reason 412

I'm trying to set up a connection from my home LAN to the office via VPN, but keep getting this error (see subject).
System setup:
two PCs behind the DI-604 router, one running XP Professional SP1, the other Windows 2000 Professional SP4. Cisco VPN Client, Transport - IPSec over UDP, transparent tunneling enabled.

Router settings:
Connection to ISP via PPPoE, static IP,
IPSec pass-through enabled, PPTP enabled, ports UDP 500, 4500, 10000, TCP 50, 51, 1723, 10000 open.
Latest firmware.

Neither of the PCs can set up the connection; I keep getting
"Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding."
Can't even get the login prompt from the remote VPN server.

Cisco VPN client log:
Cisco Systems VPN Client Version 4.0.3 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

1 10:44:37.957 10/05/05 Sev=Info/4 CM/0x63100002
Begin connection process

2 10:44:38.307 10/05/05 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3 10:44:38.307 10/05/05 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

4 10:44:38.357 10/05/05 Sev=Info/4 CM/0x63100024
Attempt connection with server "xxx.xxx.xxx"

5 10:44:40.711 10/05/05 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.2.3.4.

6 10:44:40.931 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4

7 10:44:40.971 10/05/05 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

8 10:44:40.981 10/05/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

9 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

10 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

11 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

12 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

13 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

14 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

15 10:45:01.190 10/05/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 10:45:01.731 10/05/05 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 10:45:01.731 10/05/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 10:45:01.731 10/05/05 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

19 10:45:01.831 10/05/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

20 10:45:01.841 10/05/05 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

21 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

22 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

23 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

24 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
----------------------------------------------------

Ethereal shows only outbound traffic from me:

No. Time Source Destination Protocol Info
52 5.418701 172.16.1.118 172.16.1.255 UDP Source port: 62514 Destination port: 62514

Frame 52 (50 bytes on wire, 50 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 172.16.1.255 (172.16.1.255)
User Datagram Protocol, Src Port: 62514 (62514), Dst Port: 62514 (62514)
Data (8 bytes)

0000 00 00 a5 4b 01 00 00 01 ...K....

No. Time Source Destination Protocol Info
58 5.833718 172.16.1.118 217.17.85.1 DNS Standard query A xxx.xxx.xxx

Frame 58 (80 bytes on wire, 80 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 217.17.85.1 (217.17.85.1)
User Datagram Protocol, Src Port: 1113 (1113), Dst Port: domain (53)
Domain Name System (query)

No. Time Source Destination Protocol Info
65 6.138434 217.17.85.1 172.16.1.118 DNS Standard query response A 1.2.3.4

Frame 65 (201 bytes on wire, 201 bytes captured)
Ethernet II, Src: D-Link_54:0c:6f (00:13:46:54:0c:6f), Dst: ZonetTec_b1:81:2f (00:50:22:b1:81:2f)
Internet Protocol, Src: 217.17.85.1 (217.17.85.1), Dst: 172.16.1.118 (172.16.1.118)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1113 (1113)
Domain Name System (response)

No. Time Source Destination Protocol Info
67 6.165954 172.16.1.118 1.2.3.4 UDP Source port: 1114 Destination port: 62514

Frame 67 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: 1114 (1114), Dst Port: 62514 (62514)
Data (12 bytes)

0000 00 00 a5 4b 01 00 00 08 00 00 00 00 ...K........

No. Time Source Destination Protocol Info
69 6.289967 172.16.1.118 1.2.3.4 UDP Source port: 1115 Destination port: 62514

Frame 69 (50 bytes on wire, 50 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: 1115 (1115), Dst Port: 62514 (62514)
Data (8 bytes)

0000 00 00 a5 4b 01 00 00 02 ...K....

No. Time Source Destination Protocol Info
83 8.084867 172.16.1.118 1.2.3.4 ISAKMP Aggressive

Frame 83 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
144 13.413955 172.16.1.118 1.2.3.4 ISAKMP Aggressive

Frame 144 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
279 18.789665 172.16.1.118 1.2.3.4 ISAKMP Aggressive

Frame 279 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
333 23.798416 172.16.1.118 1.2.3.4 ISAKMP Aggressive

Frame 333 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
------------------------------------------------------------

UDP port 500 on the remote is open, at least NMapWin says so.

Now what I'm trying to figure out is whether the DI-604 is set up correctly and when/where packets are dropped: on the way to the remote VPN server or on the way back. Could this be the ISP's fault? What settings on the ISP side should be enabled for this connection to work?
I hope the admin on the remote system will assist at some point, but that might take quite a while.

Does anybody have any ideas or suggestions?
Thanks a lot.
raimondas
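An added example, not code from the thread: a small Python script that reads the two artifacts in the post above, the Cisco VPN Client log and the Ethereal summary, and says what they show. The sample text is copied from the post; the parsing and the verdict are mine. It assumes the log layout shown (a header line "seq time date Sev=... MODULE/0xcode" followed by the message on the next line). The security-relevant reading: aggressive-mode message 1 goes out, is retried at fixed intervals, the responder cookie in the "Marking IKE SA for deletion" line is all zeros, and every ISAKMP frame in the capture is outbound, so no Phase 1 reply ever reached the client and the failure is before any authentication happens.

```python
import re
from datetime import datetime

# Constructed sample: the IKE-module lines copied from the Cisco VPN Client log in the post above.
CLIENT_LOG = """\
6 10:44:40.931 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4

9 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

10 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4

11 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

13 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

15 10:45:01.190 10/05/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# Constructed sample: the ISAKMP rows of the Ethereal summary in the post above.
CAPTURE_SUMMARY = """\
83 8.084867 172.16.1.118 1.2.3.4 ISAKMP Aggressive
144 13.413955 172.16.1.118 1.2.3.4 ISAKMP Aggressive
279 18.789665 172.16.1.118 1.2.3.4 ISAKMP Aggressive
333 23.798416 172.16.1.118 1.2.3.4 ISAKMP Aggressive
"""

# Header line: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<n> <MODULE>/<0xcode>"; the message is on the next line.
HEADER_RE = re.compile(r"^\d+\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
                       r"Sev=\w+/\d\s+(?P<module>\w+)/0x[0-9A-Fa-f]+$")
COOKIE_RE = re.compile(r"I_Cookie=(?P<i>[0-9A-Fa-f]{16}) R_Cookie=(?P<r>[0-9A-Fa-f]{16})")


def parse_client_log(text):
    """Return (timestamp, module, message) tuples, pairing each header line with the line after it."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if m and i + 1 < len(lines):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
            events.append((ts, m["module"], lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return events


def diagnose_phase1(events):
    """Decide from the IKE lines whether the peer ever answered the first Phase 1 message."""
    ike = [e for e in events if e[1] == "IKE"]
    sent = [e for e in ike if e[2].startswith("SENDING >>>")]
    received = [e for e in ike if e[2].startswith("RECEIVED <<<")]
    retrans = [e for e in ike if e[2].startswith("Retransmitting")]
    deletion = next((e for e in ike if "Marking IKE SA for deletion" in e[2]), None)
    result = {
        "exchange": "aggressive" if any(" OAK AG " in e[2] for e in sent) else "other",
        "sent": len(sent), "received": len(received), "retransmits": len(retrans),
        "retransmit_interval_s": None, "responder_cookie_zero": None, "reason": None,
    }
    if len(retrans) >= 2:  # spacing of the retries, from the log's own timestamps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(retrans, retrans[1:])]
        result["retransmit_interval_s"] = round(sum(gaps) / len(gaps), 1)
    if deletion:
        c = COOKIE_RE.search(deletion[2])
        if c:  # a responder cookie of all zeros means no IKE packet from the peer was ever accepted
            result["responder_cookie_zero"] = set(c["r"]) == {"0"}
        r = re.search(r"reason = (\w+)", deletion[2])
        result["reason"] = r.group(1) if r else None
    if result["received"]:
        result["verdict"] = "peer answered; Phase 1 failed after the first exchange"
    elif result["responder_cookie_zero"]:
        result["verdict"] = ("no IKE reply reached the client: message 1 went out and was retried, "
                             "but the responder cookie stayed zero, so look at the path or the head-end, not at credentials")
    else:
        result["verdict"] = "no IKE reply logged"
    return result


def isakmp_direction_counts(summary, client_ip):
    """Count ISAKMP rows of an Ethereal/Wireshark summary by direction relative to the client."""
    counts = {"outbound": 0, "inbound": 0}
    for line in summary.splitlines():
        f = line.split()
        if len(f) >= 5 and f[4] == "ISAKMP":
            if f[2] == client_ip:
                counts["outbound"] += 1
            elif f[3] == client_ip:
                counts["inbound"] += 1
    return counts
```

Running `diagnose_phase1(parse_client_log(CLIENT_LOG))` on the posted lines gives one initial send, three retries about 5 seconds apart, zero received IKE messages and a zero responder cookie; `isakmp_direction_counts(CAPTURE_SUMMARY, "172.16.1.118")` gives four outbound and no inbound ISAKMP frames. Together that is the evidence for "dropped on the way out or at the head-end" rather than "rejected by the head-end"; a rejection would show a RECEIVED line or an inbound ISAKMP frame.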

raimondas

Member

In addition, should the router's MTU match the MTU on the Cisco VPN Client?
Currently the Cisco Client has the MTU set to 1300, the router 1492.
sirozha
join:2001-11-18
Kennesaw, GA
Member

to raimondas
1. UDP ports 4500 and 500 have to be open on the remote side (the head-end) where the VPN server is located. Your DI-604 router doesn't need those ports open.

2. You are confusing IPSec Transparent Tunneling (also called NAT Traversal) with IPSec Pass-through. Here are two great links for you to read:

»expertanswercenter.techt ··· ,00.html

»expertanswercenter.techt ··· ,00.html

You may want to disable IPSec Pass-through and use IPSec Transparent Tunneling over UDP (the setting you are using in the Cisco VPN client). If that doesn't work, and you have no control over your head-end (which has to have UDP port 4500 open for IPSec Transparent Tunneling to work), you may want to disable IPSec Transparent Tunneling in the Cisco VPN client and enable IPSec VPN pass-through in your DI-604 router. This way, you will not have to have UDP port 4500 open on the head-end.

3. Which device terminates your tunnel at the head-end?
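An added example, not code from the thread, illustrating the distinction in the reply above between transparent tunneling (NAT-T) and plain IPSec pass-through. The Python below classifies UDP datagrams the way an IPsec peer does (raw ISAKMP on UDP/500; on UDP/4500 the RFC 3948 demux, where a four-zero-byte non-ESP marker precedes IKE, a single 0xFF byte is a NAT keepalive, and anything else is ESP-in-UDP starting with a non-zero SPI) and then checks a head-end reachability list against the client's encapsulation choice. The datagrams are constructed; the initiator cookie is the one from the posted log, and the rule set is the list from the first post written as (protocol, number) tuples. The check makes one thing visible that is easy to miss: ESP is IP protocol 50 and AH is protocol 51, not TCP ports, so without transparent tunneling a "TCP 50" rule does nothing for the tunnel.

```python
import struct

# ISAKMP exchange types (RFC 2408 / RFC 2409), enough to label what the client log calls "OAK AG".
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    i_cookie, r_cookie, next_payload, version, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {
        "i_cookie": i_cookie.hex().upper(),
        "r_cookie": r_cookie.hex().upper(),
        "responder_cookie_zero": r_cookie == bytes(8),  # zero only in the initiator's first message
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "length": length,
    }


def classify_datagram(dst_port, payload):
    """Classify a UDP payload the way an IPsec peer does: raw IKE on 500, RFC 3948 demux on 4500."""
    if dst_port == 500:
        return {"kind": "ike", **parse_isakmp_header(payload)}
    if dst_port == 4500:
        if payload == b"\xff":                      # NAT keepalive (RFC 3948 section 4)
            return {"kind": "nat-keepalive"}
        if payload[:4] == b"\x00\x00\x00\x00":       # non-ESP marker in front of IKE
            return {"kind": "ike", **parse_isakmp_header(payload[4:])}
        if len(payload) >= 8:                        # otherwise ESP-in-UDP; first word is a non-zero SPI
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def missing_headend_openings(reachable, transparent_tunneling, udp_encap_port=4500):
    """Return what the head-end must still accept, given how the client encapsulates.

    `reachable` is a set of ("udp"|"tcp", port) or ("ip", protocol) tuples. With transparent
    tunneling both IKE and ESP travel over UDP; without it ESP is sent as IP protocol 50,
    which no TCP or UDP port rule can admit.
    """
    needed = {("udp", 500)}
    needed.add(("udp", udp_encap_port) if transparent_tunneling else ("ip", 50))
    return sorted(needed - set(reachable))


# Constructed datagrams. The IKE one reuses the initiator cookie from the posted log; the payloads after
# the header are omitted, and the length field is the 866 bytes left of a 908-byte frame after 42 bytes
# of Ethernet/IP/UDP headers.
IKE_AG_MSG1 = struct.pack("!8s8sBBBBII", bytes.fromhex("4127BBA15702F2A3"), bytes(8),
                          1,     # next payload: SA
                          0x10,  # ISAKMP version 1.0
                          4,     # exchange type: Aggressive
                          0,     # flags: not encrypted, no commit
                          0,     # message ID: 0 during Phase 1
                          866)
NATT_IKE = b"\x00\x00\x00\x00" + IKE_AG_MSG1                   # the same message as it would appear on UDP/4500
NATT_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 24    # ESP-in-UDP: SPI, sequence number, ciphertext
NAT_KEEPALIVE = b"\xff"

# The rule list from the first post, as ("proto", number) tuples. "TCP 50" and "TCP 51" are TCP ports,
# which is not the same thing as IP protocols 50 (ESP) and 51 (AH).
POSTED_RULES = {("udp", 500), ("udp", 4500), ("udp", 10000),
                ("tcp", 50), ("tcp", 51), ("tcp", 1723), ("tcp", 10000)}
```

With the posted rule set, `missing_headend_openings(POSTED_RULES, transparent_tunneling=True)` returns nothing missing, while `missing_headend_openings(POSTED_RULES, transparent_tunneling=False)` returns `[("ip", 50)]`: the pass-through path needs ESP itself to be forwarded, which a port list cannot express. Standards-based NAT-T uses UDP/4500; the Cisco client's "IPSec over UDP" transparent-tunneling option uses a port configured on the concentrator (10000 by default), so pass `udp_encap_port=10000` when checking that mode.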