Cisco Client VPN Connection Problem Reason 412
I'm trying to set up a connection from my home LAN to the office via VPN, but keep getting this error (subj). System setup: two PCs behind the DI-604 router, one running XP Professional SP1, the other W2000 Professional SP4. Cisco VPN Client, Transport - IPSec over UDP, transparent tunneling enabled.
Router settings: Connection to ISP via PPPoE, static IP, IPSec pass through enabled, PPTP enabled, ports UDP 500, 4500, 10000, TCP 50, 51, 1723, 10000 open. Latest firmware.
Neither of the PCs can set up the connection; I keep getting "Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding." Can't even get the login prompt from the remote VPN server.
Cisco VPN client log:
Cisco Systems VPN Client Version 4.0.3 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195
1 10:44:37.957 10/05/05 Sev=Info/4 CM/0x63100002 Begin connection process
2 10:44:38.307 10/05/05 Sev=Info/4 CVPND/0xE3400001 Microsoft IPSec Policy Agent service stopped successfully
3 10:44:38.307 10/05/05 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
4 10:44:38.357 10/05/05 Sev=Info/4 CM/0x63100024 Attempt connection with server "xxx.xxx.xxx"
5 10:44:40.711 10/05/05 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 1.2.3.4.
6 10:44:40.931 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4
7 10:44:40.971 10/05/05 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
8 10:44:40.981 10/05/05 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
9 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
10 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
11 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
12 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
13 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
14 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
15 10:45:01.190 10/05/05 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 10:45:01.731 10/05/05 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 10:45:01.731 10/05/05 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 10:45:01.731 10/05/05 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
19 10:45:01.831 10/05/05 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
20 10:45:01.841 10/05/05 Sev=Info/4 IKE/0x63000085 Microsoft IPSec Policy Agent service started successfully
21 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
22 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
23 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
24 10:45:01.841 10/05/05 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
----------------------------------------------------
Ethereal shows only outbound traffic from me:
No. Time Source Destination Protocol Info
52 5.418701 172.16.1.118 172.16.1.255 UDP Source port: 62514 Destination port: 62514
Frame 52 (50 bytes on wire, 50 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 172.16.1.255 (172.16.1.255)
User Datagram Protocol, Src Port: 62514 (62514), Dst Port: 62514 (62514)
Data (8 bytes)
0000 00 00 a5 4b 01 00 00 01 ...K....

No. Time Source Destination Protocol Info
58 5.833718 172.16.1.118 217.17.85.1 DNS Standard query A xxx.xxx.xxx
Frame 58 (80 bytes on wire, 80 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 217.17.85.1 (217.17.85.1)
User Datagram Protocol, Src Port: 1113 (1113), Dst Port: domain (53)
Domain Name System (query)

No. Time Source Destination Protocol Info
65 6.138434 217.17.85.1 172.16.1.118 DNS Standard query response A 1.2.3.4
Frame 65 (201 bytes on wire, 201 bytes captured)
Ethernet II, Src: D-Link_54:0c:6f (00:13:46:54:0c:6f), Dst: ZonetTec_b1:81:2f (00:50:22:b1:81:2f)
Internet Protocol, Src: 217.17.85.1 (217.17.85.1), Dst: 172.16.1.118 (172.16.1.118)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1113 (1113)
Domain Name System (response)

No. Time Source Destination Protocol Info
67 6.165954 172.16.1.118 1.2.3.4 UDP Source port: 1114 Destination port: 62514
Frame 67 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: 1114 (1114), Dst Port: 62514 (62514)
Data (12 bytes)
0000 00 00 a5 4b 01 00 00 08 00 00 00 00 ...K........

No. Time Source Destination Protocol Info
69 6.289967 172.16.1.118 1.2.3.4 UDP Source port: 1115 Destination port: 62514
Frame 69 (50 bytes on wire, 50 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: 1115 (1115), Dst Port: 62514 (62514)
Data (8 bytes)
0000 00 00 a5 4b 01 00 00 02 ...K....

No. Time Source Destination Protocol Info
83 8.084867 172.16.1.118 1.2.3.4 ISAKMP Aggressive
Frame 83 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
144 13.413955 172.16.1.118 1.2.3.4 ISAKMP Aggressive
Frame 144 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
279 18.789665 172.16.1.118 1.2.3.4 ISAKMP Aggressive
Frame 279 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

No. Time Source Destination Protocol Info
333 23.798416 172.16.1.118 1.2.3.4 ISAKMP Aggressive
Frame 333 (908 bytes on wire, 908 bytes captured)
Ethernet II, Src: ZonetTec_b1:81:2f (00:50:22:b1:81:2f), Dst: D-Link_54:0c:6f (00:13:46:54:0c:6f)
Internet Protocol, Src: 172.16.1.118 (172.16.1.118), Dst: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
------------------------------------------------------------
Port UDP 500 on remote is open, at least NMapWin says so.
Now what I'm trying to figure out is whether the DI-604 is set up correctly and when/where packets are dropped - on the way to the remote VPN server or on the way back. Could this be the ISP's fault - what settings on the ISP side should be enabled for this connection to work? I hope the admin on the remote system will assist sometime, but that might take quite a while.
Does anybody have any ideas or suggestions? Thanks a lot.
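Added example (not part of the original post): a small Python parser for the client log format quoted above that counts IKE sends, retransmissions and replies, and checks whether a responder cookie was ever recorded. The `RECEIVING <<<` marker for inbound messages is an assumption; it does not appear in the post's log.

```python
import re

# Entries 6 and 9-15 of the Cisco VPN Client log quoted in the post above.
LOG = """\
6 10:44:40.931 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 1.2.3.4
9 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
10 10:44:46.169 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
11 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
12 10:44:51.176 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
13 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
14 10:44:56.183 10/05/05 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 1.2.3.4
15 10:45:01.190 10/05/05 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=4127BBA15702F2A3 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

# seq, time, date, severity/level, component/event id, message
ENTRY = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d+)"
                   r"\s+(\w+)/(0x[0-9A-Fa-f]+)\s+(.*)$")
COOKIES = re.compile(r"I_Cookie=([0-9A-Fa-f]{16}) R_Cookie=([0-9A-Fa-f]{16})")


def parse(log):
    """Yield (component, message) for every well-formed log entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(6), m.group(8)


def diagnose(log):
    """Summarise the IKE Phase 1 attempt recorded in a client log."""
    ike = [msg for comp, msg in parse(log) if comp == "IKE"]
    sent = sum("SENDING >>>" in m for m in ike)
    # Assumption: inbound IKE messages are logged with "RECEIVING <<<".
    received = sum("RECEIVING <<<" in m for m in ike)
    retransmits = sum(m.startswith("Retransmitting") for m in ike)
    cookies = [c.groups() for c in map(COOKIES.search, ike) if c]
    # An all-zero responder cookie means no reply from the peer was processed.
    responder_seen = any(int(r, 16) != 0 for _, r in cookies)
    # "no_reply": every send went unanswered. The client log alone cannot
    # tell whether the request or the response was dropped on the path.
    verdict = "no_reply" if received == 0 and not responder_seen else "peer_replied"
    return {"sent": sent, "retransmits": retransmits, "received": received,
            "responder_seen": responder_seen, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(LOG))
```

A `no_reply` verdict matches the capture in the post, where only outbound ISAKMP frames appear; a capture taken on the WAN side of the router or at the VPN server is needed to locate the drop.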