We encountered Cisco VPN client (Cisco Systems VPN Client Version 5.0.07.0440)
connection issues in the last couple days after I've upgraded to
2.1.2-RELEASE (amd64) recently.
The issues disappear when client connects though a different gateway
(an ADSL Fritzbox 7270 with latest firmware).
I suspect IPsec regression in pfSense, or, alternatively, some
undocumented changes on our ISP's side in the last couple months.
It would be nice if some IPsec cognoscenti could help isolate
the exact point of trouble. I'd rather not regress the firewall
to diagnose since it's in production.
I've included some (hopefully sufficiently sanitized) IPsec client
attempted connection log.
Any ideas what is going wrong here?
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
1 09:57:47.204 04/25/14 Sev=Info/4 CM/0x63100002
Begin connection process
2 09:57:47.210 04/25/14 Sev=Info/4 CM/0x63100004
Establish secure connection
3 09:57:47.210 04/25/14 Sev=Info/4 CM/0x63100024
Attempt connection with server "vpn.xxxxxxx.com"
4 09:57:47.214 04/25/14 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xxxxxx.10.10.
5 09:57:47.219 04/25/14 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 09:57:47.225 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag),
VID(Nat-T), VID(Unity)) to xxxxxxx.10.10
7 09:57:47.252 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxxxx10.10
8 09:57:47.252 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth),
VID(dpd), VID(Frag), VID(?)) from xxxxxx10.10
9 09:57:47.253 04/25/14 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
10 09:57:47.253 04/25/14 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
11 09:57:47.253 04/25/14 Sev=Info/5 IKE/0x63000001
Peer supports DPD
12 09:57:47.253 04/25/14 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
13 09:57:47.259 04/25/14 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
14 09:57:47.259 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?),
VID(Unity)) to xxxxxxx.10.10
15 09:57:47.259 04/25/14 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xE7FD, Remote Port = 0x01F4
16 09:57:47.259 04/25/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in
the system
17 09:57:47.282 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxxx10.10
18 09:57:47.282 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxxxxxx10.10
19 09:57:47.282 04/25/14 Sev=Info/4 CM/0x63100015
Launch xAuth application
20 09:57:47.284 04/25/14 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
21 09:57:47.487 04/25/14 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
22 09:57:47.487 04/25/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 09:57:55.445 04/25/14 Sev=Info/4 CM/0x63100017
xAuth application returned
24 09:57:55.445 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxxxxx10.10
25 09:57:55.487 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxx10.10
26 09:57:55.487 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxxxxxx10.10
27 09:57:55.487 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxxxxxx10.10
28 09:57:55.487 04/25/14 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in
the system
29 09:57:55.490 04/25/14 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
30 09:57:55.490 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxxxxx10.10
31 09:57:57.627 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to xxxxxxx10.10
32 09:57:57.627 04/25/14 Sev=Info/6 IKE/0x63000053
Sent a keepalive on the IKE SA
33 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxx10.10
34 09:57:57.979 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxxxxx10.10
35 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.254.251.30
36 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
37 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = xxxxxxxx67.135
38 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = xxxxxx67.234
39 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value =
xxxxxxx.64.55
40 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Welcome to Springer.
Your device must have up to date Anti Malware software, otherwise you are
required to disconnect!
41 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
42 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets),
value = 0x00000005
43 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.20.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
44 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #2
subnet = xxxxxxxx0.31
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
45 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #3
subnet = xxxxxxxx67.234
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
46 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #4
subnet = xxxxxxxx5.44
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
47 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #5
subnet = 10.9.0.86
mask = 255.255.255.255
protocol = 0
src port = 0
dest port=0
48 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = xxxxxxxxxx.com
49 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
50 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc
ASA5520 Version 9.0(3) built by builders on Fri 19-Jul-13 16:37
51 09:57:57.979 04/25/14 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value
= 0x00000001
52 09:57:57.981 04/25/14 Sev=Info/4 CM/0x63100019
Mode Config data received
53 09:57:57.986 04/25/14 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.254.251.30, GW IP =
xxxxxx10.10, Remote IP = 0.0.0.0
54 09:57:57.986 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxxxxxx.10.10
55 09:57:58.011 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxx10.10
56 09:57:58.011 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from
xxxxxxxx10.10
57 09:57:58.011 04/25/14 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
58 09:57:58.011 04/25/14 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 11 seconds, setting expiry to 86389 seconds
from now
59 09:57:58.015 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxxx10.10
60 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from xxxxxxx.10.10
61 09:57:58.015 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxxxx10.10
62 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from xxxxxxxx.10.10
63 09:57:58.015 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxxx.10.10
64 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from xxxxxxx.10.10
65 09:57:58.015 04/25/14 Sev=Info/5 IKE/0x63000073
All fragments received.
66 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from xxxxxxxx10.10
67 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xxxxxxxxx10.10
68 09:57:58.015 04/25/14 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=4735BD4F
69 09:57:58.016 04/25/14 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=D409664D2BDFA02B
R_Cookie=5E9333E20ED46093) reason = DEL_REASON_IKE_NEG_FAILED
70 09:57:58.017 04/25/14 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxxxxxx10.10
71 09:57:58.017 04/25/14 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=D409664D2BDFA02B
R_Cookie=5E9333E20ED46093
72 09:57:58.017 04/25/14 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from xxxxxxxx10.10
73 09:57:58.131 04/25/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
74 09:58:01.169 04/25/14 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D409664D2BDFA02B
R_Cookie=5E9333E20ED46093) reason = DEL_REASON_IKE_NEG_FAILED
75 09:58:01.169 04/25/14 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by
"DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE
SA in the system
76 09:58:01.169 04/25/14 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
77 09:58:01.175 04/25/14 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
78 09:58:01.175 04/25/14 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
79 09:58:01.178 04/25/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
80 09:58:01.178 04/25/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
81 09:58:01.179 04/25/14 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
82 09:58:01.179 04/25/14 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
