Discussion:
[vpn-help] Can't connect to Cisco ASA that worked fine yesterday
Nathan Stone
2014-03-20 20:59:42 UTC
I have an issue with Shrewsoft that seems to have happened overnight. Connecting to a Cisco ASA 5510. Was working yesterday and now today it connects, but after 33 seconds I get the message "session terminated by gateway".

I am running Windows 8.1, have a remote staff person that uses this all day long and it is doing the same for her. She has Windows 8. As a test I installed the client on a Windows 7 32bit install and I get the same behavior. From a different Windows 7 computer, with the Cisco client I can connect just fine.

I checked Windows updates and nothing has been installed.

Logged in to the ASA. Nothing has changed in months and the last time it was rebooted was almost 200 days ago. I rebooted it anyway to see if that would help, but it doesn't.

I have another client with a Cisco ASA 5505 and I can still connect to their IPSec VPN. So it is something with this particular firewall and ShrewSoft combination. I created another VPN on this firewall and it is doing the same thing.

Here is what shows in the ShrewSoft VPN Connect tab

config loaded for site 'OSM'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
session terminated by gateway
tunnel disabled
detached from key daemon


If I switch to the Network tab, under Security Associations it shows Failed - 2.

I am at a loss, anyone have any ideas at all?

Nathan
Alexis La Goutte
2014-03-21 13:46:43 UTC
Hi Nathan,

You need to check the gateway log; there is a reason there for the session
being terminated by the gateway. (Also check the Shrew log.)

Regards,
_______________________________________________
vpn-help mailing list
vpn-help at lists.shrew.net
https://lists.shrew.net/mailman/listinfo/vpn-help
Nathan Stone
2014-03-26 22:32:22 UTC
I was finally able to get back and grab some logs from both the ASA and the Shrew Client. I sanitized the External IP and the VPN Group information; otherwise everything is intact. I am not sure exactly what I am looking for or how to decipher everything. Would anyone else be willing to spend a few minutes looking this over and seeing if anything jumps out at you?


Logs from the ASA when ShrewSoft client tries to connect (reads from bottom to top). Same results with Windows 7 and 8.
4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
4|Mar 26 2014|14:23:39|713903|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Error: Unable to remove PeerTblEntry
3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:23:07|713184|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 4.8.01.0300
5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5



Windows 7 using Cisco VPN client. Connects fine.
5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713049|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Security negotiation complete for User (back) Responder, Inbound SPI = 0x07abbaa7, Outbound SPI = 0xd76b1221
6|Mar 26 2014|14:35:43|602303|IPSEC: An outbound remote access SA (SPI= 0xD76B1221) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713075|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
6|Mar 26 2014|14:35:43|713228|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:35:43|713184|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 5.0.07.0440
5|Mar 26 2014|14:35:43|713130|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5


Logs from ShrewSoft VPN Trace - IKE Service (Level output = Errors)
10 May 2012
14/03/26 15:02:18 !! : unable to connect to pfkey interface
14/03/26 15:02:24 !! : invalid private netmask, defaulting to 255.255.255.0
14/03/26 15:02:32 !! : config packet ignored ( config already mature )
14/03/26 15:02:40 !! : config packet ignored ( config already mature )
14/03/26 15:02:48 !! : config packet ignored ( config already mature )


Logs from ShrewSoft VPN Trace - IKE Service (Level output = Informational)
14/03/26 15:23:18 ## : IKE Daemon, ver 2.2.2
14/03/26 15:23:18 ## : Copyright 2013 Shrew Soft Inc.
14/03/26 15:23:18 ## : This product linked OpenSSL 1.0.1c 10 May 2012
14/03/26 15:23:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
14/03/26 15:23:18 ii : rebuilding vnet device list ...
14/03/26 15:23:18 ii : device ROOT\VNET\0000 disabled
14/03/26 15:23:18 ii : network process thread begin ...
14/03/26 15:23:18 ii : pfkey process thread begin ...
14/03/26 15:23:18 ii : ipc server process thread begin ...
14/03/26 15:23:25 ii : ipc client process thread begin ...
14/03/26 15:23:25 <A : peer config add message
14/03/26 15:23:25 <A : proposal config message
14/03/26 15:23:25 <A : proposal config message
14/03/26 15:23:25 <A : client config message
14/03/26 15:23:25 <A : xauth username message
14/03/26 15:23:25 <A : xauth password message
14/03/26 15:23:25 <A : local id 'XXXXXX' message
14/03/26 15:23:25 <A : preshared key message
14/03/26 15:23:25 <A : peer tunnel enable message
14/03/26 15:23:25 ii : local supports XAUTH
14/03/26 15:23:25 ii : local supports nat-t ( draft v00 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v01 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v02 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v03 )
14/03/26 15:23:25 ii : local supports nat-t ( rfc )
14/03/26 15:23:25 ii : local supports DPDv1
14/03/26 15:23:25 ii : local is SHREW SOFT compatible
14/03/26 15:23:25 ii : local is NETSCREEN compatible
14/03/26 15:23:25 ii : local is SIDEWINDER compatible
14/03/26 15:23:25 ii : local is CISCO UNITY compatible
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:0000000000000000
14/03/26 15:23:25 >= : message 00000000
14/03/26 15:23:25 ii : processing phase1 packet ( 440 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message 00000000
14/03/26 15:23:25 ii : matched isakmp proposal #1 transform #14
14/03/26 15:23:25 ii : - transform = ike
14/03/26 15:23:25 ii : - cipher type = 3des
14/03/26 15:23:25 ii : - key length = default
14/03/26 15:23:25 ii : - hash type = sha1
14/03/26 15:23:25 ii : - dh group = group2 ( modp-1024 )
14/03/26 15:23:25 ii : - auth type = xauth-initiator-psk
14/03/26 15:23:25 ii : - life seconds = 86400
14/03/26 15:23:25 ii : - life kbytes = 0
14/03/26 15:23:25 ii : phase1 id target is any
14/03/26 15:23:25 ii : phase1 id match
14/03/26 15:23:25 ii : received = ipv4-host 1.2.3.4
14/03/26 15:23:25 ii : peer is CISCO UNITY compatible
14/03/26 15:23:25 ii : peer supports XAUTH
14/03/26 15:23:25 ii : peer supports DPDv1
14/03/26 15:23:25 ii : peer supports nat-t ( draft v02 )
14/03/26 15:23:25 ii : nat discovery - local address is translated
14/03/26 15:23:25 ii : switching to src nat-t udp port 4500
14/03/26 15:23:25 ii : switching to dst nat-t udp port 4500
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 00000000
14/03/26 15:23:25 ii : phase1 sa established
14/03/26 15:23:25 ii : 1.2.3.4:4500 <-> 192.168.246.115:4500
14/03/26 15:23:25 ii : ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 ii : sending peer INITIAL-CONTACT notification
14/03/26 15:23:25 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:25 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 ii : - data size 0
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 09fa64cc
14/03/26 15:23:25 ii : processing config packet ( 76 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message a15d44a7
14/03/26 15:23:25 ii : - xauth authentication type
14/03/26 15:23:25 ii : - xauth username
14/03/26 15:23:25 ii : - xauth password
14/03/26 15:23:25 ii : received basic xauth request -
14/03/26 15:23:25 ii : - standard xauth username
14/03/26 15:23:25 ii : - standard xauth password
14/03/26 15:23:25 ii : sending xauth response for back
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message a15d44a7
14/03/26 15:23:25 ii : processing config packet ( 68 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message a8ef0bbf
14/03/26 15:23:25 ii : received xauth result -
14/03/26 15:23:25 ii : user back authentication succeeded
14/03/26 15:23:25 ii : sending xauth acknowledge
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message a8ef0bbf
14/03/26 15:23:25 ii : building config attribute list
14/03/26 15:23:25 ii : sending config pull request
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 9fc87ac5
14/03/26 15:23:25 ii : processing config packet ( 220 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message 9fc87ac5
14/03/26 15:23:25 ii : received config pull response
14/03/26 15:23:25 !! : invalid private netmask, defaulting to 255.255.255.0
14/03/26 15:23:25 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
14/03/26 15:23:26 ii : created NONE policy route for 1.2.3.4/32
14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
14/03/26 15:23:26 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
14/03/26 15:23:26 ii : creating IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
14/03/26 15:23:26 ii : created IPSEC policy route for 10.0.0.0/8
14/03/26 15:23:26 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:26 >= : message 0c659a3f
14/03/26 15:23:26 ii : split DNS is disabled
14/03/26 15:23:29 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:29 >= : message 2a54a656
14/03/26 15:23:31 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:33 ii : processing config packet ( 220 bytes )
14/03/26 15:23:33 !! : config packet ignored ( config already mature )
14/03/26 15:23:34 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:36 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:39 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:40 ii : sending peer DPDV1-R-U-THERE notification
14/03/26 15:23:40 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:40 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:40 ii : - data size 4
14/03/26 15:23:40 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:40 >= : message 1064e267
14/03/26 15:23:41 ii : processing config packet ( 220 bytes )
14/03/26 15:23:41 !! : config packet ignored ( config already mature )
14/03/26 15:23:41 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:44 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:46 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:46 >= : message 7d536ba4
14/03/26 15:23:46 ii : resend limit exceeded for phase2 exchange
14/03/26 15:23:46 ii : phase2 removal before expire time
14/03/26 15:23:49 ii : processing config packet ( 220 bytes )
14/03/26 15:23:49 !! : config packet ignored ( config already mature )
14/03/26 15:23:49 ii : resend limit exceeded for phase2 exchange
14/03/26 15:23:49 ii : phase2 removal before expire time
14/03/26 15:23:51 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:55 ii : sending peer DPDV1-R-U-THERE notification
14/03/26 15:23:55 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:55 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:55 ii : - data size 4
14/03/26 15:23:55 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:55 >= : message 344d9b88
14/03/26 15:23:56 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:57 ii : processing informational packet ( 84 bytes )
14/03/26 15:23:57 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:57 =< : message ebc92a2c
14/03/26 15:23:57 ii : received peer DELETE message
14/03/26 15:23:57 ii : - 1.2.3.4:4500 -> 192.168.246.115:4500
14/03/26 15:23:57 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:57 ii : cleanup, marked phase1 ed576b33c000da7e:bdb0dc6b4f35101c for removal
14/03/26 15:23:57 ii : phase1 removal before expire time
14/03/26 15:23:57 ii : removing IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
14/03/26 15:23:57 ii : removing IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
14/03/26 15:23:57 ii : removed IPSEC policy route for ANY:10.0.0.0/8:*
14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
14/03/26 15:23:57 ii : removed NONE policy route for ANY:1.2.3.4:*
14/03/26 15:23:57 DB : removing tunnel config references
14/03/26 15:23:57 DB : removing tunnel phase2 references
14/03/26 15:23:57 ii : phase2 removal before expire time
14/03/26 15:23:57 DB : removing tunnel phase1 references
14/03/26 15:23:57 DB : removing all peer tunnel references
14/03/26 15:23:57 ii : ipc client process thread exit ...


Nathan Stone | Enots IT Solutions | www.enots.com | 541.933.5010

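One way to compare the two ASA captures in the message above mechanically, added here as an example and not part of the original thread: it parses the pipe-delimited export, puts it in chronological order (the export lists newest first), and reports which milestones each session logged. The log lines are copied from the post; the milestone labels and function names are assumptions of this example, and it reports only what was logged, not a root cause.

```python
import re

# Export format seen in the post: severity|date|time|message-id|text
LINE_RE = re.compile(r"^(\d)\|([^|]+)\|(\d\d:\d\d:\d\d)\|(\d{6})\|(.*)$")

# Message IDs that appear in the post's captures; labels are this example's own.
MILESTONES = {
    "713184": "client identified",
    "713228": "address assigned",
    "713119": "phase 1 completed",
    "602303": "ipsec sa created",
    "713120": "phase 2 completed",
}
FAILURE_IDS = ("713902", "713903", "113019")

# Lines copied from the post (already sanitized by the poster), newest first.
SHREW_ATTEMPT = """\
4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
4|Mar 26 2014|14:23:39|713903|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Error: Unable to remove PeerTblEntry
3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:23:07|713184|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 4.8.01.0300
5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
"""

CISCO_ATTEMPT = """\
5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
6|Mar 26 2014|14:35:43|602303|IPSEC: An outbound remote access SA (SPI= 0xD76B1221) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
6|Mar 26 2014|14:35:43|713228|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:35:43|713184|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 5.0.07.0440
"""


def parse(export):
    """Return the export's events oldest-first; unparseable lines are skipped."""
    events = []
    for raw in export.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sev, date, time, msg_id, text = m.groups()
            events.append({"severity": int(sev), "date": date,
                           "time": time, "id": msg_id, "text": text})
    events.reverse()  # the export reads from bottom to top
    return events


def summarize(events):
    """Collect milestones reached, failure IDs seen, and session details."""
    reached, failures = [], []
    info = {"client_version": None, "duration_s": None, "bytes": None}
    for ev in events:
        label = MILESTONES.get(ev["id"])
        if label and label not in reached:
            reached.append(label)
        if ev["id"] in FAILURE_IDS:
            failures.append(ev["id"])
        m = re.search(r"Application Version: (\S+)", ev["text"])
        if m:
            info["client_version"] = m.group(1)
        m = re.search(r"Duration: (\d+)h:(\d+)m:(\d+)s", ev["text"])
        if m:
            h, mi, s = (int(x) for x in m.groups())
            info["duration_s"] = h * 3600 + mi * 60 + s
        m = re.search(r"Bytes xmt: (\d+), Bytes rcv: (\d+)", ev["text"])
        if m:
            info["bytes"] = (int(m.group(1)), int(m.group(2)))
    missing = [l for l in MILESTONES.values() if l not in reached]
    return {"reached": reached, "missing": missing, "failures": failures, **info}


def first_divergence(bad, good):
    """First milestone the good session logged that the bad one never did."""
    for label in good["reached"]:
        if label not in bad["reached"]:
            return label
    return None


if __name__ == "__main__":
    shrew = summarize(parse(SHREW_ATTEMPT))
    cisco = summarize(parse(CISCO_ATTEMPT))
    for name, s in (("Shrew", shrew), ("Cisco", cisco)):
        print(name, s)
    print("first divergence:", first_divergence(shrew, cisco))
```
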
Alexis La Goutte
2014-03-27 08:20:37 UTC
Hi,

Thanks for the log,

Are the Cisco VPN client and Shrew VPN on the same machine?
Are you using the latest VPN release?

Have you tried other settings for Policy Generation Level?

Regards,