Troubleshooting is essential for a CCIE candidate. So here is a little installment of troubleshooting for all you security candidates. To make this really easy (or not) I’m going to provide you with a configuration as well as a debug output. It’s your job, nay, duty, to figure out why this VPN is not establishing. Assume that all supporting devices are configured properly and that the client is properly configured with full reachability. So, here goes.
The Problem:
We have a prebuilt IOS EasyVPN configuration that will not establish. We cannot modify the configuration by removing anything; we can only add to the configuration if something is missing.
The configuration:
R5#sh run | sec crypto
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
crypto isakmp key CC!E4EVER? address 1.1.1.1
crypto isakmp client configuration group R5-EZVPN
key cisco
domain ipexpert.com
pool R5_Loopback0
acl INTERNAL
group-lock
netmask 255.255.255.0
banner ^C
crypto isakmp profile EZVPN
match identity group R5-EZVPN
client authentication list xauth
isakmp authorization list xauth
client configuration address respond
virtual-template 5
crypto ipsec transform-set RA esp-3des esp-md5-hmac
crypto ipsec profile EZ
set transform-set RA
set isakmp-profile EZVPN
crypto gdoi group GET
identity number 2456
server address ipv4 1.1.1.1
crypto map GET 10 gdoi
set group GET
match address LOCAL_GET
crypto map GET
R5#sh run | in aaa
aaa new-model
aaa authentication login default none
aaa authentication login xauth group radius
aaa session-id common
R5#sh run | sec interface Virtual
interface Virtual-Template5 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZ
R5#
And the debug output:
R5#
*Mar 22 03:33:39.405: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1470 Global (N) NEW SA
*Mar 22 03:33:39.405: ISAKMP: Created a peer struct for 192.1.49.100, peer port 1470
*Mar 22 03:33:39.405: ISAKMP: New peer created peer = 0x48267A10 peer_handle = 0x80000018
*Mar 22 03:33:39.405: ISAKMP: Locking peer struct 0x48267A10, refcount 1 for crypto_isakmp_process_block
*Mar 22 03:33:39.405: ISAKMP: local port 500, remote port 1470
*Mar 22 03:33:39.405: ISAKMP:(0):insert sa successfully sa = 49DC34B8
*Mar 22 03:33:39.405: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 22 03:33:39.405: ISAKMP:(0): processing ID payload. message ID = 0
*Mar 22 03:33:39.409: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : R5-EZVPN
        protocol     : 17
        port         : 500
        length       : 16
*Mar 22 03:33:39.409: ISAKMP:(0):: peer matches EZVPN profile
*Mar 22 03:33:39.409: ISAKMP:(0):Setting client config settings 4820AFCC
*Mar 22 03:33:39.409: ISAKMP:(0):(Re)Setting client xauth list and state
*Mar 22 03:33:39.409: ISAKMP/xauth: initializing AAA request
*Mar 22 03:33:39.409: ISAKMP:(0): processing vendor id payload
*Mar 22 03:33:39.409: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 22 03:33:39.413: ISAKMP:(0): vendor ID is XAUTH
*Mar 22 03:33:39.413: ISAKMP:(0): processing vendor id payload
*Mar 22 03:33:39.413: ISAKMP:(0): vendor ID is DPD
*Mar 22 03:33:39.413: ISAKMP:(0): processing vendor id payload
*Mar 22 03:33:39.413: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 22 03:33:39.413: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 22 03:33:39.413: ISAKMP:(0): processing vendor id payload
*Mar 22 03:33:39.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 22 03:33:39.413: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 22 03:33:39.413: ISAKMP:(0): processing vendor id payload
*Mar 22 03:33:39.413: ISAKMP:(0): vendor ID is Unity
*Mar 22 03:33:39.413: ISAKMP:(0): Authentication by xauth preshared
*Mar 22 03:33:39.413: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 22 03:33:39.413: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.413: ISAKMP: hash SHA
*Mar 22 03:33:39.413: ISAKMP: default group 2
*Mar 22 03:33:39.413: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.413: ISAKMP: life type in seconds
*Mar 22 03:33:39.413: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.413: ISAKMP: keylength of 256
*Mar 22 03:33:39.413: ISAKMP:(0):Proposed key length does not match policy
*Mar 22 03:33:39.413: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.413: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Mar 22 03:33:39.413: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.413: ISAKMP: hash MD5
*Mar 22 03:33:39.413: ISAKMP: default group 2
*Mar 22 03:33:39.413: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.413: ISAKMP: life type in seconds
*Mar 22 03:33:39.413: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.413: ISAKMP: keylength of 256
*Mar 22 03:33:39.413: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.413: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.413: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Mar 22 03:33:39.413: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.413: ISAKMP: hash SHA
*Mar 22 03:33:39.413: ISAKMP: default group 2
*Mar 22 03:33:39.413: ISAKMP: auth pre-share
*Mar 22 03:33:39.413: ISAKMP: life type in seconds
*Mar 22 03:33:39.413: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.413: ISAKMP: keylength of 256
*Mar 22 03:33:39.417: ISAKMP:(0):Proposed key length does not match policy
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.417: ISAKMP: hash MD5
*Mar 22 03:33:39.417: ISAKMP: default group 2
*Mar 22 03:33:39.417: ISAKMP: auth pre-share
*Mar 22 03:33:39.417: ISAKMP: life type in seconds
*Mar 22 03:33:39.417: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.417: ISAKMP: keylength of 256
*Mar 22 03:33:39.417: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.417: ISAKMP: hash SHA
*Mar 22 03:33:39.417: ISAKMP: default group 2
*Mar 22 03:33:39.417: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.417: ISAKMP: life type in seconds
*Mar 22 03:33:39.417: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.417: ISAKMP: keylength of 128
*Mar 22 03:33:39.417: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.417: ISAKMP: hash MD5
*Mar 22 03:33:39.417: ISAKMP: default group 2
*Mar 22 03:33:39.417: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.417: ISAKMP: life type in seconds
*Mar 22 03:33:39.417: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.417: ISAKMP: keylength of 128
*Mar 22 03:33:39.417: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.417: ISAKMP: hash SHA
*Mar 22 03:33:39.417: ISAKMP: default group 2
*Mar 22 03:33:39.417: ISAKMP: auth pre-share
*Mar 22 03:33:39.417: ISAKMP: life type in seconds
*Mar 22 03:33:39.417: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.417: ISAKMP: keylength of 128
*Mar 22 03:33:39.417: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.417: ISAKMP: hash MD5
*Mar 22 03:33:39.417: ISAKMP: default group 2
*Mar 22 03:33:39.417: ISAKMP: auth pre-share
*Mar 22 03:33:39.417: ISAKMP: life type in seconds
*Mar 22 03:33:39.417: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.417: ISAKMP: keylength of 128
*Mar 22 03:33:39.417: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption 3DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash SHA
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.421: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.421: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption 3DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash MD5
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.421: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.421: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption 3DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash SHA
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth pre-share
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.421: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.421: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption 3DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash MD5
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth pre-share
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.421: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.421: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash MD5
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.421: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.421: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Mar 22 03:33:39.421: ISAKMP: encryption DES-CBC
*Mar 22 03:33:39.421: ISAKMP: hash MD5
*Mar 22 03:33:39.421: ISAKMP: default group 2
*Mar 22 03:33:39.421: ISAKMP: auth pre-share
*Mar 22 03:33:39.421: ISAKMP: life type in seconds
*Mar 22 03:33:39.421: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.421: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 22 03:33:39.425: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*Mar 22 03:33:39.425: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.425: ISAKMP: hash SHA
*Mar 22 03:33:39.425: ISAKMP: default group 2
*Mar 22 03:33:39.425: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.425: ISAKMP: life type in seconds
*Mar 22 03:33:39.425: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.425: ISAKMP: keylength of 256
*Mar 22 03:33:39.425: ISAKMP:(0):Proposed key length does not match policy
*Mar 22 03:33:39.425: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 2 against priority 20 policy
*Mar 22 03:33:39.425: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.425: ISAKMP: hash MD5
*Mar 22 03:33:39.425: ISAKMP: default group 2
*Mar 22 03:33:39.425: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.425: ISAKMP: life type in seconds
*Mar 22 03:33:39.425: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.425: ISAKMP: keylength of 256
*Mar 22 03:33:39.425: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.425: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 3 against priority 20 policy
*Mar 22 03:33:39.425: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.425: ISAKMP: hash SHA
*Mar 22 03:33:39.425: ISAKMP: default group 2
*Mar 22 03:33:39.425: ISAKMP: auth pre-share
*Mar 22 03:33:39.425: ISAKMP: life type in seconds
*Mar 22 03:33:39.425: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.425: ISAKMP: keylength of 256
*Mar 22 03:33:39.425: ISAKMP:(0):Proposed key length does not match policy
*Mar 22 03:33:39.425: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 4 against priority 20 policy
*Mar 22 03:33:39.425: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.425: ISAKMP: hash MD5
*Mar 22 03:33:39.425: ISAKMP: default group 2
*Mar 22 03:33:39.425: ISAKMP: auth pre-share
*Mar 22 03:33:39.425: ISAKMP: life type in seconds
*Mar 22 03:33:39.425: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.425: ISAKMP: keylength of 256
*Mar 22 03:33:39.425: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 22 03:33:39.425: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy
*Mar 22 03:33:39.425: ISAKMP: encryption AES-CBC
*Mar 22 03:33:39.425: ISAKMP: hash SHA
*Mar 22 03:33:39.425: ISAKMP: default group 2
*Mar 22 03:33:39.425: ISAKMP: auth XAUTHInitPreShared
*Mar 22 03:33:39.425: ISAKMP: life type in seconds
*Mar 22 03:33:39.425: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 22 03:33:39.429: ISAKMP: keylength of 128
*Mar 22 03:33:39.429: ISAKMP:(0):atts are acceptable. Next payload is 3
*Mar 22 03:33:39.429: ISAKMP:(0):Acceptable atts:actual life: 86400
*Mar 22 03:33:39.429: ISAKMP:(0):Acceptable atts:life: 0
*Mar 22 03:33:39.429: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 22 03:33:39.429: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Mar 22 03:33:39.429: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 22 03:33:39.429: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 22 03:33:39.465: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 22 03:33:39.517: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 22 03:33:39.517: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 22 03:33:39.517: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 22 03:33:39.517: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.1.49.100)
*Mar 22 03:33:39.517: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Mar 22 03:33:39.517: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 22 03:33:39.517: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Mar 22 03:33:39.517: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.1.49.100
*Mar 22 03:33:39.517: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.1.49.100)
*Mar 22 03:33:39.521: ISAKMP: Unlocking peer struct 0x48267A10 for isadb_mark_sa_deleted(), count 0
*Mar 22 03:33:39.521: ISAKMP: Deleting peer node by peer_reap for 192.1.49.100: 48267A10
*Mar 22 03:33:39.521: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 22 03:33:39.521: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Mar 22 03:33:44.633: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1470 Global (R) MM_NO_STATE
*Mar 22 03:33:49.593: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1470 Global (R) MM_NO_STATE
*Mar 22 03:33:54.597: ISAKMP (0): received packet from 192.1.49.100 dport 500 sport 1470 Global (R) MM_NO_STATE
R5#
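Added example, not part of the original post: a small parser for `debug crypto isakmp` output of the shape shown above. It collapses the per-transform policy checks into a count of rejection reasons per policy, records the transform that was finally accepted, and captures the SA-deletion and mode-failure messages, so the verdict separates a phase 1 policy mismatch from a failure that happens only after a proposal has matched. `SAMPLE_DEBUG` is a constructed excerpt built from messages in the debug above, and the regexes assume the message formats seen there.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt shaped like the debug above (assumed: one message per line).
SAMPLE_DEBUG = """\
*Mar 22 03:33:39.413: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 22 03:33:39.413: ISAKMP:(0):Proposed key length does not match policy
*Mar 22 03:33:39.413: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.417: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Mar 22 03:33:39.417: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Mar 22 03:33:39.417: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 22 03:33:39.425: ISAKMP:(0):Checking ISAKMP transform 5 against priority 20 policy
*Mar 22 03:33:39.429: ISAKMP:(0):atts are acceptable. Next payload is 3
*Mar 22 03:33:39.517: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.1.49.100)
*Mar 22 03:33:39.517: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.1.49.100
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
MISMATCH = re.compile(r"ISAKMP:\(\d+\):(.+ does not match policy)")
ACCEPT = re.compile(r"atts are acceptable")
DELETE = re.compile(r'deleting SA reason "(\w+)" state \(\w\) (\w+) \(peer ([\d.]+)\)')
MODE_FAIL = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: (.+)")

def parse_isakmp_debug(text):
    """Attribute each mismatch to the transform/policy pair being checked,
    keep the first accepted pair, and capture the SA deletion and mode failure."""
    summary = {"rejected": defaultdict(Counter), "accepted": None,
               "sa_deleted": None, "mode_failure": None}
    current = None  # (transform number, policy priority) under evaluation
    for line in text.splitlines():
        if m := CHECK.search(line):
            current = (int(m.group(1)), int(m.group(2)))
        elif (m := MISMATCH.search(line)) and current:
            summary["rejected"][current[1]][m.group(1)] += 1
        elif ACCEPT.search(line) and current and summary["accepted"] is None:
            summary["accepted"] = current
        elif m := DELETE.search(line):
            summary["sa_deleted"] = {"reason": m.group(1), "state": m.group(2), "peer": m.group(3)}
        elif m := MODE_FAIL.search(line):
            summary["mode_failure"] = m.group(1)
    return summary

def triage(summary):
    """Verdict: did phase 1 fail on policy negotiation, or only after a match?"""
    if summary["accepted"] is None:
        return "policy-mismatch"
    if summary["sa_deleted"] and summary["sa_deleted"]["state"] == "AG_NO_STATE":
        return "policy-matched-aggressive-mode-aborted"
    return "policy-matched"

if __name__ == "__main__":
    s = parse_isakmp_debug(SAMPLE_DEBUG)
    for policy, reasons in sorted(s["rejected"].items()):
        print(f"policy {policy}: {dict(reasons)}")
    print("accepted (transform, policy):", s["accepted"], "->", triage(s))
```

A "policy-matched-aggressive-mode-aborted" verdict on the full debug tells you the isakmp policies are not the problem and the search should move to what the ISAKMP profile references next.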
The cliffhanger:
In the next post I’ll tell you the solution, but you can post your answer in the comments section below. Happy hunting!
-Regards
Brandon Carroll – CCIE #23837
Senior Technical Instructor – IPExpert
Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Tags: CCIE Security, ccie troubleshooting, VPN configuration
Hi
You seem to be missing your aaa authorization network-command…
/Jimmy
Hi,
I’m not sure if it’s the only issue, but I can’t find the command
“aaa authorization network xauth [radius|local]”
I agree with Jimmy, not having authorization for the network service requests will give you these debug messages. As well, the radius server needs to be defined in this configuration for phase 1.5 – xauth to proceed next. Finally, the aaa authentication list for xauth needs to be defined as it is in the isakmp profile but not in aaa.
Ryan
There is no network authorisation set to local, so the group-policy will not kick in.