I was finally able to get back and grab some logs from both the ASA and the Shrew Client. I sanitized the External IP and the VPN Group information; otherwise everything is intact. I am not sure exactly what I am looking for or how to decipher everything. Would anyone else be willing to spend a few minutes looking this over and seeing if anything jumps out at you?

Logs from the ASA when ShrewSoft client tries to connect (reads from bottom to top). Same results with Windows 7 and 8.

4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
4|Mar 26 2014|14:23:39|713903|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Error: Unable to remove PeerTblEntry
3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:23:07|713184|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 4.8.01.0300
5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5

Windows 7 using Cisco VPN client. Connects fine.

5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713049|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Security negotiation complete for User (back) Responder, Inbound SPI = 0x07abbaa7, Outbound SPI = 0xd76b1221
6|Mar 26 2014|14:35:43|602303|IPSEC: An outbound remote access SA (SPI= 0xD76B1221) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713075|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
6|Mar 26 2014|14:35:43|713228|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
6|Mar 26 2014|14:35:43|713184|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Client Type: WinNT Client Application Version: 5.0.07.0440
5|Mar 26 2014|14:35:43|713130|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5

Logs from ShrewSoft VPN Trace - IKE Service (Level output = Errors)

10 May 2012
14/03/26 15:02:18 !! : unable to connect to pfkey interface
14/03/26 15:02:24 !! : invalid private netmask, defaulting to 255.255.255.0
14/03/26 15:02:32 !! : config packet ignored ( config already mature )
14/03/26 15:02:40 !! : config packet ignored ( config already mature )
14/03/26 15:02:48 !! : config packet ignored ( config already mature )

Logs from ShrewSoft VPN Trace - IKE Service (Level output = Informational)

14/03/26 15:23:18 ## : IKE Daemon, ver 2.2.2
14/03/26 15:23:18 ## : Copyright 2013 Shrew Soft Inc.
14/03/26 15:23:18 ## : This product linked OpenSSL 1.0.1c 10 May 2012
14/03/26 15:23:18 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
14/03/26 15:23:18 ii : rebuilding vnet device list ...
14/03/26 15:23:18 ii : device ROOT\VNET\0000 disabled
14/03/26 15:23:18 ii : network process thread begin ...
14/03/26 15:23:18 ii : pfkey process thread begin ...
14/03/26 15:23:18 ii : ipc server process thread begin ...
14/03/26 15:23:25 ii : ipc client process thread begin ...
14/03/26 15:23:25 <A : peer config add message
14/03/26 15:23:25 <A : proposal config message
14/03/26 15:23:25 <A : proposal config message
14/03/26 15:23:25 <A : client config message
14/03/26 15:23:25 <A : xauth username message
14/03/26 15:23:25 <A : xauth password message
14/03/26 15:23:25 <A : local id 'XXXXXX' message
14/03/26 15:23:25 <A : preshared key message
14/03/26 15:23:25 <A : peer tunnel enable message
14/03/26 15:23:25 ii : local supports XAUTH
14/03/26 15:23:25 ii : local supports nat-t ( draft v00 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v01 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v02 )
14/03/26 15:23:25 ii : local supports nat-t ( draft v03 )
14/03/26 15:23:25 ii : local supports nat-t ( rfc )
14/03/26 15:23:25 ii : local supports DPDv1
14/03/26 15:23:25 ii : local is SHREW SOFT compatible
14/03/26 15:23:25 ii : local is NETSCREEN compatible
14/03/26 15:23:25 ii : local is SIDEWINDER compatible
14/03/26 15:23:25 ii : local is CISCO UNITY compatible
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:0000000000000000
14/03/26 15:23:25 >= : message 00000000
14/03/26 15:23:25 ii : processing phase1 packet ( 440 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message 00000000
14/03/26 15:23:25 ii : matched isakmp proposal #1 transform #14
14/03/26 15:23:25 ii : - transform = ike
14/03/26 15:23:25 ii : - cipher type = 3des
14/03/26 15:23:25 ii : - key length = default
14/03/26 15:23:25 ii : - hash type = sha1
14/03/26 15:23:25 ii : - dh group = group2 ( modp-1024 )
14/03/26 15:23:25 ii : - auth type = xauth-initiator-psk
14/03/26 15:23:25 ii : - life seconds = 86400
14/03/26 15:23:25 ii : - life kbytes = 0
14/03/26 15:23:25 ii : phase1 id target is any
14/03/26 15:23:25 ii : phase1 id match
14/03/26 15:23:25 ii : received = ipv4-host 1.2.3.4
14/03/26 15:23:25 ii : peer is CISCO UNITY compatible
14/03/26 15:23:25 ii : peer supports XAUTH
14/03/26 15:23:25 ii : peer supports DPDv1
14/03/26 15:23:25 ii : peer supports nat-t ( draft v02 )
14/03/26 15:23:25 ii : nat discovery - local address is translated
14/03/26 15:23:25 ii : switching to src nat-t udp port 4500
14/03/26 15:23:25 ii : switching to dst nat-t udp port 4500
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 00000000
14/03/26 15:23:25 ii : phase1 sa established
14/03/26 15:23:25 ii : 1.2.3.4:4500 <-> 192.168.246.115:4500
14/03/26 15:23:25 ii : ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 ii : sending peer INITIAL-CONTACT notification
14/03/26 15:23:25 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:25 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 ii : - data size 0
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 09fa64cc
14/03/26 15:23:25 ii : processing config packet ( 76 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message a15d44a7
14/03/26 15:23:25 ii : - xauth authentication type
14/03/26 15:23:25 ii : - xauth username
14/03/26 15:23:25 ii : - xauth password
14/03/26 15:23:25 ii : received basic xauth request -
14/03/26 15:23:25 ii : - standard xauth username
14/03/26 15:23:25 ii : - standard xauth password
14/03/26 15:23:25 ii : sending xauth response for back
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message a15d44a7
14/03/26 15:23:25 ii : processing config packet ( 68 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message a8ef0bbf
14/03/26 15:23:25 ii : received xauth result -
14/03/26 15:23:25 ii : user back authentication succeeded
14/03/26 15:23:25 ii : sending xauth acknowledge
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message a8ef0bbf
14/03/26 15:23:25 ii : building config attribute list
14/03/26 15:23:25 ii : sending config pull request
14/03/26 15:23:25 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 >= : message 9fc87ac5
14/03/26 15:23:25 ii : processing config packet ( 220 bytes )
14/03/26 15:23:25 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:25 =< : message 9fc87ac5
14/03/26 15:23:25 ii : received config pull response
14/03/26 15:23:25 !! : invalid private netmask, defaulting to 255.255.255.0
14/03/26 15:23:25 ii : adapter ROOT\VNET\0000 unavailable, retrying ...
14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
14/03/26 15:23:26 ii : created NONE policy route for 1.2.3.4/32
14/03/26 15:23:26 ii : creating NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
14/03/26 15:23:26 ii : creating NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
14/03/26 15:23:26 ii : creating IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
14/03/26 15:23:26 ii : creating IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
14/03/26 15:23:26 ii : created IPSEC policy route for 10.0.0.0/8
14/03/26 15:23:26 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:26 >= : message 0c659a3f
14/03/26 15:23:26 ii : split DNS is disabled
14/03/26 15:23:29 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:29 >= : message 2a54a656
14/03/26 15:23:31 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:33 ii : processing config packet ( 220 bytes )
14/03/26 15:23:33 !! : config packet ignored ( config already mature )
14/03/26 15:23:34 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:36 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:39 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:40 ii : sending peer DPDV1-R-U-THERE notification
14/03/26 15:23:40 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:40 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:40 ii : - data size 4
14/03/26 15:23:40 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:40 >= : message 1064e267
14/03/26 15:23:41 ii : processing config packet ( 220 bytes )
14/03/26 15:23:41 !! : config packet ignored ( config already mature )
14/03/26 15:23:41 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:44 -> : resend 1 phase2 packet(s) [2/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:46 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:46 >= : message 7d536ba4
14/03/26 15:23:46 ii : resend limit exceeded for phase2 exchange
14/03/26 15:23:46 ii : phase2 removal before expire time
14/03/26 15:23:49 ii : processing config packet ( 220 bytes )
14/03/26 15:23:49 !! : config packet ignored ( config already mature )
14/03/26 15:23:49 ii : resend limit exceeded for phase2 exchange
14/03/26 15:23:49 ii : phase2 removal before expire time
14/03/26 15:23:51 -> : resend 1 phase2 packet(s) [0/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:55 ii : sending peer DPDV1-R-U-THERE notification
14/03/26 15:23:55 ii : - 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:55 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:55 ii : - data size 4
14/03/26 15:23:55 >= : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:55 >= : message 344d9b88
14/03/26 15:23:56 -> : resend 1 phase2 packet(s) [1/2] 192.168.246.115:4500 -> 1.2.3.4:4500
14/03/26 15:23:57 ii : processing informational packet ( 84 bytes )
14/03/26 15:23:57 =< : cookies ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:57 =< : message ebc92a2c
14/03/26 15:23:57 ii : received peer DELETE message
14/03/26 15:23:57 ii : - 1.2.3.4:4500 -> 192.168.246.115:4500
14/03/26 15:23:57 ii : - isakmp spi = ed576b33c000da7e:bdb0dc6b4f35101c
14/03/26 15:23:57 ii : cleanup, marked phase1 ed576b33c000da7e:bdb0dc6b4f35101c for removal
14/03/26 15:23:57 ii : phase1 removal before expire time
14/03/26 15:23:57 ii : removing IPSEC INBOUND policy ANY:10.0.0.0/8:* -> ANY:192.168.168.5:*
14/03/26 15:23:57 ii : removing IPSEC OUTBOUND policy ANY:192.168.168.5:* -> ANY:10.0.0.0/8:*
14/03/26 15:23:57 ii : removed IPSEC policy route for ANY:10.0.0.0/8:*
14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:192.168.246.1:* -> ANY:192.168.168.5:*
14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.168.5:* -> ANY:192.168.246.1:*
14/03/26 15:23:57 ii : removing NONE INBOUND policy ANY:1.2.3.4:* -> ANY:192.168.246.115:*
14/03/26 15:23:57 ii : removing NONE OUTBOUND policy ANY:192.168.246.115:* -> ANY:1.2.3.4:*
14/03/26 15:23:57 ii : removed NONE policy route for ANY:1.2.3.4:*
14/03/26 15:23:57 DB : removing tunnel config references
14/03/26 15:23:57 DB : removing tunnel phase2 references
14/03/26 15:23:57 ii : phase2 removal before expire time
14/03/26 15:23:57 DB : removing tunnel phase1 references
14/03/26 15:23:57 DB : removing all peer tunnel references
14/03/26 15:23:57 ii : ipc client process thread exit ...

Nathan Stone | Enots IT Solutions | www.enots.com | 541.933.5010

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alexis La Goutte
Sent: Friday, March 21, 2014 6:47 AM
Subject: Re: [vpn-help] Can't connect to Cisco ASA that worked fine yesterday

Hi Nathan,

You need to check the log of Gateway, there is a reason of session terminated by gateway. (check also Shrew Log).

Regards,

On Thu, Mar 20, 2014 at 9:59 PM, Nathan Stone <[email protected]> wrote:
> I have an issue with Shrewsoft that seems to have happened overnight. Connecting to a Cisco ASA 5510. Was working yesterday and now today it connects, but after 33 seconds I get the message "session terminated by gateway"
>
> I am running Windows 8.1, have a remote staff person that uses this all day long and it is doing the same for her. She has Windows 8. As a test I installed the client on a Windows 7 32bit install and I get the same behavior. From a different Windows 7 computer, with the Cisco client I can connect just fine.
>
> I checked Windows updates and nothing has been installed.
>
> Logged in to the ASA. Nothing has changed in months and the last time it was rebooted was almost 200 days ago. I rebooted it anyway to see if that would help, but it doesn't.
>
> I have another client with a Cisco ASA 5505 and I can still connect to their IPSec VPN. So it is something with this particular firewall and ShrewSoft combination. I created another VPN on this firewall and it is doing the same thing.
>
> Here is what shows in the ShrewSoft VPN Connect tab
>
> config loaded for site 'OSM'
> attached to key daemon ...
> peer configured
> iskamp proposal configured
> esp proposal configured
> client configured
> local id configured
> remote id configured
> pre-shared key configured
> bringing up tunnel ...
> network device configured
> tunnel enabled
> session terminated by gateway
> tunnel disabled
> detached from key daemon
>
>
> If I switch to the Network tab, under Security Associations it shows Failed - 2.
>
> I am at a loss, anyone have any ideas at all?
>
> Nathan
>
> _______________________________________________
> vpn-help mailing list
> [email protected]
> https://lists.shrew.net/mailman/listinfo/vpn-help

_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
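
An added example, not part of the original thread and not code from Cisco or Shrew Soft: the two ASA sessions quoted above can be compared mechanically by parsing the `severity|date|time|message-id|text` records and listing which milestones the working session logged that the failing one did not. The function names and the milestone labels are assumptions made for this sketch; the message IDs and sample lines are abridged from the post.

```python
import re

# ASA log export format seen in the post: severity|date|time|message-id|text
LINE = re.compile(r"^(\d)\|(\w{3} \d{1,2} \d{4})\|(\d\d:\d\d:\d\d)\|(\d{6})\|(.*)$")
# Message IDs with labels derived from the log text quoted in the post.
MILESTONES = {"713228": "address assigned", "713119": "phase 1 completed",
              "602303": "IPsec SA created", "713120": "phase 2 completed"}

# Constructed samples: abridged copies of the two sessions, newest line first.
SHREW_SESSION = """\
4|Mar 26 2014|14:23:39|113019|Group = , Username = , IP = 0.0.0.0, Session disconnected. Reason: Unknown
3|Mar 26 2014|14:23:39|713902|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Removing peer from peer table failed, no match!
6|Mar 26 2014|14:23:07|713228|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
5|Mar 26 2014|14:23:07|713130|Group = XXXXXXXX, Username = back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
"""
CISCO_SESSION = """\
5|Mar 26 2014|14:35:43|713120|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 2 COMPLETED (msgid=ccf3064a)
6|Mar 26 2014|14:35:43|602303|IPSEC: An inbound remote access SA (SPI= 0x07ABBAA7) between outside-interface and 173.164.82.61 (user= back) has been created.
5|Mar 26 2014|14:35:43|713119|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, PHASE 1 COMPLETED
6|Mar 26 2014|14:35:43|713228|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Assigned private IP address 192.168.168.5 to remote user
5|Mar 26 2014|14:35:43|713130|Group = XXXXXXXX, Username = Back, IP = 173.164.82.61, Received unsupported transaction mode attribute: 5
"""

def parse(text):
    """Return records oldest first; the export in the post reads bottom to top."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip blank lines and anything that is not a log record
            sev, _date, time, msgid, msg = m.groups()
            events.append({"sev": int(sev), "time": time, "id": msgid, "msg": msg})
    events.reverse()
    return events

def reached(events):
    """Milestone labels seen in a session, in the order they occurred."""
    seen = []
    for e in events:
        label = MILESTONES.get(e["id"])
        if label and label not in seen:
            seen.append(label)
    return seen

def missing(failing, working):
    """Milestones the working session reached that the failing one did not."""
    have = set(reached(failing))
    return [m for m in reached(working) if m not in have]

def warnings(events, max_sev=4):
    """Records at warning severity or worse (a lower number is more severe)."""
    return [(e["time"], e["id"]) for e in events if e["sev"] <= max_sev]

if __name__ == "__main__":
    print("missing:", missing(parse(SHREW_SESSION), parse(CISCO_SESSION)))
    print("warnings:", warnings(parse(SHREW_SESSION)))
```
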
