Unable to establish Phase 1 SA DEL_REASON_IKE_NEG_FAILED

Postby blin » Thu May 20, 2010 7:57 am

My situation,

I have a client who is using a Pix 501, 50 User license. Until a
few days ago all worked fine.....no issues.

Pix version 6.3(5)
Cisco VPN Client 4.6.00.0049

Recently the company had a power outage prior to replacing a dead
battery on a UPS.....they have a spare on order now.

When the system came back up, there was a network IP conflict between
a work station and the file server attached to the dead power supply.

I fixed that, replaced the battery for the UPS, and decided to change
the dhcpd address range to take the server and file server's static IP
addresses out of the pool. Server is 10.0.0.2 and file server is
10.0.0.3

I ssh'd in to the Pix.
My commands were as follows:

no dhcpd address 10.0.0.2-10.0.0.129 inside
dhcpd address 10.0.0.4-10.0.0.129 inside
write memory
clear xlate

Rebooted the Pix to be sure. Then verified the change went through.

The issue I have is the VPN is now broken....no small issue. And I
can't imagine the commands I issued above would have an effect.

When I tested the VPN from the client machine, the error log shows the
following:

>
>1 20:50:09.210 07/21/06 Sev=Info/4 CM/0x63100002
>Begin connection process
>
>2 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100004
>Establish secure connection using Ethernet
>
>3 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100024
>Attempt connection with server "x.x.x.x"
>
>4 20:50:10.414 07/21/06 Sev=Info/6 IKE/0x6300003B
>Attempting to establish a connection with x.x.x.x.
>
>5 20:50:10.434 07/21/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x
>
>6 20:50:10.445 07/21/06 Sev=Info/4 IPSEC/0x63700008
>IPSec driver successfully started
>
>7 20:50:10.445 07/21/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>
>8 20:50:10.445 07/21/06 Sev=Info/6 IPSEC/0x6370002B
>Sent 8 packets, 0 were fragmented.
>
>9 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = x.x.x.x
>
>10 20:50:11.599 07/21/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.x
>
>11 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
>Peer supports XAUTH
>
>12 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
>Peer supports DPD
>
>13 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
>Peer is a Cisco-Unity compliant peer
>
>14 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000081
>Received IOS Vendor ID with unknown capabilities flag 0x000000A5
>
>15 20:50:11.599 07/21/06 Sev=Info/5 IKE/0x63000001
>Peer supports NAT-T
>
>16 20:50:11.619 07/21/06 Sev=Warning/3 IKE/0xE3000056
>The received HASH payload cannot be verified
>
>17 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE300007D
>Hash verification failed... may be configured with invalid group password.
>
>18 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE3000099
>Failed to authenticate peer (Navigator:904)
>
>19 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x
>
>20 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
>
>21 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE30000A5
>Unexpected SW error occurred while processing Aggressive Mode negotiatorNavigator:2202)
>
>22 20:50:11.619 07/21/06 Sev=Info/4 IKE/0x63000017
>Marking IKE SA for deletion (I_Cookie=8DF5FF3D9390C28F R_Cookie=840483716085DE3B) reason = DEL_REASON_IKE_NEG_FAILED
>
>23 20:50:12.523 07/21/06 Sev=Info/4 IKE/0x6300004A
>Discarding IKE SA negotiation (I_Cookie=8DF5FF3D9390C28F R_Cookie=840483716085DE3B) reason = DEL_REASON_IKE_NEG_FAILED
>
>24 20:50:12.523 07/21/06 Sev=Info/4 CM/0x63100014
>Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
>
>25 20:50:12.523 07/21/06 Sev=Info/5 CM/0x63100025
>Initializing CVPNDrv
>
>26 20:50:12.543 07/21/06 Sev=Info/4 IKE/0x63000001
>IKE received signal to terminate VPN connection
>
>27 20:50:12.553 07/21/06 Sev=Info/4 IKE/0x63000085
>Microsoft IPSec Policy Agent service started successfully
>
>28 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>
>29 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>
>30 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x63700014
>Deleted all keys
>
>31 20:50:12.553 07/21/06 Sev=Info/4 IPSEC/0x6370000A
>IPSec driver successfully stopped
>

I've Googled the error messages from items 16, 17, and 18 above with
no solutions to my problem.

I've verified the password is correct on the client.

I've even changed the dhcpd address to reflect the original pool of
10.0.0.2-10.0.0.129 with no success.

I'm going to the office this weekend to "poke around" for a solution.
I'll verify the password is correct on the Pix. If that doesn't work,
I suspect a corrupt configuration file.
Before I blow away the config file and rebuild it if the verification
of the password doesn't solve the problem, what additional advice can
you provide to help troubleshoot the issue?

I'll provide more information if needed.

Thank you in advance for any and all suggestions.
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 2394
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: Unable to establish Phase 1 SA DEL_REASON_IKE_NEG_FAILED

Postby blin » Thu May 20, 2010 7:57 am

vpngroup vpnclient address-pool ippool
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

Verify the profile created on the VPN client software. The username
should be "vpnclient" and the password should be "********", the value
you put in with the last command above.

A popup window will appear for username and password after you double-click
to start connecting. Enter the one created by the username command.

Re: Unable to establish Phase 1 SA DEL_REASON_IKE_NEG_FAILED

Postby blin » Thu May 20, 2010 7:58 am

To Update:

I reset the password on the pix and all is okay.

Makes one wonder how the password was changed/corrupted on the pix in
the first place..?

Re: Unable to establish Phase 1 SA DEL_REASON_IKE_NEG_FAILED

Postby blin » Thu May 20, 2010 8:00 am

That the group/password are not set up correctly on the client:

15 18:51:53.888 05/10/05 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

16 18:51:53.888 05/10/05 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

17 18:51:53.888 05/10/05 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
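The log in the first post and the diagnosis just above (hash verification failed, so the group password on the client profile does not match the vpngroup password on the PIX) can be checked mechanically. The script below is an added example, not code from this thread, from Cisco, or from the forum authors: it parses Cisco VPN Client 4.x log lines in the two-line "header, then message" layout shown in the post (stripping the ">" quote markers a forum paste adds), lists the Warning entries, and classifies the Phase 1 failure. The sample log is a constructed excerpt of the entries posted above. It goes one step beyond the thread by also recognising the case where the peer never answers the first aggressive-mode packet; that second sample, its timestamps and the "DEL_REASON_PEER_NOT_RESPONDING" string are assumptions for illustration, not taken from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Header line of a Cisco VPN Client 4.x log entry, e.g.
#   16 20:50:11.619 07/21/06 Sev=Warning/3 IKE/0xE3000056
# The message text is on the following line.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<comp>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]{8})\s*$"
)

# Event codes as printed in the thread's log.
HASH_UNVERIFIED = "0xE3000056"  # The received HASH payload cannot be verified
HASH_FAILED = "0xE300007D"      # Hash verification failed... invalid group password
AUTH_FAILED = "0xE3000099"      # Failed to authenticate peer


@dataclass
class LogEntry:
    seq: int
    time: str
    date: str
    severity: str   # Info / Warning
    level: int
    component: str  # CM, IKE, IPSEC
    code: str
    message: str


def parse_log(text: str) -> List[LogEntry]:
    """Pair each header line with the message line that follows it.
    Leading '>' quote markers from a forum paste are stripped first."""
    lines = [ln.lstrip(">").strip() for ln in text.splitlines()]
    entries: List[LogEntry] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        message = lines[i + 1] if i + 1 < len(lines) else ""
        entries.append(LogEntry(
            seq=int(m["seq"]), time=m["time"], date=m["date"],
            severity=m["sev"], level=int(m["level"]), component=m["comp"],
            code="0x" + m["code"][2:].upper(), message=message,
        ))
        i += 2
    return entries


def warning_entries(entries: List[LogEntry]) -> List[Tuple[str, str]]:
    """(code, message) for every Warning-severity entry, in log order."""
    return [(e.code, e.message) for e in entries if e.severity == "Warning"]


def diagnose_phase1(entries: List[LogEntry]) -> str:
    """Classify a failed Phase 1 from the client's own log.

    'group-password-mismatch' is the thread's signature: the PIX answered the
    aggressive-mode exchange, but its HASH could not be verified, so the
    client's group password and the PIX vpngroup password differ.
    'no-ike-reply-from-peer' (assumed, not a case from the thread): we sent
    the first aggressive-mode packet and never received one back.
    """
    if not any("Unable to establish Phase 1 SA" in e.message for e in entries):
        return "phase1-not-failed"
    codes = {e.code for e in entries}
    got_reply = any(e.message.startswith("RECEIVING <<< ISAKMP OAK AG") for e in entries)
    if got_reply and {HASH_UNVERIFIED, HASH_FAILED} & codes:
        return "group-password-mismatch"
    if not got_reply:
        return "no-ike-reply-from-peer"
    return "phase1-failed-other"


# Constructed excerpt of the log posted in the thread (quote markers kept).
SAMPLE_LOG = """\
>3 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100024
>Attempt connection with server "x.x.x.x"
>
>5 20:50:10.434 07/21/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x
>
>10 20:50:11.599 07/21/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.x
>
>16 20:50:11.619 07/21/06 Sev=Warning/3 IKE/0xE3000056
>The received HASH payload cannot be verified
>
>17 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE300007D
>Hash verification failed... may be configured with invalid group password.
>
>18 20:50:11.619 07/21/06 Sev=Warning/2 IKE/0xE3000099
>Failed to authenticate peer (Navigator:904)
>
>24 20:50:12.523 07/21/06 Sev=Info/4 CM/0x63100014
>Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Constructed (assumed, not from the thread): the peer never answers.
SAMPLE_NO_REPLY = """\
3 20:50:09.390 07/21/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

5 20:50:10.434 07/21/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x

24 20:50:22.000 07/21/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

if __name__ == "__main__":
    for name, text in (("thread log", SAMPLE_LOG), ("no-reply log", SAMPLE_NO_REPLY)):
        entries = parse_log(text)
        print(f"{name}: {diagnose_phase1(entries)}")
        for code, msg in warning_entries(entries):
            print(f"  {code} {msg}")
```

The classifier keys on whether an aggressive-mode reply was received before the hash warnings: a mismatched pre-shared key only shows up after the PIX has answered, which is what separates "wrong group password" from "nothing reached the PIX" before anyone starts rebuilding a configuration.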

Re: Unable to establish Phase 1 SA DEL_REASON_IKE_NEG_FAILED

Postby chicagotech » Thu May 20, 2010 9:38 am

I had 3 cases:
1. Upgrade the Cisco VPN client from v4 to v5.
2. Reset group name and password.
3. Copy a profile from one working machine to the problematic machine.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6373
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

