jordi67 asked:
Cisco VPN connection problems

Dear Friends!
I've been running all over the net to find out what's going on with my VPN client not being able to connect to the ASA 5510, so all ideas are very welcome.
My running config is:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.45.6 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxx encrypted
!
time-range work-days
 periodic daily 7:00 to 22:59
!
ftp mode passive
dns domain-lookup outside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list outside_authentication_LOCAL extended permit tcp any interface outside eq https time-range work-days
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.50.0 255.255.255.128
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapvpn 192.168.50.1-192.168.50.100 mask 255.255.255.0
ip verify reverse-path interface inside
ip audit name InfoPolicy info action alarm
ip audit name AttackPolicy attack action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy dfltgrpPolicy internal
group-policy sales internal
group-policy sales attributes
 dns-server value xxx.xxx.xxx.xxx
 default-domain value xxx.xx
 webvpn
username xxxx password xxxxxxxxxxx encrypted privilege 0
username xxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy sales
 webvpn
aaa authentication match outside_authentication_LOCAL outside LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.0 255.255.255.0 management
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group sales type ipsec-ra
tunnel-group sales general-attributes
 address-pool mapvpn
 default-group-policy sales
tunnel-group sales ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:1afcd27134081a9f88b2db8047532046
: end

I'm using Cisco VPN Client 4.6.00.0049. This is the log:
Cisco Systems VPN Client Version 4.6.00.0049
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

29     10:18:33.340  06/27/06  Sev=Info/4      CM/0x63100002
Begin connection process

30     10:18:33.355  06/27/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

31     10:18:33.355  06/27/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

32     10:18:33.355  06/27/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

33     10:18:33.371  06/27/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

34     10:18:33.386  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

35     10:18:33.402  06/27/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

36     10:18:33.402  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

37     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

38     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

39     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

41     10:18:49.845  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

42     10:18:49.845  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

43     10:18:55.332  06/27/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=70641F0BFE42E645 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

44     10:18:56.329  06/27/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=70641F0BFE42E645 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

45     10:18:56.329  06/27/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

46     10:18:56.329  06/27/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

47     10:18:56.376  06/27/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

48     10:18:56.391  06/27/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

49     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

52     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Please, if you have any idea, let me know.

Jordi
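The log above shows one aggressive-mode packet going out, three retransmissions, and a responder cookie that is still all zeros when the client gives up: nothing at all came back from the peer address. The script below is an added example, not code from the original post. It parses Cisco VPN Client 4.x log lines in the format shown (a header line with sequence number, time, date, severity and module/code, then the message line) and separates "no reply ever arrived" (a reachability problem: the UDP/500 packet never reached an IKE listener) from "the peer answered" (where a proposal, pre-shared key or group mismatch would have to be investigated instead). SAMPLE_LOG is a constructed excerpt modelled on the question's log; 198.51.100.1 stands in for the masked peer address.

```python
"""Triage a Cisco VPN Client 4.x log for a failed IKE Phase 1.

Added example; this is not code from the original post. SAMPLE_LOG is a
constructed excerpt in the client's log format: a header line with sequence
number, time, date, severity and module/code, followed by the message line.
"""
import re
from dataclasses import dataclass
from datetime import datetime

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<lvl>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
COOKIES = re.compile(r"I_Cookie=(?P<i>[0-9A-Fa-f]+)\s+R_Cookie=(?P<r>[0-9A-Fa-f]+)")

# Constructed excerpt; the peer address 198.51.100.1 is a placeholder.
SAMPLE_LOG = """\
34     10:18:33.386  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 198.51.100.1

37     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

38     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1

39     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1

43     10:18:55.332  06/27/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=70641F0BFE42E645 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

45     10:18:56.329  06/27/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "198.51.100.1" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""


@dataclass
class Event:
    seq: int
    time: str
    module: str
    code: str
    message: str = ""


def parse_log(text):
    """Pair each header line with the message line(s) that follow it."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append(Event(int(m["seq"]), m["time"], m["module"], m["code"]))
        elif events:
            events[-1].message = (events[-1].message + " " + line).strip()
    return events


def _seconds_between(t0, t1):
    fmt = "%H:%M:%S.%f"
    return (datetime.strptime(t1, fmt) - datetime.strptime(t0, fmt)).total_seconds()


def triage(text):
    """Classify a failed Phase 1 from the client's point of view."""
    events = parse_log(text)
    ike = [e for e in events if e.module == "IKE"]
    sent = [e for e in ike if e.message.startswith("SENDING >>>")]
    received = [e for e in ike if e.message.startswith("RECEIVED <<<")]
    retransmissions = sum("Retransmitting last packet" in e.message for e in ike)
    deletion = next((e for e in ike if "Marking IKE SA for deletion" in e.message), None)
    # R_Cookie stays all zeros until the peer's first reply; a non-zero value
    # proves that at least one packet came back from the peer.
    responder_seen = False
    for e in ike:
        m = COOKIES.search(e.message)
        if m and set(m["r"]) != {"0"}:
            responder_seen = True
    peer_not_responding = any("DEL_REASON_PEER_NOT_RESPONDING" in e.message for e in events)

    if sent and not received and not responder_seen and peer_not_responding:
        verdict = "no-reply"       # udp/500 never reached an IKE listener: filtered, NATted away or wrong peer
    elif received or responder_seen:
        verdict = "peer-answered"  # reachability is fine; check proposals, PSK/group name, Xauth
    else:
        verdict = "unknown"
    return {
        "ike_sent": len(sent),
        "ike_received": len(received),
        "retransmissions": retransmissions,
        "responder_cookie_seen": responder_seen,
        "gave_up_after_s": round(_seconds_between(sent[0].time, deletion.time), 1) if sent and deletion else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The distinction matters for where to look next: a "no-reply" verdict points at the path to the ASA (an upstream filter, a NAT rule that redirects the ASA's own address, a wrong peer IP) rather than at the ISAKMP policy or transform set, because a responder that rejects a proposal still has to answer.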
Les Moore:

>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

Your policy does not match the transform set:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Create a new policy to match:
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

>tunnel-group sales ipsec-attributes
 pre-shared-key *
> vpn-group-policy sales
 webvpn

Which is it, WebVPN or IPsec?
I would remove all references to webvpn and try again. If that fails, use the VPN wizard from the ASDM.
Suggest you update the Cisco client to 4.8 . . .
jordi67 (asker):
Hi,
I've tried all the options you mentioned above but still nothing. I used Ethereal to see what happens; I just don't get a reply, and something strange I noticed is that my machine tries to ask for a NetBIOS name for a machine name which is no longer in our network. It could be a DNS problem, I'm not sure.
I've decided to reinstall the Cisco VPN client on another machine which is not in our domain to see.
If you are interested in the Ethereal result, maybe you can grab something from it; I can send it.

jordi67 (asker):
I was able to solve the problem. It came to be that my internal FW (ISA 2004) blocked the VPN from establishing. The following line I had to delete:

static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255

and use instead one-to-one static NAT for the 2 services, SMTP and HTTPS:

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255

This way the VPN is working perfectly.
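The resolution above is worth turning into a check: a `static` that maps the whole outside interface address to an inside host shadows every listener the ASA itself has on that address, including IKE on udp/500, NAT-T on udp/4500 and the `isakmp ipsec-over-tcp port 10000` configured here, so the client's aggressive-mode packet is handed to the inside host instead of the ASA's IKE process. The script below is an added example and not part of the original thread. It parses the ASA 7.x `static`, `isakmp enable`, `crypto map ... interface` and `access-list` lines, flags a port-less `static ... interface` on any interface that terminates IPsec, proposes port-specific statics for exactly the services the outside ACL exposes, and also rejects a non-contiguous netmask (the kind of typo that turns 255.255.255.255 into 255.255.225.255). SAMPLE_CONFIG is a constructed excerpt in the style of the question's config; 203.0.113.10 is a placeholder for the masked SMTP source address.

```python
"""Audit an ASA 7.x config for a catch-all static NAT on a VPN interface.

Added example, not code from the original thread. SAMPLE_CONFIG is a
constructed excerpt modelled on the config in the question.
"""
import ipaddress
import re

# static (real,mapped) [tcp|udp] {mapped_ip|interface} [mapped_port] real_ip [real_port] [netmask M]
STATIC = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
    r"|(?P<mip2>\S+) (?P<rip2>\S+))"
    r"(?: netmask (?P<mask>\S+))?$"
)
ISAKMP_ENABLE = re.compile(r"^(?:crypto )?isakmp enable (?P<ifc>\w+)$")
CRYPTO_MAP_IFC = re.compile(r"^crypto map \S+ interface (?P<ifc>\w+)$")
# access-list <name> extended permit tcp|udp <src> interface <ifc> eq <port> ...
ACL_TO_IFC = re.compile(
    r"^access-list \S+ extended permit (?P<proto>tcp|udp) .*?interface (?P<ifc>\w+) eq (?P<port>\S+)"
)

# Constructed excerpt; 203.0.113.10 stands in for the masked SMTP source.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
access-list outside_access_in extended permit tcp 203.0.113.10 255.255.255.255 interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list outside_authentication_LOCAL extended permit tcp any interface outside eq https time-range work-days
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255
crypto map outside_map interface outside
isakmp enable outside
isakmp ipsec-over-tcp port 10000
"""


def valid_netmask(mask):
    """True only for a contiguous mask such as 255.255.255.0 (rejects 255.255.225.255)."""
    try:
        m = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    inverted = ~m & 0xFFFFFFFF          # host bits must form 2**k - 1
    return inverted & (inverted + 1) == 0


def vpn_interfaces(lines):
    """Interfaces on which the ASA itself terminates ISAKMP/IPsec."""
    ifcs = set()
    for line in lines:
        for rx in (ISAKMP_ENABLE, CRYPTO_MAP_IFC):
            m = rx.match(line)
            if m:
                ifcs.add(m["ifc"])
    return ifcs


def exposed_services(lines, ifc):
    """(proto, port) pairs the ACLs permit towards the interface address."""
    svc = {(m["proto"], m["port"]) for m in map(ACL_TO_IFC.match, lines) if m and m["ifc"] == ifc}
    return sorted(svc)


def port_statics(real_ifc, mapped_ifc, real_ip, services):
    """Port-restricted replacements that leave the ASA's own listeners alone."""
    return [f"static ({real_ifc},{mapped_ifc}) {proto} interface {port} {real_ip} {port} netmask 255.255.255.255"
            for proto, port in services]


def audit(config):
    """Return a list of findings; each has kind, line, problem and suggested fix lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    vpn_ifcs = vpn_interfaces(lines)
    findings = []
    for line in lines:
        m = STATIC.match(line)
        if not m:
            continue
        if m["mask"] and not valid_netmask(m["mask"]):
            findings.append({"kind": "bad-netmask", "line": line,
                             "problem": f"{m['mask']} is not a contiguous netmask; the ASA rejects it",
                             "fix": [line.replace(m["mask"], "255.255.255.255")]})  # assumes a host static
        mapped_ip = m["mip"] or m["mip2"]
        real_ip = m["rip"] or m["rip2"]
        if m["proto"] is None and mapped_ip == "interface" and m["mapped"] in vpn_ifcs:
            findings.append({"kind": "catch-all-static", "line": line,
                             "problem": (f"maps every port of the {m['mapped']} interface address to {real_ip}; "
                                         "IKE (udp/500), NAT-T (udp/4500) and IPsec-over-TCP are forwarded to "
                                         "that host instead of terminating on the ASA"),
                             "fix": port_statics(m["real"], m["mapped"], real_ip,
                                                 exposed_services(lines, m["mapped"]))})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['kind']}: {f['line']}\n  {f['problem']}\n  replace with:\n    " + "\n    ".join(f["fix"]))
```

The proposed statics are derived from the ACL rather than hard-coded, so the rewrite only publishes what the outside access-list already permits; anything else destined to the interface address, including the VPN ports, stays with the ASA.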