Solved

Cisco VPN connection problems

Posted on 2006-06-27
5
2,282 Views
Last Modified: 2013-11-16
Dear Friends!
I've been running all the net , to find out whats going on with my VPN client not able to connect to ASA5510, so please all ideas are very welcomed,
my running config is:

asdm image disk0:/asdm504.bin
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname xxxxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.45.6 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxx encrypted
!
time-range work-days
 periodic daily 7:00 to 22:59
!
ftp mode passive
dns domain-lookup outside
dns name-server 212.108.200.75
dns name-server 212.108.200.76
access-list outside_access_in extended permit tcp xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https log time-range work-days
access-list outside_authentication_LOCAL extended permit tcp any interface outside eq https time-range work-days
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.128
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.50.0 255.255.255.128
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host management 172.16.45.100 format emblem
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mapvpn 192.168.50.1-192.168.50.100 mask 255.255.255.0
ip verify reverse-path interface inside
ip audit name InfoPolicy info action alarm
ip audit name AttackPolicy attack action alarm drop
ip audit interface outside InfoPolicy
ip audit interface outside AttackPolicy
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy dfltgrpPolicy internal
group-policy sales internal
group-policy sales attributes
 dns-server value xxx.xxx.xxx.xxx
 default-domain value xxx.xx
 webvpn
username xxxx password xxxxxxxxxxx encrypted privilege 0
username xxxx password xxxxxxx encrypted privilege 3
username xxxxx password xxxxxx encrypted privilege 0
username xxxxxxx attributes
 vpn-group-policy sales
 webvpn
aaa authentication match outside_authentication_LOCAL outside LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
http server enable
http 172.16.45.0 255.255.255.0 management
http 172.16.45.100 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group sales type ipsec-ra
tunnel-group sales general-attributes
 address-pool mapvpn
 default-group-policy sales
tunnel-group sales ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
Cryptochecksum:1afcd27134081a9f88b2db8047532046
: end

i'm using CiscoVPN Client 4.6.00.0049
this is the log:
Cisco Systems VPN Client Version 4.6.00.0049
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

29     10:18:33.340  06/27/06  Sev=Info/4      CM/0x63100002
Begin connection process

30     10:18:33.355  06/27/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

31     10:18:33.355  06/27/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

32     10:18:33.355  06/27/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

33     10:18:33.371  06/27/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

34     10:18:33.386  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

35     10:18:33.402  06/27/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

36     10:18:33.402  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

37     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

38     10:18:38.873  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

39     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:18:44.359  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

41     10:18:49.845  06/27/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

42     10:18:49.845  06/27/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

43     10:18:55.332  06/27/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=70641F0BFE42E645 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

44     10:18:56.329  06/27/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=70641F0BFE42E645 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

45     10:18:56.329  06/27/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

46     10:18:56.329  06/27/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

47     10:18:56.376  06/27/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

48     10:18:56.391  06/27/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

49     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

52     10:18:56.391  06/27/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

please if you have any Idea please let me know.

Jordi
0
Comment
Question by:jordi67
  • 2
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

Your policy does not match the transform set:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Create a new policy to match:
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

>tunnel-group sales ipsec-attributes
 pre-shared-key *
> vpn-group-policy sales
 webvpn

Which is it, webvpn or IPSSEC?
I would remove all references to webvpn and try again. If that fails, use the VPN wizard from the ASDM.
Suggest you update the Cisco client to 4.8  . . .
0
 

Author Comment

by:jordi67
Comment Utility
Hi
I ve tried all options you mentioned above but still nothing , I used ethereal to see what happens, I just don't get reply and somthing strange I nodticed that my machine tries to ask a netbios name for a machine name which is no longer in our network , could be a DNS problem I'm not sure,
I've decided to reinstall the cisco vpn client on another machine which is not in our domain to see.
if you are interested in the ethereal result maybe you can grap somthing from it I can send it

0
 

Author Comment

by:jordi67
Comment Utility
I was able to solve the problem, it came to be that my internal FW(ISA2004)blocked the VPN from establishing, the following line I had to delete:
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255  and use instead one to one static nat for the 2 services smtp and https

static (inside,outside) tcp interface tcp 192.168.1.2 smtp netmask 255.255.225.255
static (inside,outside) tcp interface tcp 192.168.1.2 https netmask 255.255.225.255

this way the vpn is working perfec.
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
Comment Utility
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Suggested Solutions

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This video discusses moving either the default database or any database to a new volume.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now