greenbeanx81
asked on
Cisco Firewall / VPN issue - Can not connect to Firewall using Cisco VPN client software 5.0. Debug crypto isakmp shows error
Hello All,
I am receiving error when I am trying to connect to a CISCO ASA using Cisco VPN client 5.0 o Windows Vista. Strange thing is the VPN was working fine. Tried rebooting Vista, no luck. I tried a reboot the ASA and I am still getting that same error. I've seen this error on other threads due to a configuration change. The ASA configuration as not changed at all. Any help or suggestions. Thank you :-)
The debug crypto isakmp shows the following error:
Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Removing peer from peer table failed, no match!
Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Error: Unable to remove PeerTblEntry
sh crypto isakmp sa shows:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.224
Type : user Role : responder
Rekey : no State : AM_WAIT_MSG3
Here is my ASA config:
The ASA 7.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.28.5.20 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 100
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd OLwrzN2..uVF.NHM encrypted
ftp mode passive
access-list 100 extended permit icmp any any
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit esp any any
access-list 100 extended permit ip any host x.x.x.50
access-list 100 extended permit tcp any host x.x.x.10 eq 3389
access-list 100 extended permit ip any host x.x.x.3
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list VPNCLIENT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list Acacia extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list ROXBURY extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnclientpool 10.1.19.50-10.1.19.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.50 10.1.3.50 netmask 255.255.255.255
static (inside,outside) x.x.x.10 10.1.3.10 netmask 255.255.255.255
static (inside,outside) x.x.x.3 10.1.3.250 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.28.5.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth host 10.1.3.10
timeout 5
key *****
group-policy BARODA internal
group-policy BARODA attributes
wins-server value 10.1.3.10
dns-server value 10.1.3.10
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENT
default-domain value barodaventures.local
webvpn
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location Baroda Ventures
snmp-server contact emailaddress@mycompany.com
snmp-server community 9ice411
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 100 match address BARODA
crypto map VPNmap 100 set pfs
crypto map VPNmap 100 set peer x.x.x.10
crypto map VPNmap 100 set transform-set ESP-3DES-MD5
crypto map VPNmap 200 match address ROXBURY
crypto map VPNmap 200 set pfs
crypto map VPNmap 200 set peer x.x.x.2
crypto map VPNmap 200 set transform-set ESP-3DES-MD5
crypto map VPNmap 300 match address Acacia
crypto map VPNmap 300 set pfs
crypto map VPNmap 300 set peer x.x.x.196
crypto map VPNmap 300 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group x.x.x.196 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.10 type ipsec-l2l
tunnel-group x.x.x.10 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
tunnel-group BARODA type ipsec-ra
tunnel-group BARODA general-attributes
address-pool vpnclientpool
authentication-server-grou
default-group-policy BARODA
tunnel-group BARODA ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
I am receiving error when I am trying to connect to a CISCO ASA using Cisco VPN client 5.0 o Windows Vista. Strange thing is the VPN was working fine. Tried rebooting Vista, no luck. I tried a reboot the ASA and I am still getting that same error. I've seen this error on other threads due to a configuration change. The ASA configuration as not changed at all. Any help or suggestions. Thank you :-)
The debug crypto isakmp shows the following error:
Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Removing peer from peer table failed, no match!
Jul 26 23:12:21 [IKEv1]: Group = BARODA, IP = x.x.x.224, Error: Unable to remove PeerTblEntry
sh crypto isakmp sa shows:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.224
Type : user Role : responder
Rekey : no State : AM_WAIT_MSG3
Here is my ASA config:
The ASA 7.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.28.5.20 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 100
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd OLwrzN2..uVF.NHM encrypted
ftp mode passive
access-list 100 extended permit icmp any any
access-list 100 extended permit udp any any eq isakmp
access-list 100 extended permit esp any any
access-list 100 extended permit ip any host x.x.x.50
access-list 100 extended permit tcp any host x.x.x.10 eq 3389
access-list 100 extended permit ip any host x.x.x.3
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list NONAT extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list VPNCLIENT extended permit ip 10.1.3.0 255.255.255.0 10.1.19.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list BARODA extended permit ip 10.1.3.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list Acacia extended permit ip 10.1.3.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list ROXBURY extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnclientpool 10.1.19.50-10.1.19.254
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.50 10.1.3.50 netmask 255.255.255.255
static (inside,outside) x.x.x.10 10.1.3.10 netmask 255.255.255.255
static (inside,outside) x.x.x.3 10.1.3.250 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.28.5.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth host 10.1.3.10
timeout 5
key *****
group-policy BARODA internal
group-policy BARODA attributes
wins-server value 10.1.3.10
dns-server value 10.1.3.10
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCLIENT
default-domain value barodaventures.local
webvpn
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location Baroda Ventures
snmp-server contact emailaddress@mycompany.com
snmp-server community 9ice411
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 100 match address BARODA
crypto map VPNmap 100 set pfs
crypto map VPNmap 100 set peer x.x.x.10
crypto map VPNmap 100 set transform-set ESP-3DES-MD5
crypto map VPNmap 200 match address ROXBURY
crypto map VPNmap 200 set pfs
crypto map VPNmap 200 set peer x.x.x.2
crypto map VPNmap 200 set transform-set ESP-3DES-MD5
crypto map VPNmap 300 match address Acacia
crypto map VPNmap 300 set pfs
crypto map VPNmap 300 set peer x.x.x.196
crypto map VPNmap 300 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-grou
tunnel-group x.x.x.196 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.10 type ipsec-l2l
tunnel-group x.x.x.10 ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
tunnel-group BARODA type ipsec-ra
tunnel-group BARODA general-attributes
address-pool vpnclientpool
authentication-server-grou
default-group-policy BARODA
tunnel-group BARODA ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I ran a crypto debug level 15. Here is the output. What concerns me is the duplicate phase 1 packets. Any thoughts?
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ke payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ISA_KE payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing nonce payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing ID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received xauth V6 VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received DPD VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received Fragmentation VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received NAT-Traversal ver 02 VID
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, processing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: IP = x.x.x.181, Received Cisco Unity client VID
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, Connection landed on tunnel_group BARODA
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, processing IKE SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE SA Proposal # 1, Transform # 13 acceptable Matches global IKE entry # 1
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ISAKMP SA payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ke payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing nonce payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Generating keys for Responder...
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing ID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing hash payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Computing hash for ISAKMP
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing Cisco Unity VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing xauth V6 VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing dpd vid payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Traversal VID ver 02 payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Discovery payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, computing NAT Discovery hash
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing NAT-Discovery payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, computing NAT Discovery hash
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing Fragmentation VID + extended capabilities payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing VID payload
Jul 27 01:15:16 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 27 01:15:16 [IKEv1]: IP = x.x.x.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jul 27 01:15:21 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jul 27 01:15:21 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:26 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jul 27 01:15:26 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:31 [IKEv1]: Group = BARODA, IP = x.x.x.181, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jul 27 01:15:31 [IKEv1]: Group = BARODA, IP = x.x.x.181, P1 Retransmit msg dispatched to AM FSM
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE AM Responder FSM error history (struct &0x35fbd08) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAI
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, IKE SA AM:9e37833d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, sending delete/delete with reason message
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing blank hash payload
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing IKE delete payload
Jul 27 01:15:39 [IKEv1 DEBUG]: Group = BARODA, IP = x.x.x.181, constructing qm hash payload
Jul 27 01:15:39 [IKEv1]: IP = x.x.x.181, IKE_DECODE SENDING Message (msgid=c4edb2e1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Removing peer from peer table failed, no match!
Jul 27 01:15:39 [IKEv1]: Group = BARODA, IP = x.x.x.181, Error: Unable to remove PeerTblEntry