
ASA vpn client configuration

Posted on 2007-09-27
Last Modified: 2011-10-03
I am setting up a new ASA 5520. I am having a little bit of trouble getting the VPN connection up and going; I tried both the CLI and the ASDM VPN wizard with no luck. So I removed everything and tried again from the CLI, still no luck. Hopefully someone can point out what I am missing. Here is what I currently have for the VPN config. Right now I don't care about split-tunnel, so I have left it out.


access-list no-nat extended permit ip any 10.10.100.0 255.255.255.0
ip local pool tech 10.10.100.1-10.10.100.254 mask 255.255.255.0
group-policy vpngroup internal
group-policy vpngroup attributes
 ipsec-udp enable
crypto ipsec transform-set 3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES/MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set DES/MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES/256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set 3DES/SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal  20
isakmp am-disable
tunnel-group tech type ipsec-ra
tunnel-group tech general-attributes
 address-pool tech
 default-group-policy vpngroup
tunnel-group tech ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
Question by:wilsj

8 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 19976454
How are you testing, and what are your symptoms?
Are you testing from actually outside the firewall?
What version client are you using?
Do you get connected at all? If not, what error messages do you get?
 
LVL 5

Author Comment

by:wilsj
ID: 19978641
I am trying to connect from outside the network with Cisco VPN Client version 4.800.0.440. I don't get any error messages; the client just tries to connect and eventually stops trying and says not connected.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19978794
Can you ping the public IP of the ASA from the client PC?
Open the log window on the client when you try to connect and post the result.
 
LVL 5

Author Comment

by:wilsj
ID: 19978897
I can ping the ASA's outside interface. Here is what the log says:

1      20:21:00.466  09/03/01  Sev=Info/4      CM/0x63100002
Begin connection process

2      20:21:00.486  09/03/01  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100024
Attempt connection with server "74.222.42.178"

5      20:21:01.527  09/03/01  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 74.222.42.178.

6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 74.222.42.178

7      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

11     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

12     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

13     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178

15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     20:21:22.147  09/03/01  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     20:21:22.147  09/03/01  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "74.222.42.178" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     20:21:22.157  09/03/01  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

19     20:21:22.167  09/03/01  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

20     20:21:22.187  09/03/01  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

21     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

22     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

23     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

24     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

 
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 19978959
Try this:
  no isakmp am-disable
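Why the one-line fix works, as an added example that is not part of this thread: the client log above shows an aggressive-mode ("OAK AG") proposal being retransmitted with the responder cookie still all zeros, so the ASA never answered, and `isakmp am-disable` in the posted config is exactly the setting that makes the ASA ignore aggressive-mode requests. The Python below (function names are my own; the samples are constructed subsets of the log and config posted in this thread) parses the client log, recognises that signature and maps it onto the config line to remove.

```python
import re

# A Cisco VPN Client log entry is a header line such as "6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013"
# followed by one message line; the capture group is the module name (IKE, CM, IPSEC, ...).
HEADER = re.compile(r"^\d+\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+\s*$")

# Constructed samples: a subset of the client log and of the ASA config posted above.
SAMPLE_LOG = """\
6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd)) to 74.222.42.178
10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 74.222.42.178
15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
SAMPLE_CONFIG = "isakmp enable outside\nisakmp nat-traversal  20\nisakmp am-disable\n"

def parse_entries(log_text):
    """Return (module, message) pairs, e.g. ("IKE", "Retransmitting last packet!")."""
    entries, module = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            module = m.group(1)
        elif line.strip() and module:
            entries.append((module, line.strip()))
            module = None
    return entries

def diagnose_phase1(log_text):
    """Summarise what the client saw during IKE Phase 1."""
    msgs = [msg for _, msg in parse_entries(log_text)]
    sent = [m for m in msgs if m.startswith("SENDING >>> ISAKMP OAK")]
    # "OAK AG" is aggressive mode (what the Unity client uses with a group PSK); "OAK MM" is main mode.
    mode = "AG" if any(" AG " in m for m in sent) else ("MM" if any(" MM " in m for m in sent) else None)
    return {
        "mode": mode,
        "retransmissions": sum(1 for m in sent if "Retransmission" in m),
        # An all-zero responder cookie means the peer never answered the first message.
        "responder_silent": any("R_Cookie=0000000000000000" in m for m in msgs),
        "peer_not_responding": any("DEL_REASON_PEER_NOT_RESPONDING" in m for m in msgs),
    }

def suggest_fix(log_text, asa_config):
    # Map the client-side symptom onto the ASA setting that explains it.
    d = diagnose_phase1(log_text)
    if d["mode"] == "AG" and d["responder_silent"] and d["peer_not_responding"]:
        if re.search(r"^\s*isakmp am-disable\s*$", asa_config, re.MULTILINE):
            return "no isakmp am-disable"  # the ASA is silently dropping aggressive-mode proposals
        return "verify UDP/500 and UDP/4500 reach the outside interface"
    return None
```

If the same log signature appears but the config does not contain `isakmp am-disable`, the function points at reachability of the ISAKMP ports instead, which is the other question raised in this thread.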
 
LVL 79

Expert Comment

by:lrmoore
ID: 19978970
Do you have any ACLs on the router in front of this ASA? I'm assuming this is a followup to an earlier thread with the same configuration?
 
LVL 5

Author Comment

by:wilsj
ID: 19978984
lol, I just took out the isakmp am-disable and it worked. Thanks again for your help.
 
LVL 79

Expert Comment

by:lrmoore
ID: 19979007
Woo hoo!
