Solved

Using the PDM VPN Wizard, I am unable to get a response from the PIX on the VPN Client 4.0.5

Posted on 2007-12-03
Last Modified: 2010-04-21
I am new to the PIX and this is an existing running firewall on which I am trying to enable client VPN. I have experience with Raptor and Watchguard firewalls. The error: Reason 412 - The remote Peer is no longer responding. I originally set up a DHCP client range of 192.168.33.210-230 and there was a note when I completed the wizard that this overlapped with an existing internal network, which is true; however, those ranges are not being used, nor had the Cisco DHCP been previously enabled. Nevertheless I changed the DHCP range to 192.168.34.210-230, which is a different unused network. I am also confused by the access list outside crypto mapped address 192.168.33.192 in the config. I have cleaned and attached my current non-working config.
asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1) 
!
hostname pix
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx 255.255.255.224 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
 
 
access-list ras_splitTunnelAcl standard permit any 
access-list outside_cryptomap extended permit ip any 192.168.33.192 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192 
pager lines 12
mtu outside 1500
mtu inside 1500
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.0
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
 
route outside 0.0.0.0 0.0.0.0 xxx 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy ras internal
group-policy ras attributes
 dns-server value 192.168.33.6
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ras_splitTunnelAcl
username XXXX password XXXX encrypted privilege 0
username XXXX attributes
 vpn-group-policy ras
http server enable
http xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp am-disable
tunnel-group ras type ipsec-ra
tunnel-group ras general-attributes
 address-pool (inside) vpn
 address-pool vpn
 default-group-policy ras
tunnel-group ras ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxx
: end

Question by:pmaynardxpert
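Added example, not code from the thread or from Cisco: a small Python check over the pool, nat 0 ACL and inside-interface lines of the two configs posted in this thread, covering the two pool problems the thread raises: the wizard's overlap warning, and a pool the NAT-exemption ACL does not cover (the first config exempts only 192.168.33.192/26 while the pool is 192.168.34.210-230; the repost adds a matching 192.168.34.192/26 entry). The two config excerpts are constructed from the posted lines, keeping only what the check reads.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in this thread (first post and
# the repost after the author's changes); only the lines the check needs are kept.
FIRST_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.33.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
SECOND_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.33.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.34.192 255.255.255.192
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)")
IFADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")
NAMEIF_RE = re.compile(r"^ nameif (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from PIX 'address dotted-mask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config: str) -> dict:
    """Collect pools, ACL destination subnets, interface subnets and nat 0 bindings."""
    cfg = {"pools": {}, "acls": {}, "ifaces": {}, "nat0": {}}
    nameif = None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif m := IFADDR_RE.match(line):
            cfg["ifaces"][nameif] = net(*m.groups())
        elif m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            cfg["pools"][name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif m := ACL_RE.match(line):
            name, addr, mask = m.groups()
            cfg["acls"].setdefault(name, []).append(net(addr, mask))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def check(config: str) -> list:
    """Return human-readable findings; an empty list means every pool passes both checks."""
    cfg = parse(config)
    findings = []
    for name, (first, last) in cfg["pools"].items():
        addrs = [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]
        # 1. The wizard's warning: a pool inside an interface subnet collides with real hosts.
        for ifname, subnet in cfg["ifaces"].items():
            if any(a in subnet for a in addrs):
                findings.append(f"pool {name} overlaps {ifname} subnet {subnet}")
        # 2. Inside-to-client traffic must match the nat 0 ACL, or it gets translated.
        acl = cfg["nat0"].get("inside")
        exempt = cfg["acls"].get(acl, [])
        missing = sum(1 for a in addrs if not any(a in e for e in exempt))
        if missing:
            findings.append(f"pool {name}: {missing} of {len(addrs)} addresses not covered by nat 0 ACL {acl}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first config", FIRST_CONFIG), ("second config", SECOND_CONFIG)):
        print(label, "->", check(cfg) or ["ok"])
```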
15 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 20400492
That is a really old VPN client version.  The latest is 5.0.02.0090...try upgrading to that first and see if you get the same result or not...
 

Author Comment

by:pmaynardxpert
ID: 20403267
Since I have no support agreement, originally I called cisco sales and they gave me a part # that had ver 4.0 and 4.8. I originally installed 4.8, then I tried 4.0. Since your answer I tried 5.0.0.0600 and 5.0.02.0090 which I found on blogs. Seems the same result. The client connection log attached (logging turned up full).
Where can I find 5.0.02.0090?
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
 
1      09:29:25.750  12/04/07  Sev=Info/4	PPP/0x63200015
Processing enumerate phone book entries command
 
2      09:30:15.015  12/04/07  Sev=Info/4	PPP/0x63200015
Processing enumerate phone book entries command
 
3      09:30:23.015  12/04/07  Sev=Info/4	CM/0x63100002
Begin connection process
 
4      09:30:23.046  12/04/07  Sev=Info/4	CM/0x63100004
Establish secure connection
 
5      09:30:23.062  12/04/07  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"
 
6      09:30:23.062  12/04/07  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
 
7      09:30:23.218  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx
 
8      09:30:23.375  12/04/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
9      09:30:23.375  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
10     09:30:28.375  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
11     09:30:28.375  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
 
12     09:30:33.390  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
13     09:30:33.390  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
 
14     09:30:38.390  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
15     09:30:38.390  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
 
16     09:30:43.390  12/04/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
 
17     09:30:43.890  12/04/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
 
18     09:30:43.890  12/04/07  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"
 
19     09:30:43.890  12/04/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
20     09:30:43.890  12/04/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
21     09:30:43.890  12/04/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
22     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
23     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
24     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
25     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 
LVL 28

Expert Comment

by:batry_boy
ID: 20403293
You have to download it from Cisco and have a valid SmartNet maintenance contract in place which entitles you to software updates.

Try issuing this command from the CLI:

no crypto isakmp am-disable

See if enabling the ability of the firewall to try aggressive mode negotiation helps...
 

Author Comment

by:pmaynardxpert
ID: 20404738
If I enable aggressive mode the whole transaction occurs much more quickly; the connection log is attached.

I see in the log  "Hash verification failed... may be configured with invalid group password."

I only have the PSK and I have created a local user with a password, but the error says group not user?

139    12:44:01.428  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx
 
140    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
 
141    12:44:01.756  12/04/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx
 
142    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
143    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH
 
144    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T
 
145    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads
 
146    12:44:01.772  12/04/07  Sev=Warning/3	IKE/0xE3000057
The received HASH payload cannot be verified
 
147    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
 
148    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
 
149    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to xxx.xxx.xxx.xxx
 
150    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to xxx.xxx.xxx.xxx
 
151    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)
 
152    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED
 
153    12:44:02.334  12/04/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
154    12:44:02.334  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
155    12:44:02.334  12/04/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED
 
156    12:44:02.334  12/04/07  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_IKE_NEG_FAILED"
 
157    12:44:02.334  12/04/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
158    12:44:02.334  12/04/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
159    12:44:02.334  12/04/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
160    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
161    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
162    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
163    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 
LVL 28

Expert Comment

by:batry_boy
ID: 20405262
From your log:

Hash verification failed... may be configured with invalid group password.

The PSK and the group password referenced above are the same thing.  The following two lines of code reference the PSK/group password you currently have configured on the ASA:

tunnel-group ras ipsec-attributes
 pre-shared-key *

I would try resetting the PSK on the ASA and then doing the same in your VPN client software and try again.
 

Author Comment

by:pmaynardxpert
ID: 20406325
Maybe I'm doing something really stupid, I have the psk in the pix group and then I have a user and password created that is assigned to that group.

On the client I only have a user and password fields, there is no psk field, - so how could/does that work?
 
LVL 28

Expert Comment

by:batry_boy
ID: 20406442
In the VPN client, if you select the connection entry that you have and then click the "Modify" button on the toolbar at the top, you should be looking at the "Authentication" tab for that connection entry.  In the middle of the screen, there is a section named "Group Authentication" and then there are fields for "Name", "Password" and "Confirm Password".  The "Password" field (and the "Confirm Password" field for that matter) is where you put the PSK.
 

Author Comment

by:pmaynardxpert
ID: 20410875
OK, that helped. I'm getting further in now before failure: I've entered the group name and PSK into the client and then when I connect I get a user and password prompt (which I never got before); I then enter the user and password and then it dies. Also, if I disable aggressive negotiation I do not get a user prompt, it's just a 412 error. I am using the client with no firewall. I thought that might be the issue; however, the logs are exactly the same even if I deselect inheritance in the group policy/client firewall and specify "no firewall".

The error now seems marked by PEER_DELETE-IKE_DELETE_UNSPECIFIED searching that, seems to indicate auth? or ip address, - it's not clear to me where the problem lies.
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
 
151    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100002
Begin connection process
 
152    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100004
Establish secure connection
 
153    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"
 
154    07:39:52.566  12/05/07  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
 
155    07:39:52.581  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx
 
156    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
 
157    07:39:52.909  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx
 
158    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer
 
159    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH
 
160    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports DPD
 
161    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T
 
162    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads
 
163    07:39:52.925  12/05/07  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful
 
164    07:39:52.925  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx
 
165    07:39:52.925  12/05/07  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA
 
166    07:39:52.925  12/05/07  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x12CF, Remote Port = 0x1194
 
167    07:39:52.925  12/05/07  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
 
168    07:39:52.925  12/05/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
169    07:39:52.972  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
 
170    07:39:52.972  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx
 
171    07:39:52.972  12/05/07  Sev=Info/4	CM/0x63100015
Launch xAuth application
 
172    07:39:52.987  12/05/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
173    07:39:52.987  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
174    07:40:02.988  12/05/07  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA
 
175    07:40:04.644  12/05/07  Sev=Info/4	CM/0x63100017
xAuth application returned
 
176    07:40:04.644  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
 
177    07:40:04.675  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
 
178    07:40:04.675  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx
 
179    07:40:04.675  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
 
180    07:40:04.675  12/05/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
 
181    07:40:04.691  12/05/07  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator
 
182    07:40:04.691  12/05/07  Sev=Info/5	IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
 
183    07:40:04.691  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
 
184    07:40:04.738  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
 
185    07:40:04.738  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from xxx.xxx.xxx.xxx
 
186    07:40:04.738  12/05/07  Sev=Info/5	IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E
 
187    07:40:04.738  12/05/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
 
188    07:40:05.488  12/05/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
 
189    07:40:05.488  12/05/07  Sev=Info/4	CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
 
190    07:40:05.488  12/05/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
191    07:40:05.488  12/05/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
192    07:40:05.488  12/05/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
193    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
194    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
195    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
196    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

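Added example, not part of the thread: a Python triage of the Cisco VPN Client log format posted above, which tells apart the three failure points this thread walked through (no ISAKMP reply at all, which the client reports as reason 412; a HASH failure from a wrong group password; and the peer deleting the SA after XAUTH but before Mode Config). The three log excerpts are trimmed copies of the logs posted here, and the hints restate batry_boy's advice.

```python
import re

# Header line of a Cisco VPN Client log entry, e.g.
# "7      09:30:23.218  12/04/07  Sev=Info/4  IKE/0x63000013"; the message follows on the next line.
HEADER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\S+\s+Sev=(\S+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")


def parse_log(text: str) -> list:
    """Return one dict per entry, pairing each header with the message line(s) after it."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            seq, time, sev, fac, code = m.groups()
            cur = {"seq": int(seq), "time": time, "sev": sev, "fac": fac, "code": code, "msg": ""}
            entries.append(cur)
        elif cur is not None and line.strip():
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return entries


def triage(text: str) -> dict:
    """Classify how far the IKE exchange got, using only what the client itself logged."""
    msgs = [e["msg"] for e in parse_log(text)]

    def seen(pattern: str) -> bool:
        return any(re.search(pattern, m) for m in msgs)

    r = {
        "peer_replied": seen(r"^RECEIVING <<< ISAKMP"),
        "r_cookie_zero": seen(r"R_Cookie=0{16}"),   # responder never filled its cookie
        "xauth_ok": seen(r"1 User Authenticated IKE SA"),
        "retransmissions": sum("(Retransmission)" in m for m in msgs),
    }
    if seen(r"PEER_DELETE-IKE_DELETE_UNSPECIFIED"):
        r["stage"] = "modecfg-deleted"
        r["hint"] = "PSK and XAUTH accepted; peer dropped the SA before Mode Config finished: review the tunnel-group/group-policy, not the credentials"
    elif seen(r"Hash verification failed|INVALID_HASH_INFO"):
        r["stage"] = "psk-mismatch"
        r["hint"] = "peer answered but its HASH did not verify: the client's Group Authentication password must equal the tunnel-group pre-shared-key"
    elif seen(r"DEL_REASON_PEER_NOT_RESPONDING") and not r["peer_replied"]:
        r["stage"] = "no-reply"
        r["hint"] = "no ISAKMP reply at all (client reports reason 412): check isakmp on the outside interface and whether aggressive mode is disabled (crypto isakmp am-disable)"
    else:
        r["stage"] = "unknown"
    return r


# Constructed excerpts of the three logs posted in this thread.
LOG_NO_REPLY = """\
7      09:30:23.218  12/04/07  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx
11     09:30:28.375  12/04/07  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
13     09:30:33.390  12/04/07  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
15     09:30:38.390  12/04/07  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx
16     09:30:43.390  12/04/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
LOG_PSK_MISMATCH = """\
141    12:44:01.756  12/04/07  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx
147    12:44:01.772  12/04/07  Sev=Warning/2  IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
152    12:44:01.772  12/04/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED
"""
LOG_MODECFG = """\
157    07:39:52.909  12/05/07  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx
168    07:39:52.925  12/05/07  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
180    07:40:04.675  12/05/07  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
187    07:40:04.738  12/05/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
"""

if __name__ == "__main__":
    for log in (LOG_NO_REPLY, LOG_PSK_MISMATCH, LOG_MODECFG):
        print(triage(log)["stage"], "-", triage(log)["hint"])
```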
 

Author Comment

by:pmaynardxpert
ID: 20411106
and in the PDM manager, Monitoring/VPN/VPN Statistics/Global IKE-IPSec Stats, the "Responder Fails" increments by 1 for each connection attempt
 
LVL 28

Expert Comment

by:batry_boy
ID: 20411108
Please repost your current PIX config so we can see what it looks like after your mods.
 

Author Comment

by:pmaynardxpert
ID: 20411371
posted below
asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1) 
!
hostname pix
domain-name default.domain.invalid
enable password xxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxxx 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0 
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
 
********************************
 
 
access-list ras_splitTunnelAcl standard permit any 
access-list outside_cryptomap extended permit ip any 192.168.33.192 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 192.168.34.192 255.255.255.192 
access-list outside_cryptomap_1 extended permit ip any 192.168.34.192 255.255.255.192 
access-list DefaultRAGroup_splitTunnelAcl standard permit any 
access-list outside_cryptomap_2 extended permit ip any 192.168.34.192 255.255.255.192 
access-list outside_cryptomap_3 extended permit ip any 192.168.34.192 255.255.255.192 
pager lines 12
mtu outside 1500
mtu inside 1500
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.192
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
 
*********************************
 
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec 
group-policy ras internal
group-policy ras attributes
 dns-server value 192.168.33.25 192.168.33.26
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username user1 password xxx encrypted privilege 0
username user1 attributes
 vpn-group-policy ras
http server enable
http 192.168.33.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup
 authorization-required
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group ras type ipsec-ra
tunnel-group ras general-attributes
 address-pool (inside) vpn
 address-pool vpn
 default-group-policy ras
tunnel-group ras ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxx
: end

 
LVL 28

Accepted Solution

by:
batry_boy earned 125 total points
ID: 20411811
It looks like you've tried to configure PPTP, L2TP and IPSEC tunneling protocols on the ASA.  I think I would start over by going through the VPN Wizard to create a new remote access type VPN tunnel and specify a new group and put in all the values as appropriate.  You can leave in the existing "ras" group if you wish, but I would start over and see what you get.  Once done, reconfigure your VPN client to use the new group name and PSK and try again.

There are several commands I see in your config that are non-standard but none that I can definitely point to that I would say is causing your issue, so we either start fresh with a new RA VPN group or we do the trial and error method of taking one command out at a time (or modifying one command at a time) which would be on the tedious side.
 

Author Comment

by:pmaynardxpert
ID: 20413645
Yes I did try and configure pptp.

I have cleaned most of it out without reloading, (I have not been saving any of the VPN config to flash).

Comparing my current config to the pre-VPN config, I still have the entries shown below (the first entry, "no sysopt...", I had not seen before I deleted the crypto-map entries from CL, which was the only way I could get them out).

This is OK to start fresh with?
no sysopt connection permit-vpn
 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 
tunnel-group DefaultL2LGroup ipsec-attributes

 

Author Closing Comment

by:pmaynardxpert
ID: 31412501
batry_boy's clarification of PSKs and direction to restart with a fresh config were the keys to success.
 
LVL 28

Expert Comment

by:batry_boy
ID: 20414684
Glad that helped...
