Solved

Using the PDM VPN Wizard, I am unable to get a response from the PIX on the VPN Client 4.0.5

Posted on 2007-12-03
2,251 Views
Last Modified: 2010-04-21
I am new to the PIX and this is an existing running firewall on which I am trying to enable client VPN. I have experience with Raptor and Watchguard firewalls. The error: Reason 412 - The remote peer is no longer responding. I originally set up a DHCP client range of 192.168.33.210-230 and there was a note when I completed the wizard that this overlapped with an existing internal network, which is true; however those ranges are not being used, nor had the Cisco DHCP been previously enabled. Nevertheless I changed the DHCP range to 192.168.34.210-230, which is a different unused network. I am also confused by the access-list outside crypto-mapped address 192.168.33.192 in the config. I have cleaned and attached my current non-working config.
asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxx 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list ras_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any 192.168.33.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192
pager lines 12
mtu outside 1500
mtu inside 1500
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.0
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy ras internal
group-policy ras attributes
 dns-server value 192.168.33.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ras_splitTunnelAcl
username XXXX password XXXX encrypted privilege 0
username XXXX attributes
 vpn-group-policy ras
http server enable
http xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp am-disable
tunnel-group ras type ipsec-ra
tunnel-group ras general-attributes
 address-pool (inside) vpn
 address-pool vpn
 default-group-policy ras
tunnel-group ras ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Question by:pmaynardxpert
15 Comments
 

Expert Comment

by:batry_boy
ID: 20400492
That is a really old VPN client version.  The latest is 5.0.02.0090...try upgrading to that first and see if you get the same result or not...
 

Author Comment

by:pmaynardxpert
ID: 20403267
Since I have no support agreement, I originally called Cisco sales and they gave me a part # that had ver 4.0 and 4.8. I originally installed 4.8, then I tried 4.0. Since your answer I tried 5.0.0.0600 and 5.0.02.0090, which I found on blogs. Seems the same result. The client connection log is attached (logging turned up full).
Where can I find 5.0.02.0090?
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      09:29:25.750  12/04/07  Sev=Info/4	PPP/0x63200015
Processing enumerate phone book entries command

2      09:30:15.015  12/04/07  Sev=Info/4	PPP/0x63200015
Processing enumerate phone book entries command

3      09:30:23.015  12/04/07  Sev=Info/4	CM/0x63100002
Begin connection process

4      09:30:23.046  12/04/07  Sev=Info/4	CM/0x63100004
Establish secure connection

5      09:30:23.062  12/04/07  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

6      09:30:23.062  12/04/07  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

7      09:30:23.218  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx

8      09:30:23.375  12/04/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

9      09:30:23.375  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

10     09:30:28.375  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

11     09:30:28.375  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

12     09:30:33.390  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

13     09:30:33.390  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

14     09:30:38.390  12/04/07  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

15     09:30:38.390  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

16     09:30:43.390  12/04/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     09:30:43.890  12/04/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

18     09:30:43.890  12/04/07  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

19     09:30:43.890  12/04/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

20     09:30:43.890  12/04/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.

21     09:30:43.890  12/04/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

22     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

23     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

24     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

25     09:30:43.906  12/04/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 

Expert Comment

by:batry_boy
ID: 20403293
You have to download it from Cisco and have a valid SmartNet maintenance contract in place which entitles you to software updates.

Try issuing this command from the CLI:

no crypto isakmp am-disable

See if enabling the ability of the firewall to try aggressive mode negotiation helps...
 

Author Comment

by:pmaynardxpert
ID: 20404738
If I enable aggressive mode the whole transaction occurs much more quickly; the connection log is attached.

I see in the log  "Hash verification failed... may be configured with invalid group password."

I only have the PSK and I have created a local user with a password, but the error says group not user?


139    12:44:01.428  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx

140    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

141    12:44:01.756  12/04/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx

142    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

143    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

144    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T

145    12:44:01.756  12/04/07  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads

146    12:44:01.772  12/04/07  Sev=Warning/3	IKE/0xE3000057
The received HASH payload cannot be verified

147    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

148    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE300009B
Failed to authenticate peer (Navigator:904)

149    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to xxx.xxx.xxx.xxx

150    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to xxx.xxx.xxx.xxx

151    12:44:01.772  12/04/07  Sev=Warning/2	IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

152    12:44:01.772  12/04/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED

153    12:44:02.334  12/04/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

154    12:44:02.334  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

155    12:44:02.334  12/04/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED

156    12:44:02.334  12/04/07  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_IKE_NEG_FAILED"

157    12:44:02.334  12/04/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

158    12:44:02.334  12/04/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.

159    12:44:02.334  12/04/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

160    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

161    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

162    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

163    12:44:02.834  12/04/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 

Expert Comment

by:batry_boy
ID: 20405262
From your log:

Hash verification failed... may be configured with invalid group password.

The PSK and the group password referenced above are the same thing.  The following two lines of code reference the PSK/group password you currently have configured on the ASA:

tunnel-group ras ipsec-attributes
 pre-shared-key *

I would try resetting the PSK on the ASA and then doing the same in your VPN client software and try again.
 

Author Comment

by:pmaynardxpert
ID: 20406325
Maybe I'm doing something really stupid. I have the PSK in the PIX group, and then I have a user and password created that is assigned to that group.

On the client I only have user and password fields; there is no PSK field, so how could/does that work?
 

Expert Comment

by:batry_boy
ID: 20406442
In the VPN client, if you select the connection entry that you have and then click the "Modify" button the toolbar at the top, you should be looking at the "Authentication" tab for that connection entry.  In the middle of the screen, there is a section named "Group Authentication" and then there are fields for "Name", "Password" and "Confirm Password".  The "Password" field (and the "Confirm Password" field for that matter) is where you put the PSK.

Author Comment

by:pmaynardxpert
ID: 20410875
OK, that helped. I'm getting further in now before failure: I've entered the group name and PSK into the client, and when I connect I get a user and password prompt (which I never got before). I then enter the user and password, and then it dies. Also, if I disable aggressive negotiation I do not get a user prompt, just a 412 error. I am using the client with no firewall. I thought that might be the issue; however the logs are exactly the same even if I deselect inheritance in the group policy/client firewall and specify "no firewall".

The error now seems marked by PEER_DELETE-IKE_DELETE_UNSPECIFIED; searching for that seems to indicate auth? or IP address. It's not clear to me where the problem lies.
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

151    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100002
Begin connection process

152    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100004
Establish secure connection

153    07:39:52.566  12/05/07  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

154    07:39:52.566  12/05/07  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

155    07:39:52.581  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx

156    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

157    07:39:52.909  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx

158    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

159    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

160    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports DPD

161    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T

162    07:39:52.909  12/05/07  Sev=Info/5	IKE/0x63000001
Peer supports IKE fragmentation payloads

163    07:39:52.925  12/05/07  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful

164    07:39:52.925  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx

165    07:39:52.925  12/05/07  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

166    07:39:52.925  12/05/07  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0x12CF, Remote Port = 0x1194

167    07:39:52.925  12/05/07  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

168    07:39:52.925  12/05/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

169    07:39:52.972  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

170    07:39:52.972  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

171    07:39:52.972  12/05/07  Sev=Info/4	CM/0x63100015
Launch xAuth application

172    07:39:52.987  12/05/07  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

173    07:39:52.987  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

174    07:40:02.988  12/05/07  Sev=Info/6	IKE/0x63000055
Sent a keepalive on the IPSec SA

175    07:40:04.644  12/05/07  Sev=Info/4	CM/0x63100017
xAuth application returned

176    07:40:04.644  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

177    07:40:04.675  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

178    07:40:04.675  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx

179    07:40:04.675  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

180    07:40:04.675  12/05/07  Sev=Info/4	CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

181    07:40:04.691  12/05/07  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator

182    07:40:04.691  12/05/07  Sev=Info/5	IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

183    07:40:04.691  12/05/07  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

184    07:40:04.738  12/05/07  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

185    07:40:04.738  12/05/07  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from xxx.xxx.xxx.xxx

186    07:40:04.738  12/05/07  Sev=Info/5	IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E

187    07:40:04.738  12/05/07  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

188    07:40:05.488  12/05/07  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED

189    07:40:05.488  12/05/07  Sev=Info/4	CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "PEER_DELETE-IKE_DELETE_UNSPECIFIED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

190    07:40:05.488  12/05/07  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

191    07:40:05.488  12/05/07  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.

192    07:40:05.488  12/05/07  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

193    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

194    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

195    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

196    07:40:05.488  12/05/07  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

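The three client logs in this thread each stop at a different point of the IKEv1 exchange, and the stopping point is the diagnosis: no answer at all (peer not responding), an answer whose HASH does not verify (group PSK mismatch), or a Phase 1 and XAuth success followed by the gateway deleting the SA before Mode Config. The following triage script is an added example, not code from the original thread or from Cisco. It parses the VPN Client's own log format (a header line "seq time date Sev=level/n module/0xcode" followed by the message on the next line) and reports which of those three stages a log reached. The three sample logs are shortened, constructed copies of the logs posted above; the peer address stays as the redacted "xxx.xxx.xxx.xxx".

```python
"""Triage a Cisco VPN Client (IKEv1) connection log by the last stage reached.

Added example, not part of the original thread. The header/message line pairing
and the three failure signatures are taken from the logs posted above.
"""
import re
from dataclasses import dataclass

# Header line: "<seq>  <hh:mm:ss.mmm>  <mm/dd/yy>  Sev=<Level>/<n>  <MODULE>/0x<code>"
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Entry:
    seq: int
    severity: str
    module: str
    code: str
    message: str


def parse_client_log(text: str) -> list[Entry]:
    """Pair each header line with the first non-blank line that follows it."""
    lines = text.splitlines()
    entries: list[Entry] = []
    i = 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        message = lines[j].strip() if j < len(lines) else ""
        entries.append(Entry(int(m["seq"]), m["sev"], m["module"], m["code"].upper(), message))
        i = j + 1
    return entries


def triage(entries: list[Entry]) -> tuple[str, str]:
    """Return (stage, hint) for the first recognised failure in the log."""
    msgs = [e.message for e in entries]

    def seen(fragment: str) -> bool:
        return any(fragment in m for m in msgs)

    # Stage 1: our aggressive-mode proposal was retransmitted and never answered.
    if seen("DEL_REASON_PEER_NOT_RESPONDING") and not seen("Received ISAKMP packet"):
        return ("no_response",
                "No reply to the aggressive-mode proposal: IKE (UDP/500) is not reaching the "
                "gateway, or the gateway refuses aggressive mode (crypto isakmp am-disable).")
    # Stage 2: the gateway answered, but the HASH it sent does not verify under our group key.
    if seen("Hash verification failed"):
        return ("psk_mismatch",
                "Gateway answered but its HASH did not verify: the client's group password "
                "does not match the tunnel-group pre-shared-key.")
    # Stage 3: Phase 1 and XAuth both succeeded, then the gateway sent a DELETE.
    if seen("1 User Authenticated IKE SA") and seen("PEER_DELETE-IKE_DELETE_UNSPECIFIED"):
        return ("deleted_before_modecfg",
                "Phase 1 and XAuth succeeded; the gateway deleted the SA before Mode Config, "
                "so the cause is on the gateway side (group policy, address pool, NAT-exempt ACL).")
    if seen("Established Phase 1 SA"):
        return ("phase1_ok", "Phase 1 completed; no recognised failure in this excerpt.")
    return ("unknown", "No recognised IKE outcome in this excerpt.")


# Constructed excerpts of the three logs posted in the thread.
LOG_NO_RESPONSE = """\
7      09:30:23.218  12/04/07  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx

10     09:30:28.375  12/04/07  Sev=Info/4  IKE/0x63000021
Retransmitting last packet!

16     09:30:43.390  12/04/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=C1E89293A8382F05 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

LOG_PSK_MISMATCH = """\
140    12:44:01.756  12/04/07  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

147    12:44:01.772  12/04/07  Sev=Warning/2  IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

152    12:44:01.772  12/04/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4D17CCCD40B008C6 R_Cookie=B5E48EB8DC87367A) reason = DEL_REASON_IKE_NEG_FAILED
"""

LOG_DELETED = """\
156    07:39:52.909  12/05/07  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

180    07:40:04.675  12/05/07  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

187    07:40:04.738  12/05/07  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0DB62140C5437ED2 R_Cookie=410225FDEE12CF1E) reason = PEER_DELETE-IKE_DELETE_UNSPECIFIED
"""

if __name__ == "__main__":
    for name, text in (("no_response", LOG_NO_RESPONSE), ("psk", LOG_PSK_MISMATCH), ("deleted", LOG_DELETED)):
        stage, hint = triage(parse_client_log(text))
        print(f"{name}: {stage} - {hint}")
```

One caveat worth keeping in mind when following the "no crypto isakmp am-disable" advice above: the Cisco VPN Client's group-name-plus-PSK authentication needs IKEv1 aggressive mode, but aggressive mode sends the PSK-derived hash unencrypted in the first exchange, so anyone who can capture it can attack the group key offline. Use a long random group password, and treat the XAuth user credentials as the real authentication.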
 

Author Comment

by:pmaynardxpert
ID: 20411106
And in the PDM manager, under Monitoring/VPN/VPN Statistics/Global IKE-IPSec Stats, the "Responder Fails" counter increments by 1 for each connection attempt.
 

Expert Comment

by:batry_boy
ID: 20411108
Please repost your current PIX config so we can see what it looks like after your mods.
 

Author Comment

by:pmaynardxpert
ID: 20411371
posted below
asdm image flash:/asdm-521.bin
no asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password xxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address xxxx
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid

********************************

access-list ras_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any 192.168.33.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.34.192 255.255.255.192
access-list outside_cryptomap_1 extended permit ip any 192.168.34.192 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list outside_cryptomap_2 extended permit ip any 192.168.34.192 255.255.255.192
access-list outside_cryptomap_3 extended permit ip any 192.168.34.192 255.255.255.192
pager lines 12
mtu outside 1500
mtu inside 1500
ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.192
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound

*********************************

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy ras internal
group-policy ras attributes
 dns-server value 192.168.33.25 192.168.33.26
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username user1 password xxx encrypted privilege 0
username user1 attributes
 vpn-group-policy ras
http server enable
http 192.168.33.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy DefaultRAGroup
 authorization-required
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group ras type ipsec-ra
tunnel-group ras general-attributes
 address-pool (inside) vpn
 address-pool vpn
 default-group-policy ras
tunnel-group ras ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

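Two things in this thread can be settled with address arithmetic rather than guesswork: the wizard's warning that the original 192.168.33.210-230 pool overlapped the inside network (the pool sat inside the 192.168.33.0/24 on Ethernet1), and the "192.168.33.192 255.255.255.192" in the outside_cryptomap and inside_nat0_outbound ACLs that the question asks about, which is simply the smallest CIDR block containing the pool. In the first posted config the pool had moved to 192.168.34.210-230 but the nat 0 exemption still only covered 192.168.33.192/26; the reposted config above adds a 192.168.34.192/26 entry. The checker below is an added example, not code from the thread or from Cisco. It parses the handful of PIX/ASA 7.x lines that matter here and reports both conditions; the config excerpts are constructed, shortened copies of the posted configs, and the ACL parser only understands the "permit ip any <net> <mask>" shape the wizard writes.

```python
"""Check a PIX/ASA 7.x remote-access address pool against interfaces and nat 0 ACLs.

Added example, not from the original thread. Parses only the lines the checks need:
ip local pool, nameif / ip address, access-list ... permit ip any <net> <mask>,
and nat (<if>) 0 access-list <name>.
"""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def parse_pix(config: str) -> dict:
    """Pull out pools, interface subnets, ACL destination networks and nat 0 bindings."""
    cfg = {"pools": {}, "interfaces": {}, "acls": {}, "nat0": {}}
    nameif = None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            nameif = m[1]                      # "nameif" precedes "ip address" in the config
        elif (m := IPADDR_RE.match(line)) and nameif:
            cfg["interfaces"][nameif] = IPv4Interface(f"{m[1]}/{m[2]}").network
            nameif = None
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (IPv4Address(m[2]), IPv4Address(m[3]))
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append(IPv4Network(f"{m[2]}/{m[3]}"))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m[1]] = m[2]
    return cfg


def covering_prefix(first: IPv4Address, last: IPv4Address) -> IPv4Network:
    """Smallest CIDR block containing the whole first-last range (what the wizard puts in its ACLs)."""
    net = IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def check_pool(cfg: dict) -> list[tuple[str, str]]:
    """Return (code, detail) findings for every ip local pool in the parsed config."""
    findings = []
    for name, (first, last) in cfg["pools"].items():
        block = covering_prefix(first, last)
        # 1. A pool carved out of a directly connected subnet is what the wizard warns about.
        for ifname, subnet in cfg["interfaces"].items():
            if first in subnet or last in subnet:
                findings.append(("pool_overlaps_interface",
                                 f"pool {name} {first}-{last} lies inside {ifname} {subnet}"))
        # 2. The wizard exempts inside-to-client traffic from NAT via nat (inside) 0 and an
        #    ACL whose destination is the covering prefix; after moving the pool that entry
        #    must move with it.
        exempt = [n for acl in cfg["nat0"].values() for n in cfg["acls"].get(acl, [])]
        if not any(first in n and last in n for n in exempt):
            findings.append(("pool_not_nat_exempt",
                             f"no nat 0 ACL entry covers {block} for pool {name}"))
    return findings


# Constructed excerpts of the configs in the thread (assumed shapes, trimmed to what matters).
CORE = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.33.1 255.255.255.0
access-list outside_cryptomap extended permit ip any 192.168.33.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.33.192 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
"""
# What the wizard first generated: pool inside the inside subnet.
CONFIG_WIZARD = CORE + "ip local pool vpn 192.168.33.210-192.168.33.230 mask 255.255.255.0\n"
# First posted config: pool moved to .34, ACLs still at 192.168.33.192/26.
CONFIG_FIRST_POST = CORE + "ip local pool vpn 192.168.34.210-192.168.34.230 mask 255.255.255.0\n"
# Reposted config: the .34 nat 0 entry added.
CONFIG_SECOND_POST = (CONFIG_FIRST_POST
    + "access-list inside_nat0_outbound extended permit ip any 192.168.34.192 255.255.255.192\n")

if __name__ == "__main__":
    for label, text in (("wizard", CONFIG_WIZARD), ("first post", CONFIG_FIRST_POST), ("second post", CONFIG_SECOND_POST)):
        print(label, check_pool(parse_pix(text)) or "no findings")
```

Only the nat 0 ACL is checked because, in both posted configs, it is the only one of the wizard's ACLs that anything references: the outside_cryptomap* ACLs are defined but no crypto map entry uses them, and the dynamic map for the clients does not need a match address.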
 

Accepted Solution

by:
batry_boy earned 125 total points
ID: 20411811
It looks like you've tried to configure PPTP, L2TP and IPSEC tunneling protocols on the ASA.  I think I would start over by going through the VPN Wizard to create a new remote access type VPN tunnel and specify a new group and put in all the values as appropriate.  You can leave in the existing "ras" group if you wish, but I would start over and see what you get.  Once done, reconfigure your VPN client to use the new group name and PSK and try again.

There are several commands I see in your config that are non-standard but none that I can definitely point to that I would say is causing your issue, so we either start fresh with a new RA VPN group or we do the trial and error method of taking one command out at a time (or modifying one command at a time) which would be on the tedious side.
 

Author Comment

by:pmaynardxpert
ID: 20413645
Yes, I did try to configure PPTP.

I have cleaned most of it out without reloading (I have not been saving any of the VPN config to flash).

Comparing my current config to the pre-VPN config, I still have the entries shown below (and the first entry, "no sysopt...", I had not seen before I deleted the crypto-map entries from the CLI, which was the only way I could get them out).

Is this OK to start fresh with?
no sysopt connection permit-vpn

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

tunnel-group DefaultL2LGroup ipsec-attributes

 

Author Closing Comment

by:pmaynardxpert
ID: 31412501
batry_boy's clarification of PSKs and direction to restart with a fresh config were the keys to success.
 

Expert Comment

by:batry_boy
ID: 20414684
Glad that helped...