rickyt00 asked on

Cisco ASA 5505 VPN issue

I am having a problem trying to connect to our VPN remotely. I am using the Cisco VPN client. When I turn the logging on I am getting these messages:

9      15:35:31.546  01/23/09  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

10     15:35:31.546  01/23/09  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

I have pasted the config below for reference.  I am confused because the connection comes up and prompts for the username and password but then fails after that.  Thanks


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name xxxxx
enable password fETFvbKeIkX35giv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.99 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan12
 nameif Cad
 security-level 90
 ip address 10.10.10.250 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxx
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 135
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 135
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 136
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 136
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 137
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq netbios-ns
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 138
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq netbios-dgm
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq netbios-ssn
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 139
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 445
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 445
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 135
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 135
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 136
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 136
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 137
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq netbios-ns
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 138
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq netbios-dgm
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq netbios-ssn
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 139
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 445
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 445
access-list inside_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list inside_access_in remark Permit All other traffic to outside
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Permit All other traffic to outside
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
pager lines 24
logging enable
logging list Outbound_TCP_Connex message 302014
logging list Outbound_TCP_Connex message 302013
logging trap informational
logging asdm informational
logging from-address
logging facility 16
logging device-id hostname
logging host inside 192.168.1.3
logging class auth trap emergencies
logging class bridge trap emergencies
logging class sys trap emergencies
mtu inside 1500
mtu outside 1500
mtu Cad 1500
ip local pool VPNIP 172.25.1.5-172.25.1.10 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Cad
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Cad
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Cad) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4443 192.168.1.1 4443 netmask 255.255.255.255
static (inside,outside) udp interface 4443 192.168.1.1 4443 netmask 255.255.255.255
static (inside,outside) tcp interface 7773 192.168.1.1 7773 netmask 255.255.255.255
static (inside,outside) udp interface 7773 192.168.1.1 7773 netmask 255.255.255.255
static (inside,outside) tcp interface 24255 192.168.1.60 24255 netmask 255.255.255.255
static (inside,outside) udp interface 24255 192.168.1.60 24255 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Cad_access_in in interface Cad
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Cad 192.168.100.101 255.255.255.255 10.10.10.200 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs group1
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map inside_dyn_map 40 set pfs group1
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!

webvpn
 port 444
 customization DfltCustomization
  title text WebVpn Service
  group-prompt text
  group-prompt style
  logo file disk0:/logo.gif
 group-policy WCVPN internal
group-policy WCVPN attributes
 vpn-tunnel-protocol IPSec
username user1 password okrFkreflx5QlBur encrypted privilege 0
username user1 attributes
 vpn-group-policy WCVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group WCVPN type ipsec-ra
tunnel-group WCVPN general-attributes
 address-pool VPNIP
 default-group-policy WCVPN
tunnel-group WCVPN ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group WCVPN
!
!
prompt hostname context
Cryptochecksum:82049c07a659a47cd45a89f2130f1f02
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Networking

MikeKane

I would try the following:

Change:
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192

to
access-list inside_nat0_outbound extended permit ip 172.25.1.0 255.255.255.0 192.168.1.240 255.255.255.248
access-list inside_nat0_outbound extended permit ip 172.25.1.0 255.255.255.0 192.168.1.192 255.255.255.192

Try that - see if that does the trick.


ASKER
rickyt00

I changed the line in the config to this, because there are two networks that I would like to get to.  But it still doesn't work even after the change.  

access-list inside_nat0_outbound extended permit ip 172.25.1.0 255.255.255.0 any
MikeKane

Add
access-list Inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0

or substitute the 2 internal networks for the Any instead.  
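The comment above and the asker's own change both edit the exemption ACL, but the line that actually applies it is the `nat (inside) 0 access-list <name>` statement that references it, and on ASA 7.x that ACL is read from the local side: the source is the LAN behind the named interface, the destination is the remote client pool, and the exemption is per source interface, so hosts on Cad need their own `nat (Cad) 0` entry. The script below is an added example, not from this thread or from Cisco. It parses the relevant lines and flags a `nat 0` reference to an ACL that does not exist under exactly that name (ASA names are case-sensitive), an ACL that never names the pool as destination, an ACE that puts the pool on the source side, and ACL names that differ only in case. The three sample configs are constructed: one from the first config posted above, one from the lines the asker and the comment above arrive at with the original `nat 0` statement kept, and one corrected form that assumes the "two networks" are 192.168.1.0/24 and 10.10.10.0/24 and invents the ACL name `Cad_nat0_outbound`.

```python
import ipaddress
import re
from typing import List

# Constructed samples; only the lines that matter for NAT exemption are kept.
# AS_POSTED reproduces the first config in the thread.
AS_POSTED = """
ip local pool VPNIP 172.25.1.5-172.25.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# AS_MODIFIED: the ACEs the asker and the comment above arrive at, nat 0 still present.
AS_MODIFIED = """
ip local pool VPNIP 172.25.1.5-172.25.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.25.1.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""
# CORRECTED assumes the two networks are inside and Cad; Cad_nat0_outbound is an invented name.
CORRECTED = """
ip local pool VPNIP 172.25.1.5-172.25.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list Cad_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 172.25.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (Cad) 0 access-list Cad_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

POOL_RE = re.compile(r"^ip local pool \S+ (?P<start>[\d.]+)-[\d.]+ mask (?P<mask>[\d.]+)$")
NAT0_RE = re.compile(r"^nat \((?P<iface>\w+)\) 0 access-list (?P<acl>\S+)$")
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) extended permit ip (?P<rest>.+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_endpoint(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACE endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def check_nat_exemption(config: str) -> List[str]:
    """Return findings about the VPN-pool NAT exemption; an empty list means it looks consistent."""
    pool = None
    nat0 = {}   # interface -> ACL name referenced by 'nat (iface) 0 access-list'
    acls = {}   # ACL name -> [(src, dst), ...] for 'permit ip' ACEs
    for line in (raw.strip() for raw in config.splitlines()):
        if m := POOL_RE.match(line):
            pool = ipaddress.ip_network(f"{m['start']}/{m['mask']}", strict=False)
        elif m := NAT0_RE.match(line):
            nat0[m["iface"]] = m["acl"]
        elif m := ACE_RE.match(line):
            tokens = m["rest"].split()
            acls.setdefault(m["acl"], []).append((parse_endpoint(tokens), parse_endpoint(tokens)))

    if pool is None:
        return ["no 'ip local pool' found, nothing to exempt"]
    findings = []
    if not nat0:
        findings.append("no 'nat (<if>) 0 access-list' statement: no exemption ACL is applied")
    for iface, name in nat0.items():
        if name not in acls:
            findings.append(f"nat ({iface}) 0 references ACL '{name}', which does not exist under that exact name")
            continue
        if not any(pool.subnet_of(dst) for _, dst in acls[name]):
            findings.append(f"ACL '{name}' has no ACE whose destination covers the pool {pool}")
    for name, aces in acls.items():
        for src, _ in aces:
            if src != ANY and src.subnet_of(pool):
                findings.append(f"ACL '{name}' uses the pool as source; for nat 0 the source is the local LAN")
    by_lower = {}
    for name in acls:
        by_lower.setdefault(name.lower(), []).append(name)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append("ACL names differ only in case (ASA names are case-sensitive): " + ", ".join(variants))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("as modified", AS_MODIFIED), ("corrected", CORRECTED)):
        print(label, check_nat_exemption(cfg) or ["ok"])
```

Run as-is, the first sample reports that neither 192.168.1.240/29 nor 192.168.1.192/26 covers 172.25.1.0/24, the second reports the pool-as-source ACE and the `inside_nat0_outbound`/`Inside_nat0_outbound` pair, and the third is clean. It checks config text only; after changing the box, confirm with `show running-config nat` and `show access-list <name>` that the `nat 0` statement survived the ACL edit.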

ASKER
rickyt00

I tried to add that line and I am still getting the same error while trying to connect with the Cisco VPN client.

1      08:35:16.117  01/30/09  Sev=Info/4      CM/0x63100002
Begin connection process

2      08:35:16.218  01/30/09  Sev=Info/4      CM/0x63100004
Establish secure connection

3      08:35:16.218  01/30/09  Sev=Info/4      CM/0x63100024
Attempt connection with server "70.62.209.110"

4      08:35:16.565  01/30/09  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

5      08:35:16.657  01/30/09  Sev=Info/4      CM/0x63100015
Launch xAuth application

6      08:35:20.617  01/30/09  Sev=Info/4      CM/0x63100017
xAuth application returned

7      08:35:20.694  01/30/09  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

8      08:35:20.802  01/30/09  Sev=Info/4      CM/0x63100019
Mode Config data received

9      08:35:24.156  01/30/09  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

10     08:35:24.156  01/30/09  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

11     08:35:24.159  01/30/09  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

I posted my new config again to see if there is anything else that I am missing.  Thanks

hostname ciscoasa

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.99 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan12
 nameif Cad
 security-level 90
 ip address 10.10.10.250 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 135
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 135
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 136
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 136
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 137
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq netbios-ns
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 138
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq netbios-dgm
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq netbios-ssn
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 139
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq 445
access-list Cad_access_in remark WFS
access-list Cad_access_in extended permit udp any 192.168.1.0 255.255.255.0 eq 445
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 135
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 135
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 136
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 136
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 137
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq netbios-ns
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 138
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq netbios-dgm
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq netbios-ssn
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 139
access-list inside_access_in remark WFS
access-list inside_access_in extended permit tcp any 10.10.10.0 255.255.255.0 eq 445
access-list inside_access_in remark WFS
access-list inside_access_in extended permit udp any 10.10.10.0 255.255.255.0 eq 445
access-list inside_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list inside_access_in remark Permit All other traffic to outside
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Permit All other traffic to outside
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.25.1.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
pager lines 24
logging enable
logging list Outbound_TCP_Connex message 302014
logging list Outbound_TCP_Connex message 302013
logging trap informational
logging asdm informational
logging facility 16
logging device-id hostname
logging host inside 192.168.1.3
logging class auth trap emergencies
logging class bridge trap emergencies
logging class sys trap emergencies
mtu inside 1500
mtu outside 1500
mtu Cad 1500
ip local pool VPNIP 172.25.1.5-172.25.1.10 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface Cad
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Cad
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Cad) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4443 192.168.1.1 4443 netmask 255.255.255.255
static (inside,outside) udp interface 4443 192.168.1.1 4443 netmask 255.255.255.255
static (inside,outside) tcp interface 7773 192.168.1.1 7773 netmask 255.255.255.255
static (inside,outside) udp interface 7773 192.168.1.1 7773 netmask 255.255.255.255
static (inside,outside) tcp interface 24255 192.168.1.60 24255 netmask 255.255.255.255
static (inside,outside) udp interface 24255 192.168.1.60 24255 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group Cad_access_in in interface Cad
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Cad 192.168.100.101 255.255.255.255 10.10.10.200 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 Cad
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs group1
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map inside_dyn_map 40 set pfs group1
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.250-192.168.1.251 inside
dhcpd dns 65.24.0.168 65.24.0.169 interface inside
dhcpd lease 691200 interface inside

!

webvpn
 port 444
 customization DfltCustomization
  title text Warren Company WebVpn Service
  group-prompt text
  group-prompt style
  logo file disk0:/logo.gif
 url-list Bosa-Nova "Bosa-Nova" https://192.168.1.1:4443 1
 url-list Bosa-Nova "Bosa-Nova:7773" https://192.168.1.1:7773 2
 url-list Video "Video" https://192.168.1.60:24255 1
group-policy WCVPN internal
group-policy WCVPN attributes
 vpn-tunnel-protocol IPSec
username user1 password okrFkreflx5QlBur encrypted privilege 0
username user1 attributes
 vpn-group-policy WCVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group WCVPN type ipsec-ra
tunnel-group WCVPN general-attributes
 address-pool VPNIP
 default-group-policy WCVPN
tunnel-group WCVPN ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group WCVPN
!
!
prompt hostname context
Cryptochecksum:996a779eda89811155f16db06b43cd07
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
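Read in order, the client log in the post above says more than its last line: entry 4 is the IKE Phase 1 SA (the pre-shared key was accepted), entry 7 is the same SA after XAuth (the username and password were accepted), entry 8 is Mode Config (pool address and policy pushed to the client), and only then does entry 9 tear the SA down with no Phase 2 SA ever established. The script below is an added example, not from this thread or from Cisco. It parses the client's header/message line pairs and reports the last milestone reached before the teardown. The sample log is the one posted above with the server address masked; the milestone strings are the ones that appear in that log and no other client messages are assumed.

```python
import re

# Constructed sample: the Cisco VPN client log posted above, server address masked.
CLIENT_LOG = """\
1      08:35:16.117  01/30/09  Sev=Info/4      CM/0x63100002
Begin connection process
2      08:35:16.218  01/30/09  Sev=Info/4      CM/0x63100004
Establish secure connection
3      08:35:16.218  01/30/09  Sev=Info/4      CM/0x63100024
Attempt connection with server "x.x.x.x"
4      08:35:16.565  01/30/09  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
5      08:35:16.657  01/30/09  Sev=Info/4      CM/0x63100015
Launch xAuth application
6      08:35:20.617  01/30/09  Sev=Info/4      CM/0x63100017
xAuth application returned
7      08:35:20.694  01/30/09  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
8      08:35:20.802  01/30/09  Sev=Info/4      CM/0x63100019
Mode Config data received
9      08:35:24.156  01/30/09  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
10     08:35:24.156  01/30/09  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv
11     08:35:24.159  01/30/09  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.
"""

# Header line: sequence, time, date, Sev=<name>/<level>, <module>/<hex code>.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
FAILURE_RE = re.compile(r'Phase 1 SA deleted before first Phase 2 SA is up cause by "(?P<reason>[^"]+)"')

# Milestones in the order the client reaches them, matched on the message text.
MILESTONES = (
    ("phase1", re.compile(r"Established Phase 1 SA\.\s+1 Crypto Active IKE SA, 0 User Authenticated")),
    ("xauth", re.compile(r"Established Phase 1 SA\.\s+1 Crypto Active IKE SA, 1 User Authenticated")),
    ("modecfg", re.compile(r"Mode Config data received")),
)


def parse_events(text):
    """Pair each header line with the message line that follows it."""
    events, header = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            events.append({**header, "msg": line})
            header = None
    return events


def diagnose(text):
    """Report the milestones reached and, if the SA was torn down, the stage that failed."""
    reached, failure = [], None
    for ev in parse_events(text):
        for name, rx in MILESTONES:
            if rx.search(ev["msg"]) and name not in reached:
                reached.append(name)
        m = FAILURE_RE.search(ev["msg"])
        if m:
            failure = {"seq": int(ev["seq"]), "code": ev["code"], "reason": m["reason"]}
    if failure is None:
        stage = None
    elif "modecfg" in reached:
        stage = "phase2"  # PSK, XAuth and Mode Config all succeeded; the IPsec SA (quick mode) did not
    elif "phase1" in reached:
        stage = "xauth_or_modecfg"
    else:
        stage = "phase1"  # or the excerpt is too short to tell; feed it the whole log
    return {"reached": reached, "failure": failure, "failed_stage": stage}


if __name__ == "__main__":
    print(diagnose(CLIENT_LOG))
```

For this log it returns `reached` of `['phase1', 'xauth', 'modecfg']` and `failed_stage` of `'phase2'`, which points the search at the IPsec (quick mode) proposal, that is the transform sets and PFS settings on the dynamic crypto map, rather than at the pre-shared key or the user account; `debug crypto isakmp` and `debug crypto ipsec` on the ASA show the firewall's side of that negotiation. Feed it the whole client log: the two trailing lines quoted in the original question alone would be classified as a Phase 1 failure.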
ASKER CERTIFIED SOLUTION
MikeKane

Log in or sign up to see answer