Cisco VPN client can't stay connected to ASA 5505.

I have inherited this network and am now having issues with my VPN. We have a static outside (public) IP address block. As far as I know the ASA 5505 configuration has not changed (my motto is "if it ain't broke, don't fix it."). I am running Mac OS X and Windows XP Pro SP3 with all patches. The VPN client is the Cisco software for both platforms.

On the client side I receive the error message:

Secure VPN Connection terminated locally by the Client.
Reason 422: Lost contact with the security gateway. Check your network connection.

I have looked up the error messages for the ASA side and each one is an informational message such as:

Group = allied-vpn, Username = david, IP = xxx.xxx.xxx.xxx, Received unsupported transaction mode attribute: 5

IPAA: DHCP configured, no viable servers found for tunnel-group 'allied-vpn'

Group = allied-vpn, Username = david, IP = xxx.xxx.xxx.xxx, Connection terminated for peer david.  Reason: Peer Terminate  Remote Proxy 192.168.xxx.xxx, Local Proxy 0.0.0.0

I have included the ASA 5505 current running config.

Any help would be much appreciated.

Thank you,
GmanPsycho
AESS-Pix-Running-Conf-for-Expert.doc
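The three ASA messages quoted above are the kind of thing that gets lost in a scrolling monitor session. The script below is an added example, not part of the original question or of Cisco's tooling: it parses lines in the same "Group = ..., Username = ..., IP = ..., <text>" shape the question quotes, pairs each user's first message with the matching "Connection terminated ... Reason:" message, and flags sessions that were torn down within a few seconds, which is the symptom the thread is chasing. The timestamps, addresses, the second and third users, and the log text itself are constructed for the example.

```python
"""Triage Cisco ASA remote-access VPN syslog for sessions that connect and drop.

Added example: parses the message shapes quoted in the question, measures the
time from a user's first message to the matching teardown, and flags short
sessions. The sample log below is constructed; only the message text follows
the forms shown on the page.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample log. Timestamps follow the ASA "logging timestamp" form;
# the message bodies copy the shapes quoted in the question.
SAMPLE_LOG = """\
May 29 2009 20:14:01: Group = allied-vpn, Username = david, IP = 203.0.113.10, Received unsupported transaction mode attribute: 5
May 29 2009 20:14:01: IPAA: DHCP configured, no viable servers found for tunnel-group 'allied-vpn'
May 29 2009 20:14:06: Group = allied-vpn, Username = david, IP = 203.0.113.10, Connection terminated for peer david.  Reason: Peer Terminate  Remote Proxy 192.168.1.50, Local Proxy 0.0.0.0
May 29 2009 20:20:15: Group = allied-vpn, Username = sarah, IP = 198.51.100.7, Received unsupported transaction mode attribute: 5
May 29 2009 20:51:40: Group = allied-vpn, Username = sarah, IP = 198.51.100.7, Connection terminated for peer sarah.  Reason: Peer Terminate  Remote Proxy 192.168.1.51, Local Proxy 0.0.0.0
May 29 2009 20:55:02: Group = allied-vpn, Username = kim, IP = 192.0.2.25, Received unsupported transaction mode attribute: 5
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
SESSION_RE = re.compile(
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$")
TERM_RE = re.compile(r"Connection terminated for peer \S+\.\s+Reason: (?P<reason>.+?)\s+Remote Proxy")
IPAA_RE = re.compile(r"IPAA: .*no viable servers found for tunnel-group '(?P<tg>[^']+)'")


def parse_line(line):
    """Return a dict for a per-session message, or None for anything else."""
    m_ts = TS_RE.match(line)
    m_s = SESSION_RE.search(line)
    if not m_ts or not m_s:
        return None
    rec = m_s.groupdict()
    rec["ts"] = datetime.strptime(m_ts.group("ts"), "%b %d %Y %H:%M:%S")
    m_t = TERM_RE.search(rec["text"])
    rec["reason"] = m_t.group("reason").strip() if m_t else None
    return rec


def session_report(log_text, short_threshold=timedelta(seconds=30)):
    """Group messages by (user, IP) and measure first-message-to-teardown time.

    Returns a list of dicts in first-seen order. 'duration_s' is None for a
    session with no teardown message yet; 'flapping' is True when the session
    was torn down in under `short_threshold`, the symptom described in the thread.
    """
    sessions = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["user"], rec["ip"])
        s = sessions.setdefault(key, {
            "user": rec["user"], "ip": rec["ip"], "group": rec["group"],
            "first_seen": rec["ts"], "ended": None, "reason": None,
        })
        if rec["reason"] is not None and s["ended"] is None:
            s["ended"] = rec["ts"]
            s["reason"] = rec["reason"]
    report = []
    for s in sessions.values():
        duration = (s["ended"] - s["first_seen"]) if s["ended"] else None
        s["duration_s"] = int(duration.total_seconds()) if duration is not None else None
        s["flapping"] = duration is not None and duration < short_threshold
        report.append(s)
    return report


def ipaa_failures(log_text):
    """Count 'no viable servers' address-assignment failures per tunnel-group.

    These messages carry no username, so they are reported separately; a climbing
    count for one tunnel-group points at its pool/DHCP setup rather than at a client.
    """
    counts = {}
    for line in log_text.splitlines():
        m = IPAA_RE.search(line)
        if m:
            counts[m.group("tg")] = counts.get(m.group("tg"), 0) + 1
    return counts


if __name__ == "__main__":
    for s in session_report(SAMPLE_LOG):
        state = "FLAPPING" if s["flapping"] else ("up" if s["duration_s"] is None else "closed")
        print(f"{s['user']:6} {s['ip']:15} {str(s['duration_s']):>5}s {s['reason'] or '-':15} {state}")
    print("IPAA failures:", ipaa_failures(SAMPLE_LOG))
```

Run it against a capture of the office ASA's log (with logging at informational, as suggested later in the thread) and one user showing FLAPPING while the others show long closed or up sessions narrows the problem to that user's path rather than to the ASA.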
MikeKane Commented:
Is this only on your client, or network wide?

"Lost contact with the security gateway" usually means the client is having communication troubles, which is why my first question is about the number of people with the issue.

I'd be curious to see what the syslog or console log has to report when the error happens.  
gmanpsycho (Author) Commented:
I have recently found out that one of the VPN clients is able to connect. I have checked her VPN profile on the firewall and have not been able to see any difference from my profile. So that really confuses me....
MikeKane Commented:
So we know that the firewall has no issue. On your machine, have you installed any other VPN client package? The Cisco client has issues when installed alongside other VPN clients.

If this is the VPN client (not the AnyConnect client), then the end user's settings are kept in the .pcf file in the Cisco directory. You can back up your .pcf file, copy in the working one from the other machine, and then try connecting again.

Most importantly, try your connection from another internet connection and make sure that your drop isn't the cause of the issue (ISP problem , modem sync' etc...).  

gmanpsycho (Author) Commented:
I have used two different connections to troubleshoot the ISP angle of the issue. I still have the same problem.

The Cisco VPN client is the only one installed on the system.

I will however copy the PCF file from the one working machine and try it on mine. I had forgotten about that little piece of information. I'll update tomorrow.


Thanks for your help so far.

Gman
MikeKane Commented:
Update me in the morning - thanks
gmanpsycho (Author) Commented:
Update... The individual whose connection is working did not bring the laptop to work.... go figure. I'll update as soon as I get the PCF file. Sorry for the delay.
gmanpsycho (Author) Commented:
I received the PCF file and was able to import that file into the VPN software. However I am still not able to hold the connection. It will connect for about 5 seconds, then I get disconnected with the message that the client terminated the connection.

I looked @ the PCF file with notepad and found that the path does not work with the Mac OS X (i.e. it states that it's found @ c:\program files\cisco\vpn software ... etc).

Where does OS X keep the PCF file? I know Linux keeps it in a hidden directory under the user's login folder. Maybe I'm not looking in the correct spot.

Thanks again for your patience and help,
Gman
MikeKane Commented:
I'm not much of a Mac person, but here is Cisco's how-to on installing the client with a preconfigured PCF on a Mac:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015cffe.html

Hopefully that will help you out.  

gmanpsycho (Author) Commented:
OK... I was able to find the PCF file on the Mac that is working and import it into my VPN client. Result... no go.

Same condition still exists... after about 5 seconds I get disconnected from the VPN. The other clients are not experiencing this issue...

Could it be my VPN Group access membership in the ASA 5505?

Thanks,

Gman
MikeKane Commented:
Are you using the same group as a person that stays connected?   To test this, just sign in with your credentials using another person's system.   That will quickly eliminate your ID and the ASA config.   If you can sign in anywhere else without issue, then it's the system you are using.   Something there is causing your drop condition I would say.  
gmanpsycho (Author) Commented:
OK... here's an update.  I checked the Group Access membership and I have access to the ASA and the other clients have none. I have access to the CLI and they do not.

I did check something else out and it could be Verizon killing the connection and also my firewall config @ my house.

I went to a totally different site and they have DSL with AT&T and the VPN connection worked. I left it running for more than 10 minutes and it still did not drop the connection. Must be ISP or firewall related @ home.

What ports should be open on my firewall @ home(I have RoadRunner for an ISP)?
MikeKane Commented:
Good.  

Lets start with turning off the windows firewall on your system (or any others you may have installed i.e. comodo etc...)    This is just for testing.  

By default, your outbound connections would not normally be blocking ports unless you specifically went in there and did it. More likely, your router at home will need to pass IPsec. Check your model and then make sure you are running the latest BIOS from the manufacturer. I had an older model Linksys that would not pass VPN traffic properly until I got the update.

-or- you can eliminate the router completely: just plug your RoadRunner connection into your system, configure it and connect to the ISP. Then test the VPN. This will potentially eliminate the ISP as the point of failure. Then we can concentrate on the router, which would seem to be the culprit.



gmanpsycho (Author) Commented:
I've never used the Windows firewall (personally, I don't think it's very useful anyway).

I have a Cisco ASA 5505, just like the one @ the office.

I'll verify the software versions between them and make sure they are the same. I'll update you tonight.


Thanks again for your time and patience,

Gman
MikeKane Commented:
The Cisco 5505 has some nice debugging, and, as a business firewall, not a consumer firewall, what I said about the default outbound behavior is not correct.

Try connecting the system directly, if it works, then send me the code from your 5505 and I'll check for outbound port blocking.  

gmanpsycho (Author) Commented:
OK... I'll still compare the versions of software and update tonight.
gmanpsycho (Author) Commented:
OK... I am uploading my current ASA 5505 config that I use @ my house.
I see where it mentions IPSEC but I can not tell if it is being passed through to my network.

Thanks,

Gman
ASA-5505-Config-5-14-09.doc
gmanpsycho (Author) Commented:
MikeKane,

Have you had a chance to look at my config to see if I have everything in order? Please let me know. I still do not have a VPN connection to the office network from my home.

Thanks,
Gman
MikeKane Commented:
Sorry,   I just looked at it.   There's nothing in this config that I can see that would prevent your PC from establishing an outbound connection.   Your code is pretty clean and simple.

Everything is allowed from inside to outside.  

The IPsec entries you see have nothing to do with this issue.

Do you run a syslog at the office firewall?  If so, attempt a connection from your home, then open the log at the office and lets see if the log is catching anything odd.    If possible, have the log set to Informational or debug just for the test.  

You could also consider running a syslog at the home ASA (or log to the ASA console/or monitor) to see if its catching anything as well.  

gmanpsycho (Author) Commented:
OK. I'll look at the syslog on the ASA at the office. I don't think it is set up to dump to a server, so it will be viewed from the monitor. I'll try to get back with you by the end of the week... I just started back to school (University of Phoenix) and my days are getting a bit crowded... so bear with me.

Thanks,
Gman
gmanpsycho (Author) Commented:
I have found out that it is my firewall at home that is killing the connection. I disconnected my firewall from the cable modem and connected my Mac directly to the modem. After a reboot of the modem, I tried the VPN connection and it worked like a charm.

I am including the syslog from my firewall when I reconnected everything back. Let me know what is going on. As for me, it looks like my VPN connection is trying to hit my web-server (not sure why - DNS maybe?).

Thanks,

Gman
Home-ASA-Syslog-5-29-09
gmanpsycho (Author) Commented:
Bump....

Any ideas from anybody?
gmanpsycho (Author) Commented:
I have changed the awarded points to 500. Hopefully to attract more input.
Ken Boone (Network Consultant) Commented:
Try adding this line.  This allows an ipsec session to flow through a NAT device - such as your firewall.

crypto isakmp nat-traversal 120

gmanpsycho (Author) Commented:
Will do. I'll have an update tomorrow. Thanks for your response.

Gman
gmanpsycho (Author) Commented:
I tried your suggestion but it did not work.

I did go back and look at my NAT statements and changed this original statement:
nat (inside) 0 access-list inside_nat0_outbound

to this new one:
nat (inside) 0 access-list inside_nat0_outbound outside

Afterwards I tried the Cisco VPN and it gave me the userID and Password prompt. Nice!

As far as rewarding the points MikeKane helped me out a lot but was unable to actually resolve the issue. kenboonejr had me try further commands that also did not work. I guess it would be up to the moderator to decide.

Thanks again for everyone's help.

Gman
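The thread never spells out what the home firewall has to pass for the Cisco IPsec client, and Ken Boone's `crypto isakmp nat-traversal` line and the author's `outside` keyword are offered without the surrounding config, so it is worth setting down the two mechanisms that are actually documented for this situation. The fragment below is an added example, not either of the configs attached to the thread; it uses pre-8.3 ASA syntax to match the `nat (inside) 0 access-list` form quoted above, and the interface names, ACL names and address ranges are assumptions. Two caveats a practitioner would want: the client-to-gateway traffic is IKE on udp/500, NAT-T on udp/4500 and raw ESP (IP protocol 50), and `crypto isakmp nat-traversal` is a setting for the ASA that terminates the tunnel (the office side), not for an ASA that merely sits as the NAT device in between.

```cisco
! Added example (not the thread's configs). Pre-8.3 ASA syntax; names and
! addresses are assumptions.
!
! --- Home ASA 5505: the PAT device the VPN client sits behind ---
! Outbound udp/500 (IKE), udp/4500 (NAT-T) and ESP (IP proto 50) leave under the
! default inside->outside policy. The return path is the problem: ESP has no port,
! so PAT cannot map a reply back to the client unless the ASA watches the IKE
! exchange and opens a pinhole for the ESP that follows it.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global
!
! If the office gateway negotiates NAT-T, the client wraps ESP in udp/4500 instead,
! which PAT tracks like any other UDP flow, and the pass-through inspection above
! is not exercised. Enable "Transparent Tunneling" (IPsec over UDP) in the client's
! connection entry for that path.
!
! --- Office ASA 5505: the IPsec endpoint ---
! NAT-T is negotiated here. The argument is the keepalive interval in seconds; it
! keeps the home side's udp/4500 PAT entry alive while the tunnel is idle.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!
! Identity NAT so office-to-client traffic is not translated on its way into the
! tunnel (10.10.0.0/24 = office LAN, 10.10.99.0/24 = assumed client address pool).
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.255.0 10.10.99.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
```

A quick check from the client side is to watch which of the two paths is in use: a session that stays up with "Transparent Tunneling" enabled but drops after a few seconds with it disabled is losing raw ESP at the NAT device, which is what `inspect ipsec-pass-thru` on the home ASA addresses.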
MikeKane Commented:
Glad its working.    To close out the question, you can split points between the 2 experts and/or assign a lower grade for the resolution.    Thanks.
gmanpsycho (Author) Commented:
Although the answers given did not solve the issue, they were very helpful in pointing me in the right direction. MikeKane and kenboonejr did an admirable job in helping me resolve the issue. Thanks.
gmanpsycho (Author) Commented:
Thanks to both of you for your help.

Thanks,

Gman