Solved

Cisco VPN client can't stay connected to ASA 5505.

Posted on 2009-05-04
Last Modified: 2013-11-16
I have inherited this network and am now having issues with my VPN. We have a static outside (public) IP address block. As far as I know the ASA 5505 configuration has not changed (my motto is "if it ain't broke, don't fix it."). I am running Mac OS X and Windows XP Pro SP3 with all patches. The VPN client is the Cisco software for both platforms.

On the client side I receive the error message:

Secure VPN Connection terminated locally by the Client.
Reason 422: Lost contact with the security gateway. Check your network connection.

I have looked up the error messages for the ASA side and each one is an informational message such as:

Group = allied-vpn, Username = david, IP = xxx.xxx.xxx.xxx, Received unsupported transaction mode attribute: 5

IPAA: DHCP configured, no viable servers found for tunnel-group 'allied-vpn'

Group = allied-vpn, Username = david, IP = xxx.xxx.xxx.xxx, Connection terminated for peer david.  Reason: Peer Terminate  Remote Proxy 192.168.xxx.xxx, Local Proxy 0.0.0.0

I have included the ASA 5505 current running config.

Any help would be much appreciated.

Thank you,
GmanPsycho
AESS-Pix-Running-Conf-for-Expert.doc
Question by:gmanpsycho
28 Comments
 
LVL 33

Expert Comment

by:MikeKane
Is this only on your client, or network wide?

": Lost contact with the security gateway"  usually means the client is having communication troubles, which is why my 1st question is about the number of people with the issue.  

I'd be curious to see what the syslog or console log has to report when the error happens.  
 

Author Comment

by:gmanpsycho
I have recently found out that one of the VPN clients is able to connect. I have checked her VPN profile on the firewall and have not been able to see any difference from my profile. So that really confuses me....
 
LVL 33

Expert Comment

by:MikeKane
So we know that the firewall has no issue. On your machine, have you installed any other VPN client package? The Cisco client has issues when installed alongside other VPN clients.

If this is the VPN client (not the AnyConnect client), then the end user's settings are kept in the .pcf file in the Cisco directory. You can back up your .pcf file, copy in the working one from the other machine, and then try connecting again.

Most importantly, try your connection from another internet connection and make sure that your drop isn't the cause of the issue (ISP problem, modem sync, etc...).

 

Author Comment

by:gmanpsycho
I have used two different connections to troubleshoot the ISP angle of the issue. I still have the same problem.

The Cisco VPN client is the only one installed on the system.

I will however copy the PCF file from the one working machine and try it on mine. I had forgotten about that little piece of information. I'll update tomorrow.


Thanks for your help so far.

Gman
 
LVL 33

Expert Comment

by:MikeKane
Update me in the morning - thanks
 

Author Comment

by:gmanpsycho
Update... The individual whose connection is working did not bring the laptop to work.... go figure. I'll update as soon as I get the PCF file. Sorry for the delay.
 

Author Comment

by:gmanpsycho
I received the PCF file and was able to import that file into the VPN software. However I am still not able to hold the connection. It will connect for about 5 seconds, then I get disconnected with the message that the client terminated the connection.

I looked @ the PCF file with notepad and found that the path does not work with the Mac OS X (i.e. it states that it's found @ c:\program files\cisco\vpn software ... etc).

Where does OS X keep the PCF file? I know Linux keeps it in a hidden directory under the user's login folder. Maybe I'm not looking in the correct spot.

Thanks again for your patience and help,
Gman
 
LVL 33

Expert Comment

by:MikeKane
I'm not much of a Mac person, but here is Cisco's how-to on installing the client with a preconfigured PCF on a Mac:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a008015cffe.html

Hopefully that will help you out.  

 

Author Comment

by:gmanpsycho
OK... I was able to find the PCF file on the Mac that is working and import it into my VPN client. Result... no go.

Same condition still exists... after about 5 seconds I get disconnected from the VPN. The other clients are not experiencing this issue...

Could it be my VPN Group access membership in the ASA 5505?

Thanks,

Gman
 
LVL 33

Expert Comment

by:MikeKane
Are you using the same group as a person that stays connected?   To test this, just sign in with your credentials using another person's system.   That will quickly eliminate your ID and the ASA config.   If you can sign in anywhere else without issue, then it's the system you are using.   Something there is causing your drop condition I would say.  
 

Author Comment

by:gmanpsycho
OK... here's an update.  I checked the Group Access membership and I have access to the ASA and the other clients have none. I have access to the CLI and they do not.

I did check something else out and it could be Verizon killing the connection and also my firewall config @ my house.

I went to a totally different site and they have DSL with AT&T and the VPN connection worked. I left it running for more than 10 minutes and it still did not drop the connection. Must be ISP or firewall related @ home.

What ports should be open on my firewall @ home (I have RoadRunner for an ISP)?
 
LVL 33

Accepted Solution

by:MikeKane earned 400 total points
Good.  

Let's start with turning off the Windows firewall on your system (or any others you may have installed, i.e. Comodo etc...). This is just for testing.

By default, your outbound connections would not normally be blocking ports unless you specifically went in there and did it. More likely, your router at home will need to pass IPsec. Check your model and then make sure you are running the latest BIOS from the manufacturer. I had an older model Linksys that would not pass VPN traffic properly until I got the update.

-or- you can eliminate the router completely: just plug your RoadRunner connection into your system, configure it up and connect to the ISP. Then test the VPN. This will potentially eliminate the ISP as the point of failure. Then we can concentrate on the router, which would seem to be the culprit.

 

Author Comment

by:gmanpsycho
I've never used the Windows firewall (personally, I don't think it's very useful anyway).

I have a Cisco ASA 5505, just like the one @ the office.

I'll verify the software versions between them and make sure they are the same. I'll update you tonight.


Thanks again for your time and patience,

Gman
 
LVL 33

Expert Comment

by:MikeKane
The Cisco 5505 has some nice debugging, and, as a business firewall, not a consumer firewall, what I said about the default outbound behavior is not correct.

Try connecting the system directly, if it works, then send me the code from your 5505 and I'll check for outbound port blocking.  

 

Author Comment

by:gmanpsycho
OK... I'll still compare the versions of software and update tonight.
 

Author Comment

by:gmanpsycho
OK... I am uploading my current ASA 5505 config that I use @ my house.
I see where it mentions IPsec but I cannot tell if it is being passed through to my network.

Thanks,

Gman
ASA-5505-Config-5-14-09.doc
 

Author Comment

by:gmanpsycho
MikeKane,

Have you had a chance to look at my config to see if I have everything in order? Please let me know. I still do not have a VPN connection to the office network from my home.

Thanks,
Gman
 
LVL 33

Expert Comment

by:MikeKane
Sorry,   I just looked at it.   There's nothing in this config that I can see that would prevent your PC from establishing an outbound connection.   Your code is pretty clean and simple.

Everything is allowed from inside to outside.  

The IPSEC's you see have nothing to do with this issue.  

Do you run a syslog at the office firewall? If so, attempt a connection from your home, then open the log at the office and let's see if the log is catching anything odd. If possible, have the log set to Informational or debug just for the test.

You could also consider running a syslog at the home ASA (or log to the ASA console or monitor) to see if it's catching anything as well.
 

Author Comment

by:gmanpsycho
OK. I'll look @ the syslog on the ASA at the office. I don't think it is set up to dump to a server, so it will be viewed from the monitor. I'll try to get back with you by the end of the week... I just started back to school (University of Phoenix) and my days are getting a bit crowded... so bear with me.

Thanks,
Gman
 

Author Comment

by:gmanpsycho
I have found out that it is my firewall at home that is killing the connection. I disconnected my firewall from the cable modem and connected my Mac directly to the modem. After a reboot of the modem, I tried the VPN connection and it worked like a charm.

I am including the syslog from my firewall when I reconnected everything back. Let me know what is going on. As for me, it looks like my VPN connection is trying to hit my web-server (not sure why - DNS maybe?).

Thanks,

Gman
Home-ASA-Syslog-5-29-09
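MikeKane suggested logging on the home ASA, and the post above attaches the resulting syslog. As an added example that is not part of the thread (and does not use the author's uploaded log), here is a Python triage that scans ASA 106023/106010 "Deny" lines for drops of the traffic an IPsec remote-access client needs a NAT firewall to pass: IKE on UDP 500, NAT-T on UDP 4500, and ESP (IP protocol 50). The log lines, interface names and addresses are constructed.

```python
import re

# Cisco ASA syslog lines, constructed for this example (not the thread's
# uploaded log). Addresses are documentation/private ranges.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny udp src inside:192.168.1.50/500 dst outside:203.0.113.10/500 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/4500 dst outside:203.0.113.10/4500 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/52144 dst outside:198.51.100.7/80 by access-group "inside_access_in" [0x0, 0x0]
%ASA-3-106010: Deny inbound protocol 50 src outside:203.0.113.10 dst inside:192.168.1.50
%ASA-6-302015: Built outbound UDP connection 1234 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.50/60001 (203.0.113.20/60001)
"""

# Traffic an IPsec remote-access client needs the home firewall to pass.
IPSEC_SIGNATURES = {
    ("udp", 500): "IKE/ISAKMP (UDP 500)",
    ("udp", 4500): "IKE/ESP over NAT-T (UDP 4500)",
    ("ip", 50): "ESP (IP protocol 50)",
}

# 106023: ACL deny with ports; 106010: inbound deny of a raw IP protocol.
DENY_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY_106010 = re.compile(
    r"%ASA-\d-106010: Deny inbound protocol (?P<proto>\d+) src (?P<sif>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)")


def find_ipsec_drops(syslog_text):
    """Return (line_no, description, src, dst) for every denied IPsec packet."""
    findings = []
    for n, line in enumerate(syslog_text.splitlines(), 1):
        m = DENY_106023.search(line)
        if m:
            key = (m["proto"].lower(), int(m["dport"]))
        else:
            m = DENY_106010.search(line)
            if not m:
                continue  # not a deny message we classify
            key = ("ip", int(m["proto"]))
        label = IPSEC_SIGNATURES.get(key)
        if label:
            findings.append((n, label, m["src"], m["dst"]))
    return findings


if __name__ == "__main__":
    for n, label, src, dst in find_ipsec_drops(SAMPLE_SYSLOG):
        print(f"line {n}: firewall dropped {label} {src} -> {dst}")
```

Any hit means the home device, not the office ASA, is breaking the tunnel; the permitted TCP/80 and DNS lines are ignored because they are irrelevant to the client's IPsec session.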
 

Author Comment

by:gmanpsycho
Bump....

Any ideas from anybody?
 

Author Comment

by:gmanpsycho
I have changed the awarded points to 500. Hopefully to attract more input.
 
LVL 24

Assisted Solution

by:Ken Boone earned 100 total points
Try adding this line.  This allows an ipsec session to flow through a NAT device - such as your firewall.

crypto isakmp nat-traversal 120

 

Author Comment

by:gmanpsycho
Will do. I'll have an update tomorrow. Thanks for your response.

Gman
 

Author Comment

by:gmanpsycho
I tried your suggestion but it did not work.

I did go back and look @ my NAT statements and changed this original statement:
nat (inside) 0 access-list inside_nat0_outbound

to this new one:
nat (inside) 0 access-list inside_nat0_outbound outside

Afterwards I tried the Cisco VPN and it gave me the userID and Password prompt. Nice!

As far as rewarding the points MikeKane helped me out a lot but was unable to actually resolve the issue. kenboonejr had me try further commands that also did not work. I guess it would be up to the moderator to decide.

Thanks again for everyone's help.

Gman
 
LVL 33

Expert Comment

by:MikeKane
Glad it's working. To close out the question, you can split points between the 2 experts and/or assign a lower grade for the resolution. Thanks.
 

Author Closing Comment

by:gmanpsycho
Although the answers given did not solve the issue, they were very helpful in pointing me in the right direction. MikeKane and kenboonejr did an admirable job in helping me resolve the issue. Thanks.
 

Author Comment

by:gmanpsycho
Thanks to both of you for your help.

Thanks,

Gman
