jtennyson
asked on
Cisco client on iPhone stopped working
I have been using the cisco client on the iPhone to access my network for the last two years. I unfortunately had a consultant do some work on my ASA 5510 two weeks ago. Now the VPN clients on the three iPhones in the office will not connect. The VPN works fine with the computers. Is there something in the config that I need to put back? I have attached a copy of my config.
Here are some errors I found on the ASDM when I try to connect.
3 Apr 20 2011 11:24:42 713902 Group = group, Username = jtenny, IP = 166.137.140.133, Removing peer from correlator table failed, no match!
3 Apr 20 2011 11:24:42 713902 Group = group, Username = jtenny, IP = 166.137.140.133, QM FSM error (P2 struct &0xab8608e8, mess id 0xd640b300)!
I really need help quickly.
ASA---Copy
use rgrayvpn as group name when you connect.
ASKER
I am using rgrayvpn as the group name. Nothing has changed in the client configuration. It worked before.
Recent upgrades to the iPhone now require the cisco mobility license to connect to VPN. Please refer to http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html
anyconnect is another story not related to this question.
Except that I have an iPhone 4 and iPad 2 that both stopped working with VPN (not any connect) until we added mobility license. So I appreciate your opinion, but I speak from experience, not opinion.
ASKER
These are iPhone 3 and they worked until April 9. On April 10 the consultant worked on the ASA putting in a site to site VPN for failover. The iPhones no longer worked after that.
ASKER
Here is what I found on Cisco's web site relating to the error. I just don't know what to do with it.
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs as shown appear.
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Note: Only one Dynamic Crypto-map is allowed for each interface in the Security Appliance.
Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note that the dynamic entry has the highest sequence number and room has been left to add additional static entries:
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap 60000 ipsec-isakmp dynamic cisco
ASKER
Here is the log when I try to log in
5 Apr 20 2011 20:09:02 713119 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, PHASE 1 COMPLETED
5 Apr 20 2011 20:09:02 713904 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, All IPSec SA proposals found unacceptable!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Removing peer from correlator table failed, no match!
5 Apr 20 2011 20:09:02 713259 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session is being torn down. Reason: Phase 2 Mismatch
4 Apr 20 2011 20:09:02 113019 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
there is something strange with your config.
The reason: "dyn-map" is applied on the interface and contains only a dynamic map entry.
There is also map1; that one contains the entries for the site-to-site VPN peers.
On top of that, map1 allows for one transform set named set1 for RA: esp-aes-256 esp-sha-hmac,
while the "dyn-map" has one transform set named "myset": esp-des esp-md5-hmac.
Here is where I don't understand. map1 has a different encryption algorithm (stronger) than dyn-map for the remote-access VPN.
ASKER
Danj
OK. What do I do? I can follow directions to put commands in. But I don't know enough to know what commands to use to fix it. I need the iPhones to work and the site to site VPN to work.
You typed faster than me. It does make sense. The encryption algorithm is unsupported on the iPhone. It looks like you have aes 256 on the ASA configured.
You need to add an entry to the dynamic map that allows for the esp-des esp-md5-hmac.
ASKER
Sorry to seem stupid. How do I do this?
ASKER
I just need to know what the command is to enter.
ASKER
Or, you could tell me how to do it in the ASDM.
ASKER
It does not appear you can enter esp-md5-hmac through the asdm. The option is not there. So I will have to do it through the CLI. I just don't know the exact command. I don't know what set to put it in.
I am not sure which map is applied on the interface.
To cover all the areas:
1. add one entry to the outside_dyn_map
crypto dynamic-map outside_dyn_map 10 set transform-set myset
2. add one entry to the cisco
crypto dynamic-map cisco 10 set transform-set set1
so that both dynamic maps have the 2 identical transform sets
ASKER
What is the transform set I am entering?
you already have the two transform sets defined here (from the config):
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
you just have to add an entry to the dynamic crypto map (the entries are listed in my previous post)
that points to the transform set.
The reason I asked to make 2 changes is that I cannot really say which map is currently applied to the interface. Since you have only 2 maps you can add one entry to each map. At the end both dynamic maps have 2 entries, one for each transform set. So no matter which one you use the client would be able to get in.
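An added Python example (not from the thread, and not the asker's real config) that checks a `show run | include crypto` dump for the two problems discussed in this thread: the Cisco note that the dynamic entry must carry the highest sequence number in its crypto map, and the expert's diagnosis that the dynamic map bound to the interface offers no transform set the client can match. The sample config is constructed to mirror the situation described (set1/myset, outside_dyn_map, map1); the interface name and peer address are assumptions.

```python
# Constructed sample (not the asker's real config) mirroring what the thread
# describes: two transform sets, a dynamic map that offers only the AES-256 set,
# and a site-to-site entry numbered ABOVE the dynamic entry.
SAMPLE_CFG = """
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set set1
crypto map map1 10 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 20 match address outside_1_cryptomap
crypto map map1 20 set peer 203.0.113.10
crypto map map1 20 set transform-set set1
crypto map map1 interface outside
"""

def parse_crypto(text):
    """Index transform sets, dynamic maps, crypto maps and interface bindings."""
    cfg = {"ts": {}, "dyn": {}, "map": {}, "iface": {}}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and w[4:5] != ["mode"]:
            cfg["ts"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            cfg["dyn"].setdefault(w[2], {})[int(w[3])] = w[6:]
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["iface"][w[4]] = w[2]
        elif w[:2] == ["crypto", "map"]:
            # any line for <map> <seq> creates the entry; only dynamic ones get a key
            entry = cfg["map"].setdefault(w[2], {}).setdefault(int(w[3]), {})
            if w[4:6] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = w[6]
    return cfg

def check_dynamic_order(cfg):
    """Cisco's rule: the dynamic entry must carry the highest sequence number."""
    findings = []
    for name, entries in cfg["map"].items():
        dyn = [s for s, e in entries.items() if "dynamic" in e]
        static = [s for s, e in entries.items() if "dynamic" not in e]
        if dyn and static and max(static) > min(dyn):
            findings.append(f"{name}: static entry {max(static)} is numbered above dynamic entry {min(dyn)}")
    return findings

def accepted_by_clients(cfg, iface):
    """Transform sets a remote-access client can match on this interface."""
    name = cfg["iface"].get(iface)
    accepted = set()
    for entry in cfg["map"].get(name, {}).values():
        for ts_names in cfg["dyn"].get(entry.get("dynamic"), {}).values():
            accepted.update(cfg["ts"][t] for t in ts_names)
    return accepted
```

Adding the line the expert suggests (a second dynamic-map entry pointing at myset) makes esp-des esp-md5-hmac appear in accepted_by_clients(); renumbering the dynamic entry above the static one clears check_dynamic_order().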
ASKER
OK. So do I go in to Global config and type in this?
crypto dynamic-map outside_dyn_map 10 set transform-set myset
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 10 set transform-set set1
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
these two you already have them
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
it's from the config you attached to this email
Even if you type them it would just say duplicate entries.
I just noticed I made a small mistake in the previous post.
you need to type
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map cisco 20 set transform-set set1
ASKER
I'm going to try it right now.
ASKER
Nope. Did not work
ok. can you post the output of
sh run | in crypto
to make sure all the commands are in.
If everything is ok here I suggest removing the crypto map from the interface and then reapplying it.
Another thing is to check the logs to see whether you get the same error or something else.
ASKER
Found the answer on Cisco's site