[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1287
  • Last Modified:

Cisco client on iPhone stopped working

I have been using the cisco client on the iPhone to access my network for the last two years.  I unfortunately had a consultant do some work on my ASA 5510 two weeks ago.  Now the VPN clients on the three iPhones in the office will not connect.  The VPN works fine with the computers.  Is there something in the config that I need to put back?  I have attached a copy of my config.

Here are some errors I found on the ASDM when I try to connect.

3      Apr 20 2011      11:24:42      713902                              Group = group, Username = jtenny, IP = 166.137.140.133, Removing peer from correlator table failed, no match!

3      Apr 20 2011      11:24:42      713902                              Group = group, Username = jtenny, IP = 166.137.140.133, QM FSM error (P2 struct &0xab8608e8, mess id 0xd640b300)!

I really need help quickly.
ASA---Copy
0
jtennyson
Asked:
jtennyson
  • 15
  • 8
  • 2
1 Solution
 
DanJCommented:
use rgrayvpn as group name when you connect.
0
 
jtennysonAuthor Commented:
I am using rgrayvpn as the group name.  Nothing has changed in the client configuration.  It worked before.
0
 
RPPreacherCommented:
Recent upgrades to the iPhone now require the cisco mobility license to connect to VPN.  Please refer to http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

 
DanJCommented:
anyconnect is another story not related to this question.
0
 
RPPreacherCommented:
Except that I have an iPhone 4 and iPad 2 that both stopped working with VPN (not any connect) until we added mobility license.  So I appreciate your opinion, but I speak from experience, not opinion.
0
 
jtennysonAuthor Commented:
These are iPhone 3 and they worked until April 9.  On April 10 the consultant worked on the ASA putting in a site to site VPN for failover.  The iPhones not longer worked after that.
0
 
jtennysonAuthor Commented:
Here is what I found on Cisco's web site relating to the error.  I just don't know what to do with it.

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs as shown appears.

IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!Note: Only one Dynamic Crypto-map is allowed for each interface in the Security Appliance.

Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note that the dynamic entry has the highest sequence number and room has been left to add additional static entries:

crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap 60000 ipsec-isakmp dynamic cisco
0
 
jtennysonAuthor Commented:
Here is the log when I try to log in



5      Apr 20 2011      20:09:02      713119                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, PHASE 1 COMPLETED

5      Apr 20 2011      20:09:02      713904                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, All IPSec SA proposals found unacceptable!

3      Apr 20 2011      20:09:02      713902                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!

3      Apr 20 2011      20:09:02      713902                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Removing peer from correlator table failed, no match!

5      Apr 20 2011      20:09:02      713259                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session is being torn down. Reason: Phase 2 Mismatch

4      Apr 20 2011      20:09:02      113019                              Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

0
 
DanJCommented:
there is something strange with your config.
The reason- "dyn-map" is applied on the interface and does contain only a dynamic map entry.
There is aloso  map1  that one contains the entries for the site-to-site VPN peers.
On top of that map1 allows for one transform set named set1 for RA esp-aes-256 esp-sha-hmac
while the "dyn-map" has one transform set named "myset" esp-des esp-md5-hmac.  

Here is where I don't understand. map1 has a different encry algorithm (stronger) that dyn-map for the remote-access VPN.
0
 
jtennysonAuthor Commented:
Danj

OK.  What do I do?  I can follow directions to put commands in.   But I don't know enough to know what commands to use to fix it.  I need the iPhones to work and the site to site VPN to work.
0
 
DanJCommented:
you typed faster than me. It does makes sense. The encryption algorithm is unsupported on the iPhone. It looks you have aes 256 on the ASA configured.
You need to add an entry to the dynamic map that allows for the  esp-des esp-md5-hmac.
0
 
jtennysonAuthor Commented:
Sorry to seem stupid.  How do I do this?
0
 
jtennysonAuthor Commented:
I just need to know what the command is to enter.
0
 
jtennysonAuthor Commented:
Or, you could tell me how to do it in the ASDM.
0
 
jtennysonAuthor Commented:
It does not appear you can enter  esp-md5-hmac through the asdm.  The option is not there.  So I will have to do it through the CLI.  I just don't know the exact command.  I don't know what set to put it in.
0
 
DanJCommented:
I am not sure which map is applied on the interface.
To cover all the areas:

1. add one entry to the outside_dyn_map
crypto dynamic-map outside_dyn_map 10 set transform-set myset

2. add one entry to the cisco
crypto dynamic-map cisco 10 set transform-set set1

so that both dynamic maps have the 2 identical transform sets
0
 
jtennysonAuthor Commented:
What is the transform set I am entering?
0
 
DanJCommented:
you already thave the two transform sets defined here (from the config):

crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac

you just have to add an entry to the dynamic crypto map (the entries are listed in my previous post)
that points to the transform set.

The reason I asked to make 2 changes is that I cannot really say which map is currently applied to the interface.since you have only 2 maps you can add one entry to each map. At the end both dynamic maps have 2 entries one for each transform set. So no matter which one you use the client would be able to get in.
0
 
jtennysonAuthor Commented:
OK.  So do I go in to Global config and type in this?

crypto dynamic-map outside_dyn_map 10 set transform-set myset

crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac


crypto dynamic-map cisco 10 set transform-set set1

crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
0
 
DanJCommented:
these two you already have them
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac

it's from the config you attached to this email
ven if you type them it would just say duplicate entries

I just notifced I need a small mistake on the previous post.
you need to type

crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map cisco 20 set transform-set set1



0
 
jtennysonAuthor Commented:
I'm going to try it right now.
0
 
jtennysonAuthor Commented:
Nope.  Did not work
0
 
DanJCommented:
ok. can you post the output of

sh run | in crypto

to make sure all the commands are in.
if everything is ok here I suggest to remove the crypto map to the interface and then reapply it.
another thing is to check the logs if you get the same error or is something else.
0
 
jtennysonAuthor Commented:
A guy from Cisco said to do this

no crypto map dyn-map interface outside

crypto dynamic-map cisco 1 set transform-set myset set1

crypto map dyn-map interface outside


It worked
0
 
jtennysonAuthor Commented:
Found the answer on Cisco's site
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 15
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now