btg123

VPN Error

I have been using the built in VPN client in network preferences to connect to various Cisco IPSec VPNs since I purchased my computer. For about the last week any time I try and connect to a Cisco IPSec VPN I get an error message saying "The VPN server did not respond. Verify the server address and try reconnecting." Other Mac users in my company are able to connect using this method and I've double checked to verify we are using the same settings. I am however able to connect to PPTP based VPNs. Does anyone have any idea how to resolve this issue?

anoopkmr

Need to see the debug crypto isakmp from the ASA at the time you are connecting.

Also verify:

1) Check the reachability to the ASA IP from the laptop.
2) Double-check the settings, especially group name and pre-shared key.
3) Is there any built-in firewall running on the laptop?
strung

If the others are on Snow Leopard, it may be a Lion problem. See:  https://supportforums.cisco.com/thread/2095921
btg123

ASKER

Thanks for the reply.

1) I have verified the reachability of the ASAs. Again, this is an issue that suddenly started with ALL IPSec based connections on my Mac, not just one.
2) I have verified the settings and PSK against the working configurations on other Mac computers in our office.
3) The built-in firewall is disabled. I am running Little Snitch, but it has been disabled for testing with no result change.

I have also run a Wireshark on the interface on my laptop while trying to connect. I see packets going outbound to the ASA's IP, as well as a reply back. I tried to run the debug you requested, but the command is not recognized. I've run "debug crypto condition error isakmp" on one of the ASAs I have tried to connect to for you, but received no error output.

Thanks
anoopkmr

Kindly provide the debug crypto isakmp 127 output from the ASA.
anoopkmr

Sorry... are you using a Cisco ASA as the VPN server?
btg123

ASKER

Strung: Thank you for the link but this does not appear to be the same issue I am having. This is with the built in VPN client on the Mac, and other users in my corporation are using Lion as well with the same system updates installed.

anoopkmr: Most of the VPNs I am trying to connect to are using a Cisco ASA 5505/5510 (I work for a Cisco reseller trying to connect to various clients' networks). The debug you have asked for output for does not exist in these ASAs. Here are the options I have.

# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels

Thanks again.
strung

Are the other users who can connect successfully trying to connect from the same location as you are? The problem may lie with the location you are trying to connect from, rather than in your laptop.

Some businesses deliberately turn off VPN passthrough on their routers, for instance. Also, it can cause problems if your local LAN uses the same subnet as the remote LAN you are trying to connect to.
anoopkmr

Try debug crypto ike-common. Which ASA OS version are you using?
btg123

ASKER

Hi strung,
I have 2 MacBooks sitting on the same subnet in my office, using the built in VPN client on the Mac, using the same configuration, connecting to the same ASAs. The other laptop is able to connect to every ASA with no problem. I can also connect to these same VPNs from the laptop I'm having the issues with if I am using the Cisco VPN client in a Windows 7 VM on VMWare Fusion. I've never had a problem connecting to any of these sites until recently. When I started to have an issue with 1, I started having an issue with every connection I've tried.

Thanks again for your continued assistance.
btg123

ASKER

anoopkmr, on the ASA I am testing with I am running 8.4(1). I have run the requested debug for you while trying to connect to the VPN and it did not generate any output. I also tried running a debug crypto ikev1 100 and got the attached output for you.


TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
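
Added example, not part of the original post: a Python sketch that reads ASA IKEv1 debug lines like the ones above and reports peers that only keep retransmitting their first IKE packet, which is what the ASA logs when the client does not act on its reply. The function names and the fixed year used for timestamp parsing are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Debug lines copied from the post above ("debug crypto ikev1 100" output).
SAMPLE = """\
TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
"""

LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]"
    r"IP = (?P<peer>[\d.]+), (?P<msg>.*)$"
)
DUP = "Duplicate first packet detected"
LANDED = "Connection landed on tunnel_group "

def parse(text):
    """Yield (timestamp, peer, message) for each IKEv1 debug line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m:
            # The log carries no year; a fixed leap year is assumed for parsing.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["peer"], m["msg"].strip()

def stalled_peers(text, min_dups=2):
    """Return {peer: info} for peers that never get past their first packet."""
    events = defaultdict(list)
    for ts, peer, msg in parse(text):
        events[peer].append((ts, msg))
    report = {}
    for peer, evs in events.items():
        dups = [ts for ts, msg in evs if msg.startswith(DUP)]
        rest = [msg for _, msg in evs if not msg.startswith(DUP)]
        group = next((m[len(LANDED):] for m in rest if m.startswith(LANDED)), None)
        progressed = any(not m.startswith(LANDED) for m in rest)
        if len(dups) >= min_dups and not progressed:
            gaps = [int((b - a).total_seconds()) for a, b in zip(dups, dups[1:])]
            report[peer] = {"tunnel_group": group, "duplicates": len(dups),
                            "retransmit_gaps_s": gaps}
    return report

if __name__ == "__main__":
    print(stalled_peers(SAMPLE))
```

A steady gap between duplicates (3 seconds here) is the client's retransmit timer, so the next place to look is the return path to that client rather than the tunnel-group settings.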

btg123

ASKER

Hey guys, I'm still looking for some assistance on this. Thanks in advance for any help.
btg123

ASKER

I found another piece to the puzzle this morning. The VPN will connect just fine if I'm connected via my wired NIC on the Mac. The issue seems to be with the wireless interface. I deleted the /Library/Preferences/SystemConfiguration folder that contains all of the networking preference plist files in it and rebooted. All of my network settings were gone. I reconnected to the wireless network and added the VPN profile back in and had the same issue.
strung

What IP address are you getting using the wireless interface?
What IP address do you get when using the wired connection?
btg123

ASKER

Strung, if you are talking about internal IP from my DHCP server, I have tried to statically assign the same IP to both interfaces, it did not make a difference.
strung

That is what I was talking about. I wanted to make sure the wireless interface was picking up an IP in the same subnet as the wired interface.

By the way, using a static IP address, as you probably know, requires you to assign an address in the same subnet as the DHCP server, but outside the range served by the DHCP server (to avoid the possibility of duplicate IP addresses). Also, if you are using a static IP, you have to provide the DNS IP address manually too.
btg123

ASKER

I am aware of all of this, thanks for the info though. I have a feeling the issue has something to do with the interface itself, as this is an issue while trying to connect from other networks outside of my office as well. Do you have any suggestions on how to troubleshoot the configuration of the interface (other than deleting the plist files as I mentioned above) that I might be able to try?

Thanks again for all your help.
btg123

ASKER

Is there any update for this? I am still experiencing this issue.

Any help would be appreciated.
btg123

ASKER

bump
ASKER CERTIFIED SOLUTION
btg123

btg123

ASKER

No one answered this correctly