Solved

VPN Error

Posted on 2011-10-05
Last Modified: 2013-05-24
I have been using the built in VPN client in network preferences to connect to various Cisco IPSec VPNs since I purchased my computer. For about the last week any time I try and connect to a Cisco IPSec VPN I get an error message saying "The VPN server did not respond. Verify the server address and try reconnecting." Other Mac users in my company are able to connect using this method and I've double checked to verify we are using the same settings. I am however able to connect to PPTP based VPNs. Does anyone have any idea how to resolve this issue?
Question by:btg123
20 Comments
 
LVL 14

Expert Comment

by:anoopkmr
ID: 36917424
Need to see the debug crypto isakmp from the ASA at the time you are connecting.

Also verify:

1) Check the reachability to the ASA IP from the laptop.
2) Double-check the settings, especially group name and pre-shared key.
3) Is there any built-in firewall running on the laptop?
0
 
LVL 53

Expert Comment

by:strung
ID: 36917985
If the others are on Snow Leopard, it may be a Lion problem. See:  https://supportforums.cisco.com/thread/2095921
0
 
LVL 1

Author Comment

by:btg123
ID: 36918352
Thanks for the reply.

1) I have verified the reachability of the ASAs. Again, this is an issue that suddenly started with ALL IPSec based connections on my Mac, not just one.
2) I have verified the settings and PSK against the working configurations on other Mac computers in our office.
3) The built-in firewall is disabled. I am running Little Snitch, but it has been disabled for testing with no result change.

I have also run a Wireshark on the interface on my laptop while trying to connect. I see packets going outbound to the ASA's IP, as well as a reply back. I tried to run the debug you requested, but the command is not recognized. I've run "debug crypto condition error isakmp" on one of the ASAs I have tried to connect to for you, but received no error output.

Thanks
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 36918880
Kindly provide the debug crypto isakmp 127 output from the ASA.
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 36918901
Sorry... are you using a Cisco ASA as the VPN server?
0
 
LVL 1

Author Comment

by:btg123
ID: 36919388
Strung: Thank you for the link but this does not appear to be the same issue I am having. This is with the built in VPN client on the Mac, and other users in my corporation are using Lion as well with the same system updates installed.

anoopkmr: Most of the VPNs I am trying to connect to are using a Cisco ASA 5505/5510 (I work for a Cisco reseller trying to connect to various clients' networks). The debug you have asked for output for does not exist in these ASAs. Here are the options I have.

# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels

Thanks again.
0
 
LVL 53

Expert Comment

by:strung
ID: 36919433
Are the other users who can connect successfully trying to connect from the same location as you are? The problem may lie with the location you are trying to connect from, rather than in your laptop.

Some businesses deliberately turn off VPN passthrough on their routers, for instance. Also, it can cause problems if your local LAN uses the same subnet as the remote LAN you are trying to connect to.
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 36919469
Try debug crypto ike-common... Which ASA OS version are you using?
0
 
LVL 1

Author Comment

by:btg123
ID: 36919513
Hi strung,
I have 2 MacBooks sitting on the same subnet in my office, using the built in VPN client on the Mac, using the same configuration, connecting to the same ASAs. The other laptop is able to connect to every ASA with no problem. I can also connect to these same VPNs from the laptop I'm having the issues with if I am using the Cisco VPN client in a Windows 7 VM on VMware Fusion. I've never had a problem connecting to any of these sites until recently. When I started to have an issue with 1, I started having an issue with every connection I've tried.

Thanks again for your continued assistance.
0
 
LVL 1

Author Comment

by:btg123
ID: 36919747
anoopkmr, on the ASA I am testing with I am running 8.4(1). I have run the requested debug for you while trying to connect to the VPN and it did not generate any output. I also tried running a debug crypto ikev1 100 and got the attached output for you.


TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.

0
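
In the debug output posted above, the ASA logs the same peer resending its first IKEv1 packet every three seconds after the connection lands on the tunnel group. As an added example (not part of the original thread), the Python below groups such lines by peer and reports the duplicate count and spacing; the names `stalled_peers`, `min_dups` and `LOG_YEAR` are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2011  # assumption: the debug lines carry no year, so one is supplied

# Sample input: the four debug lines from the post above, CLI prompt included.
SAMPLE = """\
TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
"""

LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]"
    r"IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)

def stalled_peers(text, min_dups=2):
    """Return {peer_ip: summary} for peers that keep resending the first IKE packet."""
    peers = defaultdict(lambda: {"group": None, "first": None, "dups": []})
    for raw in text.splitlines():
        m = LINE.search(raw)  # search(), so a leading CLI prompt is tolerated
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        peer, msg = peers[m["ip"]], m["msg"]
        if msg.startswith("Connection landed on tunnel_group "):
            # A new attempt starts here: remember the group, reset the counter.
            peer.update(group=msg.rsplit(" ", 1)[1], first=ts, dups=[])
        elif msg.startswith("Duplicate first packet detected"):
            peer["dups"].append(ts)

    report = {}
    for ip, peer in peers.items():
        if len(peer["dups"]) < min_dups:
            continue  # a single duplicate can be ordinary packet loss
        times = ([peer["first"]] if peer["first"] else []) + peer["dups"]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[ip] = {"tunnel_group": peer["group"],
                      "duplicates": len(peer["dups"]),
                      "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for ip, info in stalled_peers(SAMPLE).items():
        print(ip, info)
```
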
 
LVL 1

Author Comment

by:btg123
ID: 36942870
Hey guys, I'm still looking for some assistance on this. Thanks in advance for any help.
0
 
LVL 1

Author Comment

by:btg123
ID: 36949595
I found another piece to the puzzle this morning. The VPN will connect just fine if I'm connected via my wired NIC on the Mac. The issue seems to be with the wireless interface. I deleted the /Library/Preferences/SystemConfiguration folder that contains all of the networking preference plist files in it and rebooted. All of my network settings were gone. I reconnected to the wireless network and added the VPN profile back in and had the same issue.
0
 
LVL 53

Expert Comment

by:strung
ID: 36949646
What IP address are you getting using the wireless interface?
What IP address do you get when using the wired connection?
0
 
LVL 1

Author Comment

by:btg123
ID: 36949674
Strung, if you are talking about internal IP from my DHCP server, I have tried to statically assign the same IP to both interfaces, it did not make a difference.
0
 
LVL 53

Expert Comment

by:strung
ID: 36949792
That is what I was talking about. I wanted to make sure the wireless interface was picking up an IP in the same subnet as the wired interface.

By the way, using a static IP address, as you probably know, requires you to assign an address in the same subnet as the DHCP server, but outside the range served by the DHCP server (to avoid the possibility of duplicate IP addresses). Also, if you are using a static IP, you have to provide the DNS IP address manually too.
0
 
LVL 1

Author Comment

by:btg123
ID: 36950328
I am aware of all of this, thanks for the info though. I have a feeling the issue has something to do with the interface itself, as this is an issue while trying to connect from other networks outside of my office as well. Do you have any suggestions on how to troubleshoot the configuration of the interface (other than deleting the plist files as I mentioned above) that I might be able to try?

Thanks again for all your help.
0
 
LVL 1

Author Comment

by:btg123
ID: 36988964
Is there any update for this? I am still experiencing this issue.

Any help would be appreciated.
0
 
LVL 1

Author Comment

by:btg123
ID: 37073914
bump
0
 
LVL 1

Accepted Solution

by:
btg123 earned 0 total points
ID: 38234069
Still ongoing.
0
 
LVL 1

Author Closing Comment

by:btg123
ID: 39193733
No one answered this correctly
0
