VPN Error

I have been using the built in VPN client in network preferences to connect to various Cisco IPSec VPNs since I purchased my computer. For about the last week any time I try and connect to a Cisco IPSec VPN I get an error message saying "The VPN server did not respond. Verify the server address and try reconnecting." Other Mac users in my company are able to connect using this method and I've double checked to verify we are using the same settings. I am however able to connect to PPTP based VPNs. Does anyone have any idea how to resolve this issue?
btg123Asked:

anoopkmrCommented:
Need to see the debug crypto isakmp output from the ASA at the time you are connecting.

Also verify:

1) Check the reachability of the ASA IP from the laptop.
2) Double-check the settings, especially the group name and pre-shared key.
3) Is there any built-in firewall running on the laptop?
0
strungCommented:
If the others are on Snow Leopard, it may be a Lion problem. See:  https://supportforums.cisco.com/thread/2095921
0
btg123Author Commented:
Thanks for the reply.

1) I have verified the reachability of the ASAs. Again, this is an issue that suddenly started with ALL IPSec based connections on my Mac, not just one.
2) I have verified the settings and PSK against the working configurations on other Mac computers in our office.
3) The built-in firewall is disabled. I am running Little Snitch, but it has been disabled for testing with no result change.

I have also run a WireShark on the interface on my laptop while trying to connect. I see packets going outbound to the ASA's IP, as well as a reply back. I tried to run the debug you requested, but the command is not recognized. I've run "debug crypto condition error isakmp" on one of the ASAs I have tried to connect to for you, but received no error output.

Thanks
0
anoopkmrCommented:
Kindly provide the debug crypto isakmp 127 output from the ASA.
0
anoopkmrCommented:
Sorry... are you using a Cisco ASA as the VPN server?
0
btg123Author Commented:
Strung: Thank you for the link but this does not appear to be the same issue I am having. This is with the built in VPN client on the Mac, and other users in my corporation are using Lion as well with the same system updates installed.

anoopkmr: Most of the VPNs I am trying to connect to are using a Cisco ASA 5505/5510 (I work for a Cisco reseller trying to connect to various client's networks). The debug you have asked for output for does not exist in these ASAs. Here are the options I have.

# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels

Thanks again.
0
strungCommented:
Are the other users who can connect successfully trying to connect from the same location as you are? The problem may lie with the location you are trying to connect from, rather than in your laptop.

Some businesses deliberately turn off VPN passthrough on their routers, for instance. Also, it can cause problems if your local LAN uses the same subnet as the remote LAN you are trying to connect to.
0
anoopkmrCommented:
Try debug crypto ike-common... Which ASA OS version are you using?
0
btg123Author Commented:
Hi strung,
I have 2 MacBooks sitting on the same subnet in my office, using the built in VPN client on the Mac, using the same configuration, connecting to the same ASAs. The other laptop is able to connect to every ASA with no problem. I can also connect to these same VPNs from the laptop I'm having the issues with if I am using the Cisco VPN client in a Windows 7 VM on VMWare Fusion. I've never had a problem connecting to any of these sites until recently. When I started to have an issue with 1, I started having an issue with every connection I've tried.

Thanks again for your continued assistance.
0
btg123Author Commented:
anoopkmr, on the ASA I am testing with I am running 8.4(1). I have run the requested debug for you while trying to connect to the VPN and it did not generate any output. I also tried running a debug crypto ikev1 100 and got the attached output for you.


TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.

0
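Added example, not part of the original thread and not any participant's code: a small parser for the `debug crypto ikev1` lines posted above. It groups messages by peer and flags the pattern in that output, where the ASA keeps seeing the client's first packet retransmitted and nothing else. Reading that as "the ASA's reply is not being accepted by the client" is the usual interpretation and is an assumption here; the function and field names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Debug lines copied from the post above (device prompt kept on the first line).
SAMPLE = """\
TEMP-VPN# Oct 05 14:48:57 [IKEv1]IP = 108.9.80.162, Connection landed on tunnel_group QON-REMOTE
Oct 05 14:49:00 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:03 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
Oct 05 14:49:06 [IKEv1]IP = 108.9.80.162, Duplicate first packet detected.  Ignoring packet.
"""

LINE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]"
    r"IP = (?P<peer>[\d.]+), (?P<msg>.*)$"
)

def summarize(text):
    """Group IKEv1 debug lines by peer and flag stalled first-packet exchanges."""
    peers = defaultdict(lambda: {"group": None, "dups": [], "other": 0})
    for raw in text.splitlines():
        m = LINE.search(raw)  # search() skips a leading device prompt
        if not m:
            continue
        # The debug lines carry no year; 2000 is a placeholder so parsing works.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        entry = peers[m["peer"]]
        if m["msg"].startswith("Connection landed on tunnel_group"):
            entry["group"] = m["msg"].rsplit(" ", 1)[-1]
        elif m["msg"].startswith("Duplicate first packet detected"):
            entry["dups"].append(ts)
        else:
            entry["other"] += 1  # any other message counts as progress
    report = {}
    for peer, e in peers.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(e["dups"], e["dups"][1:])]
        report[peer] = {
            "tunnel_group": e["group"],
            "duplicates": len(e["dups"]),
            "retransmit_gaps_s": gaps,
            # Assumption: repeated duplicates with no other IKEv1 message means
            # the peer keeps resending its first packet and never moves on.
            "stalled": len(e["dups"]) >= 2 and e["other"] == 0,
        }
    return report

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, info)
```

A stalled peer with steady retransmit gaps points the investigation at the return path to the client rather than at the group name or pre-shared key, since the exchange never gets far enough to test either.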
btg123Author Commented:
Hey guys, I'm still looking for some assistance on this. Thanks in advance for any help.
0
btg123Author Commented:
I found another piece to the puzzle this morning. The VPN will connect just fine if I'm connected via my wired NIC on the Mac. The issue seems to be with the wireless interface. I deleted the /Library/Preferences/SystemConfiguration folder that contains all of the networking preference plist files in it and rebooted. All of my network settings were gone. I reconnected to the wireless network and added the VPN profile back in and had the same issue.
0
strungCommented:
What IP address are you getting using the wireless interface?
What IP address do you get when using the wired connection?
0
btg123Author Commented:
Strung, if you are talking about internal IP from my DHCP server, I have tried to statically assign the same IP to both interfaces, it did not make a difference.
0
strungCommented:
That is what I was talking about. I wanted to make sure the wireless interface was picking up an IP in the same subnet as the wired interface.

By the way, using a static IP address, as you probably know, requires you to assign an address in the same subnet as the DHCP server, but outside the range served by the DHCP server (to avoid the possibility of duplicate IP addresses). Also, if you are using a static IP, you have to provide the DNS IP address manually too.
0
btg123Author Commented:
I am aware of all of this, thanks for the info though. I have a feeling the issue has something to do with the interface itself, as this is an issue while trying to connect from other networks outside of my office as well. Do you have any suggestions on how to troubleshoot the configuration of the interface (other than deleting the plist files as I mentioned above) that I might be able to try?

Thanks again for all your help.
0
btg123Author Commented:
Is there any update for this? I am still experiencing this issue.

Any help would be appreciated.
0
btg123Author Commented:
bump
0
btg123Author Commented:
Still ongoing.
0
btg123Author Commented:
No one answered this correctly
0
Question has a verified solution.