Solved

Cisco ASA remote access VPN one way traffic NCP client

Posted on 2011-10-11
Medium Priority
2,292 Views
Last Modified: 2012-08-13
Hi,

We have a Cisco ASA 5510 with a site-to-site VPN and remote access VPN.
We have a new laptop that needs to connect which is Windows 7 64bit so we are using NCP client.

The VPN connects but traffic only goes one way and internet access on the PC also stops which it did not in the past on a previous version of windows and NCP client.

Can anyone please advise?

Question by:CTEC

17 Comments

LVL 5

Expert Comment

by:Prashant Shrivastava
ID: 36947171
Are you using the correct default gateway for the IP you have got, and is the access rule defined properly? Meaning, has anything changed in the system from the way it was configured before? Which direction is it blocking traffic?
0
 
LVL 10

Expert Comment

by:ienaxxx
ID: 36947195
please post:
show access-list

and double-check the configuration on the NCP about gateways to use while connected.

HTH
Bye.
0
 

Author Comment

by:CTEC
ID: 36947244
Thanks,

Traffic only sends bytes and receives nothing.

access-list nonat; 4 elements
access-list nonat line 1 extended permit ip object-group local-lan object-group vpn-client
access-list nonat line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 2 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 3 extended permit ip 192.168.2.0 255.255.255.0 81.145.63.64 255.255.255.224
access-list nonat line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

IPSec: Final Tunnel EndPoint is:***.***.***.070
Ike: RECV_MSG4_MAIN - VPN1
Ike: XMIT_MSG5_MAIN - VPN1
Ike: RECV_MSG6_MAIN - VPN1
Ike: IkeSa negotiated with the following properties -
Authentication=XAUTH_INIT_PSK,Encryption=AES,Hash=SHA,DHGroup=5,KeyLen=128
Ike: Turning on DPD mode - VPN1
Ike: phase1:name(VPN1) - connected
SUCCESS: IKE phase 1 ready
IPSec: Phase1 is Ready,AdapterIndex=205,IkeIndex=18,LocTepIpAdr=192.168.0.4,AltRekey=1
IkeXauth: RECV_XAUTH_REQUEST
IkeXauth: XMIT_XAUTH_REPLY
IkeXauth: RECV_XAUTH_SET
IkeXauth: XMIT_XAUTH_ACK
IkeCfg: name <VPN1> - IkeXauth: enter state open
SUCCESS: Ike Extended Authentication is ready
IkeCfg: XMIT_IKECFG_REQUEST - VPN1
IkeCfg: RECV_IKECFG_REPLY - VPN1
IkeCfg: name <VPN1> - enter state open
SUCCESS: IkeCfg ready
IPSec: Quick Mode is Ready: IkeIndex = 00000012 , VpnSrcPort = 10952
IPSec: Assigned IP Address: 192.168.2.61
IPSec: IkeCfg Tunnel Network=192.168.2.0,Tunnel Mask=255.255.255.0,Tunnel Proto=0,Tunnel SrcPort=0,Tunnel DstPort=0
IkeQuick: XMIT_MSG1_QUICK - VPN1
IkeQuick: XMIT_MSG3_QUICK - VPN1
IkeQuick: phase2:name(VPN1) - connected
SUCCESS: Ike phase 2 (quick mode) ready
IPSec: Created an IPSEC SA with the following characteristics -
IpSrcRange=[192.168.2.61-192.168.2.61],IpDstRange=[0.0.0.0-255.255.255.255],IpProt=0,SrcPort=0,DstPort=0
IPSec: connected: LifeDuration in Seconds = 20160 and in KiloBytes = 0
IPSec: Connected to VPN1 on channel 1.
PPP(Ipcp): connected to VPN1 with IP Address: 192.168.2.61
SUCCESS: IpSec connection ready
SUCCESS: Link -> <VPN1> IP address assigned to IP stack - link is operational.
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
Ike: NOTIFY : VPN1 : RECEIVED : NOTIFY_MSG_R_U_HERE_ACK : 36137
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
Ike: NOTIFY : VPN1 : RECEIVED : NOTIFY_MSG_R_U_HERE_ACK : 36137
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36947763
At first glance it seems you have an overlap in the networks (LAN, VPN range).
Try to separate those first.
0
 

Author Comment

by:CTEC
ID: 36947776
Thanks,

This worked last week on a different machine and nothing has changed on the firewall.

The only difference is a new laptop on W7 64bit with a newer version of NCP client.
The old laptop has gone for repair so we cannot check the set-up from that.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36947872
Perhaps the newer version is more aware of this issue?
Did you try it with the same version?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36947942
That is, if you know what version that was of course......
0
 

Author Comment

by:CTEC
ID: 36947994
The same version that it worked on does not support 64-bit Windows.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36948127
I still have the idea it's related to the overlap.
Is anything showing in the log of the ASA when that client connects?
0
 

Author Comment

by:CTEC
ID: 36950216
Nothing in the PIX log.
How would I fix the overlap?


Thanks,
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36951279
Well, I assume you have an IP pool set up in the ASA to give the VPN clients an address, which is now overlapping with the inside addresses.
So change that pool to another range which you don't use on your LAN and (of course) change the access lists for the NAT exempt (nonat) and the interesting traffic (normally two separate lists) to match the new range.
I can't assess your level of knowledge from here, so if you need more info, let me know :)
0
 

Author Comment

by:CTEC
ID: 36951655
Thank you,

I will give it a go when I get to the office tomorrow and let you know.
0
 
LVL 10

Accepted Solution

by:
ienaxxx earned 1500 total points
ID: 36956859
192.168.2.0 255.255.255.0 is the LAN network?
192.168.2.0 255.255.255.128 is the VPN pool?

If so, it can't work properly because the second IP range is INCLUDED in the first network.

Not only can the firewall not know where to send packets, but the network hosts are also trying to reach the VPN clients without asking for a gateway.

Configuring overlapping networks produces unpredictable behaviour... :-)

HTH
0
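The overlap the accepted answer describes can be checked mechanically. The following is an added example (not code from the thread, Cisco or NCP) that parses the nonat access-list output posted above with Python's ipaddress module, flags ACEs whose source and destination networks overlap, and checks whether a proposed replacement VPN pool collides with the LAN; the ACL text is quoted from the page, the candidate pool 192.168.20.0/24 is an assumed example value.

```python
import ipaddress
import re

# 'show access-list' lines as posted in the thread (the object-group line is
# kept to show that only expanded IP/mask entries are parsed).
NONAT_ACL = """\
access-list nonat line 1 extended permit ip object-group local-lan object-group vpn-client
access-list nonat line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 2 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 3 extended permit ip 192.168.2.0 255.255.255.0 81.145.63.64 255.255.255.224
access-list nonat line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(
    rf"access-list (?P<name>\S+) line (?P<line>\d+) extended permit ip "
    rf"(?P<src>{IP}) (?P<smask>{IP}) (?P<dst>{IP}) (?P<dmask>{IP})"
)


def parse_nonat(text):
    """Return [(line_no, src_network, dst_network)] from ASA access-list output.
    ipaddress accepts dotted-decimal masks, so '192.168.2.0/255.255.255.128' parses as /25."""
    entries = []
    for m in ACE_RE.finditer(text):
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        entries.append((int(m["line"]), src, dst))
    return entries


def overlapping_entries(entries):
    """ACE line numbers whose source and destination overlap. A 'permit ip LAN POOL'
    entry where the pool sits inside the LAN means the ASA (and the LAN hosts) cannot
    distinguish a VPN client from a local host, which is the one-way-traffic symptom."""
    return sorted({line for line, src, dst in entries if src.overlaps(dst)})


def pool_conflicts(pool, local_networks):
    """Local networks a proposed VPN pool overlaps; an empty list means the pool is usable."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [str(n) for n in map(ipaddress.ip_network, local_networks) if n.overlaps(pool_net)]


if __name__ == "__main__":
    print("overlapping ACEs:", overlapping_entries(parse_nonat(NONAT_ACL)))  # [1, 2]
    print("192.168.2.0/25 conflicts:", pool_conflicts("192.168.2.0/25", ["192.168.2.0/24"]))
    print("192.168.20.0/24 conflicts:", pool_conflicts("192.168.20.0/24", ["192.168.2.0/24"]))
```

After moving the pool, the same check should be run over both the nonat list and the interesting-traffic (crypto map) list, since both must be updated to the new range.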
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36960589
@CTEC: Had any luck (time) yet?
0
 

Author Comment

by:CTEC
ID: 36985994
Hi,

I have changed the overlap but still the same issue.
When I changed some settings on the crypto map it worked, but the LAN lost its outside internet access.

Can you help with how the crypto maps should be set up?


Thanks,
0
 

Author Comment

by:CTEC
ID: 36987669
This is what is now in the log on the ASA:

3 - Group = DefaultRAGroup, Username = ******, IP = ***.***.***.33, Removing peer from correlator table failed, no match!

This is what is in the NCP client log:

18/10/2011 18:09:35  Ike: NOTIFY : VPN : RECEIVED : INVALID_ID_INFORMATION : 18
18/10/2011 18:09:35  Ike: phase1:name(VPN) - ERROR - Delete indication received
18/10/2011 18:09:35  IkeQuick: phase2:name(VPN) - error - cleared by phase1
18/10/2011 18:09:35  ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - VPN.

0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37029695
Could you post a sanitized config for us to have a look at?
0
Question has a verified solution.