Cisco ASA remote access VPN one way traffic NCP client

Hi,

We have a Cisco ASA 5510 with a site-to-site VPN and remote access VPN.
We have a new laptop that needs to connect which is Windows 7 64bit so we are using NCP client.

The VPN connects but traffic only goes one way and internet access on the PC also stops which it did not in the past on a previous version of windows and NCP client.

Can anyone please advise?

CTEC Asked:
 
ienaxxx Commented:
192.168.2.0 255.255.255.0 is the LAN network?
192.168.2.0 255.255.255.128 is the VPN pool?

If so, it can't work properly, because the second IP range is INCLUDED in the first network.

Not only can the firewall not know where to send packets, but the network hosts also try to reach the VPN clients without going through a gateway.

Configuring overlapping networks produces unpredictable behaviour... :-)

HTH
 
Prashant Shrivastava (Consultant) Commented:
Are you using the correct default gateway for the IP you have got, and is the access rule defined properly? That is, has anything changed in the system from the way it was configured before? In which direction is it blocking traffic?
 
ienaxxxCommented:
Please post:
show access-list

and double-check the configuration on the NCP client for which gateways to use while connected.

HTH
Bye.
 
CTEC (Author) Commented:
Thanks,

Traffic only sends bytes and receives nothing.

access-list nonat; 4 elements
access-list nonat line 1 extended permit ip object-group local-lan object-group vpn-client
access-list nonat line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 2 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 3 extended permit ip 192.168.2.0 255.255.255.0 81.145.63.64 255.255.255.224
access-list nonat line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

IPSec: Final Tunnel EndPoint is:***.***.***.070
Ike: RECV_MSG4_MAIN - VPN1
Ike: XMIT_MSG5_MAIN - VPN1
Ike: RECV_MSG6_MAIN - VPN1
Ike: IkeSa negotiated with the following properties -
Authentication=XAUTH_INIT_PSK,Encryption=AES,Hash=SHA,DHGroup=5,KeyLen=128
Ike: Turning on DPD mode - VPN1
Ike: phase1:name(VPN1) - connected
SUCCESS: IKE phase 1 ready
IPSec: Phase1 is Ready,AdapterIndex=205,IkeIndex=18,LocTepIpAdr=192.168.0.4,AltRekey=1
IkeXauth: RECV_XAUTH_REQUEST
IkeXauth: XMIT_XAUTH_REPLY
IkeXauth: RECV_XAUTH_SET
IkeXauth: XMIT_XAUTH_ACK
IkeCfg: name <VPN1> - IkeXauth: enter state open
SUCCESS: Ike Extended Authentication is ready
IkeCfg: XMIT_IKECFG_REQUEST - VPN1
IkeCfg: RECV_IKECFG_REPLY - VPN1
IkeCfg: name <VPN1> - enter state open
SUCCESS: IkeCfg ready
IPSec: Quick Mode is Ready: IkeIndex = 00000012 , VpnSrcPort = 10952
IPSec: Assigned IP Address: 192.168.2.61
IPSec: IkeCfg Tunnel Network=192.168.2.0,Tunnel Mask=255.255.255.0,Tunnel Proto=0,Tunnel SrcPort=0,Tunnel DstPort=0
IkeQuick: XMIT_MSG1_QUICK - VPN1
IkeQuick: XMIT_MSG3_QUICK - VPN1
IkeQuick: phase2:name(VPN1) - connected
SUCCESS: Ike phase 2 (quick mode) ready
IPSec: Created an IPSEC SA with the following characteristics -
IpSrcRange=[192.168.2.61-192.168.2.61],IpDstRange=[0.0.0.0-255.255.255.255],IpProt=0,SrcPort=0,DstPort=0
IPSec: connected: LifeDuration in Seconds = 20160 and in KiloBytes = 0
IPSec: Connected to VPN1 on channel 1.
PPP(Ipcp): connected to VPN1 with IP Address: 192.168.2.61
SUCCESS: IpSec connection ready
SUCCESS: Link -> <VPN1> IP address assigned to IP stack - link is operational.
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
Ike: NOTIFY : VPN1 : RECEIVED : NOTIFY_MSG_R_U_HERE_ACK : 36137
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
Ike: NOTIFY : VPN1 : RECEIVED : NOTIFY_MSG_R_U_HERE_ACK : 36137
Ike: NOTIFY : VPN1 : SENT : NOTIFY_MSG_R_U_HERE : 36136
 
Ernie Beek (Expert) Commented:
At first glance it seems you have an overlap in the networks (LAN, VPN range).
Try to separate those first.
 
CTEC (Author) Commented:
Thanks,

This worked last week on a different machine and nothing has changed on the firewall.

The only difference is a new laptop on W7 64-bit with a newer version of the NCP client.
The old laptop has gone for repair so we cannot check the set-up from that.
 
Ernie Beek (Expert) Commented:
Perhaps the newer version is more aware of this issue?
Did you try it with the same version?
 
Ernie Beek (Expert) Commented:
That is, if you know what version that was of course......
 
CTEC (Author) Commented:
The same version that it worked on does not support 64-bit Windows.
 
Ernie Beek (Expert) Commented:
I still have the idea it's related to the overlap.
Is anything showing in the log of the ASA when that client connects?
 
CTEC (Author) Commented:
Nothing in the PIX log.
How would I fix the overlap?


Thanks,
 
Ernie Beek (Expert) Commented:
Well, I assume you have an IP pool set up in the ASA to give the VPN clients an address, which is now overlapping with the inside addresses.
So change that pool to another range which you don't use on your LAN and (of course) change the access lists for the NAT exemption (nonat) and the interesting traffic (normally two separate lists) to match the new range.
I can't assess your level of knowledge from here, so if you need more info, let me know :)
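An added example, not code from the thread, from Cisco or from NCP: a Python script that parses the `show access-list nonat` output CTEC posted above and flags the entries whose destination (VPN-side) range sits inside the source (LAN) range, which is the overlap ienaxxx and Ernie Beek describe; it then emits ASA 8.2-style lines for the fix Ernie outlines (a pool outside the LAN, a matching nonat entry, and a split-tunnel list so the client keeps its local internet access). The LAN 192.168.2.0/24 and the tunnel-group name DefaultRAGroup are taken from the posted output; the replacement pool 192.168.20.0/24, the names `vpnpool` and `split-tunnel`, and the assumption that DefaultRAGroup uses the built-in `DfltGrpPolicy` group policy are mine and not from the thread.

```python
"""Added example (not from the thread): find a VPN pool that overlaps the LAN
in an ASA 'nonat' ACL, and print ASA 8.2-style config for a non-overlapping
pool with NAT exemption and split tunnelling.

Assumptions (labelled): LAN 192.168.2.0/24 and tunnel-group DefaultRAGroup
come from the posted output; pool 192.168.20.0/24 and the names 'vpnpool',
'split-tunnel' and 'DfltGrpPolicy' are hypothetical choices.
"""
import ipaddress
import re

# Constructed sample input: the nonat entries the author posted, verbatim.
POSTED_NONAT = """\
access-list nonat line 1 extended permit ip object-group local-lan object-group vpn-client
access-list nonat line 1 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 2 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list nonat line 3 extended permit ip 192.168.2.0 255.255.255.0 81.145.63.64 255.255.255.224
access-list nonat line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ACE_RE = re.compile(
    rf"access-list (?P<acl>\S+) line (?P<line>\d+) extended permit ip "
    rf"(?P<src>{IP}) (?P<smask>{IP}) (?P<dst>{IP}) (?P<dmask>{IP})"
)


def parse_aces(text):
    """Return (line, src_net, dst_net) for each expanded 'permit ip' ACE.
    Object-group summary lines carry no literal addresses and are skipped;
    the expanded lines that follow them are what the ASA evaluates."""
    aces = []
    for m in ACE_RE.finditer(text):
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        aces.append((int(m["line"]), src, dst))
    return aces


def overlapping_aces(aces):
    """ACEs whose remote side (dst) overlaps the local side (src): for those
    addresses the firewall cannot tell a LAN host from a VPN client."""
    return [ace for ace in aces if ace[1].overlaps(ace[2])]


def corrected_config(lan, pool, group_policy="DfltGrpPolicy",
                     tunnel_group="DefaultRAGroup",
                     pool_name="vpnpool", split_acl="split-tunnel"):
    """ASA 8.2-style lines: a pool outside the LAN, NAT exemption for
    LAN<->pool, and split tunnelling so only LAN traffic enters the tunnel.
    Refuses a pool that still overlaps the LAN (the original mistake)."""
    lan_n = ipaddress.ip_network(lan)
    pool_n = ipaddress.ip_network(pool)
    if lan_n.overlaps(pool_n):
        raise ValueError(f"pool {pool_n} overlaps LAN {lan_n}")
    hosts = list(pool_n.hosts())
    return [
        f"ip local pool {pool_name} {hosts[0]}-{hosts[-1]} mask {pool_n.netmask}",
        f"access-list nonat extended permit ip {lan_n.network_address} "
        f"{lan_n.netmask} {pool_n.network_address} {pool_n.netmask}",
        "nat (inside) 0 access-list nonat",
        f"access-list {split_acl} standard permit "
        f"{lan_n.network_address} {lan_n.netmask}",
        f"group-policy {group_policy} attributes",
        " split-tunnel-policy tunnelspecified",
        f" split-tunnel-network-list value {split_acl}",
        f"tunnel-group {tunnel_group} general-attributes",
        f" address-pool {pool_name}",
    ]


if __name__ == "__main__":
    aces = parse_aces(POSTED_NONAT)
    for line, src, dst in overlapping_aces(aces):
        print(f"nonat line {line}: {dst} is inside {src} -> overlap")
    print("\n".join(corrected_config("192.168.2.0/24", "192.168.20.0/24")))
```

The checker reports lines 1 and 2 of the posted ACL (192.168.2.0/25 inside 192.168.2.0/24) and nothing for lines 3 and 4. The split-tunnel list is what restores the laptop's local internet access: the NCP log above shows an SA with `IpDstRange=[0.0.0.0-255.255.255.255]`, i.e. the client currently sends everything into the tunnel.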
 
CTEC (Author) Commented:
Thank you,

I will give it a go when I get to the office tomorrow and let you know.
 
Ernie Beek (Expert) Commented:
@CTEC: Had any luck (time) yet?
 
CTEC (Author) Commented:
Hi,

I have changed the overlap but still the same issue.
When I changed some settings on the crypto map it worked, but the LAN lost its outside internet access.

Can you help with how the Crypto maps should be setup?


Thanks,
 
CTEC (Author) Commented:
This is what is now in the LOG on the ASA

3 - Group = DefaultRAGroup, Username = ******, IP = ***.***.***.33, Removing peer from correlator table failed, no match!

This is what is on the NCP client log

18/10/2011 18:09:35  Ike: NOTIFY : VPN : RECEIVED : INVALID_ID_INFORMATION : 18
18/10/2011 18:09:35  Ike: phase1:name(VPN) - ERROR - Delete indication received
18/10/2011 18:09:35  IkeQuick: phase2:name(VPN) - error - cleared by phase1
18/10/2011 18:09:35  ERROR - 4037: IKE(phase2):Waiting for message2, cleared by phase1 - VPN.

 
Ernie Beek (Expert) Commented:
Could you post a sanitized config for us to have a look at?