Remote VPN Connection Terminated

I have configured remote access VPN on my ASA-5510 Firewall 8.4(2) using DynDNS as I do not have static IP addresses. Everything was working fine, but now my users cannot access the VPN tunnel from outside. (No changes have been made on the Firewall since the last VPN setup, after which everything was working optimally.)

Users are receiving the following error message:

Secure VPN connection terminated locally by the Client. Reason 412: the remote peer is no longer responding.

Also, the hostname and IP address are changing properly, and it seems like there is no problem from the DynDNS side. All the NAT routes are also in place and seem to be working fine, but my users cannot connect.

I would highly appreciate it if someone could help me on this.

Thank you,

Usman
usmanshaikhAsked:
 
usmanshaikhAuthor Commented:
Guys,

It worked. Basically, I had to redo everything: I deleted the tunnel and deleted the following rules on the firewall:

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev1 enable Outside
crypto ikev1 policy 10


Applied the following instead:


crypto ipsec ikev1 transform-set esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set qib_trans
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1

And now it is working.

Thanks all for the help.
 
midwestgurusCommented:
Hi Usman,

Is it possible to upload a "show run"?

Also, if you go into the ASDM and turn on console logging with warning events or debug events, do you see the clients hitting the ASA when trying to terminate the VPN connection?

Also are you using the VPN Client or the SSL Anyconnect client?

Travis.
 
Istvan KalmarHead of IT Security Division Commented:
Hi,

DynDNS is not working properly on the ASA, so that caused the issue. You need to configure it on a host behind the ASA.

Best regards,
Istvan
 
midwestgurusCommented:
ikalmar - the ASA's do support DDNS

Here is the info from Cisco on how to configure if needed:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1091527

8.4 code level is out - so it's been working since 7.2...

Thanks
 
usmanshaikhAuthor Commented:
Dear Travis,

I am using Cisco VPN client 5.0. Please find below the sh run:

ASA Version 8.4(2)
!
hostname
domain-name
enable password  encrypted
passwd  encrypted
names
name 192.168.25.0
ddns update method vpn.dyndns.org
 ddns both
!
!
interface Ethernet0/0
 description ADSL
 nameif Outside
 security-level 0
 ddns update hostname vpn.dyndns.org
 ddns update vpn.dyndns.org
 pppoe client vpdn group
 ip address pppoe setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8i.bin
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.25.0_24
 subnet 192.168.25.0 255.255.255.0
object network
 subnet 192.168.25.0 255.255.255.0
object-group network Infrastructure
 network-object 192.168.10.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool Pool 192.168.25.1-192.168.25.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,Outside) source static any any destination static VPN remote-VPN
!
object network obj_any
 nat (inside,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group inside_access_in in interface inside
route inside 192.168.0.0 255.255.0.0 192.168.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP_memberOf
  map-name  memberOf Group-Policy
  map-value memberOf "CN=VPN User,CN=Users,DC=,DC=com" RemoteAccess_VPN
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol nt
aaa-server (inside) host 192.168.10.32
 server-port 389
 nt-auth-domain-controller 192.168.10.32
aaa-server (inside) host 192.168.10.33
 server-port 339
 nt-auth-domain-controller 192.168.10.33
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet 192.168.40.0 255.255.255.0 inside
telnet 192.168.30.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group request dialout pppoe
vpdn group localname
vpdn group ppp authentication pap
vpdn username password store-local
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcp-client update dns server both
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 tunnel-group-list enable
group-policy  internal
group-policy  attributes
 dns-server value 192.168.10.33 192.168.10.32
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl
 default-domain value

tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool
 authentication-server-group
 default-group-policy
tunnel-group  webvpn-attributes
 group-alias  enable
tunnel-group  ipsec-attributes
 ikev1 pre-shared-key
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5c4c2bf8e9eec1198df9d0264c25d403
: end
 
usmanshaikhAuthor Commented:
Dear Istvan,

How do I do that? A week ago everything was working just fine. Can you please shed more light on this?

Tks.
 
midwestgurusCommented:
Thanks for posting the config - can you also try to establish the vpn connection from a client and while you are attempting to connect capture the logs on either the ASDM via the console log or via a debug capture via the CLI? If you need assistance on either just let me know.

Travis.
 
usmanshaikhAuthor Commented:
Dear Travis,

Find below the logs that I captured from ASDM:

translation from inside:192.168.20.101/64310 to Outside:2.50.15.172/64685
6|Jan 03 2012|13:11:20|302013|192.168.20.99|63309|69.63.190.18|80|Built outbound TCP connection 3146960 for Outside:69.63.190.18/80 (69.63.190.18/80) to inside:192.168.20.99/63309 (2.50.15.172/50874)
6|Jan 03 2012|13:11:20|305011|192.168.20.99|63309|2.50.15.172|50874|Built dynamic TCP translation from inside:192.168.20.99/63309 to Outside:2.50.15.172/50874
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|66.87.0.125|42876|Built outbound UDP connection 3146959 for Outside:66.87.0.125/42876 (66.87.0.125/42876) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|59.66.203.24|32817|Built outbound UDP connection 3146958 for Outside:59.66.203.24/32817 (59.66.203.24/32817) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|88.194.255.87|39850|Built outbound UDP connection 3146957 for Outside:88.194.255.87/39850 (88.194.255.87/39850) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|31.8.211.177|20869|Built outbound UDP connection 3146956 for Outside:31.8.211.177/20869 (31.8.211.177/20869) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|109.151.85.253|15353|Built outbound UDP connection 3146955 for Outside:109.151.85.253/15353 (109.151.85.253/15353) to inside:192.168.20.99/18502 (2.50.15.172/49937)
4|Jan 03 2012|13:11:20|106023|178.94.107.210||192.168.20.99||Deny icmp src Outside:178.94.107.210 dst inside:192.168.20.99 (type 3, code 3) by access-group "Outside_access_in" [0xde833d65, 0x0]
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|116.71.214.77|10024|Built outbound UDP connection 3146954 for Outside:116.71.214.77/10024 (116.71.214.77/10024) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|178.94.107.210|35691|Built outbound UDP connection 3146953 for Outside:178.94.107.210/35691 (178.94.107.210/35691) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|217.216.121.241|41804|Built outbound UDP connection 3146952 for Outside:217.216.121.241/41804 (217.216.121.241/41804) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|305012|192.168.20.101|64285|2.50.15.172|36304|Teardown dynamic TCP translation from inside:192.168.20.101/64285 to Outside:2.50.15.172/36304 duration 0:00:30
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|119.155.25.2|20888|Built outbound UDP connection 3146951 for Outside:119.155.25.2/20888 (119.155.25.2/20888) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|83.5.236.30|16864|Built outbound UDP connection 3146950 for Outside:83.5.236.30/16864 (83.5.236.30/16864) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|86.130.210.174|27164|Built outbound UDP connection 3146949 for Outside:86.130.210.174/27164 (86.130.210.174/27164) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|71.20.229.36|29446|Built outbound UDP connection 3146948 for Outside:71.20.229.36/29446 (71.20.229.36/29446) to inside:192.168.20.99/18502 (2.50.15.172/49937)
4|Jan 03 2012|13:11:19|106023|219.110.140.191||192.168.20.99||Deny icmp src Outside:219.110.140.191 dst inside:192.168.20.99 (type 3, code 3) by access-group "Outside_access_in" [0xde833d65, 0x0]
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|115.86.96.64|52873|Built outbound UDP connection 3146947 for Outside:115.86.96.64/52873 (115.86.96.64/52873) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|91.88.160.134|14965|Built outbound UDP connection 3146946 for Outside:91.88.160.134/14965 (91.88.160.134/14965) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|94.180.4.116|38730|Built outbound UDP connection 3146945 for Outside:94.180.4.116/38730 (94.180.4.116/38730) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302013|192.168.20.101|64309|74.205.31.224|443|Built outbound TCP connection 3146944 for Outside:74.205.31.224/443 (74.205.31.224/443) to inside:192.168.20.101/64309 (2.50.15.172/13747)
6|Jan 03 2012|13:11:19|305011|192.168.20.101|64309|2.50.15.172|13747|Built dynamic TCP translation from inside:192.168.20.101/64309 to Outside:2.50.15.172/13747
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|58.97.221.228|60543|Built outbound UDP connection 3146943 for Outside:58.97.221.228/60543 (58.97.221.228/60543) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302014|74.205.31.224|443|192.168.20.101|64308|Teardown TCP connection 3146928 for Outside:74.205.31.224/443 to inside:192.168.20.101/64308 duration 0:00:01 bytes 4684 TCP Reset-I
6|Jan 03 2012|13:11:19|302014|74.205.31.224|443|192.168.20.101|64307|Teardown TCP connection 3146922 for Outside:74.205.31.224/443 to inside:192.168.20.101/64307 duration 0:00:02 bytes 4668 TCP Reset-I
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|212.195.166.178|22350|Built outbound UDP connection 3146942 for Outside:212.195.166.178/22350 (212.195.166.178/22350) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|95.25.80.44|44822|Built outbound UDP connection 3146941 for Outside:95.25.80.44/44822 (95.25.80.44/44822) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|201.13.215.231|11814|Built outbound UDP connection 3146940 for Outside:201.13.215.231/11814 (201.13.215.231/11814) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|88.91.124.22|14555|Built outbound UDP connection 3146939 for Outside:88.91.124.22/14555 (88.91.124.22/14555) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|124.120.125.165|21232|Built outbound UDP connection 3146938 for Outside:124.120.125.165/21232 (124.120.125.165/21232) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|217.66.146.189|22519|Built outbound UDP connection 3146937 for Outside:217.66.146.189/22519 (217.66.146.189/22519) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|123.243.253.70|40184|Built outbound UDP connection 3146936 for Outside:123.243.253.70/40184 (123.243.253.70/40184) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|219.110.140.191|34912|Built outbound UDP connection 3146935 for Outside:219.110.140.191/34912 (219.110.140.191/34912) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:19|302015|192.168.20.99|18502|112.119.41.126|22568|Built outbound UDP connection 3146934 for Outside:112.119.41.126/22568 (112.119.41.126/22568) to inside:192.168.20.99/18502 (2.50.15.172/49937)
4|Jan 03 2012|13:11:19|106023|210.220.113.16||192.168.20.99||Deny icmp src Outside:210.220.113.16 dst inside:192.168.20.99 (type 3, code 3) by access-group "Outside_access_in" [0xde833d65, 0x0]
6|Jan 03 2012|13:11:19|305012|192.168.20.101|64284|2.50.15.172|63537|Teardown dynamic TCP translation from inside:192.168.20.101/64284 to Outside:2.50.15.172/63537 duration 0:00:30
6|Jan 03 2012|13:11:18|302015|192.168.20.99|18502|210.220.113.16|55588|Built outbound UDP connection 3146933 for Outside:210.220.113.16/55588 (210.220.113.16/55588) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:18|305012|192.168.40.101|53583|2.50.15.172|37550|Teardown dynamic TCP translation from inside:192.168.40.101/53583 to Outside:2.50.15.172/37550 duration 0:00:30
6|Jan 03 2012|13:11:18|305012|192.168.10.32|57544|2.50.15.172|59333|Teardown dynamic UDP translation from inside:192.168.10.32/57544 to Outside:2.50.15.172/59333 duration 0:00:30
6|Jan 03 2012|13:11:18|302015|192.168.20.99|18502|93.159.243.50|56865|Built outbound UDP connection 3146932 for Outside:93.159.243.50/56865 (93.159.243.50/56865) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:18|302015|192.168.20.99|18502|76.10.173.4|64267|Built outbound UDP connection 3146931 for Outside:76.10.173.4/64267 (76.10.173.4/64267) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:18|302015|192.168.20.99|18502|193.95.84.205|15543|Built outbound UDP connection 3146930 for Outside:193.95.84.205/15543 (193.95.84.205/15543) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:18|302015|192.168.20.99|18502|83.156.245.202|51413|Built outbound UDP connection 3146929 for Outside:83.156.245.202/51413 (83.156.245.202/51413) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:18|302013|192.168.20.101|64308|74.205.31.224|443|Built outbound TCP connection 3146928 for Outside:74.205.31.224/443 (74.205.31.224/443) to inside:192.168.20.101/64308 (2.50.15.172/24936)
6|Jan 03 2012|13:11:18|305011|192.168.20.101|64308|2.50.15.172|24936|Built dynamic TCP translation from inside:192.168.20.101/64308 to Outside:2.50.15.172/24936
6|Jan 03 2012|13:11:17|302014|192.168.40.101|53582|192.168.100.12|139|Teardown TCP connection 3146722 for inside:192.168.40.101/53582 to inside:192.168.100.12/139 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 03 2012|13:11:17|302015|192.168.20.99|18502|218.145.163.13|59915|Built outbound UDP connection 3146927 for Outside:218.145.163.13/59915 (218.145.163.13/59915) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|13:11:17|302015|192.168.20.99|18502|46.241.117.193|25250|Built outbound UDP connection 3146926 for Outside:46.241.117.193/25250 (46.241.117.193/25250) to inside:192.168.20.99/18502 (2.50.15.172/49937)
 
usmanshaikhAuthor Commented:
I need urgent help to resolve this problem.
 
max_the_kingCommented:
Hi,
On the remote client you need to stop/disable the ICS (Internet Connection Sharing) service. Then start the VPN client; I believe it will work.

max
 
usmanshaikhAuthor Commented:
Max,

It is already disabled in the connection setting of VPN network connection.
 
max_the_kingCommented:
What do you mean?
max
 
usmanshaikhAuthor Commented:
Max,

In the network connection settings of the VPN network adapter there is no check mark enabled for ICS.
 
usmanshaikhAuthor Commented:
2012|16:50:12|106015|168.187.137.179|52432|2.50.15.172|10000|Deny TCP (no connection) from 168.187.137.179/52432 to 2.50.15.172/10000 flags ACK  on interface Outside

I found the above logs in ASDM.
 
usmanshaikhAuthor Commented:
The above logs are generated in ASDM when I tried connecting to the remote VPN using the client.
 
max_the_kingCommented:
It is a matter of the operating system; you need to change the setting I indicated in the previous post on the PC:
go to services.msc and stop/disable ICS

max
 
usmanshaikhAuthor Commented:
Max,

When I am trying the remote VPN the ICS is not started. Anyway I disabled it but still cannot connect.
 
Ernie BeekExpertCommented:
Port 10000 is blocked.....
Is the client trying to use IPSec over TCP?
 
usmanshaikhAuthor Commented:
I tried that and enabled IPsec over TCP 1000, but it is also not working.

Right now it is configured with UDP/NAT. Do you think that a restart will do anything?
 
Ernie BeekExpertCommented:
Well it's a kind of MS solution ;)
But it sometimes works for me. It wouldn't hurt to give it a try.
 
Ernie BeekExpertCommented:
Been thinking, can the clients ping the ASA? And does it resolve to the correct IP?
 
usmanshaikhAuthor Commented:
Yes, pinging the host which I generated with DynDNS, and which is pointing to the firewall IP address, is working. I receive the replies.
 
Ernie BeekExpertCommented:
Mmm, ok.
Then let's try the pragmatic approach and give a reload to see what happens.
 
usmanshaikhAuthor Commented:
I reloaded the firewall but still the same. Same error.
 
Ernie BeekExpertCommented:
When connecting with UDP/NAT, do you see any denies in the log?
For example port 500?

Also when you issue a 'deb cryp ips sa' and 'deb cryp is sa' on the ASA, do you see anything happening?
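A small triage script, added here and not posted by anyone in the thread, that parses ASDM log lines in the pipe-delimited export format shown above and reports, for one client address, whether any ISAKMP (UDP/500), NAT-T (UDP/4500) or IPsec-over-TCP (TCP/10000) flow reached the ASA and whether the ASA built or denied it. The sample lines are constructed in that format; the port mapping, the message ids 302020 and 302015 on the constructed lines, and the client 198.51.100.7 are assumptions, not data from the thread.

```python
"""Triage ASDM syslog export lines during a remote-access VPN failure.

Added example, not posted by anyone in this thread.  ASDM exports one event
per line as severity|date|time|msgid|src|sport|dst|dport|text; this keeps the
events between one client and the ASA's outside address and reports which
VPN transports were seen and whether the ASA built or denied them.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Transports an IKEv1 remote-access client can use (assumption: default ports).
VPN_PORTS = {
    ("udp", 500): "isakmp",
    ("udp", 4500): "nat-t",
    ("tcp", 10000): "ipsec-over-tcp",
    ("tcp", 443): "ssl-or-ikev2",  # ikev2 client-services / SSL client on 443
}
IKE_CLASSES = ("isakmp", "nat-t", "ipsec-over-tcp")

# Constructed sample in the thread's export format (message ids are assumptions;
# the last line is deliberately truncated, as a copy/paste from ASDM often is).
SAMPLE_LOG = """\
6|Jan 03 2012|21:54:04|302020|168.187.24.114|53276|2.50.15.172|0|Built inbound ICMP connection for faddr 168.187.24.114/53276 gaddr 2.50.15.172/0 laddr 2.50.15.172/0
6|Jan 03 2012|16:50:12|106015|168.187.137.179|52432|2.50.15.172|10000|Deny TCP (no connection) from 168.187.137.179/52432 to 2.50.15.172/10000 flags ACK  on interface Outside
6|Jan 03 2012|13:11:20|302015|192.168.20.99|18502|66.87.0.125|42876|Built outbound UDP connection 3146959 for Outside:66.87.0.125/42876 (66.87.0.125/42876) to inside:192.168.20.99/18502 (2.50.15.172/49937)
6|Jan 03 2012|17:02:41|302015|198.51.100.7|500|2.50.15.172|500|Built inbound UDP connection 7101 for Outside:198.51.100.7/500 (198.51.100.7/500) to identity:2.50.15.172/500 (2.50.15.172/500)
2012|16:50:12|106015|168.187.137.179|52432|2.50.15.172|10000|Deny TCP (no connection) from 168.187.137.179/52432 to 2.50.15.172/10000 flags ACK  on interface Outside
"""

@dataclass
class AsdmEvent:
    msg_id: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    text: str

def parse_line(line: str) -> Optional[AsdmEvent]:
    """Parse one exported line; return None for truncated or foreign lines."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    _sev, _date, _clock, msg_id, sip, sport, dip, dport, text = parts
    return AsdmEvent(msg_id, sip, int(sport) if sport.isdigit() else None,
                     dip, int(dport) if dport.isdigit() else None, text.strip())

def action_of(ev: AsdmEvent) -> str:
    """The message text opens with the verb: Built, Deny or Teardown."""
    verb = ev.text.split(" ", 1)[0].lower()
    return verb if verb in ("built", "deny", "teardown") else "other"

def protocol_of(ev: AsdmEvent) -> str:
    """The protocol word sits among the first tokens ('Built outbound UDP ...')."""
    for word in ev.text.split()[:4]:
        if word.lower() in ("tcp", "udp", "icmp"):
            return word.lower()
    return "other"

def classify(ev: AsdmEvent) -> str:
    """Map an event to a VPN transport class, 'icmp', or 'unrelated'."""
    proto = protocol_of(ev)
    if proto == "icmp":
        return "icmp"
    # Depending on direction the service port is the destination or the source.
    for port in (ev.dst_port, ev.src_port):
        label = VPN_PORTS.get((proto, port))
        if label:
            return label
    return "unrelated"

def triage(lines: Iterable[str], client_ip: str, asa_ip: str) -> Dict[str, List[Tuple[str, str]]]:
    """Collect (action, msg_id) per class for events between client_ip and asa_ip."""
    seen: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or {ev.src_ip, ev.dst_ip} != {client_ip, asa_ip}:
            continue
        seen[classify(ev)].append((action_of(ev), ev.msg_id))
    return dict(seen)

def verdict(seen: Dict[str, List[Tuple[str, str]]]) -> str:
    """Turn the per-class actions into the next troubleshooting step."""
    ike_actions = [a for k in IKE_CLASSES for a, _ in seen.get(k, [])]
    if not ike_actions:
        if "icmp" in seen:
            return "icmp reaches the ASA but no IKE/NAT-T/IPsec-over-TCP flow does: suspect upstream filtering or the name resolving elsewhere"
        return "nothing from the client reached the ASA: check name resolution and the client's configured peer"
    if "built" in ike_actions:
        return "IKE flows were accepted: continue with 'debug crypto isakmp' on the ASA"
    return "IKE traffic reaches the ASA but is denied: check the Outside ACL and which IKE/NAT-T transports are enabled"

if __name__ == "__main__":
    for client in ("168.187.137.179", "168.187.24.114", "198.51.100.7"):
        seen = triage(SAMPLE_LOG.splitlines(), client, "2.50.15.172")
        print(client, seen, "->", verdict(seen))
```

Feed it the lines copied from the ASDM log viewer with the client's public address and the ASA's current outside address; the truncated lines that a copy/paste produces are skipped rather than misparsed.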
 
Istvan KalmarHead of IT Security Division Commented:
'deb cry isa' and 'deb cry ips' tell what the problem is.... please show the output....

midwestgurus: the ASA does not support DynDNS properly; there is no opportunity to set a username and password....
 
Ernie BeekExpertCommented:
@ikalmar: crosspost :) And btw, happy new year!

@usmanshaikh: ikalmar has got a point, DynDNS and the ASA are not always working quite as they should, I'm afraid.
 
usmanshaikhAuthor Commented:
So what should my final steps be? Shall I enable IPsec over TCP and allow port 1000 on the outside network?
 
Ernie BeekExpertCommented:
See if that works so we get the vpns up again.
Anything on the debugging?
 
Ernie BeekExpertCommented:
Perhaps a long shot, but did the provider change anything (like blocking ports/protocols)?
 
usmanshaikhAuthor Commented:
I have no idea about that but found more logs for you guys from ASDM:

6|Jan 03 2012|18:23:59|302016|168.187.24.114|51962|192.168.20.99|56735|Teardown UDP connection 7042 for Outside:168.187.24.114/51962 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51963|192.168.20.99|56735|Teardown UDP connection 7043 for Outside:168.187.24.114/51963 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51964|192.168.20.99|56735|Teardown UDP connection 7044 for Outside:168.187.24.114/51964 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51965|192.168.20.99|56735|Teardown UDP connection 7045 for Outside:168.187.24.114/51965 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51966|192.168.20.99|56735|Teardown UDP connection 7046 for Outside:168.187.24.114/51966 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51967|192.168.20.99|56735|Teardown UDP connection 7047 for Outside:168.187.24.114/51967 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51968|192.168.20.99|56735|Teardown UDP connection 7048 for Outside:168.187.24.114/51968 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51969|192.168.20.99|56735|Teardown UDP connection 7049 for Outside:168.187.24.114/51969 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51970|192.168.20.99|56735|Teardown UDP connection 7050 for Outside:168.187.24.114/51970 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51971|192.168.20.99|56735|Teardown UDP connection 7051 for Outside:168.187.24.114/51971 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51972|192.168.20.99|56735|Teardown UDP connection 7052 for Outside:168.187.24.114/51972 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51973|192.168.20.99|56735|Teardown UDP connection 7053 for Outside:168.187.24.114/51973 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51974|192.168.20.99|56735|Teardown UDP connection 7054 for Outside:168.187.24.114/51974 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51960|192.168.20.99|56735|Teardown UDP connection 7036 for Outside:168.187.24.114/51960 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
6|Jan 03 2012|18:23:59|302016|168.187.24.114|51961|192.168.20.99|56735|Teardown UDP connection 7037 for Outside:168.187.24.114/51961 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
2012|18:23:59|302016|168.187.24.114|51956|192.168.20.99|56735|Teardown UDP connection 7032 for Outside:168.187.24.114/51956 to inside:192.168.20.99/56735 duration 0:02:01 bytes 176
 
Istvan KalmarHead of IT Security Division Commented:
@erniebeek: Happy new year


@usmanshaikh: there is no log for IPSEC :(
 
usmanshaikhAuthor Commented:
Man, can you provide me remote access?
 
usmanshaikhAuthor Commented:
I am really stuck and not understanding the issue, because it seems like the TCP traffic is reaching the FW.
 
midwestgurusCommented:
Hey usmanshaikh,

Sorry for the delay getting back with you.. needed to catch some shut-eye..

Can you send me some more info on the setup?

What is the external IP address one of the VPN clients is coming from?
What is the current external IP address of the ASA as well as the dyn-dns name used?

You mentioned that you see the traffic reaching the ASA - so I want to get the above info from you so I can look into the problem a little more.

Thanks,
Travis.
 
Istvan KalmarHead of IT Security Division Commented:
In my DNS cpn.dyndns-org shows 93.21.208.121
 
usmanshaikhAuthor Commented:
External IP: 168.187.137.179, 168.187.24.114

Cisco ASA current IP: 2.50.15.172
DNS Name: qib-vpn.dyndns.org
 
midwestgurusCommented:
Do me a favor - on one of the clients, say 168.187.137.179, change the Cisco VPN client profile to point to the actual IP currently assigned to the outside interface of the ASA (2.50.15.172) and see if it connects for me.

Thanks.
 
usmanshaikhAuthor Commented:
Dear Guru,

I tried that earlier with the IP but no benefit. I can ping the hostname as well the IP BTW.
 
Ernie BeekExpertCommented:
Try to set up the debugging (from a console connection). With a bit of luck this might tell us more.
 
usmanshaikhAuthor Commented:
Can you tell me what it is and how to configure it?
 
midwestgurusCommented:
Hi again,

So we know at this point that dynamic DNS is not to blame for the problem, since using the actual IP doesn't work either..

Since you have the ASDM, let's make sure the logging filter is set correctly to capture the info needed - I attached a screenshot. Once this setting is made, go to your home screen and watch the latest ASDM syslog messages and look for the client at 168.187.137.179 trying to connect - you can stop the logs from scrolling once you see something.. please post the results.

Thanks Usman -


This link is just for your info:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
 ASDM Settings
0
 
usmanshaikhAuthor Commented:
Now a new thing, I enabled the logging as recommended and now I cannot see any Traffic coming to my firewall from that IP address. I started the Ping from the client machine and I can successfully see the ICMP traffic:

Jan 03 2012      21:54:04            168.187.24.114      53276      2.50.15.172.0 Teardown ICMP connection for faddr 168.187.24.114/53276 gaddr 2.50.15.172/0 laddr 2.50.15.172/0

6      Jan 03 2012      21:54:04            168.187.24.114      53276      2.50.15.172      0      Built inbound ICMP connection for faddr 168.187.24.114/53276 gaddr 2.50.15.172/0 laddr 2.50.15.172/0
0
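As an added example (not posted by anyone in the thread), this Python snippet automates the check Travis describes: parse ASA "Built ... connection" syslog lines like the ones above and report, per remote client address, whether any IKE/ISAKMP (UDP/500), NAT-T (UDP/4500) or IPsec-over-TCP (TCP/10000, the port mentioned later in the thread) connections were built. The second and third sample lines are constructed to show what arriving IKE traffic would look like; only the ICMP line is from the thread.

```python
import re
from collections import defaultdict

# Ports a Cisco IPsec remote-access client uses to reach the ASA.
# TCP/10000 is the ipsec-over-tcp port discussed in this thread (assumption: default value).
VPN_PORTS = {("UDP", 500): "ISAKMP", ("UDP", 4500): "NAT-T", ("TCP", 10000): "IPsec-over-TCP"}

# Pulls direction, protocol and the first remote address/port pair out of the description
# column of an ASA connection-build message (both "faddr a.b.c.d/p" and "outside:a.b.c.d/p" forms).
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>[A-Z]+) connection.*?for "
    r"(?:\w+[: ])?(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)"
)

# Constructed sample log: line 0 is the ICMP message posted above; lines 1-2 show a
# hypothetical client at 198.51.100.7 whose IKE and NAT-T packets did reach the ASA.
SAMPLE_LOG = [
    "6 Jan 03 2012 21:54:04 168.187.24.114 53276 2.50.15.172 0 Built inbound ICMP connection "
    "for faddr 168.187.24.114/53276 gaddr 2.50.15.172/0 laddr 2.50.15.172/0",
    "6 Jan 03 2012 21:55:10 198.51.100.7 500 2.50.15.172 500 Built inbound UDP connection 4711 "
    "for outside:198.51.100.7/500 (198.51.100.7/500) to identity:2.50.15.172/500 (2.50.15.172/500)",
    "6 Jan 03 2012 21:55:11 198.51.100.7 4500 2.50.15.172 4500 Built inbound UDP connection 4712 "
    "for outside:198.51.100.7/4500 (198.51.100.7/4500) to identity:2.50.15.172/4500 (2.50.15.172/4500)",
]

def parse_built(line):
    """Return (direction, proto, src_ip, src_port) or None if the line is not a connection build."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    return m["dir"], m["proto"], m["src"], int(m["sport"])

def vpn_attempts(lines, client_ip):
    """Count inbound VPN-relevant connections built from client_ip, keyed by protocol label.
    An empty result means no IKE traffic from that client reached the ASA at all, which is
    consistent with the client-side 'Reason 412: remote peer is no longer responding'."""
    seen = defaultdict(int)
    for line in lines:
        parsed = parse_built(line)
        if parsed is None:
            continue
        direction, proto, src, sport = parsed
        if direction != "inbound" or src != client_ip:
            continue
        label = VPN_PORTS.get((proto, sport))
        if label:
            seen[label] += 1
    return dict(seen)

if __name__ == "__main__":
    for ip in ("168.187.24.114", "198.51.100.7"):
        print(ip, vpn_attempts(SAMPLE_LOG, ip) or "no IKE/NAT-T/IPsec-over-TCP seen")
```

Run against a real ASDM log export, the ICMP-only result for the thread's client is exactly the "pings arrive, no VPN attempt visible" symptom described above.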
 
midwestgurusCommented:
I see - so you don't see the 168.187.24.114 trying to setup a VPN session?

Are you still getting 412 on the client side? Also is the 2.50.15.172 IP address that is on the ASA in the USA? Just want to make sure that is really your outside address.

Can you do me another favor? - go to a client machine that is behind the ASA and go out to http://www.ipchicken.com - I want to see what the IP that site says your coming from, we need to be 100% it's 2.50.15.172..

Thanks - below is a lookup on that address as the first octet "2" threw me off a little.

WHOIS - 2.50.15.172

Location: United Arab Emirates [City: Dubai, Dubai]

[Note: Using 2.0.0.0 instead of 2.50.15.172, to save time and bandwidth]
ARIN says that this IP belongs to RIPE; I'm looking it up there.


% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '2.50.12.0 - 2.50.19.255'

inetnum:        2.50.12.0 - 2.50.19.255
netname:        ETISALATADSL-EMIRNET
descr:          Emirates Telecommunications Corporation
descr:          P O Box 1150, Dubai, UAE
country:        AE
admin-c:        AK915-RIPE
tech-c:         AK915-RIPE
status:         ASSIGNED PA
mnt-by:         ETISALAT-MNT
mnt-lower:      ETISALAT-MNT
mnt-routes:     ETISALAT-MNT
changed:        ***@nic.ae 20100928
source:         RIPE

person:         Arif Khalid
address:        Emirates Telecommunications Corporation
address:        P O Box 1150, Dubai, UAE
phone:          +971 800 6100
fax-no:         +971 4 2959876
e-mail:         ***@nic.ae
remarks:        For any kind of abuse orignating from our network please
remarks:        email *****@emirates.net.ae
nic-hdl:        AK915-RIPE
mnt-by:         ETISALAT-MNT
changed:        ***@nic.ae 20080619
source:         RIPE


0
 
usmanshaikhAuthor Commented:
I am sure that this the correct IP my firewall is connected to. Here is the result from http://www.ipchicken.com/

2.50.15.172

I don't see the 168.187.24.114 trying to establish a VPN connection and I am still facing the 412 error message.

I am located in Dubai.
0
 
usmanshaikhAuthor Commented:
I am thinking now to recreate the VPN tunnel. Delete the old one and create everything from scratch.
0
 
Istvan KalmarHead of IT Security Division Commented:
If you want to use tcp/10000 for remote VPN you need:

crypto isakmp ipsec-over-tcp port 10000

I think there is a problem with the VPN endpoint settings.....
0
 
midwestgurusCommented:
Thanks for the verification - I'm thinking it could be something from the client end, but a good test would be to try it from a different location/remote site. If you don't have another site to test from, I can try to initiate a test from my end and see if you can find my address in the logs -- I would need the PCF file if you wanted to go that option..

The fact that you don't see any VPN connection trying to be made on the ASA means the client isn't getting there.. on your last test were you using the IP vs. the DynDNS name?

----

One of the problems with using the older VPN Client is that some firewalls will block IPSEC and you have to enable an IPSEC pass-through option... Just for future reference check out AnyConnect, all you need is an AnyConnect Essentials license and you can support SSL VPN and not have to worry about firewalls from the remote side..  
0
 
usmanshaikhAuthor Commented:
Dear Gurus,

I tried it from 2 different locations and it is giving me the same error message. My users are also banging at my door. Yes, my last try was with the IP vs. DynDNS. I have no issue sending you the PCF file, but unfortunately I deleted the VPN tunnel and am working to create it again from scratch.

Thanks for the recommendations, will try that as well.
0
 
midwestgurusCommented:
Okay good to know - I would agree with you then on trying to re-create the VPN setup. After you finished configuring again and if it still doesn't work - just post the "sh run" again. I'll take a fine tooth comb to it :)

Thanks,
0
 
usmanshaikhAuthor Commented:
Thanks all. Will update you if it succeeds.
0
 
midwestgurusCommented:
Glad it's working!

Hope it stays working for you!! :)

Nice working with you - take care.
Travis.
0
 
Ernie BeekExpertCommented:
Good!!

As said above: glad it's working. If any troubles arise again, we'll be here :)
0
 
usmanshaikhAuthor Commented:
I fixed the problem myself but anyway I would like to thank the experts for their help.
0