Solved

mac vpn behind cisco firewall

Posted on 2014-11-06
9
167 Views
Last Modified: 2014-11-11
When using an iphone or MacBook to connect to a vpn setup on a remote cisco ASA, it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local ASA.    I setup debugs on the remote asa and see the connnections coming in, but it always stops at the same point.     I have tried the vpn setup to other remote ASAs and get the same issue.    It appears to be an issue with just the macs, as the cisco vpn client on a pc works fine from behind the firewall.

I have enabled nat traversal on both ASAs.

Not sure if there is a command on the ASA or a setting on the mac that will fix this.

Thanks.
0
Comment
Question by:tiptechs
  • 5
  • 4
9 Comments
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local

Situation Normal in my experience with VPN. You need an arm's length outside connection for VPN to negotiate and work,
0
 

Author Comment

by:tiptechs
Comment Utility
It is just with the MAC though.  On a Windows PC running the cisco vpn client I have no issues with the vpn connecting.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
Perhaps I misunderstand, because I use Windows VPN all the time and you cannot VPN from inside.

Is your Windows "inside" VPN on a different IP or subnet?  That is maybe something to explore here.
0
 

Author Comment

by:tiptechs
Comment Utility
Everything is the same with the internal network.   Windows PC using the cisco vpn client software works to the same vpn termination point behind the firewall and the mac doesn't.

Got the same results with an iPhone that was connected to the internal wireless behind the firewall.  vpn wouldn't work, but through the cellular it worked with no issues.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
I am not sure what to say. I have never seen a Windows VPN machine work from inside a network. So I do not know why yours do. That is unique in my experience.
0
 

Author Comment

by:tiptechs
Comment Utility
I don't think you are understanding the layout.  

This works.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.1.1).  

This doesn't work

Mac (builtin vpn terminating to 1.1.1.1) -> Local ASA Firewall -> Internet -> Remote ASA (1.1.1.1)


This does work

Mac (builtin vpn terminating to 1.1.1.1) -> Internet -> Remote ASA (1.1.1.1)


Issue seems to be with just macs when behind the local ASA.
0
 
LVL 90

Expert Comment

by:John Hurst
Comment Utility
Thank you. That was helpful indeed.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.2.1).  

I changed the above to 1.1.2.1 because remote must be on a different subnet than local. I assume the points are on different subnets but you can post back that this is true.

So now replace with MAC and it does not work.  Try uninstalling the MAC VPN software and profile and remake it.

have enabled NAT traversal on both ASAs. <-- Try NAT on one, then other, then both, then not at all.  See if there is a setting for Aggressive mode and try turning that off.
0
 

Accepted Solution

by:
tiptechs earned 0 total points
Comment Utility
I upgraded the local ASA to 9.x code and it is now working.    It was on 8.4 code.   a reboot of the ASA could have fixed it too, so not sure if the local ASA just needed rebooted or the issue was a bug with 8.4 code.  Either way it is working now with the mac and iphone.
0
 

Author Closing Comment

by:tiptechs
Comment Utility
upgraded ios and that fixed the issue.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Deploystudio is a system which can be used to deploy OSX clients and servers within the small/medium or large business environments. The system is built ontop of the OSX Server NetBoot system and uses images & workflows as its core assets. Although …
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now