Solved

mac vpn behind cisco firewall

Posted on 2014-11-06
9
174 Views
Last Modified: 2014-11-11
When using an iphone or MacBook to connect to a vpn setup on a remote cisco ASA, it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local ASA.    I setup debugs on the remote asa and see the connnections coming in, but it always stops at the same point.     I have tried the vpn setup to other remote ASAs and get the same issue.    It appears to be an issue with just the macs, as the cisco vpn client on a pc works fine from behind the firewall.

I have enabled nat traversal on both ASAs.

Not sure if there is a command on the ASA or a setting on the mac that will fix this.

Thanks.
0
Comment
Question by:tiptechs
  • 5
  • 4
9 Comments
 
LVL 93

Expert Comment

by:John Hurst
ID: 40426453
it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local

Situation Normal in my experience with VPN. You need an arm's length outside connection for VPN to negotiate and work,
0
 

Author Comment

by:tiptechs
ID: 40426588
It is just with the MAC though.  On a Windows PC running the cisco vpn client I have no issues with the vpn connecting.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40426609
Perhaps I misunderstand, because I use Windows VPN all the time and you cannot VPN from inside.

Is your Windows "inside" VPN on a different IP or subnet?  That is maybe something to explore here.
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:tiptechs
ID: 40426739
Everything is the same with the internal network.   Windows PC using the cisco vpn client software works to the same vpn termination point behind the firewall and the mac doesn't.

Got the same results with an iPhone that was connected to the internal wireless behind the firewall.  vpn wouldn't work, but through the cellular it worked with no issues.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40426760
I am not sure what to say. I have never seen a Windows VPN machine work from inside a network. So I do not know why yours do. That is unique in my experience.
0
 

Author Comment

by:tiptechs
ID: 40426767
I don't think you are understanding the layout.  

This works.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.1.1).  

This doesn't work

Mac (builtin vpn terminating to 1.1.1.1) -> Local ASA Firewall -> Internet -> Remote ASA (1.1.1.1)


This does work

Mac (builtin vpn terminating to 1.1.1.1) -> Internet -> Remote ASA (1.1.1.1)


Issue seems to be with just macs when behind the local ASA.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 40426781
Thank you. That was helpful indeed.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.2.1).  

I changed the above to 1.1.2.1 because remote must be on a different subnet than local. I assume the points are on different subnets but you can post back that this is true.

So now replace with MAC and it does not work.  Try uninstalling the MAC VPN software and profile and remake it.

have enabled NAT traversal on both ASAs. <-- Try NAT on one, then other, then both, then not at all.  See if there is a setting for Aggressive mode and try turning that off.
0
 

Accepted Solution

by:
tiptechs earned 0 total points
ID: 40426897
I upgraded the local ASA to 9.x code and it is now working.    It was on 8.4 code.   a reboot of the ASA could have fixed it too, so not sure if the local ASA just needed rebooted or the issue was a bug with 8.4 code.  Either way it is working now with the mac and iphone.
0
 

Author Closing Comment

by:tiptechs
ID: 40434573
upgraded ios and that fixed the issue.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
We could spend the next millennium discussing the differences of the Mac and Windows platforms. The next century will continue to have fanatics on both side of the equation and neither side will win the war. However, that’s not why we are here. W…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question