Solved

mac vpn behind cisco firewall

Posted on 2014-11-06
9
172 Views
Last Modified: 2014-11-11
When using an iphone or MacBook to connect to a vpn setup on a remote cisco ASA, it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local ASA.    I setup debugs on the remote asa and see the connnections coming in, but it always stops at the same point.     I have tried the vpn setup to other remote ASAs and get the same issue.    It appears to be an issue with just the macs, as the cisco vpn client on a pc works fine from behind the firewall.

I have enabled nat traversal on both ASAs.

Not sure if there is a command on the ASA or a setting on the mac that will fix this.

Thanks.
0
Comment
Question by:tiptechs
  • 5
  • 4
9 Comments
 
LVL 91

Expert Comment

by:John Hurst
ID: 40426453
it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local

Situation Normal in my experience with VPN. You need an arm's length outside connection for VPN to negotiate and work,
0
 

Author Comment

by:tiptechs
ID: 40426588
It is just with the MAC though.  On a Windows PC running the cisco vpn client I have no issues with the vpn connecting.
0
 
LVL 91

Expert Comment

by:John Hurst
ID: 40426609
Perhaps I misunderstand, because I use Windows VPN all the time and you cannot VPN from inside.

Is your Windows "inside" VPN on a different IP or subnet?  That is maybe something to explore here.
0
 

Author Comment

by:tiptechs
ID: 40426739
Everything is the same with the internal network.   Windows PC using the cisco vpn client software works to the same vpn termination point behind the firewall and the mac doesn't.

Got the same results with an iPhone that was connected to the internal wireless behind the firewall.  vpn wouldn't work, but through the cellular it worked with no issues.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 91

Expert Comment

by:John Hurst
ID: 40426760
I am not sure what to say. I have never seen a Windows VPN machine work from inside a network. So I do not know why yours do. That is unique in my experience.
0
 

Author Comment

by:tiptechs
ID: 40426767
I don't think you are understanding the layout.  

This works.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.1.1).  

This doesn't work

Mac (builtin vpn terminating to 1.1.1.1) -> Local ASA Firewall -> Internet -> Remote ASA (1.1.1.1)


This does work

Mac (builtin vpn terminating to 1.1.1.1) -> Internet -> Remote ASA (1.1.1.1)


Issue seems to be with just macs when behind the local ASA.
0
 
LVL 91

Expert Comment

by:John Hurst
ID: 40426781
Thank you. That was helpful indeed.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.2.1).  

I changed the above to 1.1.2.1 because remote must be on a different subnet than local. I assume the points are on different subnets but you can post back that this is true.

So now replace with MAC and it does not work.  Try uninstalling the MAC VPN software and profile and remake it.

have enabled NAT traversal on both ASAs. <-- Try NAT on one, then other, then both, then not at all.  See if there is a setting for Aggressive mode and try turning that off.
0
 

Accepted Solution

by:
tiptechs earned 0 total points
ID: 40426897
I upgraded the local ASA to 9.x code and it is now working.    It was on 8.4 code.   a reboot of the ASA could have fixed it too, so not sure if the local ASA just needed rebooted or the issue was a bug with 8.4 code.  Either way it is working now with the mac and iphone.
0
 

Author Closing Comment

by:tiptechs
ID: 40434573
upgraded ios and that fixed the issue.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now