?
Solved

mac vpn behind cisco firewall

Posted on 2014-11-06
9
Medium Priority
?
179 Views
Last Modified: 2014-11-11
When using an iphone or MacBook to connect to a vpn setup on a remote cisco ASA, it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local ASA.    I setup debugs on the remote asa and see the connnections coming in, but it always stops at the same point.     I have tried the vpn setup to other remote ASAs and get the same issue.    It appears to be an issue with just the macs, as the cisco vpn client on a pc works fine from behind the firewall.

I have enabled nat traversal on both ASAs.

Not sure if there is a command on the ASA or a setting on the mac that will fix this.

Thanks.
0
Comment
Question by:tiptechs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40426453
it works fine from outside the local ASA, but always shows "negotiation failed" when trying the vpn from behind the local

Situation Normal in my experience with VPN. You need an arm's length outside connection for VPN to negotiate and work,
0
 

Author Comment

by:tiptechs
ID: 40426588
It is just with the MAC though.  On a Windows PC running the cisco vpn client I have no issues with the vpn connecting.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40426609
Perhaps I misunderstand, because I use Windows VPN all the time and you cannot VPN from inside.

Is your Windows "inside" VPN on a different IP or subnet?  That is maybe something to explore here.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:tiptechs
ID: 40426739
Everything is the same with the internal network.   Windows PC using the cisco vpn client software works to the same vpn termination point behind the firewall and the mac doesn't.

Got the same results with an iPhone that was connected to the internal wireless behind the firewall.  vpn wouldn't work, but through the cellular it worked with no issues.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40426760
I am not sure what to say. I have never seen a Windows VPN machine work from inside a network. So I do not know why yours do. That is unique in my experience.
0
 

Author Comment

by:tiptechs
ID: 40426767
I don't think you are understanding the layout.  

This works.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.1.1).  

This doesn't work

Mac (builtin vpn terminating to 1.1.1.1) -> Local ASA Firewall -> Internet -> Remote ASA (1.1.1.1)


This does work

Mac (builtin vpn terminating to 1.1.1.1) -> Internet -> Remote ASA (1.1.1.1)


Issue seems to be with just macs when behind the local ASA.
0
 
LVL 97

Expert Comment

by:Experienced Member
ID: 40426781
Thank you. That was helpful indeed.

Windows PC (with vpn software terminating to 1.1.1.1 for example) -> Local ASA Firewall -> Internet -> Remote ASA Firewall (1.1.2.1).  

I changed the above to 1.1.2.1 because remote must be on a different subnet than local. I assume the points are on different subnets but you can post back that this is true.

So now replace with MAC and it does not work.  Try uninstalling the MAC VPN software and profile and remake it.

have enabled NAT traversal on both ASAs. <-- Try NAT on one, then other, then both, then not at all.  See if there is a setting for Aggressive mode and try turning that off.
0
 

Accepted Solution

by:
tiptechs earned 0 total points
ID: 40426897
I upgraded the local ASA to 9.x code and it is now working.    It was on 8.4 code.   a reboot of the ASA could have fixed it too, so not sure if the local ASA just needed rebooted or the issue was a bug with 8.4 code.  Either way it is working now with the mac and iphone.
0
 

Author Closing Comment

by:tiptechs
ID: 40434573
upgraded ios and that fixed the issue.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question