topic Re: Cisco ASA - RAVPN IPSEC not working in Network Security

Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 18:11:06 GMT

Hello Guys, @balaji.bandi @Marvin Rhoads @Rob Ingram @Scott Fella @Vikas Saxena @nkarthikeyan

I configured the RAVPN ikev1 IPsec using an old client on the firewall but it's not working. I tried the same configuration and it works fine.

I get the following error message.
Secure VPN Connection terminated by Peer.
Reason 433. (Reason not specified by peer)

It happens when it accepts user password and start negotiating security policies.

It looks like some policy is interfering with it but I do not know which commands I should run to find out the conflicting policy/ACLs.

Thanks,

Re: Cisco ASA - RAVPN IPSEC not working

balaji.bandi — Thu, 27 Aug 2020 18:16:27 GMT

here is the common problem and solution :

VPN Client Drops Connection Frequently on First Attempt or "Security VPN Connection terminated by peer. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)"

Problem

Cisco VPN client users might receive this error when they attempt the connection with the head end VPN device.

"VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by peer. Reason 433." or "Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)" or "Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool"

Solution 1

The problem might be with the IP pool assignment either through ASA/PIX, Radius server, DHCP server or through Radius server acting as DHCP server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.

Solution 2

This issue also occurs due to the failure of extended authentication. You must check the AAA server to troubleshoot this error. Checking the server authentication password on Server and client and reloading the AAA server might resolve this issue.

Solution 3

Another workaround for this issue is to disable the threat detection feature. At times when there are multiple re-transmissions for different incomplete Security Associations (SAs), the ASA with the threat-detection feature enabled thinks that a scanning attack is occuring and the VPN ports are marked as the main offender. Try to disable the threat-detection feature as this can cause a lot of overhead on the processing of ASA. Use these commands in order to disable the threat detection:

no threat-detection basic-threat
no threat-detection scanning-threat shun
no threat-detection statistics
no threat-detection rate

For more information about this feature, refer to Threat Detection.

Note: This can be used as a workaround to verify if this fixes the actual problem. Make sure that disabling the threat detection on the Cisco ASA actually compromises several security features such as mitigating the Scanning Attempts, DoS with Invalid SPI, packets that fail Application Inspection and Incomplete Sessions.

Solution 4

This issue also occurs when a transform set is not properly configured. A proper configuration of the transform set resolves the issue.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 18:20:24 GMT

Hello @balaji.bandi

I already followed this article and tried all the options, I did not see the debugs when my VPN client try to connect it. I need help with commands where I can find the ACL or policy which is not allowing the VPN session ?

Thanks

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 18:26:19 GMT

Hi,

I am not clear on your comment - "I configured the RAVPN ikev1 IPsec using an old client on the firewall but it's not working. I tried the same configuration and it works fine."

Is it working randomly or did you try the configuration on another device (ASA or computer) and then it worked?

Are you using the old VPN client? some ciphers are depreciated so may no longer be supported.

Provide your configuration and ASA version.

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 18:38:43 GMT

Hello Rob,

I installed and old Legacy client 5.0.7.04 on windows 10 PC with help of some registry editing and then I added the Group-policy creds and IP in the client but it is failing while negotiating security policies, I tried the same config on another firewall with same OS version and it worked with that firewall.
I want to find out why the firewall is failing it.

I attached the config. Thanks

Thanks,

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 18:48:40 GMT

From which ASA is that configuration from, the working or non working ASA?

From the working ASA, login as a user and then run "show vpn-sessiondb detail anyconnect" and provide the output for review. Also provide the configuration of the other ASA.

The old VPN client does not support the latest ciphers, is there a configuration difference between the 2 ASAs in regard to ikev1 or ssl configuration? The working ASA might be configured to use certain ciphers compared to the other ASA.

Any reason why you cannot use AnyConnect?

Are you using IKEv1 or SSL when connecting?

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 18:58:29 GMT

The configuration I attached is for not working ASA. I setup on outside2 interface.

We are using Ikev1 RAVPN over Ipsec, not having license for AnyConnect?

The other firewall where its working, I configured in a same way through the ASDM and I did not encounter any menu where i can choose/see ciphers.

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 19:11:38 GMT

Ok. Provide the configuration of the other ASA so we can compare ike/ipsec policies and provide the output of "show vpn-sessiondb detail" of a logged in user so we can determine what ciphers have been negotiated.

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 19:24:17 GMT

From the Working Firewall and I am connected with RAVPN client.

ciscoasa# sh vpn-sessiondb detail anyconnect
INFO: There are presently no active sessions of the type specified

Config of working firewall:

ciscoasa# sh run
: Saved

:
: Serial Number: 9AW36TBSXS1
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2800 MHz
:
ASA Version 9.12(2)
!
hostname ciscoasa
enable password ***** pbkdf2
names
no mac-address auto
ip local pool RAVPN-pool 192.168.20.1-192.168.20.20 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.2.122 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.10
vlan 10
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.0
!
interface GigabitEthernet0/1.20
vlan 20
nameif GuestWIFI
security-level 90
ip address 21.21.21.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network vlan10
subnet 11.11.11.0 255.255.255.0
object network vlan20
subnet 21.21.21.0 255.255.255.0
object network Office_1
subnet 10.10.10.0 255.255.255.0
object network Office_2
subnet 11.11.11.0 255.255.255.0
object network Site-A-VPN
subnet 192.168.10.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object-group network DM_INLINE_NETWORK_1
network-object 11.11.11.0 255.255.255.0
network-object object Office_1
access-list VLAN10 extended permit ip 11.11.11.0 255.255.255.0 any
access-list VLAN20 extended permit ip 21.21.21.0 255.255.255.0 any
access-list VPN-Traffic extended permit ip object Office_2 object Office_1
access-list VPN-SSL-IPSEC extended permit ip object Office_2 object Site-A-VPN
access-list VPN-SSL-IPSEC extended permit ip object Office_2 object Office_1
access-list Remote-VPN_splitTunnelAcl standard permit 11.11.11.0 255.255.255.0
access-list Remote-VPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
pager lines 23
mtu outside 1500
mtu inside 1500
mtu GuestWIFI 1500
no failover
no monitor-interface inside
no monitor-interface GuestWIFI
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any GuestWIFI
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static Office_2 Office_2 destination static Office_1 Office_1 no-proxy-arp route-lookup
nat (inside,outside) source static Office_2 Office_2 destination static Site-A-VPN Site-A-VPN no-proxy-arp
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
!
object network vlan10
nat (inside,outside) dynamic interface
object network vlan20
nat (GuestWIFI,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal VPN-Transform
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CRYPTO_MAP 1 match address VPN-SSL-IPSEC
crypto map CRYPTO_MAP 1 set peer 192.168.2.121
crypto map CRYPTO_MAP 1 set ikev2 ipsec-proposal VPN-Transform
crypto map CRYPTO_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CRYPTO_MAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
6973204c 696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f
6f742043 41203230 1e170d30 36313132 34313832 3730305a 170d3331 31313234
31383233 33335a30 45310b30 09060355 04061302 424d3119 30170603 55040a13
1051756f 56616469 73204c69 6d697465 64311b30 19060355 04031312 51756f56
61646973 20526f6f 74204341 20323082 0222300d 06092a86 4886f70d 01010105
00038202 0f003082 020a0282 0201009a 18ca4b94 0d002daf 03298af0 0f81c8ae
4c19851d 089fab29 4485f32f 81ad321e 9046bfa3 86261a1e fe7e1c18 3a5c9c60
172a3a74 8333307d 615411cb edabe0e6 d2a27ef5 6b6f18b7 0a0b2dfd e93eef0a
c6b310e9 dcc24617 f85dfda4 daff9e49 5a9ce633 e62496f7 3fba5b2b 1c7a35c2
d667feab 66508b6d 28602bef d760c3c7 93bc8d36 91f37ff8 db1113c4 9c7776c1
aeb7026a 817aa945 83e205e6 b956c194 378f4871 6322ec17 6507958a 4bdf8fc6
5a0ae5b0 e35f5e6b 11ab0cf9 85eb44e9 f80473f2 e9fe5c98 8cf573af 6bb47ecd
d45c022b 4c39e1b2 95952d42 87d7d5b3 9043b76c 13f1dedd f6c4f889 3fd175f5
92c391d5 8a88d090 ecdc6dde 89c26571 968b0d03 fd9cbf5b 16ac92db eafe797c
adebaff7 16cbdbcd 252be51f fb9a9fe2 51cc3a53 0c48e60e bdc9b476 0652e611
13857263 0304e004 362b2019 02e874a7 1fb6c956 66f07525 dc67c10e 616088b3
3ed1a8fc a3da1db0 d1b12354 df44766d ed41d8c1 b222b653 1cdf351d dca1772a
31e42df5 e5e5dbc8 e0ffe580 d70b63a0 ff33a10f ba2c1515 ea97b3d2 a2b5bef2
8c961e1a 8f1d6ca4 6137b986 7333d797 969e237d 82a44c81 e2a1d1ba 675f9507
a32711ee 16107bbc 454a4cb2 04d2abef d5fd0c51 ce506a08 31f991da 0c8f645c
03c33a8b 203f6e8d 673d3ad6 fe7d5b88 c95efbcc 61dc8b33 77d34432 35096204
921610d8 9e2747fb 3b21e3f8 eb1d5b02 03010001 a381b030 81ad300f 0603551d
130101ff 04053003 0101ff30 0b060355 1d0f0404 03020106 301d0603 551d0e04
1604141a 8462bc48 4c332504 d4eed0f6 03c41946 d1946b30 6e060355 1d230467
30658014 1a8462bc 484c3325 04d4eed0 f603c419 46d1946b a149a447 3045310b
30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164 6973204c
696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f 6f742043
41203282 02050930 0d06092a 864886f7 0d010105 05000382 0201003e 0a164d9f
065ba8ae 715d2f05 2f67e613 4583c436 f6f3c026 0c0db547 645df8b4 72c946a5
03182755 89787d76 ea963480 1720dce7 83f88dfc 07b8da5f 4d2e67b2 84fdd944
fc775081 e67cb4c9 0d0b7253 f8760707 4147960c fbe08226 93558cfe 221f6065
7c5fe726 b3f73290 9850d437 7155f692 2178f795 79faf82d 26876656 3077a637
78335210 58ae3f61 8ef26ab1 ef187e4a 5963ca8d a256d5a7 2fbc561f cf39c1e2
fb0aa815 2c7d4d7a 63c66c97 443cd26f c34a170a f890d257 a21951a5 2d9741da
074fa950 da908d94 46e13ef0 94fd1000 38f53be8 40e1b46e 561a20cc 6f588ded
2e458fd6 e9933fe7 b12cdf3a d6228cdc 84bb226f d0f8e4c6 39e90488 3cc3baeb
557a6d80 9924f56c 01fbf897 b0945beb fdd26ff1 77680d35 6423acb8 55a103d1
4d4219dc f8755956 a3f9a849 79f8af0e b911a07c b76aed34 d0b62662 381a870c
f8e8fd2e d3907f07 912a1dd6 7e5c8583 99b03808 3fe95ef9 3507e4c9 626e577f
a75095f7 bac89be6 8ea201c5 d666bf79 61f33c1c e1b9825c 5da0c3e9 d848bd19
a2111419 6eb2861b 683e4837 1a88b75d 965e9cc7 ef276208 e291195c d2f121dd
ba174282 97718153 31a99ff6 7d62bf72 e1a3931d cc8a265a 0938d0ce d70d8016
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf md5
lifetime seconds 21234567
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1 2
console timeout 0
dhcpd lease 36000
dhcpd domain Lovejit.com
!
dhcpd address 11.11.11.100-11.11.11.200 inside
dhcpd dns 8.8.8.8 1.1.1.1 interface inside
dhcpd enable inside
!
dhcpd address 21.21.21.100-21.21.21.200 GuestWIFI
dhcpd dns 8.8.8.8 1.1.1.1 interface GuestWIFI
dhcpd enable GuestWIFI
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
dns-server value 8.8.8.8 1.1.1.1
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value lj.local
dynamic-access-policy-record DfltAccessPolicy
username test password ***** pbkdf2 privilege 0
username test attributes
vpn-group-policy Remote-VPN
username lsingh password ***** pbkdf2
tunnel-group 192.168.2.121 type ipsec-l2l
tunnel-group 192.168.2.121 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Remote-VPN type remote-access
tunnel-group Remote-VPN general-attributes
address-pool RAVPN-pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:950605f75ab3251a10f97c47ff222761
: end
ciscoasa#

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 19:27:14 GMT

"show vpn-sessiondb detail"

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 19:28:01 GMT

Hello @Rob Ingram

Output of #sh crypto sa from working firewall

local crypto endpt.: 192.168.2.122/0, remote crypto endpt.: 192.168.2.114/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 7AD39DE2
current inbound spi : AFEE53CD

inbound esp sas:
spi: 0xAFEE53CD (2951631821)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28376
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7AD39DE2 (2060688866)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28376
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscoasa#

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 19:32:38 GMT

ciscoasa# sh vpn-sessiondb detail
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 1 : 2 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 2
Device Total VPN Capacity : 250
Device Load : 0%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 1 : 2 : 1
IPsec : 1 : 2 : 1
---------------------------------------------------------------------------
Totals : 2 : 4
---------------------------------------------------------------------------

ciscoasa#

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 19:48:32 GMT

Sorry output of this command please "show vpn-sessiondb detail ra-ikev1-ipsec" from the working ASA and "show crypto ikev1 sa"

On the non-working ASA, enabled debug "debug crypto ikev1 128" attempt to connect to the VPN and provide the output.

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 20:00:58 GMT

Hello @Rob Ingram

ciscoasa# sh crypto ikev1 sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.2.114
Type : user Role : responder
Rekey : no State : AM_ACTIVE
ciscoasa#
ciscoasa#
ciscoasa# show vpn-sessiondb detail ra-ikev1-ipsec

Session Type: IKEv1 IPsec Detailed

Username : lsingh Index : 6
Assigned IP : 192.168.20.1 Public IP : 192.168.2.114
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : Remote-VPN Tunnel Group : Remote-VPN
Login Time : 19:50:09 UTC Thu Aug 27 2020
Duration : 0h:00m:49s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0b0b0b01000060005f480e71
Security Grp : none

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
Tunnel ID : 6.1
UDP Src Port : 57492 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86355 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440

IPsec:
Tunnel ID : 6.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 192.168.20.1/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28754 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0

ciscoasa#

Debug from non working Firewall

Aug 27 15:57:09 [IKEv1]IKE Receiver: Packet received on 206.47.141.30:4500 from 99.250.11.11:64664
Aug 27 15:57:09 [IKEv1]IP = 99.250.11.11, IKE_DECODE RECEIVED Message (msgid=d611dc77) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, IP = 99.250.11.11, process_attr(): Enter!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, IP = 99.250.11.11, Processing MODE_CFG Reply attributes.
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: primary DNS = 172.1.100.110
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: secondary DNS = 172.1.100.101
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: primary WINS = cleared
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: secondary WINS = cleared
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: split tunneling list = Test12345_splitTunnelAcl
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: default domain = kohlandfrisch.com
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: IP Compression = disabled
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Aug 27 15:57:09 [IKEv1]Group = Test12345, Username = lsingh, IP = 99.250.11.11, User (lsingh) authenticated.
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, constructing blank hash payload
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, constructing qm hash payload
Aug 27 15:57:09 [IKEv1]IP = 99.250.11.11, IKE_DECODE SENDING Message (msgid=8d0a8fe) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Aug 27 15:57:09 [IKEv1]IKE Receiver: Packet received on 206.47.141.30:4500 from 99.250.11.11:64664
Aug 27 15:57:09 [IKEv1]IP = 99.250.11.11, IKE_DECODE RECEIVED Message (msgid=8d0a8fe) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, process_attr(): Enter!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Processing cfg ACK attributes
Aug 27 15:57:09 [IKEv1]IKE Receiver: Packet received on 206.47.141.30:4500 from 99.250.11.11:64664
Aug 27 15:57:09 [IKEv1]IP = 99.250.11.11, IKE_DECODE RECEIVED Message (msgid=651dec97) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 172
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, process_attr(): Enter!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Processing cfg Request attributes
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for IPV4 address!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for IPV4 net mask!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for DNS server address!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for WINS server address!
Aug 27 15:57:09 [IKEv1]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Received unsupported transaction mode attribute: 5
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Banner!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Save PW setting!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Default Domain Name!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Split Tunnel List!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Split DNS!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for PFS setting!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Client Browser Proxy Setting!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for backup ip-sec peer list!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for Application Version!
Aug 27 15:57:09 [IKEv1]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Client Type: WinNT Client Application Version: 5.0.07.0440
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for FWTYPE!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, MODE_CFG: Received request for DHCP hostname for DDNS is: LJ_FS1!
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKE received response of type [] to a request from the IP address utility
Aug 27 15:57:09 [IKEv1]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Cannot obtain an IP address for remote peer
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKE TM V6 FSM error history (struct &0x00007f9f7e928410) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKE AM Responder FSM error history (struct &0x00007f9f806237d0) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, IKE SA AM:adf8010a terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, sending delete/delete with reason message
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, constructing blank hash payload
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, constructing IKE delete payload
Aug 27 15:57:09 [IKEv1 DEBUG]Group = Test12345, Username = lsingh, IP = 99.250.11.11, constructing qm hash payload
Aug 27 15:57:09 [IKEv1]IP = 99.250.11.11, IKE_DECODE SENDING Message (msgid=c44c7dea) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 20:10:59 GMT

Aug 27 15:57:09 [IKEv1]Group = Test12345, Username = lsingh, IP = 99.250.11.11, Cannot obtain an IP address for remote peer

this error jumps out at me, do you have an IP address pool configured correctly?

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 20:23:40 GMT

I tried changing pool but still same logs. its not pool.

Re: Cisco ASA - RAVPN IPSEC not working

Rob Ingram — Thu, 27 Aug 2020 20:33:30 GMT

You've not provided the full configuration for the non-working ASA, please provide the current full configuration after you've made the changing the pool.

Run the debugs again, connect to the VPN and provide the output

What is the name of the tunnel-group you are connecting to?

Re: Cisco ASA - RAVPN IPSEC not working

LovejitSingh1313 — Thu, 27 Aug 2020 21:09:47 GMT

Hello @Rob Ingram

I find that IP assignment was not enabled for Internal and DHCP, I enabled it and it worked after that.

Thanks alot man !

Re: Cisco ASA - RAVPN IPSEC not working

balaji.bandi — Fri, 28 Aug 2020 07:56:55 GMT

Solution 1 - was your issue if you closely look the config -