Solved: LDAP on ASA with attribute-map

guzman.barrio · ‎11-23-2010

Hi all,

I'm having problems configuring VPN clients authentication against an LDAP server. The main problem is when the ASA has to decide a group-policy for the non-compliance users.

I use LDAP attribute-maps in the ASA to map the memberOf parameter to the Cisco Group-policy attribute, then I associate memberOf with the AD group that the user must belong to has VPN access and the rigth group-policy. This works correctly.

But the problem is when the remote user isn't in the correct AD group, I set a default-policy-group with no access to this kind of users. After that, all the users (allowed and not allowed) fall in the same default-group-policy with no VPN access.

There is the ASA configuration:

ldap attribute-map LDAP
map-name memberOf Group-Policy
map-value memberOf "cn=ASA_VPN,ou=ASA_VPN,ou=My Group,dc=xxx,dc=com" RemoteAccess

aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.0.3
ldap-base-dn ou="My Group", dc=xxx, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ********
ldap-login-dn cn=user, ou="My Group", dc=xxx, dc=com
server-type microsoft
ldap-attribute-map LDAP

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0

group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 10.0.0.3
vpn-tunnel-protocol IPSec
default-domain value xxx.com

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool POOL
authentication-server-group LDAP
default-group-policy NOACCESS
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *******

As you can see, I have followed all the examples availables in the web to solve the problem but I can't obtain a good result.

Somebody has an solution for this problem????

Regards,

Guzmán

Herbert Baerten · ‎12-03-2010

Guzman,

this should definitely work, i.e. the deny part is already working ok and the user that has the correct memberOf attribute should definitely get mapped to the Allow-Access policy and so should be allowed in.

I'm thinking of this being a bug as well, but I had a quick look and did not see anything matching, and if this were a bug in 8.2.3. then I would not expect you to be the first customer to experience this, so I'm still more inclined to think it is something in the config that we are overlooking (I know frome experience typo's can sometimes be extremely hard to spot).

Could you get "debug aaa common 255" as well please, maybe that will tell us something.

BTW, just to be sure: you did not configure anything (like vpn-simultaneous-logins) in the DfltGrpPolicy, did you? Just double checking since your Allow-Access policy would then inherit that.

Maybe as another test, explicitly configure a non-zero value for that parameter in the Allow-Access policy, i.e.

group-policy Allow-Access attrib

vpn-simultaneous-logins 10

Herbert

View solution in original post

Herbert Baerten · ‎11-28-2010

Hi Guzmán

can you get the output of "debug ldap 255" when an authorised user tries to connect?

This should show what memberOf attributes are being received from the LDAP server (and normally also which group-policy it is being mapped to).

hth

Herbert

guzman.barrio · ‎11-29-2010

Hi Herbert, thanks for your answer.

I saw the output of the "debug ldap 255" command previously and it was the base to make the config that I've pasted in my previous post.

My problem is when an attribute isn't present in the parameters that the LDAP server pass back to the ASA when authenticate a user, how can I represent these in the ldap attribute-map?

I didn't find documents that explain or shows a configuration to represent values that aren't present in the LDAP attributes pass to the NAS (an ASA in this case).

For example:

I map the group with privileges to remote access to the memberOf attribute in an LDAP attribute-map. All the rest of the groups must be not allowed to access but I doesn't want to make this association for each case in the LDAP attribute-map. There is a way to map a generic attribute with wildrcards for example?

I hope that I was clear now with my problem and someone can help me.

Regards,

Guzmán

Tarik Admani · ‎11-29-2010

Guzman,

Can you please provide an example of what it is that you are trying to accomplish? In your original post I did recreate your issue and was able to get the mapping to successfully work. I would like you make the changes to your map-value under your ldap attribute-map since the behavior seems to be case sensitive.

What attributes is the LDAP server handing back, because for every user that authenticates it would be safe to assume that there all the DN's are being handed back for each of the users that successfully authenticates.

guzman.barrio · ‎11-29-2010

Tarik, thanks for your help. Here is the scenario:

When I try to access the network through the CiscoVPN Client using the user pepe,the access must be allowed. When I'm trying to access using the user cisco, the access must be denied. To check if the user has or no access to the network, I compare the LDAP attribute msNPAllowDialin in the parameters pass from the LDAP server to the ASA. For these case I configure the following LDAP attribute-map:

ldap attribute-map LDAP
map-name msNPAllowDialin Group-Policy
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE RemoteAccess

FW-XX# debug ldap 255
debug ldap enabled at level 255
FW-XX#
[1023] Session Start
[1023] New request Session, context 0xac31c1a8, reqType = Authentication
[1023] Fiber started
[1023] Creating LDAP context with uri=ldap://10.0.0.3:389
[1023] Connect to LDAP server: ldap://10.0.0.3:389, status = Successful
[1023] supportedLDAPVersion: value = 3
[1023] supportedLDAPVersion: value = 2
[1023] Binding as asa_ldap_auth
[1023] Performing Simple authentication for asa_ldap_auth to 10.0.0.3
[1023] LDAP Search:
        Base DN = [ou="AD Client", dc=client, dc=com, dc=uy]
        Filter = [sAMAccountName=pepe]
        Scope   = [SUBTREE]
[1023] User DN = [CN=pepe,OU=AD Client,DC=client,DC=com,DC=uy]
[1023] Talking to Active Directory server 10.0.0.3
[1023] Reading password policy for pepe, dn:CN=pepe,OU=AD Client,DC=client,DC=com,DC=uy
[1023] Read bad password count 0
[1023] Binding as pepe
[1023] Performing Simple authentication for pepe to 10.0.0.3
[1023] Processing LDAP response for user pepe
[1023] Message (pepe):
[1023] Checking password policy
[1023] Authentication successful for pepe to 10.0.0.3
[1023] Retrieved User Attributes:
[1023] objectClass: value = top
[1023] objectClass: value = person
[1023] objectClass: value = organizationalPerson
[1023] objectClass: value = user
[1023] cn: value = pepe
[1023] givenName: value = pepe
[1023] distinguishedName: value = CN=pepe,OU=AD Client,DC=client,DC=com,DC=uy
[1023] instanceType: value = 4
[1023] whenCreated: value = 20101124125130.0Z
[1023] whenChanged: value = 20101129123829.0Z
[1023] displayName: value = pepe
[1023] uSNCreated: value = 4484415
[1023] memberOf: value = CN=Computacion,OU=Computacion,OU=AD Client,DC=client,DC=com,DC=uy
[1023] uSNChanged: value = 4529614
[1023] name: value = pepe
[1023] objectGUID: value = Y7U. ..@.......K
[1023] userAccountControl: value = 512
[1023] badPwdCount: value = 0
[1023] codePage: value = 0
[1023] countryCode: value = 0
[1023] badPasswordTime: value = 0
[1023] lastLogoff: value = 0
[1023] lastLogon: value = 0
[1023] pwdLastSet: value = 129355079094572938
[1023] primaryGroupID: value = 513
[1023] userParameters: value = m:                    d.
[1023] objectSid: value = ............*.7\..Pz..;+[...
[1023] accountExpires: value = 9223372036854775807
[1023] logonCount: value = 0
[1023] sAMAccountName: value = pepe
[1023] sAMAccountType: value = 805306368
[1023] userPrincipalName: value = pepe@client.com.uy
[1023] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=client,DC=com,DC=uy
[1023] msNPAllowDialin: value = TRUE
[1023]          mapped to Group-Policy: value = RemoteAccess
[1023] lastLogonTimestamp: value = 129355068182940604
[1023] Fiber exit Tx=717 bytes Rx=2354 bytes, status=1
[1023] Session End

[1026] Session Start
[1026] New request Session, context 0xac31c1a8, reqType = Authentication
[1026] Fiber started
[1026] Creating LDAP context with uri=ldap://10.0.0.3:389
[1026] Connect to LDAP server: ldap://10.0.0.3:389, status = Successful
[1026] supportedLDAPVersion: value = 3
[1026] supportedLDAPVersion: value = 2
[1026] Binding as asa_ldap_auth
[1026] Performing Simple authentication for asa_ldap_auth to 10.0.0.3
[1026] LDAP Search:
        Base DN = [ou="AD Client", dc=client, dc=com, dc=uy]
        Filter = [sAMAccountName=cisco]
        Scope   = [SUBTREE]
[1026] User DN = [CN=cisco cisco,OU=Computacion,OU=AD Client,DC=client,DC=com,DC=uy]
[1026] Talking to Active Directory server 10.0.0.3
[1026] Reading password policy for cisco, dn:CN=cisco cisco,OU=Computacion,OU=AD Client,DC=client,DC=com,DC=uy
[1026] Read bad password count 0
[1026] Binding as cisco
[1026] Performing Simple authentication for cisco to 10.0.0.3
[1026] Processing LDAP response for user cisco
[1026] Message (cisco):
[1026] Checking password policy
[1026] Authentication successful for cisco to 10.0.0.3
[1026] Retrieved User Attributes:
[1026] objectClass: value = top
[1026] objectClass: value = person
[1026] objectClass: value = organizationalPerson
[1026] objectClass: value = user
[1026] cn: value = cisco cisco
[1026] sn: value = cisco
[1026] givenName: value = cisco
[1026] distinguishedName: value = CN=cisco cisco,OU=Computacion,OU=AD Client,DC=client,DC=com,DC=uy
[1026] instanceType: value = 4
[1026] whenCreated: value = 20101115105935.0Z
[1026] whenChanged: value = 20101129122027.0Z
[1026] displayName: value = cisco cisc
[1026] uSNCreated: value = 4392339
[1026] memberOf: value = CN=Computacion,OU=Computacion,OU=AD Client,DC=client,DC=com,DC=uy
[1026] uSNChanged: value = 4529311
[1026] name: value = cisco cisco
[1026] objectGUID: value = .._..Y.I..VgqU.p
[1026] userAccountControl: value = 512
[1026] badPwdCount: value = 0
[1026] codePage: value = 0
[1026] countryCode: value = 0
[1026] badPasswordTime: value = 0
[1026] lastLogoff: value = 0
[1026] lastLogon: value = 129350869389142699
[1026] pwdLastSet: value = 129342923756433259
[1026] primaryGroupID: value = 513
[1026] userParameters: value = m:                    d.
[1026] objectSid: value = ............*.7\..Pz..;+J...
[1026] accountExpires: value = 9223372036854775807
[1026] logonCount: value = 15
[1026] sAMAccountName: value = cisco
[1026] sAMAccountType: value = 805306368
[1026] userPrincipalName: value = cisco@client.com.uy
[1026] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=client,DC=com,DC=uy
[1026] msNPAllowDialin: value = FALSE
[1026]          mapped to Group-Policy: value = NOACCESS
[1026] lastLogonTimestamp: value = 129355068276222451
[1026] Fiber exit Tx=763 bytes Rx=2579 bytes, status=1
[1026] Session End

As you can see: the ASA receives the msNPAllowDialin in both cases but If the user in the AD doesn't have explicitly check the Allow or Deny attribute in his AD profile, the ASA doesn't receibe the msNPAllowDialin attribute from the LDAP server and the user is allowed to access the network due to there is no match defined to this case in the attribute-map.

My question is: how can I make a LDAP map attribute to represent an absent value in the parameters send from the LDAP server to the ASA? I want to know if there is a way to configure a wildcard condition under the ldap attribute-map to match everything less an specific condition.

Thanks for your help,

Herbert Baerten · ‎11-30-2010

Hi Guzman,

I think you're on the right track (and your first example should have worked as well, provided that you change the "cn" to "CN" in your attribute map etc as my colleague pointed out).

Since you have:

tunnel-group RemoteAccess general-attributes
default-group-policy NOACCESS

then users that do not get mapped to an existing group-policy, should use the default policy NOACCESS.

Are you saying this is not the case? Or did you change the above config?

Can you get the "debug ldap 255" as well as "debug crypto isakmp 10" for such a user, and also "show vpn-sessiondb remote filter name " when he is connected?

hth

Herbert

guzman.barrio · ‎12-01-2010

Herbert, thanks for your answer.

My problem is that ALL the users are being mapped to the default policy NOACCESS, even the ones that match the ldap correct attribute-map.

I made two tests, in the first case I used the following ASA configuration:

ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
domain-name test.com.uy
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 200.40.40.40 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.59.1.229 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name hb.com.uy
access-list inside_nat0_outbound extended permit ip any 10.59.2.0 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool Prueba_NT 10.59.2.1-10.59.2.14 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
ldap attribute-map member
map-name memberOf Group-Policy
map-value memberOf CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy Allow-Access
dynamic-access-policy-record DfltAccessPolicy
aaa-server WinNT protocol nt
aaa-server WinNT (inside) host 10.59.1.60
timeout 5
nt-auth-domain-controller waasmobile
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.59.1.60
ldap-base-dn dc=test, dc=com, dc=uy
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Administrator, cn=Users, dc=test, dc=com, dc=uy
server-type microsoft
ldap-attribute-map member
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
group-policy Allow-Access internal
group-policy Allow-Access attributes
dns-server value 10.59.1.3 10.1.0.120
vpn-tunnel-protocol IPSec
default-domain value test.com
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group VPN-Access type remote-access
tunnel-group VPN-Access general-attributes
address-pool Prueba_NT
authentication-server-group LDAP
tunnel-group VPN-Access ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:149e7395200967928760ed70af29d548
: end

As you can see, in the "tunnel-group VPN-Access general-attributes" I didn't configure a default policy then the ASA used the DfltGrpPolicy (that allow access to all type of users) when the user isn't in the right LDAP group. And an allowed user access, using the group-policy right properties, where the user is mapped from the correct LDAP group to the Allow-Access group-policy. Here are the debug captures:

Dec 01 12:50:43 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 854
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing SA payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ke payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ISA_KE payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing nonce payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, Received xauth V6 VID
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, Received DPD VID
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Fragmentation VID
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, Received NAT-Traversal ver 02 VID
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:50:43 [IKEv1]: IP = 200.40.40.61, Connection landed on tunnel_group VPN-Access
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing IKE SA payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ISAKMP SA payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ke payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing nonce payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Generating keys for Responder...
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing hash payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Cisco Unity VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing xauth V6 VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing dpd vid payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Traversal VID ver 02 payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Fragmentation VID + extended capabilities payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 01 12:50:43 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Dec 01 12:50:43 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing hash payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing notify payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:50:43 [IKEv1]: Group = VPN-Access, IP = 200.40.40.61, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:50:43 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:50:43 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=d7758d48) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Dec 01 12:50:49 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=d7758d48) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 12:50:49 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:50:49 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[21] Session Start
[21] New request Session, context 0xd7b91748, reqType = Authentication
[21] Fiber started
[21] Creating LDAP context with uri=ldap://10.59.1.60:389
[21] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[21] supportedLDAPVersion: value = 3
[21] supportedLDAPVersion: value = 2
[21] Binding as Administrator
[21] Performing Simple authentication for Administrator to 10.59.1.60
[21] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico2]
        Scope   = [SUBTREE]
[21] User DN = [CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy]
[21] Talking to Active Directory server 10.59.1.60
[21] Reading password policy for tecnico2, dn:CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[21] Read bad password count 0
[21] Binding as tecnico2
[21] Performing Simple authentication for tecnico2 to 10.59.1.60
[21] Processing LDAP response for user tecnico2
[21] Message (tecnico2):
[21] Authentication successful for tecnico2 to 10.59.1.60
[21] Retrieved User Attributes:
[21]    objectClass: value = top
[21]    objectClass: value = person
[21]    objectClass: value = organizationalPerson
[21]    objectClass: value = user
[21]    cn: value = tecnico2
[21]    givenName: value = tecnico2
[21]    distinguishedName: value = CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[21]    instanceType: value = 4
[21]    whenCreated: value = 20100813180305.0Z
[21]    whenChanged: value = 20101201131638.0Z
[21]    displayName: value = tecnico2
[21]    uSNCreated: value = 28717
[21]    memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[21]            mapped to Group-Policy: value = CN=soporte,DC=test,DC=com,DC=uy
[21]            mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[21]    uSNChanged: value = 94358
[21]    name: value = tecnico2
[21]    objectGUID: value = 8R.:.L.L.\.s....
[21]    userAccountControl: value = 66048
[21]    badPwdCount: value = 0
[21]    codePage: value = 0
[21]    countryCode: value = 0
[21]    badPasswordTime: value = 129344820578485000
[21]    lastLogoff: value = 0
[21]    lastLogon: value = 129344820762703750
[21]    pwdLastSet: value = 129343856087235000
[21]    primaryGroupID: value = 513
[21]    userParameters: value = m:                    d.
[21]    objectSid: value = .............X......\%.8`...
[21]    accountExpires: value = 9223372036854775807
[21]    logonCount: value = 3
[21]    sAMAccountName: value = tecnico2
[21]    sAMAccountType: value = 805306368
[21]    userPrincipalName: value = tecnico2@test.com.uy
[21]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[21]    msNPAllowDialin: value = FALSE
[21]    lastLogonTimestamp: value = 129356829987391250
[21] Fiber exit Tx=571 bytes Rx=2607 bytes, status=1
[21] Session End
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: primary DNS = cleared
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: secondary DNS = cleared
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: primary WINS = cleared
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: secondary WINS = cleared
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: IP Compression = disabled
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, User (tecnico2) authenticated.
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=9a76dfe6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=9a76dfe6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Processing cfg ACK attributes
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=d77426c6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 186
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Processing cfg Request attributes
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for IPV4 address!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for IPV4 net mask!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for DNS server address!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for WINS server address!
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received unsupported transaction mode attribute: 5
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Banner!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Save PW setting!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Default Domain Name!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Split Tunnel List!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Split DNS!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for PFS setting!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Client Browser Proxy Setting!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for backup ip-sec peer list!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for Application Version!
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Client Type: WinNT Client Application Version: 5.0.07.0290
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for FWTYPE!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for DHCP hostname for DDNS is: test-PC!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, MODE_CFG: Received request for UDP Port!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Obtained IP addr (10.59.2.1) prior to initiating Mode Cfg (XAuth enabled)
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Sending subnet mask (255.255.255.240) to remote client
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Assigned private IP address 10.59.2.1 to remote user
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Send Client Browser Proxy Attributes!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Send Cisco Smartcard Removal Disconnect enable!!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=d77426c6) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 174
Dec 01 12:50:52 [IKEv1 DECODE]: IP = 200.40.40.61, IKE Responder starting QM: msg id = e12a0835
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, PHASE 1 COMPLETED
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, Keep-alive type for this connection: DPD
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Starting P1 rekey timer: 82080 seconds.
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, sending notify message
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=c2242dc9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=e12a0835) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing SA payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing nonce payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing ID payload
Dec 01 12:50:52 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, ID_IPV4_ADDR ID received
10.59.2.1
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received remote Proxy Host data in ID Payload: Address 10.59.2.1, Protocol 0, Port 0
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing ID payload
Dec 01 12:50:52 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, QM IsRekeyed old sa not found by addr
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing IPSec SA payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IPSec SA Proposal # 8, Transform # 1 acceptable Matches global IPSec SA entry # 65535
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE: requesting SPI!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE got SPI from key engine: SPI = 0x1671e4c9
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, oakley constucting quick mode
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing IPSec SA payload
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing IPSec nonce payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing proxy ID
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Transmitting Proxy Id:
Remote host: 10.59.2.1 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Sending RESPONDER LIFETIME notification to Initiator
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:50:52 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE Responder sending 2nd QM pkt: msg id = e12a0835
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=e12a0835) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Dec 01 12:50:52 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=e12a0835) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, loading all IPSEC SAs
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Generating Quick Mode Key!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=d804a6d8; rule=00000000
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Generating Quick Mode Key!
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=d804a6d8; rule=00000000
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Security negotiation complete for User (tecnico2) Responder, Inbound SPI = 0x1671e4c9, Outbound SPI = 0xd978f3a7
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE got a KEY_ADD msg for SA: SPI = 0xd978f3a7
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Pitcher: received KEY_UPDATE, spi 0x1671e4c9
Dec 01 12:50:52 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Starting P2 rekey timer: 27360 seconds.
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Adding static route for client address: 10.59.2.1
Dec 01 12:50:52 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, PHASE 2 COMPLETED (msgid=e12a0835)
Dec 01 12:51:02 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=ee89c5a1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing notify payload
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x4d87eb79)
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d87eb79)
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:02 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=ec835364) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

ciscoasa# Dec 01 12:51:12 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=9a7980b9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing notify payload
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x4d87eb7a)
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d87eb7a)
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:12 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=24fa2d42) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

ciscoasa# show vpn-sessiondb remote filter name tecnico2

Session Type: IPsec

Username     : tecnico2               Index        : 5
Assigned IP : 10.59.2.1              Public IP    : 200.40.40.61
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 28209
Group Policy : DfltGrpPolicy          Tunnel Group : VPN-Access
Login Time   : 12:50:43 UTC Wed Dec 1 2010
Duration     : 0h:00m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ciscoasa# Dec 01 12:51:23 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=a28ce7b0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing notify payload
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x4d87eb7b)
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d87eb7b)
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:23 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=21dce641) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:51:25 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=81bd3649) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, processing delete
Dec 01 12:51:25 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Connection terminated for peer tecnico2. Reason: Peer Terminate Remote Proxy 10.59.2.1, Local Proxy 0.0.0.0
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Active unit receives a delete event for remote peer 200.40.40.61.

Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE Deleting SA: Remote Proxy 10.59.2.1, Local Proxy 0.0.0.0
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE SA AM:ab2a9fc1 rcv'd Terminate: state AM_ACTIVE flags 0x0861d041, refcnt 1, tuncnt 0
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE SA AM:ab2a9fc1 terminating: flags 0x0961d001, refcnt 0, tuncnt 0
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, sending delete/delete with reason message
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing IKE delete payload
Dec 01 12:51:25 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:25 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=810818ad) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 01 12:51:25 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x1671e4c9
Dec 01 12:51:25 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x1671e4c9
Dec 01 12:51:25 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Session is being torn down. Reason: User Requested
Dec 01 12:51:25 [IKEv1]: Ignoring msg to mark SA with dsID 20480 dead because SA deleted
Dec 01 12:51:25 [IKEv1]: IP = 200.40.40.61, Received encrypted packet with no matching SA, dropping

ciscoasa# Dec 01 12:51:37 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 854
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing SA payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ke payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ISA_KE payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing nonce payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, Received xauth V6 VID
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, Received DPD VID
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Fragmentation VID
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, Received NAT-Traversal ver 02 VID
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:51:37 [IKEv1]: IP = 200.40.40.61, Connection landed on tunnel_group VPN-Access
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing IKE SA payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ISAKMP SA payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ke payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing nonce payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Generating keys for Responder...
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing hash payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Cisco Unity VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing xauth V6 VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing dpd vid payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Traversal VID ver 02 payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Fragmentation VID + extended capabilities payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing VID payload
Dec 01 12:51:37 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 01 12:51:37 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Dec 01 12:51:38 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing notify payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:51:38 [IKEv1]: Group = VPN-Access, IP = 200.40.40.61, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:38 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:38 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=69d30f5f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Dec 01 12:51:46 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=69d30f5f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[23] Session Start
[23] New request Session, context 0xd7b91748, reqType = Authentication
[23] Fiber started
[23] Creating LDAP context with uri=ldap://10.59.1.60:389
[23] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[23] supportedLDAPVersion: value = 3
[23] supportedLDAPVersion: value = 2
[23] Binding as Administrator
[23] Performing Simple authentication for Administrator to 10.59.1.60
[23] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico1]
        Scope   = [SUBTREE]
[23] User DN = [CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy]
[23] Talking to Active Directory server 10.59.1.60
[23] Reading password policy for tecnico1, dn:CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[23] Read bad password count 0
[23] Binding as tecnico1
[23] Performing Simple authentication for tecnico1 to 10.59.1.60
[23] Processing LDAP response for user tecnico1
[23] Message (tecnico1):
[23] Authentication successful for tecnico1 to 10.59.1.60
[23] Retrieved User Attributes:
[23]    objectClass: value = top
[23]    objectClass: value = person
[23]    objectClass: value = organizationalPerson
[23]    objectClass: value = user
[23]    cn: value = tecnico1
[23]    givenName: value = tecnico1
[23]    distinguishedName: value = CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[23]    instanceType: value = 4
[23]    whenCreated: value = 20100813180216.0Z
[23]    whenChanged: value = 20101201131651.0Z
[23]    displayName: value = tecnico1
[23]    uSNCreated: value = 28706
[23]    memberOf: value = CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy
[23]            mapped to Group-Policy: value = Allow-Access
[23]            mapped to LDAP-Class: value = Allow-Access
[23]    memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[23]            mapped to Group-Policy: value = CN=soporte,DC=test,DC=com,DC=uy
[23]            mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[23]    memberOf: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[23]            mapped to Group-Policy: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[23]            mapped to LDAP-Class: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[23]    uSNChanged: value = 94359
[23]    name: value = tecnico1
[23]    objectGUID: value = ^;>.'..E./T4H...
[23]    userAccountControl: value = 66048
[23]    badPwdCount: value = 0
[23]    codePage: value = 0
[23]    countryCode: value = 0
[23]    badPasswordTime: value = 129343952572078750
[23]    lastLogoff: value = 0
[23]    lastLogon: value = 129343952638172500
[23]    pwdLastSet: value = 129343765648016250
[23]    primaryGroupID: value = 513
[23]    userParameters: value = m:                    d.                        P....CtxCfgPresent..............
[23]    objectSid: value = .............X......\%.8_...
[23]    accountExpires: value = 9223372036854775807
[23]    logonCount: value = 28
[23]    sAMAccountName: value = tecnico1
[23]    sAMAccountType: value = 805306368
[23]    userPrincipalName: value = tecnico1@test.com.uy
[23]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[23]    msNPAllowDialin: value = TRUE
[23]    dSCorePropagationData: value = 20101117151522.0Z
[23]    dSCorePropagationData: value = 20101117151522.0Z
[23]    dSCorePropagationData: value = 20101117151522.0Z
[23]    dSCorePropagationData: value = 20101116140935.0Z
[23]    dSCorePropagationData: value = 16020131235128.0Z
[23]    lastLogonTimestamp: value = 129356830114110000
[23] Fiber exit Tx=571 bytes Rx=2960 bytes, status=1
[23] Session End
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: primary DNS = 10.59.1.3
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: secondary DNS = 10.1.0.120
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: primary WINS = cleared
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: secondary WINS = cleared
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: default domain = test.com
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: IP Compression = disabled
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Dec 01 12:51:46 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, User (tecnico1) authenticated.
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:46 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=11f8aede) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Dec 01 12:51:46 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=11f8aede) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Processing cfg ACK attributes
Dec 01 12:51:46 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=a67b0834) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 186
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Processing cfg Request attributes
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for IPV4 address!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for IPV4 net mask!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for DNS server address!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for WINS server address!
Dec 01 12:51:46 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received unsupported transaction mode attribute: 5
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Banner!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Save PW setting!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Default Domain Name!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Split Tunnel List!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Split DNS!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for PFS setting!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Client Browser Proxy Setting!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for backup ip-sec peer list!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for Application Version!
Dec 01 12:51:46 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Client Type: WinNT Client Application Version: 5.0.07.0290
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for FWTYPE!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for DHCP hostname for DDNS is: test-PC!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, MODE_CFG: Received request for UDP Port!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Obtained IP addr (10.59.2.1) prior to initiating Mode Cfg (XAuth enabled)
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Sending subnet mask (255.255.255.240) to remote client
Dec 01 12:51:46 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Assigned private IP address 10.59.2.1 to remote user
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, construct_cfg_set: default domain = test.com
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Send Client Browser Proxy Attributes!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Send Cisco Smartcard Removal Disconnect enable!!
Dec 01 12:51:46 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:46 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=a67b0834) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 202
Dec 01 12:51:47 [IKEv1 DECODE]: IP = 200.40.40.61, IKE Responder starting QM: msg id = ecfeeeba
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, PHASE 1 COMPLETED
Dec 01 12:51:47 [IKEv1]: IP = 200.40.40.61, Keep-alive type for this connection: DPD
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Starting P1 rekey timer: 82080 seconds.
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, sending notify message
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:47 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=57b9cfb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Dec 01 12:51:47 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=ecfeeeba) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing SA payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing nonce payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing ID payload
Dec 01 12:51:47 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, ID_IPV4_ADDR ID received
10.59.2.1
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received remote Proxy Host data in ID Payload: Address 10.59.2.1, Protocol 0, Port 0
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing ID payload
Dec 01 12:51:47 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, QM IsRekeyed old sa not found by addr
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing IPSec SA payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IPSec SA Proposal # 8, Transform # 1 acceptable Matches global IPSec SA entry # 65535
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE: requesting SPI!
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE got SPI from key engine: SPI = 0x6427c16d
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, oakley constucting quick mode
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing IPSec SA payload
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing IPSec nonce payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing proxy ID
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Transmitting Proxy Id:
Remote host: 10.59.2.1 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Sending RESPONDER LIFETIME notification to Initiator
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:47 [IKEv1 DECODE]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE Responder sending 2nd QM pkt: msg id = ecfeeeba
Dec 01 12:51:47 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=ecfeeeba) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Dec 01 12:51:47 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=ecfeeeba) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, loading all IPSEC SAs
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Generating Quick Mode Key!
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=d804a6d8; rule=00000000
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Generating Quick Mode Key!
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=d804a6d8; rule=00000000
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Security negotiation complete for User (tecnico1) Responder, Inbound SPI = 0x6427c16d, Outbound SPI = 0x447190ba
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE got a KEY_ADD msg for SA: SPI = 0x447190ba
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Pitcher: received KEY_UPDATE, spi 0x6427c16d
Dec 01 12:51:47 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Starting P2 rekey timer: 27360 seconds.
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Adding static route for client address: 10.59.2.1
Dec 01 12:51:47 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, PHASE 2 COMPLETED (msgid=ecfeeeba)
Dec 01 12:51:57 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=1b9e1152) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing notify payload
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x8215eda5)
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x8215eda5)
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:51:57 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:51:57 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=c68fdcb8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:52:07 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=6622c9be) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing notify payload
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x8215eda6)
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x8215eda6)
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:52:07 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:52:07 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=36933657) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

ciscoasa# show vpn-sessiondb remote filter name tecnico1

Session Type: IPsec

Username     : tecnico1               Index        : 6
Assigned IP : 10.59.2.1              Public IP    : 200.40.40.61
Protocol     : IKE IPsec
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 27265
Group Policy : Allow-Access           Tunnel Group : VPN-Access
Login Time   : 12:51:38 UTC Wed Dec 1 2010
Duration     : 0h:00m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ciscoasa# Dec 01 12:52:17 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=b5a6bb7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing notify payload
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Received keep-alive of type DPD R-U-THERE (seq number 0x8215eda7)
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x8215eda7)
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:52:17 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:52:17 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=326aab25) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Dec 01 12:52:23 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=b227fd3e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing hash payload
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, processing delete
Dec 01 12:52:23 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Connection terminated for peer tecnico1. Reason: Peer Terminate Remote Proxy 10.59.2.1, Local Proxy 0.0.0.0
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Active unit receives a delete event for remote peer 200.40.40.61.

Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE Deleting SA: Remote Proxy 10.59.2.1, Local Proxy 0.0.0.0
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE SA AM:3d7d6b46 rcv'd Terminate: state AM_ACTIVE flags 0x0861d041, refcnt 1, tuncnt 0
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE SA AM:3d7d6b46 terminating: flags 0x0961d001, refcnt 0, tuncnt 0
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, sending delete/delete with reason message
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing IKE delete payload
Dec 01 12:52:23 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:52:23 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=5988faaf) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 01 12:52:23 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x6427c16d
Dec 01 12:52:23 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x6427c16d
Dec 01 12:52:23 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Session is being torn down. Reason: User Requested
Dec 01 12:52:23 [IKEv1]: Ignoring msg to mark SA with dsID 24576 dead because SA deleted
Dec 01 12:52:23 [IKEv1]: IP = 200.40.40.61, Received encrypted packet with no matching SA, dropping

In this case both users (tecnico1 and tecnico2) were allowed to access but only tecnico1 must be validated.

If I configure in the "tunnel-group VPN-Access general-attributes" the default group policy NOACCESS, all the users are rejected (even tecnico1 that must be allowed). Here are the captures from the debug commands:

ciscoasa# conf t
ciscoasa(config)# tunnel-group VPN-Access general-attributes
ciscoasa(config-tunnel-general)# def
ciscoasa(config-tunnel-general)# default-group-policy NOACCESS
ciscoasa(config-tunnel-general)#
ciscoasa# Dec 01 12:53:58 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 854
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing SA payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ke payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ISA_KE payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing nonce payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, Received xauth V6 VID
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, Received DPD VID
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Fragmentation VID
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, Received NAT-Traversal ver 02 VID
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:53:58 [IKEv1]: IP = 200.40.40.61, Connection landed on tunnel_group VPN-Access
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing IKE SA payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ISAKMP SA payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ke payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing nonce payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Generating keys for Responder...
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing hash payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Cisco Unity VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing xauth V6 VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing dpd vid payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Traversal VID ver 02 payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Fragmentation VID + extended capabilities payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 01 12:53:58 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Dec 01 12:53:58 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing hash payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing notify payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 12:53:58 [IKEv1]: Group = VPN-Access, IP = 200.40.40.61, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:53:58 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:53:58 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=fceec8e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Dec 01 12:54:02 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=fceec8e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 12:54:02 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:54:02 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[26] Session Start
[26] New request Session, context 0xd7b91748, reqType = Authentication
[26] Fiber started
[26] Creating LDAP context with uri=ldap://10.59.1.60:389
[26] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[26] supportedLDAPVersion: value = 3
[26] supportedLDAPVersion: value = 2
[26] Binding as Administrator
[26] Performing Simple authentication for Administrator to 10.59.1.60
[26] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico1]
        Scope   = [SUBTREE]
[26] User DN = [CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy]
[26] Talking to Active Directory server 10.59.1.60
[26] Reading password policy for tecnico1, dn:CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[26] Read bad password count 0
[26] Binding as tecnico1
[26] Performing Simple authentication for tecnico1 to 10.59.1.60
[26] Processing LDAP response for user tecnico1
[26] Message (tecnico1):
[26] Authentication successful for tecnico1 to 10.59.1.60
[26] Retrieved User Attributes:
[26]    objectClass: value = top
[26]    objectClass: value = person
[26]    objectClass: value = organizationalPerson
[26]    objectClass: value = user
[26]    cn: value = tecnico1
[26]    givenName: value = tecnico1
[26]    distinguishedName: value = CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[26]    instanceType: value = 4
[26]    whenCreated: value = 20100813180216.0Z
[26]    whenChanged: value = 20101201131651.0Z
[26]    displayName: value = tecnico1
[26]    uSNCreated: value = 28706
[26]    memberOf: value = CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy
[26]            mapped to Group-Policy: value = Allow-Access
[26]            mapped to LDAP-Class: value = Allow-Access
[26]    memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[26]            mapped to Group-Policy: value = CN=soporte,DC=test,DC=com,DC=uy
[26]            mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[26]    memberOf: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[26]            mapped to Group-Policy: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[26]            mapped to LDAP-Class: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[26]    uSNChanged: value = 94359
[26]    name: value = tecnico1
[26]    objectGUID: value = ^;>.'..E./T4H...
[26]    userAccountControl: value = 66048
[26]    badPwdCount: value = 0
[26]    codePage: value = 0
[26]    countryCode: value = 0
[26]    badPasswordTime: value = 129343952572078750
[26]    lastLogoff: value = 0
[26]    lastLogon: value = 129343952638172500
[26]    pwdLastSet: value = 129343765648016250
[26]    primaryGroupID: value = 513
[26]    userParameters: value = m:                    d.                        P....CtxCfgPresent..............
[26]    objectSid: value = .............X......\%.8_...
[26]    accountExpires: value = 9223372036854775807
[26]    logonCount: value = 28
[26]    sAMAccountName: value = tecnico1
[26]    sAMAccountType: value = 805306368
[26]    userPrincipalName: value = tecnico1@test.com.uy
[26]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[26]    msNPAllowDialin: value = TRUE
[26]    dSCorePropagationData: value = 20101117151522.0Z
[26]    dSCorePropagationData: value = 20101117151522.0Z
[26]    dSCorePropagationData: value = 20101117151522.0Z
[26]    dSCorePropagationData: value = 20101116140935.0Z
[26]    dSCorePropagationData: value = 16020131235128.0Z
[26]    lastLogonTimestamp: value = 129356830114110000
[26] Fiber exit Tx=571 bytes Rx=2960 bytes, status=1
[26] Session End
Dec 01 12:54:02 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 01 12:54:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:54:02 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:54:02 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=21820a03) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97

ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# Dec 01 12:54:15 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=21820a03) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 12:54:15 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:54:15 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[29] Session Start
[29] New request Session, context 0xd7b91748, reqType = Authentication
[29] Fiber started
[29] Creating LDAP context with uri=ldap://10.59.1.60:389
[29] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[29] supportedLDAPVersion: value = 3
[29] supportedLDAPVersion: value = 2
[29] Binding as Administrator
[29] Performing Simple authentication for Administrator to 10.59.1.60
[29] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico2]
        Scope   = [SUBTREE]
[29] User DN = [CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy]
[29] Talking to Active Directory server 10.59.1.60
[29] Reading password policy for tecnico2, dn:CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[29] Read bad password count 0
[29] Binding as tecnico2
[29] Performing Simple authentication for tecnico2 to 10.59.1.60
[29] Processing LDAP response for user tecnico2
[29] Message (tecnico2):
[29] Authentication successful for tecnico2 to 10.59.1.60
[29] Retrieved User Attributes:
[29]    objectClass: value = top
[29]    objectClass: value = person
[29]    objectClass: value = organizationalPerson
[29]    objectClass: value = user
[29]    cn: value = tecnico2
[29]    givenName: value = tecnico2
[29]    distinguishedName: value = CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[29]    instanceType: value = 4
[29]    whenCreated: value = 20100813180305.0Z
[29]    whenChanged: value = 20101201131638.0Z
[29]    displayName: value = tecnico2
[29]    uSNCreated: value = 28717
[29]    memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[29]            mapped to Group-Policy: value = CN=soporte,DC=test,DC=com,DC=uy
[29]            mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[29]    uSNChanged: value = 94358
[29]    name: value = tecnico2
[29]    objectGUID: value = 8R.:.L.L.\.s....
[29]    userAccountControl: value = 66048
[29]    badPwdCount: value = 0
[29]    codePage: value = 0
[29]    countryCode: value = 0
[29]    badPasswordTime: value = 129344820578485000
[29]    lastLogoff: value = 0
[29]    lastLogon: value = 129344820762703750
[29]    pwdLastSet: value = 129343856087235000
[29]    primaryGroupID: value = 513
[29]    userParameters: value = m:                    d.
[29]    objectSid: value = .............X......\%.8`...
[29]    accountExpires: value = 9223372036854775807
[29]    logonCount: value = 3
[29]    sAMAccountName: value = tecnico2
[29]    sAMAccountType: value = 805306368
[29]    userPrincipalName: value = tecnico2@test.com.uy
[29]    objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[29]    msNPAllowDialin: value = FALSE
[29]    lastLogonTimestamp: value = 129356829987391250
[29] Fiber exit Tx=571 bytes Rx=2607 bytes, status=1
[29] Session End
Dec 01 12:54:15 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 01 12:54:15 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:54:15 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:54:15 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=b26b55ca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97
Dec 01 12:54:22 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=b26b55ca) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.
Dec 01 12:54:22 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Error processing payload: Payload ID: 14
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE TM V6 FSM error history (struct &0xd779e1f8) , : TM_DONE, EV_ERROR-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG-->TM_WAIT_REPLY, EV_DECRYPT_OK-->TM_WAIT_REPLY, NullEvent
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE AM Responder FSM error history (struct &0xd5f105b0) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, IKE SA AM:6a7c6581 terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, sending delete/delete with reason message
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing IKE delete payload
Dec 01 12:54:22 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 12:54:22 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=687f493f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 01 12:54:22 [IKEv1]: IP = 200.40.40.61, Received encrypted packet with no matching SA, dropping

ciscoasa# sh debug
debug ldap enabled at level 255
debug crypto isakmp enabled at level 10

My conclusion is: that the ASA is mapping the allowed users to the right group-policy (Allow-Access) but isn't applying it to the VPN session because allways use the default-policy-group in the tunnel-group. Can this be solved in any way?

Thanks,

Guzmán

Herbert Baerten · ‎12-01-2010

Hi Guzman,

I think I spotted the problem:

ldap attribute-map member
  map-name  memberOf Group-Policy

should be

ldap attribute-map member
map-name memberOf IETF-Radius-Class

(and so you are right, the default policy was always applied because it was never overridden by the atrribute-map. With the above correction the IETF-Radius-Class will override the default policy)

hth

Herbert

guzman.barrio · ‎12-01-2010

Herbert, I've used the parameter Group-Policy due to I found it in Cisco documentation. I've read that it substitute the old keyword IETF-Radius-Class in versions 8.2 and higher.

Still I've made the configuration change that you suggest and the result is the same that in the previous post:

ciscoasa# sh run ldap
ldap attribute-map member
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy Allow-Access
ciscoasa# sh deb
ciscoasa# sh debug
debug ldap enabled at level 255
debug crypto isakmp enabled at level 10
ciscoasa# sh run tunn
ciscoasa# sh run tunnel-group
tunnel-group VPN-Access type remote-access
tunnel-group VPN-Access general-attributes
address-pool Prueba_NT
authentication-server-group LDAP
default-group-policy NOACCESS
tunnel-group VPN-Access ipsec-attributes
pre-shared-key *****
ciscoasa# sh run group-po
ciscoasa# sh run group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy Allow-Access internal
group-policy Allow-Access attributes
dns-server value 10.59.1.3 10.1.0.120
vpn-tunnel-protocol IPSec
default-domain value test.com
ciscoasa# Dec 01 16:47:05 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 854
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing SA payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ke payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ISA_KE payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing nonce payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, Received xauth V6 VID
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, Received DPD VID
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Fragmentation VID
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, Received NAT-Traversal ver 02 VID
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 16:47:05 [IKEv1]: IP = 200.40.40.61, Connection landed on tunnel_group VPN-Access
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing IKE SA payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ISAKMP SA payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ke payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing nonce payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Generating keys for Responder...
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing hash payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Cisco Unity VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing xauth V6 VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing dpd vid payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Traversal VID ver 02 payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Fragmentation VID + extended capabilities payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing VID payload
Dec 01 16:47:05 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 01 16:47:05 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Dec 01 16:47:06 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing hash payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing notify payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Received Cisco Unity client VID
Dec 01 16:47:06 [IKEv1]: Group = VPN-Access, IP = 200.40.40.61, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing blank hash payload
Dec 01 16:47:06 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing qm hash payload
Dec 01 16:47:06 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=127c9463) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Dec 01 16:47:12 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=127c9463) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 16:47:12 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 16:47:12 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[2] Session Start
[2] New request Session, context 0xd7b91748, reqType = Authentication
[2] Fiber started
[2] Creating LDAP context with uri=ldap://10.59.1.60:389
[2] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[2] defaultNamingContext: value = DC=test,DC=com,DC=uy
[2] supportedLDAPVersion: value = 3
[2] supportedLDAPVersion: value = 2
[2] supportedSASLMechanisms: value = GSSAPI
[2] supportedSASLMechanisms: value = GSS-SPNEGO
[2] supportedSASLMechanisms: value = EXTERNAL
[2] supportedSASLMechanisms: value = DIGEST-MD5
[2] Binding as Administrator
[2] Performing Simple authentication for Administrator to 10.59.1.60
[2] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico2]
        Scope   = [SUBTREE]
[2] User DN = [CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy]
[2] Talking to Active Directory server 10.59.1.60
[2] Reading password policy for tecnico2, dn:CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[2] Read bad password count 0
[2] Binding as tecnico2
[2] Performing Simple authentication for tecnico2 to 10.59.1.60
[2] Processing LDAP response for user tecnico2
[2] Message (tecnico2):
[2] Authentication successful for tecnico2 to 10.59.1.60
[2] Retrieved User Attributes:
[2]     objectClass: value = top
[2]     objectClass: value = person
[2]     objectClass: value = organizationalPerson
[2]     objectClass: value = user
[2]     cn: value = tecnico2
[2]     givenName: value = tecnico2
[2]     distinguishedName: value = CN=tecnico2,CN=Users,DC=test,DC=com,DC=uy
[2]     instanceType: value = 4
[2]     whenCreated: value = 20100813180305.0Z
[2]     whenChanged: value = 20101201131638.0Z
[2]     displayName: value = tecnico2
[2]     uSNCreated: value = 28717
[2]     memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[2]             mapped to IETF-Radius-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[2]             mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[2]     uSNChanged: value = 94358
[2]     name: value = tecnico2
[2]     objectGUID: value = 8R.:.L.L.\.s....
[2]     userAccountControl: value = 66048
[2]     badPwdCount: value = 0
[2]     codePage: value = 0
[2]     countryCode: value = 0
[2]     badPasswordTime: value = 129344820578485000
[2]     lastLogoff: value = 0
[2]     lastLogon: value = 129344820762703750
[2]     pwdLastSet: value = 129343856087235000
[2]     primaryGroupID: value = 513
[2]     userParameters: value = m:                    d.
[2]     objectSid: value = .............X......\%.8`...
[2]     accountExpires: value = 9223372036854775807
[2]     logonCount: value = 3
[2]     sAMAccountName: value = tecnico2
[2]     sAMAccountType: value = 805306368
[2]     userPrincipalName: value = tecnico2@test.com.uy
[2]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[2]     msNPAllowDialin: value = FALSE
[2]     lastLogonTimestamp: value = 129356829987391250
[2] Fiber exit Tx=571 bytes Rx=2607 bytes, status=1
[2] Session End
Dec 01 16:47:14 [IKEv1]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 01 16:47:14 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing blank hash payload
Dec 01 16:47:14 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, constructing qm hash payload
Dec 01 16:47:14 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=c262c842) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97

ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# Dec 01 16:47:30 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=c262c842) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Dec 01 16:47:30 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 16:47:30 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico2, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[4] Session Start
[4] New request Session, context 0xd7b91748, reqType = Authentication
[4] Fiber started
[4] Creating LDAP context with uri=ldap://10.59.1.60:389
[4] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[4] supportedLDAPVersion: value = 3
[4] supportedLDAPVersion: value = 2
[4] Binding as Administrator
[4] Performing Simple authentication for Administrator to 10.59.1.60
[4] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=tecnico1]
        Scope   = [SUBTREE]
[4] User DN = [CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy]
[4] Talking to Active Directory server 10.59.1.60
[4] Reading password policy for tecnico1, dn:CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[4] Read bad password count 0
[4] Binding as tecnico1
[4] Performing Simple authentication for tecnico1 to 10.59.1.60
[4] Processing LDAP response for user tecnico1
[4] Message (tecnico1):
[4] Authentication successful for tecnico1 to 10.59.1.60
[4] Retrieved User Attributes:
[4]     objectClass: value = top
[4]     objectClass: value = person
[4]     objectClass: value = organizationalPerson
[4]     objectClass: value = user
[4]     cn: value = tecnico1
[4]     givenName: value = tecnico1
[4]     distinguishedName: value = CN=tecnico1,CN=Users,DC=test,DC=com,DC=uy
[4]     instanceType: value = 4
[4]     whenCreated: value = 20100813180216.0Z
[4]     whenChanged: value = 20101201131651.0Z
[4]     displayName: value = tecnico1
[4]     uSNCreated: value = 28706
[4]     memberOf: value = CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy
[4]             mapped to IETF-Radius-Class: value = Allow-Access
[4]             mapped to LDAP-Class: value = Allow-Access
[4]     memberOf: value = CN=soporte,DC=test,DC=com,DC=uy
[4]             mapped to IETF-Radius-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[4]             mapped to LDAP-Class: value = CN=soporte,DC=test,DC=com,DC=uy
[4]     memberOf: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[4]             mapped to IETF-Radius-Class: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[4]             mapped to LDAP-Class: value = CN=Remote Desktop Users,CN=Builtin,DC=test,DC=com,DC=uy
[4]     uSNChanged: value = 94359
[4]     name: value = tecnico1
[4]     objectGUID: value = ^;>.'..E./T4H...
[4]     userAccountControl: value = 66048
[4]     badPwdCount: value = 0
[4]     codePage: value = 0
[4]     countryCode: value = 0
[4]     badPasswordTime: value = 129343952572078750
[4]     lastLogoff: value = 0
[4]     lastLogon: value = 129343952638172500
[4]     pwdLastSet: value = 129343765648016250
[4]     primaryGroupID: value = 513
[4]     userParameters: value = m:                    d.                        P....CtxCfgPresent..............
[4]     objectSid: value = .............X......\%.8_...
[4]     accountExpires: value = 9223372036854775807
[4]     logonCount: value = 28
[4]     sAMAccountName: value = tecnico1
[4]     sAMAccountType: value = 805306368
[4]     userPrincipalName: value = tecnico1@test.com.uy
[4]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[4]     msNPAllowDialin: value = TRUE
[4]     dSCorePropagationData: value = 20101117151522.0Z
[4]     dSCorePropagationData: value = 20101117151522.0Z
[4]     dSCorePropagationData: value = 20101117151522.0Z
[4]     dSCorePropagationData: value = 20101116140935.0Z
[4]     dSCorePropagationData: value = 16020131235128.0Z
[4]     lastLogonTimestamp: value = 129356830114110000
[4] Fiber exit Tx=571 bytes Rx=2960 bytes, status=1
[4] Session End
Dec 01 16:47:30 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 01 16:47:30 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 16:47:30 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 16:47:30 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=ff57eafb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97
Dec 01 16:47:37 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=ff57eafb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, process_attr(): Enter!
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.
Dec 01 16:47:37 [IKEv1]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, Error processing payload: Payload ID: 14
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE TM V6 FSM error history (struct &0xd7b558b0) , : TM_DONE, EV_ERROR-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG-->TM_WAIT_REPLY, EV_DECRYPT_OK-->TM_WAIT_REPLY, NullEvent
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE AM Responder FSM error history (struct &0xd8195508) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, IKE SA AM:a35671e3 terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, sending delete/delete with reason message
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing blank hash payload
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing IKE delete payload
Dec 01 16:47:37 [IKEv1 DEBUG]: Group = VPN-Access, Username = tecnico1, IP = 200.40.40.61, constructing qm hash payload
Dec 01 16:47:37 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=35e2539e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 01 16:47:37 [IKEv1]: IP = 200.40.40.61, Received encrypted packet with no matching SA, dropping

You can see in this output that the problem is exactly the same with the new keyword. I'm thinking about a bug or a functionality limitation in the ASA.

Regards,

Guzmán

Herbert Baerten · ‎12-01-2010

I'm wondering if this is because the user is part of more than one AD group. Normally this should work if the first group returned by the LDAP server is the one used in the attribute map. But just to be sure could you remove the test user (or create another test user) from the soporte and "Remote Desktop Users" groups and see if that makes any difference?

guzman.barrio · ‎12-02-2010

Hi Herbert,

I've probed your suggestion and the result is the same, all the users fall to the default-policy NOACCESS. Here is the debug output:

ciscoasa# sh run ldap
ldap attribute-map member
map-name memberOf Group-Policy
map-value memberOf CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy Allow-Access
ciscoasa# sh run tunn
ciscoasa# sh run tunnel-group
tunnel-group VPN-Access type remote-access
tunnel-group VPN-Access general-attributes
address-pool Prueba_NT
authentication-server-group LDAP
default-group-policy NOACCESS
tunnel-group VPN-Access ipsec-attributes
pre-shared-key *****
ciscoasa# sh run group-pol
ciscoasa# sh run group-policy
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy Allow-Access internal
group-policy Allow-Access attributes
dns-server value 10.59.1.3 10.1.0.120
vpn-tunnel-protocol IPSec
default-domain value test.com
ciscoasa#
ciscoasa# debug ldap 255
debug ldap enabled at level 255
ciscoasa# debug cry isa 10
ciscoasa# sh debug
debug ldap enabled at level 255
debug crypto isakmp enabled at level 10
ciscoasa# Dec 02 12:11:01 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 854
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing SA payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ke payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ISA_KE payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing nonce payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing ID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, Received xauth V6 VID
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, Received DPD VID
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Fragmentation VID
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, IKE Peer included IKE fragmentation capability flags: Main Mode:        True Aggressive Mode: False
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, Received NAT-Traversal ver 02 VID
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: IP = 200.40.40.61, Received Cisco Unity client VID
Dec 02 12:11:01 [IKEv1]: IP = 200.40.40.61, Connection landed on tunnel_group VPN-Access
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing IKE SA payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ISAKMP SA payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ke payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing nonce payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Generating keys for Responder...
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing ID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing hash payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Cisco Unity VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing xauth V6 VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing dpd vid payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Traversal VID ver 02 payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing NAT-Discovery payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing Fragmentation VID + extended capabilities payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 02 12:11:01 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Dec 02 12:11:01 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing hash payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Computing hash for ISAKMP
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing notify payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing NAT-Discovery payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, computing NAT Discovery hash
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, processing VID payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Received Cisco Unity client VID
Dec 02 12:11:01 [IKEv1]: Group = VPN-Access, IP = 200.40.40.61, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing blank hash payload
Dec 02 12:11:01 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, constructing qm hash payload
Dec 02 12:11:01 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=56761fbb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Dec 02 12:11:11 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=56761fbb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 85
Dec 02 12:11:11 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, process_attr(): Enter!
Dec 02 12:11:11 [IKEv1 DEBUG]: Group = VPN-Access, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[2] Session Start
[2] New request Session, context 0xd7b91768, reqType = Authentication
[2] Fiber started
[2] Creating LDAP context with uri=ldap://10.59.1.60:389
[2] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[2] defaultNamingContext: value = DC=test,DC=com,DC=uy
[2] supportedLDAPVersion: value = 3
[2] supportedLDAPVersion: value = 2
[2] supportedSASLMechanisms: value = GSSAPI
[2] supportedSASLMechanisms: value = GSS-SPNEGO
[2] supportedSASLMechanisms: value = EXTERNAL
[2] supportedSASLMechanisms: value = DIGEST-MD5
[2] Binding as Administrator
[2] Performing Simple authentication for Administrator to 10.59.1.60
[2] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=test1]
        Scope   = [SUBTREE]
[2] User DN = [CN=test1,CN=Users,DC=test,DC=com,DC=uy]
[2] Talking to Active Directory server 10.59.1.60
[2] Reading password policy for test1, dn:CN=test1,CN=Users,DC=test,DC=com,DC=uy
[2] Read bad password count 0
[2] Binding as test1
[2] Performing Simple authentication for test1 to 10.59.1.60
[2] Processing LDAP response for user test1
[2] Message (test1):
[2] Authentication successful for test1 to 10.59.1.60
[2] Retrieved User Attributes:
[2]     objectClass: value = top
[2]     objectClass: value = person
[2]     objectClass: value = organizationalPerson
[2]     objectClass: value = user
[2]     cn: value = test1
[2]     givenName: value = test1
[2]     distinguishedName: value = CN=test1,CN=Users,DC=test,DC=com,DC=uy
[2]     instanceType: value = 4
[2]     whenCreated: value = 20101202122728.0Z
[2]     whenChanged: value = 20101202122728.0Z
[2]     displayName: value = test1
[2]     uSNCreated: value = 94365
[2]     memberOf: value = CN=VPN-USERS,CN=Users,DC=test,DC=com,DC=uy
[2]             mapped to Group-Policy: value = Allow-Access
[2]             mapped to LDAP-Class: value = Allow-Access
[2]     uSNChanged: value = 94371
[2]     name: value = test1
[2]     objectGUID: value = q}...u5H..t...%.
[2]     userAccountControl: value = 66048
[2]     badPwdCount: value = 0
[2]     codePage: value = 0
[2]     countryCode: value = 0
[2]     badPasswordTime: value = 0
[2]     lastLogoff: value = 0
[2]     lastLogon: value = 0
[2]     pwdLastSet: value = 129357664485985000
[2]     primaryGroupID: value = 513
[2]     objectSid: value = .............X......\%.8u...
[2]     accountExpires: value = 9223372036854775807
[2]     logonCount: value = 0
[2]     sAMAccountName: value = test1
[2]     sAMAccountType: value = 805306368
[2]     userPrincipalName: value = test1@test.com.uy
[2]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[2] Fiber exit Tx=562 bytes Rx=2391 bytes, status=1
[2] Session End
Dec 02 12:11:12 [IKEv1]: Group = VPN-Access, Username = test1, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 02 12:11:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = test1, IP = 200.40.40.61, constructing blank hash payload
Dec 02 12:11:12 [IKEv1 DEBUG]: Group = VPN-Access, Username = test1, IP = 200.40.40.61, constructing qm hash payload
Dec 02 12:11:12 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=bd364d8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97
Dec 02 12:11:24 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=bd364d8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 85
Dec 02 12:11:24 [IKEv1 DEBUG]: Group = VPN-Access, Username = test1, IP = 200.40.40.61, process_attr(): Enter!
Dec 02 12:11:24 [IKEv1 DEBUG]: Group = VPN-Access, Username = test1, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.

[5] Session Start
[5] New request Session, context 0xd7b91768, reqType = Authentication
[5] Fiber started
[5] Creating LDAP context with uri=ldap://10.59.1.60:389
[5] Connect to LDAP server: ldap://10.59.1.60:389, status = Successful
[5] supportedLDAPVersion: value = 3
[5] supportedLDAPVersion: value = 2
[5] Binding as Administrator
[5] Performing Simple authentication for Administrator to 10.59.1.60
[5] LDAP Search:
        Base DN = [dc=test, dc=com, dc=uy]
        Filter = [sAMAccountName=test2]
        Scope   = [SUBTREE]
[5] User DN = [CN=test2,CN=Users,DC=test,DC=com,DC=uy]
[5] Talking to Active Directory server 10.59.1.60
[5] Reading password policy for test2, dn:CN=test2,CN=Users,DC=test,DC=com,DC=uy
[5] Read bad password count 0
[5] Binding as test2
[5] Performing Simple authentication for test2 to 10.59.1.60
[5] Processing LDAP response for user test2
[5] Message (test2):
[5] Authentication successful for test2 to 10.59.1.60
[5] Retrieved User Attributes:
[5]     objectClass: value = top
[5]     objectClass: value = person
[5]     objectClass: value = organizationalPerson
[5]     objectClass: value = user
[5]     cn: value = test2
[5]     givenName: value = test2
[5]     distinguishedName: value = CN=test2,CN=Users,DC=test,DC=com,DC=uy
[5]     instanceType: value = 4
[5]     whenCreated: value = 20101202122755.0Z
[5]     whenChanged: value = 20101202122755.0Z
[5]     displayName: value = test2
[5]     uSNCreated: value = 94373
[5]     uSNChanged: value = 94379
[5]     name: value = test2
[5]     objectGUID: value = F.2.2..C.|.R}Z.1
[5]     userAccountControl: value = 66048
[5]     badPwdCount: value = 0
[5]     codePage: value = 0
[5]     countryCode: value = 0
[5]     badPasswordTime: value = 0
[5]     lastLogoff: value = 0
[5]     lastLogon: value = 0
[5]     pwdLastSet: value = 129357664759735000
[5]     primaryGroupID: value = 513
[5]     objectSid: value = .............X......\%.8v...
[5]     accountExpires: value = 9223372036854775807
[5]     logonCount: value = 0
[5]     sAMAccountName: value = test2
[5]     sAMAccountType: value = 805306368
[5]     userPrincipalName: value = test2@test.com.uy
[5]     objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=test,DC=com,DC=uy
[5] Fiber exit Tx=562 bytes Rx=2320 bytes, status=1
[5] Session End
Dec 02 12:11:24 [IKEv1]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, Login authentication failed due to max simultaneous-login restriction.
Dec 02 12:11:24 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, constructing blank hash payload
Dec 02 12:11:24 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, constructing qm hash payload
Dec 02 12:11:24 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=d6fed3c0) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 97
Dec 02 12:11:31 [IKEv1]: IP = 200.40.40.61, IKE_DECODE RECEIVED Message (msgid=d6fed3c0) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, process_attr(): Enter!
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, Processing MODE_CFG Reply attributes.
Dec 02 12:11:31 [IKEv1]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, Error processing payload: Payload ID: 14
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, IKE TM V6 FSM error history (struct &0xd5eab788) , : TM_DONE, EV_ERROR-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG-->TM_WAIT_REPLY, EV_DECRYPT_OK-->TM_WAIT_REPLY, NullEvent
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, IKE AM Responder FSM error history (struct &0xd5eab228) , : AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, IKE SA AM:c9d01986 terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, sending delete/delete with reason message
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, constructing blank hash payload
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, constructing IKE delete payload
Dec 02 12:11:31 [IKEv1 DEBUG]: Group = VPN-Access, Username = test2, IP = 200.40.40.61, constructing qm hash payload
Dec 02 12:11:31 [IKEv1]: IP = 200.40.40.61, IKE_DECODE SENDING Message (msgid=9c639b38) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 02 12:11:31 [IKEv1]: IP = 200.40.40.61, Received encrypted packet with no matching SA, dropping

I think that this works only if you have configured both conditions (allow and deny) and parameters to match in the answer from the LDAP server.

Regards,

Guzmán

Herbert Baerten · ‎12-03-2010

Guzman,

this should definitely work, i.e. the deny part is already working ok and the user that has the correct memberOf attribute should definitely get mapped to the Allow-Access policy and so should be allowed in.

I'm thinking of this being a bug as well, but I had a quick look and did not see anything matching, and if this were a bug in 8.2.3. then I would not expect you to be the first customer to experience this, so I'm still more inclined to think it is something in the config that we are overlooking (I know frome experience typo's can sometimes be extremely hard to spot).

Could you get "debug aaa common 255" as well please, maybe that will tell us something.

BTW, just to be sure: you did not configure anything (like vpn-simultaneous-logins) in the DfltGrpPolicy, did you? Just double checking since your Allow-Access policy would then inherit that.

Maybe as another test, explicitly configure a non-zero value for that parameter in the Allow-Access policy, i.e.

group-policy Allow-Access attrib

vpn-simultaneous-logins 10

Herbert

guzman.barrio · ‎12-03-2010

Hi Herbert,

It finaly works!!! You gave me the key to solve the problem.

There isn't a bug, is a configuration issue. You need to specify in the group-policy the amount of concurrent vpn sessions allowed to the clients. By default this paramenter isn't set in the new group-policy, then the ASA assumes a zero limit connection and rejects the users login.

When you set a value with the command vpn-simultaneous-logins to a number higher than 0 the solution starts to work and the correct users are allowed to access the network.

Thanks for your help in this case. I suppose this information must be published in the configuration guides to help another people with the same problem.

See you soon with another AAA issue .

Best regards,

Guzmán

Herbert Baerten · ‎12-08-2010

Hi Guzman,

thanks, I'm glad this helped. Just to be sure I double-checked, and this is indeed expected behavior.

I.e. attributes are taken from (in this order):

- the DAP policy

- user attributes pushed by the AAA server

- group-policy pushed by the AAA server

- group-policy defined in the tunnel-group

- DfltGrpPolicy

Looking forward to your next issue ;-)

cheers

Herbert

lus · ‎02-18-2011

Hello

This saved my day

group-policy Allow-Access attrib

vpn-simultaneous-logins 10

I was trying for days to get this working, this should really go in the config guide.

Thanks.

Lukas