10-27-2012 06:46 PM - edited 03-11-2019 05:15 PM
Hello All,
I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There are two networks that the ASA is connected to: the DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24). The external remote client will connect to the DMZ interface, and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortunately the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:
[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password ---------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password ---------------- encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f
: end
[/code]
Any help would be greatly appreciated!
10-30-2012 10:15 AM
Go to New
Connection entry : Just how you want to name it
host: DMZ ip address
Group authentication
Name: Tunnel-group of the ASA (NetworkRA)
Password: Preshared key
Remember to rate all of the helpful posts. If you do not know how to do it, just let me know and I will show you.
Regards,
Julio
10-27-2012 11:23 PM
Hello Nathan,
Can you run some debugs and let us have the outputs? What do the ASA logs say when you attempt to connect?
Also can you change the following:
no crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
Let me know the result,
Regards,
Julio
10-29-2012 05:36 AM
Thanks for that Julio!
I made the change of that command and here's the logging/debug for a connection attempt:
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 1566 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 1568 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1663 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host DMZ:74.125.227.20
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 372 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 46673
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcc051860)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
Let me know when you can.
Thanks!
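The debug output above carries the diagnosis in three lines: the client offered tunnel group 'user' (%ASA-4-713255), the ASA fell back to DefaultRAGroup, and the IKE aggressive-mode responder FSM errored out before the TCP flow was torn down. As an added example (not part of this thread and not Cisco's tooling), here is a small Python triage script that parses ASA syslog lines of this form, pulls the configured remote-access tunnel-groups out of a running-config snippet, and ranks the likely cause so the group-name mismatch is reported ahead of the teardown it causes. The sample log and config lines are copied from the posts above; the function names, the verdict wording and the treatment of DefaultRAGroup as an implicit fallback group are assumptions made here.

```python
import re

# Log lines copied from the debug output posted in this thread (one attempt,
# trimmed to the lines that carry the diagnosis).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 46673
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcc051860)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
"""

# Tunnel-group section copied from the running config posted above.
SAMPLE_CONFIG = """\
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
 address-pool IPPool
 default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
 ikev1 pre-shared-key *****
"""

SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
PEER_RE = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
UNKNOWN_GROUP_RE = re.compile(r"unknown tunnel group name '(?P<group>[^']*)'")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (?P<conn>\d+) .* duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) type remote-access", re.M)


def parse_line(line):
    """Split one ASA syslog line into severity, six-digit message id and text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def configured_tunnel_groups(config_text):
    """Names of the remote-access tunnel-groups explicitly defined in the config."""
    return set(TUNNEL_GROUP_RE.findall(config_text))


def analyse_ike_attempt(log_text, known_groups):
    """Summarise one IKEv1 remote-access attempt and rank the most likely cause."""
    summary = {"peer": None, "unknown_groups": [], "fell_back_to_default_group": False,
               "fsm_error": False, "teardown_reason": None,
               "verdict": "no failure indicators found"}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        text = rec["text"]
        if summary["peer"] is None:
            pm = PEER_RE.search(text)
            if pm:
                summary["peer"] = pm.group("ip")
        if rec["msgid"] == "713255":            # client sent a group name the ASA does not know
            gm = UNKNOWN_GROUP_RE.search(text)
            if gm:
                summary["unknown_groups"].append(gm.group("group"))
        if "Group = DefaultRAGroup" in text:     # implicit fallback group (assumption: its PSK will not match)
            summary["fell_back_to_default_group"] = True
        if rec["msgid"] == "715065":            # aggressive-mode responder state machine gave up
            summary["fsm_error"] = True
        if rec["msgid"] == "302014":
            tm = TEARDOWN_RE.search(text)
            if tm:
                summary["teardown_reason"] = tm.group("reason")
    # The group-name mismatch is reported first: the teardown by inspection is a consequence.
    bad = sorted(set(g for g in summary["unknown_groups"] if g not in known_groups))
    if bad:
        summary["verdict"] = ("client sent group name(s) %s, not one of the configured tunnel-groups %s"
                              % (bad, sorted(known_groups)))
    elif summary["fsm_error"]:
        summary["verdict"] = "IKE aggressive-mode responder FSM error (check pre-shared key and IKE policy)"
    elif summary["teardown_reason"]:
        summary["verdict"] = "connection torn down: " + summary["teardown_reason"]
    return summary


if __name__ == "__main__":
    result = analyse_ike_attempt(SAMPLE_LOG, configured_tunnel_groups(SAMPLE_CONFIG))
    for key, value in result.items():
        print("%-28s %s" % (key + ":", value))
```

Run against the thread's own lines, the verdict names the 'user' group the client sent and lists NetworkRA as the only configured tunnel-group, which is exactly what the accepted answer fixes on the client side. Message 713255 is logged at warning level, so it is also a reasonable alert hook: a steady stream of it from one peer means a misconfigured client, or a client that is not yours.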
10-29-2012 09:34 AM
Hello Nathan,
This is our problem:
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection.
Can you add the following commands and try it one more time?
sysopt connection preserve-vpn-flows
sysopt connection reclassify-vpn
Can I have the show run nat and show run policy-map?
Regards,
10-29-2012 10:43 AM
Here ya go (it still does not connect):
RemoteVPNASA# sh run nat
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
RemoteVPNASA# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 2534 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 2536 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 2066 messages logged
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-6-302013: Built inbound TCP connection 380 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 381 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 20486
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 380 for DMZ:74.125.227.20/20486 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
10-29-2012 10:58 AM
Hello Nathan,
Here are the interesting facts from the debugs:
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
Can you share the show crypto isakmp sa while you try to connect and share the output you get? (Try to do it several times so we can see where it gets stuck.)
Regards,
Julio
10-29-2012 11:30 AM
I get the following after and during each connection attempt:
RemoteVPNASA(config)# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
Here's the log from the attempts:
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-7-609001: Built local-host DMZ:74.125.227.20
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 401 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 402 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59541
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64b900)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:4448d481 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 401 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-6-302013: Built inbound TCP connection 403 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 404 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59702
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:29c8051d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 403 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 405 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 406 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59774
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:67fd2fff terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 405 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 407 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 408 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59889
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 407 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-6-302016: Teardown UDP connection 402 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-6-302016: Teardown UDP connection 404 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-6-302016: Teardown UDP connection 406 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/500 duration 0:02:02 bytes 845
%ASA-6-302016: Teardown UDP connection 408 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-7-609002: Teardown local-host DMZ:74.125.227.20 duration 0:02:16
%ASA-7-609002: Teardown local-host identity:10.11.12.2 duration 0:02:16
10-29-2012 11:48 AM
Hello Nathan,
Can you share the updated configuration?
Also if you take out the crypto ikev1 ipsec-over-tcp port 10000, does it work over UDP?
Regards,
10-29-2012 12:56 PM
Here's the current config:
hostname RemoteVPNASA
domain-name Domain.local
enable password EknDlaH/tYor46kT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192
access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging buffer-size 524288
logging asdm-buffer-size 200
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password HTfNe5Yf7OKVfTLO encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:84afd7a2bcd6a7bc321dcf16f1376e85
: end
The result (no connection) is the same if I check UDP on the client. I'd prefer to keep it TCP though.
10-29-2012 04:14 PM
Hello Nathan,
To make the configuration clearer and more readable, can we take the inside interface out of the VPN configuration:
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto ikev1 enable inside
I do not see anything wrong in the configuration. Pretty interesting, but in the debugs we are going to the default group.
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
I do not like that unknown tunnel group!
Can you paste a screenshot of where you are trying to connect?
You should set on your VPN client
NetworkRA
Preshared-key
Let me know!
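The symptom Julio points at above (the peer falling to DefaultRAGroup because the client sent a group name the ASA does not know) can be pulled out of a debug log automatically. The script below is an added example, not part of this thread or any Cisco tool; it runs over constructed sample lines modelled on the %ASA messages quoted here (peer addresses 203.0.113.x are constructed) and reports, per peer, which tunnel group the connection landed on, the assigned address and whether phase 1 and phase 2 completed.

```python
"""Summarise Cisco ASA IKEv1 debug syslog into a per-peer negotiation outcome."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the %ASA messages quoted in this thread.
# 203.0.113.10 sends an unknown group name and falls to DefaultRAGroup;
# 203.0.113.20 lands on NetworkRA and completes both phases.
SAMPLE_LOG = """\
%ASA-4-713255: IP = 203.0.113.10, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 203.0.113.10, processing IKE SA payload
%ASA-7-715065: Group = DefaultRAGroup, IP = 203.0.113.10, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 203.0.113.10, IKE SA AM:67fd2fff terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 203.0.113.20, Connection landed on tunnel_group NetworkRA
%ASA-6-713228: Group = NetworkRA, Username = user, IP = 203.0.113.20, Assigned private IP address 10.11.12.150 to remote user
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 203.0.113.20, PHASE 1 COMPLETED
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 203.0.113.20, PHASE 2 COMPLETED (msgid=9db6fb00)
"""

# %ASA-<severity>-<6-digit message id>: <body>
HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# The "Group = X, Username = Y, IP = Z," prefix the IKE messages carry.
FIELD_RE = re.compile(r"(Group|Username|IP) = ([^,]+)")
UNKNOWN_GROUP_RE = re.compile(r"unknown tunnel group name '([^']*)'")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
ASSIGNED_RE = re.compile(r"Assigned private IP address (\S+) to remote user")


@dataclass
class PeerSummary:
    peer: str
    tunnel_group: Optional[str] = None
    username: Optional[str] = None
    assigned_ip: Optional[str] = None
    phase1_complete: bool = False
    phase2_complete: bool = False
    problems: List[str] = field(default_factory=list)

    def outcome(self) -> str:
        if self.phase2_complete:
            return "tunnel up"
        if self.phase1_complete:
            return "phase 1 only"
        if self.problems:
            return "failed: " + "; ".join(self.problems)
        return "incomplete"


def parse_line(line: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (message id, body, name/value fields) for one %ASA line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
    return m.group("msgid"), body, fields


def summarise(log_text: str) -> Dict[str, PeerSummary]:
    """Walk the log once and build one PeerSummary per peer IP."""
    peers: Dict[str, PeerSummary] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        msgid, body, fields = parsed
        ip = fields.get("IP")
        if ip is None:
            continue  # AAA / IPAA lines carry no peer address; not attributed here
        p = peers.setdefault(ip, PeerSummary(peer=ip))
        if "Group" in fields:
            p.tunnel_group = fields["Group"]
            if fields["Group"] == "DefaultRAGroup" and "fell back to DefaultRAGroup" not in p.problems:
                p.problems.append("fell back to DefaultRAGroup")
        if "Username" in fields:
            p.username = fields["Username"]
        if msgid == "713255":  # aggressive mode msg 1 with a group name the ASA does not have
            um = UNKNOWN_GROUP_RE.search(body)
            p.problems.append(f"unknown tunnel group '{um.group(1) if um else '?'}'")
        elif msgid == "715065":  # IKE aggressive-mode responder state machine error
            p.problems.append("IKE AM responder FSM error")
        elif msgid == "713906":  # free-text IKE debug: landing on a group or SA teardown
            lm = LANDED_RE.search(body)
            if lm:
                p.tunnel_group = lm.group(1)
            elif "terminating" in body:
                p.problems.append("IKE SA terminated")
        elif msgid == "713228":  # pool address handed to the client
            am = ASSIGNED_RE.search(body)
            if am:
                p.assigned_ip = am.group(1)
        elif msgid == "713119":
            p.phase1_complete = True
        elif msgid == "713120":
            p.phase2_complete = True
    return peers


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(f"{ip}: group={s.tunnel_group} user={s.username} "
              f"assigned={s.assigned_ip} -> {s.outcome()}")
```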
10-30-2012 07:21 AM
Yeah... the internal stuff I did through the ASDM in order to troubleshoot. It's all removed now. My VPN client is the Cisco VPN client - Version 5.0.07.0440
There isn't anywhere to set the Preshared-Key for NetworkRA. Please explain.
Thanks!
10-30-2012 10:15 AM
Go to New
Connection entry : Just how you want to name it
host: DMZ ip address
Group authentication
Name: Tunnel-group of the ASA (NetworkRA)
Password: Preshared key
Remember to rate all of the helpful posts. If you do not know how to do it, just let me know and I will show you.
Regards,
Julio
10-31-2012 05:10 AM
Hey Julio,
Well, I clicked "correct answer" too quickly... The client connects now, but I cannot access anything on the internal network 10.10.1.0/24... So what should I look at now?
10-31-2012 10:25 AM
Hello Nathan,
Well, we can connect now. That is really good!
Now you cannot access anything on your internal network!
Let's start from there:
object network internal_subnet
subnet 10.10.1.0 255.255.255.0
nat (inside,DMZ) source static internal_subnet internal_subnet destination static Network-10.11.12.0 Network-10.11.12.0
no nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
Let me know,
Regards
11-01-2012 06:01 AM
Yes - I very much agree that the client being able to connect is a very big step to getting this to work. I applied the changes you listed and I am still not able to connect. Here's the log:
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 61342 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 61344 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 5469 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-5-611103: User logged out: Uname: user
%ASA-6-315011: SSH session from 10.10.1.23 on interface inside for user "user" terminated normally
%ASA-6-302014: Teardown TCP connection 468 for inside:10.10.1.23/43355 to identity:10.10.1.76/22 duration 0:02:30 bytes 105260 TCP Reset-O
%ASA-7-609002: Teardown local-host inside:10.10.1.23 duration 0:02:30
%ASA-7-609002: Teardown local-host identity:10.10.1.76 duration 0:02:30
%ASA-6-106015: Deny TCP (no connection) from 10.10.1.23/43355 to 10.10.1.76/22 flags FIN PSH ACK on interface inside
%ASA-7-710005: TCP request discarded from 10.10.1.23/43355 to inside:10.10.1.76/22
%ASA-7-609001: Built local-host DMZ:76.199.251.254
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 469 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 470 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 832
%ASA-7-713906: IP = 76.199.251.254, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 25283
%ASA-7-715047: IP = 76.199.251.254, processing SA payload
%ASA-7-715047: IP = 76.199.251.254, processing ke payload
%ASA-7-715047: IP = 76.199.251.254, processing ISA_KE payload
%ASA-7-715047: IP = 76.199.251.254, processing nonce payload
%ASA-7-715047: IP = 76.199.251.254, processing ID payload
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received xauth V6 VID
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received DPD VID
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received Fragmentation VID
%ASA-7-715064: IP = 76.199.251.254, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received Cisco Unity client VID
%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing IKE SA payload
%ASA-7-715028: Group = NetworkRA, IP = 76.199.251.254, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ISAKMP SA payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ke payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing nonce payload
%ASA-7-713906: Group = NetworkRA, IP = 76.199.251.254, Generating keys for Responder...
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing hash payload
%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Cisco Unity VID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing xauth V6 VID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing dpd vid payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing VID payload
%ASA-7-715048: Group = NetworkRA, IP = 76.199.251.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing hash payload
%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing notify payload
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload
%ASA-7-715038: Group = NetworkRA, IP = 76.199.251.254, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload
%ASA-7-715049: Group = NetworkRA, IP = 76.199.251.254, Received Cisco Unity client VID
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, Processing MODE_CFG Reply attributes.
%ASA-6-113012: AAA user authentication Successful : local database : user = user
%ASA-6-113009: AAA retrieved default group policy (Network) for user = user
%ASA-6-113008: AAA transaction status ACCEPT : user = user
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary DNS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary DNS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary WINS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary WINS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: split tunneling list = vpn_SplitTunnel
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: IP Compression = disabled
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Split Tunneling Policy = Split Network
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Setting = no-modify
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.grouppolicy = Network
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username = user
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username1 = user
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.tunnelgroup = NetworkRA
%ASA-6-734001: DAP: User user, Addr 76.199.251.254, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-7-713052: Group = NetworkRA, Username = user, IP = 76.199.251.254, User (user) authenticated.
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg ACK attributes
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 174
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg Request attributes
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 address!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 net mask!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DNS server address!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for WINS server address!
%ASA-5-713130: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received unsupported transaction mode attribute: 5
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Banner!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Save PW setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Default Domain Name!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split Tunnel List!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split DNS!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for PFS setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Browser Proxy Setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for backup ip-sec peer list!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Application Version!
%ASA-6-713184: Group = NetworkRA, Username = user, IP = 76.199.251.254, Client Type: WinNT Client Application Version: 5.0.07.0440
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for FWTYPE!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DHCP hostname for DDNS is: MARS!
%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'NetworkRA'
%ASA-6-737026: IPAA: Client assigned 10.11.12.150 from local pool
%ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'NetworkRA'
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Obtained IP addr (10.11.12.150) prior to initiating Mode Cfg (XAuth enabled)
%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Client Browser Proxy Attributes!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Cisco Smartcard Removal Disconnect enable!!
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 241
%ASA-7-714003: IP = 76.199.251.254, IKE Responder starting QM: msg id = 9db6fb00
%ASA-7-715021: Group = NetworkRA, Username = user, IP = 76.199.251.254, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
%ASA-6-713905: Group = NetworkRA, Username = user, IP = 76.199.251.254, Gratuitous ARP sent for 10.11.12.150
%ASA-7-746012: user-identity: Add IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-715022: Group = NetworkRA, Username = user, IP = 76.199.251.254, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
%ASA-7-713121: IP = 76.199.251.254, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P1 rekey timer: 41040 seconds.
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending notify message
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=22ab08a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing SA payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing nonce payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload
%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR ID received
10.11.12.150
%ASA-7-713025: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received remote Proxy Host data in ID Payload: Address 10.11.12.150, Protocol 0, Port 0
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload
%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, QM IsRekeyed old sa not found by addr
%ASA-7-713066: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing IPSec SA payload
%ASA-7-715027: Group = NetworkRA, Username = user, IP = 76.199.251.254, IPSec SA Proposal # 8, Transform # 1 acceptable Matches global IPSec SA entry # 65535
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE: requesting SPI!
%ASA-7-715006: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got SPI from key engine: SPI = 0x2a9e7c0a
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, oakley constucting quick mode
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec SA payload
%ASA-5-713075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec nonce payload
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing proxy ID
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Transmitting Proxy Id:
Remote host: 10.11.12.150 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending RESPONDER LIFETIME notification to Initiator
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-714005: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Responder sending 2nd QM pkt: msg id = 9db6fb00
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + NONE (0) total length : 52
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, loading all IPSEC SAs
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!
%ASA-5-713049: Group = NetworkRA, Username = user, IP = 76.199.251.254, Security negotiation complete for User (user) Responder, Inbound SPI = 0x2a9e7c0a, Outbound SPI = 0x5bb276fb
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.
%ASA-7-715007: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got a KEY_ADD msg for SA: SPI = 0x5bb276fb
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-609001: Built local-host DMZ:10.11.12.150
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.
%ASA-7-715077: Group = NetworkRA, Username = user, IP = 76.199.251.254, Pitcher: received KEY_UPDATE, spi 0x2a9e7c0a
%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P2 rekey timer: 27360 seconds.
%ASA-7-713204: Group = NetworkRA, Username = user, IP = 76.199.251.254, Adding static route for client address: 10.11.12.150
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=74c94d21) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417ba)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417ba)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=eda5977f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-609001: Built local-host inside:10.10.1.44
%ASA-6-302015: Built inbound UDP connection 472 for DMZ:10.11.12.150/427 (10.11.12.150/427)(LOCAL\user) to inside:10.10.1.44/427 (10.10.1.44/427) (user)
%ASA-7-609001: Built local-host inside:10.10.1.76
%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=c168a18) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bb)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bb)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=50284dae) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=29354099) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bc)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bc)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=1bca2b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=a6c91f9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bd)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bd)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=83836fa9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.76 duration 0:00:30
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=2a7b85a0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing delete
%ASA-5-713050: Group = NetworkRA, Username = user, IP = 76.199.251.254, Connection terminated for peer user. Reason: Peer Terminate Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Active unit receives a delete event for remote peer 76.199.251.254.
%ASA-7-715009: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Deleting SA: Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 rcv'd Terminate: state AM_ACTIVE flags 0x2861d041, refcnt 1, tuncnt 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 terminating: flags 0x2961d001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending delete/delete with reason message
%ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been deleted.
%ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 76.199.251.254 and 10.11.12.2 (user= user) has been deleted.
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IKE delete payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=a9a78dd5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a
%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a
%ASA-5-713259: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session is being torn down. Reason: User Requested
%ASA-6-713273: Group = NetworkRA, Username = user, IP = 76.199.251.254, Deleting static route for client address: 10.11.12.150
%ASA-7-746013: user-identity: Delete IP-User mapping 76.199.251.254 - LOCAL\user Failed - VPN user logout
%ASA-7-746013: user-identity: Delete IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user logout
%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 45056 dead because SA deleted
%ASA-6-302014: Teardown TCP connection 469 for DMZ:76.199.251.254/25283 to identity:10.11.12.2/10000 duration 0:00:53 bytes 1724 Flow closed by inspection
%ASA-6-106015: Deny TCP (no connection) from 76.199.251.254/25283 to 10.11.12.2/10000 flags ACK on interface DMZ
%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000
%ASA-6-737016: IPAA: Freeing local pool address 10.11.12.150
%ASA-7-609001: Built local-host inside:10.10.1.23
%ASA-7-609001: Built local-host identity:10.10.1.76
%ASA-6-302013: Built inbound TCP connection 478 for inside:10.10.1.23/43785 (10.10.1.23/43785) to identity:10.10.1.76/22 (10.10.1.76/22)
%ASA-6-113012: AAA user authentication Successful : local database : user = user
%ASA-6-113008: AAA transaction status ACCEPT : user = user
%ASA-6-611101: User authentication succeeded: Uname: user
%ASA-6-611101: User authentication succeeded: Uname: user
%ASA-6-605005: Login permitted from 10.10.1.23/43785 to inside:10.10.1.76/ssh for user "user"
%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
%ASA-5-111008: User 'user' executed the 'enable' command.
Let me know what you think.
Thanks!
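The debug output above shows the tunnel coming up, the client's first TCP and ICMP flows being built, and the TCP flow dying with "SYN Timeout" before the user gives up. As an added example (not code from the post, the ASA, or Cisco), here is a small Python parser over four of those lines that extracts the fields of the 302014 teardown and 113019 session-disconnect messages and flags the symptom they share: bytes arrive from the client, nothing is sent back.

```python
import re

# Sample input: four lines copied from the ASA debug output in the post above.
SAMPLE_LOG = """\
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)
%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)
%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)
%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested
"""

# %ASA-6-302014: TCP teardown carrying duration, byte count and teardown reason.
# The optional "(LOCAL\user)" identity tag after the source port is skipped with \S*.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)\S* to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)(?: \(\S+\))?$"
)
# %ASA-4-113019: per-session byte counters, counted from the ASA's side of the tunnel
# (xmt = sent to the client, rcv = received from the client).
SESSION_RE = re.compile(
    r"%ASA-4-113019: .*Session Type: (?P<type>\w+), Duration: (?P<dur>\S+), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)

def parse_teardowns(log):
    """Return one dict per 302014 line, with numeric fields converted to int."""
    out = []
    for line in log.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("conn", "sport", "dport", "bytes"):
                d[k] = int(d[k])
            out.append(d)
    return out

def diagnose(log):
    """Flag half-open TCP flows (SYN Timeout, 0 bytes) and a session with no return bytes."""
    findings = []
    for t in parse_teardowns(log):
        if t["reason"] == "SYN Timeout" and t["bytes"] == 0:
            findings.append(f"conn {t['conn']} {t['sif']}:{t['sip']} -> {t['dif']}:{t['dip']}/{t['dport']}: "
                            "SYN forwarded but the handshake never completed (no SYN/ACK seen by the ASA)")
    for line in log.splitlines():
        m = SESSION_RE.search(line)
        if m and int(m["xmt"]) == 0 and int(m["rcv"]) > 0:
            findings.append(f"{m['type']} session: ASA received {m['rcv']} bytes from the client but sent 0 back; "
                            "no return traffic toward the VPN pool entered the tunnel")
    return findings
```

Running `diagnose(SAMPLE_LOG)` yields two findings, one per symptom; the same regexes work on a full `show logging` capture because they key on the message IDs, not on line position.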