Remote Access IKEv1 VPN DMZ ASA

Nathan Hawkins
Level 1

Hello All,

I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There are two networks that the ASA is connected to: the DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24), where the external remote client will connect to the DMZ interface and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortunately the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:

[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password ---------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
 nameif DMZ
 security-level 0
 ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd |                                                    |
banner motd |   *** Unauthorized Use or Access Prohibited ***    |
banner motd |                                                    |
banner motd |        For Authorized Official Use Only            |
banner motd |   You must have explicit permission to access or   |
banner motd |  configure this device. All activities performed   |
banner motd |  on this device may be logged, and violations of   |
banner motd | this policy may result in disciplinary action, and |
banner motd |  may be reported to law enforcement authorities.   |
banner motd |                                                    |
banner motd |   There is no right to privacy on this device.     |
banner motd |                                                    |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
 domain-name Domain.local
object network Network-10.11.12.0
 subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
 network-object 10.10.1.0 255.255.255.0
 network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.1.0 255.255.255.0
 network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
 vpn-idle-timeout 120
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_SplitTunnel
username user password ---------------- encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
 address-pool IPPool
 default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f
: end
[/code]

Any help would be greatly appreciated!

Accepted Solution

Go to New

Connection entry : Just how you want to name it

host: DMZ ip address

Group authentication

Name: Tunnel-group of the ASA (NetworkRA)

Password: Preshared key

Remember to rate all of the helpful posts. If you do not know how to do it, just let me know and I will show you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


20 Replies

Julio Carvajal
VIP Alumni

Hello Nathan,

Can you run some debugs and let us have the outputs? What do the ASA logs say when you attempt to connect?

Also can you change the following:

no crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap

crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

Let me know the result,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for that, Julio!

I made the change of that command and here's the logging/debug for a connection attempt:

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level debugging, 1566 messages logged

    Monitor logging: disabled

    Buffer logging: level debugging, 1568 messages logged

    Trap logging: disabled

    Permit-hostdown logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 1663 messages logged

%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.

%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'

%ASA-7-111009: User 'enable_15' executed cmd: show logging

%ASA-7-609001: Built local-host DMZ:74.125.227.20

%ASA-7-609001: Built local-host identity:10.11.12.2

%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 372 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  46673 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcc051860)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection

Let me know when you can.

Thanks!

Hello Nathan,

This is our problem:

%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection.

Can you add the following commands and try it one more time?

Sysopt connection preserve-vpn-flows

Sysopt connection reclassify-vpn

Can I have the show run nat and show run policy-map?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here ya go (it still does not connect):

RemoteVPNASA# sh run nat

nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0

RemoteVPNASA# sh run policy-map

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level debugging, 2534 messages logged

    Monitor logging: disabled

    Buffer logging: level debugging, 2536 messages logged

    Trap logging: disabled

    Permit-hostdown logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 2066 messages logged

%ASA-7-111009: User 'enable_15' executed cmd: show logging

%ASA-6-302013: Built inbound TCP connection 380 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 381 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  20486 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 380 for DMZ:74.125.227.20/20486 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection

Hello Nathan,

Here are the interesting facts from the debugs:

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

Can you share the show crypto isakmp sa while you try to connect and share the output you get? (Try to do it several times so we can see where it gets stuck.)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
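The debugs quoted above carry the diagnosis that the accepted solution acts on: the client is sending the group name 'user' in Aggressive Mode message 1, the ASA finds no tunnel-group of that name and falls back to DefaultRAGroup, the pre-shared key there cannot match, and the IPsec-over-TCP flow is torn down. The Python script below is an added example for this thread, not code from any poster: it pulls the remote-access tunnel-groups out of a running-config fragment and walks ASA syslog lines, correlating each inbound TCP/10000 connection with the %ASA-4-713255 'unknown tunnel group name' message, the group the SA was processed under, and the teardown reason. The config fragment, the log lines, the peer address 203.0.113.10 and the function names are all constructed for the example; the message formats follow the lines posted in the thread.

```python
"""Triage Cisco ASA IKEv1 remote-access syslog against the configured tunnel-groups.

Added example for this thread, not code from any poster. The config fragment,
log lines and peer address 203.0.113.10 below are constructed.
"""
import re

IPSEC_OVER_TCP_PORT = "10000"   # matches 'crypto ikev1 ipsec-over-tcp port 10000' in the thread

# Constructed running-config fragment; names mirror the config posted in the thread.
SAMPLE_CONFIG = """\
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
 address-pool IPPool
 default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed log lines modelled on the %ASA messages quoted in the thread:
# attempt 1 presents the wrong group name, attempt 2 presents the right one.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 371 for DMZ:203.0.113.10/46673 (203.0.113.10/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 372 for DMZ:203.0.113.10/46673 (203.0.113.10/46673) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713906: IP = 203.0.113.10, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  46673
%ASA-4-713255: IP = 203.0.113.10, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 203.0.113.10, processing IKE SA payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 203.0.113.10, IKE SA AM:0000abcd terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-6-302014: Teardown TCP connection 371 for DMZ:203.0.113.10/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 390 for DMZ:203.0.113.10/46700 (203.0.113.10/46700) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-7-715047: Group = NetworkRA, IP = 203.0.113.10, processing IKE SA payload
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 203.0.113.10, Generating keys for Responder...
"""

TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) type remote-access\s*$", re.M)
BUILT_TCP = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (?P<conn>\d+) for \w+:(?P<peer>[\d.]+)/\d+"
    r" \([\d./]+\) to \w+:[\d.]+/(?P<dport>\d+)")
UNKNOWN_GROUP = re.compile(
    r"%ASA-4-713255: IP = (?P<peer>[\d.]+), Received ISAKMP Aggressive Mode message 1"
    r" with unknown tunnel group name '(?P<group>[^']*)'")
GROUP_SEEN = re.compile(r"Group = (?P<group>[^,]+),.*?IP = (?P<peer>[\d.]+)")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for \w+:(?P<peer>[\d.]+)/\d+"
    r" to \w+:[\d.]+/\d+ duration \S+ bytes \d+ (?P<reason>.+?)\s*$")


def configured_tunnel_groups(config_text):
    """Names of the remote-access tunnel-groups a client may present as its group name."""
    return set(TUNNEL_GROUP.findall(config_text))


def verdict(attempt, groups):
    """One-line explanation of an attempt, derived only from the correlated messages."""
    presented = attempt["presented_group"]
    if presented is not None and presented not in groups:
        return (f"client presented group name {presented!r}, which is not a configured "
                f"remote-access tunnel-group {sorted(groups)}; the ASA processed the SA under "
                f"{attempt['negotiated_group']}, whose pre-shared key cannot match")
    if attempt["teardown_reason"] and "closed by inspection" in attempt["teardown_reason"]:
        return ("IKE failed and the IPsec-over-TCP flow was closed by inspection; "
                "check the IKEv1 policy and pre-shared key")
    return "no tunnel-group mismatch observed"


def triage(config_text, log_text):
    """Correlate each inbound TCP/10000 connection with the IKE messages for the same peer."""
    groups = configured_tunnel_groups(config_text)
    open_attempts = {}   # peer IP -> attempt in progress (IKE messages carry no connection id)
    findings = []
    for line in log_text.splitlines():
        if (m := BUILT_TCP.search(line)) and m["dport"] == IPSEC_OVER_TCP_PORT:
            open_attempts[m["peer"]] = {"peer": m["peer"], "conn": int(m["conn"]),
                                        "presented_group": None, "negotiated_group": None,
                                        "teardown_reason": None}
        elif m := UNKNOWN_GROUP.search(line):
            if a := open_attempts.get(m["peer"]):
                a["presented_group"] = m["group"]
        elif m := TEARDOWN.search(line):
            a = open_attempts.get(m["peer"])
            if a and a["conn"] == int(m["conn"]):
                a["teardown_reason"] = m["reason"]
                a["verdict"] = verdict(a, groups)
                findings.append(open_attempts.pop(m["peer"]))
        elif m := GROUP_SEEN.search(line):
            # First 'Group = X' after the connection is the tunnel-group the SA was bound to.
            if (a := open_attempts.get(m["peer"])) and a["negotiated_group"] is None:
                a["negotiated_group"] = m["group"]
    for a in open_attempts.values():          # attempts still open at the end of the log
        a["verdict"] = verdict(a, groups)
        findings.append(a)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"conn {f['conn']} from {f['peer']}: {f['verdict']}")
```

Run it against `show run tunnel-group` and a `show logging` capture taken during a connection attempt; the first finding reproduces the thread's symptom (group 'user' falling back to DefaultRAGroup and the TCP flow closed by inspection), the second shows what a correctly named group looks like. Correlation is by peer address because the IKE messages do not carry the connection id, so the teardown is only attributed when its connection number matches the one recorded at build time.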

I get the following after and during each connection attempt:

RemoteVPNASA(config)# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Here's the log from the attempts:

%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.

%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'

%ASA-7-111009: User 'enable_15' executed cmd: show logging

%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa

%ASA-7-609001: Built local-host DMZ:74.125.227.20

%ASA-7-609001: Built local-host identity:10.11.12.2

%ASA-6-302013: Built inbound TCP connection 401 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 402 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  59541 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64b900)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:4448d481 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 401 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection

%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa

%ASA-6-302013: Built inbound TCP connection 403 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 404 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  59702 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:29c8051d terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 403 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection

%ASA-6-302013: Built inbound TCP connection 405 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 406 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  59774 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:67fd2fff terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 405 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection

%ASA-6-302013: Built inbound TCP connection 407 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 408 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829

%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  59889 

%ASA-7-715047: IP = 74.125.227.20, processing SA payload

%ASA-7-715047: IP = 74.125.227.20, processing ke payload

%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload

%ASA-7-715047: IP = 74.125.227.20, processing nonce payload

%ASA-7-715047: IP = 74.125.227.20, processing ID payload

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received DPD VID

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID

%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 74.125.227.20, processing VID payload

%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload

%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload

%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message

%ASA-6-302014: Teardown TCP connection 407 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection

%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa

%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa

%ASA-6-302016: Teardown UDP connection 402 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/500 duration 0:02:01 bytes 845

%ASA-6-302016: Teardown UDP connection 404 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/500 duration 0:02:01 bytes 845

%ASA-6-302016: Teardown UDP connection 406 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/500 duration 0:02:02 bytes 845

%ASA-6-302016: Teardown UDP connection 408 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/500 duration 0:02:01 bytes 845

%ASA-7-609002: Teardown local-host DMZ:74.125.227.20 duration 0:02:16

%ASA-7-609002: Teardown local-host identity:10.11.12.2 duration 0:02:16

Hello Nathan,

Can you share the updated configuration?

Also, if you take out the crypto ikev1 ipsec-over-tcp port 10000, does it work over UDP?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's the current config:

hostname RemoteVPNASA

domain-name Domain.local

enable password EknDlaH/tYor46kT encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown    

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.1.76 255.255.255.0

!

interface Vlan2

nameif DMZ

security-level 0

ip address 10.11.12.2 255.255.255.0

!

banner motd

banner motd +----------------------------------------------------+

banner motd |                                                    |

banner motd |   *** Unauthorized Use or Access Prohibited ***    |

banner motd |                                                    |

banner motd |        For Authorized Official Use Only            |

banner motd |   You must have explicit permission to access or   |

banner motd |  configure this device. All activities performed   |

banner motd |  on this device may be logged, and violations of   |

banner motd | this policy may result in disciplinary action, and |

banner motd |  may be reported to law enforcement authorities.   |

banner motd |                                                    |

banner motd |   There is no right to privacy on this device.     |

banner motd |                                                    |

banner motd +----------------------------------------------------+

banner motd

ftp mode passive

dns server-group DefaultDNS

domain-name Domain.local

object network Network-10.11.12.0

subnet 10.11.12.0 255.255.255.0

object-group icmp-type DefaultICMP

description Default ICMP Types permitted

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

object-group network DM_INLINE_NETWORK_1

network-object 10.10.1.0 255.255.255.0

network-object 10.11.12.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 10.10.1.0 255.255.255.0

network-object 10.11.12.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel

access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0

access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0

access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0

access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192

access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192

access-list nonat remark ACL for Nat Bypass

access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

access-list acl_DMZ extended permit icmp any any object-group DefaultICMP

pager lines 24

logging enable

logging buffer-size 524288

logging asdm-buffer-size 200

logging console debugging

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu DMZ 1500

ip local pool IPPool 10.11.12.150-10.11.12.200

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0

access-group acl_DMZ in interface DMZ

route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 10.10.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt connection preserve-vpn-flows

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet

crypto dynamic-map DynamicMap 1 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map NetMap interface DMZ

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp identity address

crypto ikev1 enable inside

crypto ikev1 enable DMZ

crypto ikev1 ipsec-over-tcp port 10000

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto ikev1 policy 11

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy Network internal

group-policy Network attributes

vpn-idle-timeout 120

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn_SplitTunnel

username user password HTfNe5Yf7OKVfTLO encrypted privilege 15

tunnel-group NetworkRA type remote-access

tunnel-group NetworkRA general-attributes

address-pool IPPool

default-group-policy Network

tunnel-group NetworkRA ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:84afd7a2bcd6a7bc321dcf16f1376e85

: end

The result (no connection) is the same if I check UDP on the client. I'd prefer to keep it TCP, though.

Hello Nathan,

To make the configuration clearer and more readable, can we take the inside interface out of the VPN picture:

no crypto map inside_map interface inside

no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

no crypto ikev1 enable inside

I do not see anything wrong in the configuration; pretty interesting, but in the debugs we are going to the default group.

%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.

%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload

That unknown tunnel group, I do not like it!

Can you paste a screenshot of where you are trying to connect?

You should set on your VPN client

NetworkRA

Preshared-key

Let me know!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
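The 713255 line Julio points to is the one to key on: the client sent a group name the ASA has no tunnel-group for, so the connection fell into DefaultRAGroup and the aggressive-mode exchange was torn down (the 715065 FSM error and the "terminating" line that follow it). The script below is an added example, not part of this thread and not a Cisco tool. It reads ASA IKEv1 debug syslog of the kind pasted in this thread (the first post's debug and the log later in the thread use the same message formats) and summarizes each peer's phase 1 outcome: the unknown group name (713255), the tunnel-group the connection landed on (713906), AM FSM errors (715065), PHASE 1 COMPLETED (713119) and the assigned pool address (713228). The sample lines are constructed to follow those formats, not copied verbatim; the `classify_unknown_groups` rule that separates one misconfigured client from a peer cycling through many group names is my own heuristic, not an ASA feature.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format of the debug output pasted in this thread:
# one attempt with the wrong group name ('user'), then a successful attempt
# from a corrected client profile that names the tunnel-group NetworkRA.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 407 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)  , :  AM_DONE, EV_ERROR-->AM_SND_MSG2
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA
%ASA-6-113012: AAA user authentication Successful : local database : user = user
%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
"""

HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msg>\d{6}): (?P<body>.*)$")
PEER = re.compile(r"\bIP = (\d+\.\d+\.\d+\.\d+)")
GROUP = re.compile(r"\bGroup = (\S+),")
USERNAME = re.compile(r"\bUsername = (\S+),")
UNKNOWN_GROUP = re.compile(r"unknown tunnel group name '([^']*)'")
LANDED = re.compile(r"Connection landed on tunnel_group (\S+)")
ASSIGNED = re.compile(r"Assigned private IP address (\S+) to remote user")


@dataclass
class PeerSummary:
    peer: str
    unknown_groups: List[str] = field(default_factory=list)  # every 713255 group name, in order
    tunnel_group: Optional[str] = None      # group the ASA actually selected (713906 'landed')
    fallback_group: Optional[str] = None    # 'Group = ...' seen when no landing message exists
    username: Optional[str] = None
    assigned_ip: Optional[str] = None
    am_fsm_errors: int = 0                  # 715065
    sa_terminated: int = 0                  # 713906 '... terminating'
    phase1_completed: bool = False          # 713119

    def verdict(self) -> str:
        if self.phase1_completed:
            return "phase1-ok"
        if self.unknown_groups:
            return "unknown-group"
        if self.am_fsm_errors or self.sa_terminated:
            return "phase1-failed"
        return "incomplete"

    def classify_unknown_groups(self, max_distinct: int = 1) -> Optional[str]:
        """Heuristic (mine, not an ASA feature): one wrong name repeated is a
        misconfigured client; many distinct names from one peer deserves a look."""
        if not self.unknown_groups:
            return None
        distinct = len(Counter(self.unknown_groups))
        return "misconfigured-client" if distinct <= max_distinct else "group-name-probing"


def summarize(log_text: str) -> Dict[str, PeerSummary]:
    """Fold IKEv1 debug syslog into one summary per remote peer address."""
    peers: Dict[str, PeerSummary] = {}
    for line in log_text.splitlines():
        head = HEADER.match(line.strip())
        if not head:
            continue
        peer_m = PEER.search(head["body"])
        if not peer_m:
            continue  # connection-table and AAA lines carry no 'IP =' field
        s = peers.setdefault(peer_m.group(1), PeerSummary(peer_m.group(1)))
        body, msg = head["body"], head["msg"]
        if msg == "713255" and (m := UNKNOWN_GROUP.search(body)):
            s.unknown_groups.append(m.group(1))
        elif msg == "713906" and (m := LANDED.search(body)):
            s.tunnel_group = m.group(1)
        elif msg == "713906" and "terminating" in body:
            s.sa_terminated += 1
        elif msg == "715065":
            s.am_fsm_errors += 1
        elif msg == "713228" and (m := ASSIGNED.search(body)):
            s.assigned_ip = m.group(1)
        elif msg == "713119" and "PHASE 1 COMPLETED" in body:
            s.phase1_completed = True
        if s.tunnel_group is None and (m := GROUP.search(body)):
            s.fallback_group = m.group(1)
        if m := USERNAME.search(body):
            s.username = m.group(1)
    return peers


if __name__ == "__main__":
    for peer, s in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {s.verdict()} group={s.tunnel_group or s.fallback_group} "
              f"user={s.username} ip={s.assigned_ip} unknown={s.unknown_groups}")
```

Feed it the output of `show logging` with `logging buffered debugging` in effect, as in this thread. A peer whose verdict is `unknown-group` with `fallback_group` DefaultRAGroup is exactly the failure Julio describes: the fix is on the client profile (group name), not on the ASA crypto config.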

Yeah... the internal stuff I did through the ASDM in order to troubleshoot. It's all removed now. My VPN client is the Cisco VPN Client, version 5.0.07.0440.

There isn't anywhere to set the pre-shared key for NetworkRA. Please explain.

Thanks!

Go to New.

Connection Entry: whatever you want to name it

Host: DMZ IP address

Group Authentication

Name: tunnel-group of the ASA (NetworkRA)

Password: pre-shared key

Remember to rate all of the helpful posts. If you do not know how to do it, just let me know and I will show you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio,

Well, I clicked "correct answer" too quickly... The client connects now, but I cannot access anything on the internal network 10.10.1.0/24... So what should I look at now?

Hello Nathan,

Well, we can connect now. That is really good!

Now you cannot access anything on your internal network!

Let's start from there:

object network internal_subnet

 subnet 10.10.1.0 255.255.255.0

nat (inside,DMZ) source static internal_subnet internal_subnet destination static Network-10.11.12.0 Network-10.11.12.0

no nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0

Let me know,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
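What Julio's NAT change has to achieve is an identity (no-translation) twice-NAT rule between the internal subnet and the addresses the pool hands out, so that packets from 10.10.1.0/24 toward 10.11.12.150-200 reach the tunnel untouched; the earlier `source static any any` form passes the same test, since `any` covers the inside subnet. The script below is an added example, not part of this thread and not a Cisco tool: it parses the handful of config lines a remote-access IPsec tunnel depends on (network objects, `ip local pool`, `source static` NAT rules, transform sets, dynamic-map and crypto-map bindings, `crypto ikev1 enable`, the tunnel-group's `address-pool`) and reports whether an identity rule covers inside-subnet-to-pool traffic, whether every interface carrying a crypto map has IKEv1 enabled, and which transform sets in use still offer DES, 3DES or MD5 (the running-config posted above keeps several of those in SYSTEM_DEFAULT_CRYPTO_MAP). The embedded config is a constructed excerpt shaped like the one posted above, with the NAT change applied; it is not the full running-config and was not verified on a live ASA.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt shaped like the config posted in this thread, after the
# NAT change suggested above. Not the full running-config, not verified on a live ASA.
SAMPLE_CONFIG = """\
object network Network-10.11.12.0
 subnet 10.11.12.0 255.255.255.0
object network internal_subnet
 subnet 10.10.1.0 255.255.255.0
ip local pool IPPool 10.11.12.150-10.11.12.200
nat (inside,DMZ) source static internal_subnet internal_subnet destination static Network-10.11.12.0 Network-10.11.12.0
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NetMap interface DMZ
crypto ikev1 enable DMZ
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
 address-pool IPPool
"""

# ESP algorithms that are deprecated for new deployments.
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)$")


def parse_config(text: str) -> dict:
    """Extract the config elements a remote-access IPsec tunnel depends on."""
    cfg = {"objects": {}, "pools": {}, "nat": [], "tsets": {}, "dynmaps": {},
           "map_iface": {}, "ikev1_ifaces": set(), "tg_pool": {}}
    block = None  # ('object', name) or ('tg', name) while inside a sub-command block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            block = ("object", m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            block = ("tg", m.group(1))
        elif block and block[0] == "object" and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            cfg["objects"][block[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif block and block[0] == "object" and (m := re.match(r"host (\S+)$", line)):
            cfg["objects"][block[1]] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif block and block[0] == "tg" and (m := re.match(r"address-pool (\S+)$", line)):
            cfg["tg_pool"][block[1]] = m.group(1)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT_RE.match(line):
            keys = ("in", "out", "src_real", "src_mapped", "dst_real", "dst_mapped")
            cfg["nat"].append(dict(zip(keys, m.groups())))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            cfg["tsets"][m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set ikev1 transform-set (.+)$", line):
            cfg["dynmaps"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["map_iface"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ikev1 enable (\S+)$", line):
            cfg["ikev1_ifaces"].add(m.group(1))
    return cfg


def _covers(cfg: dict, obj_name: str, first, last) -> bool:
    """True when a NAT object (or the keyword any) contains both addresses."""
    if obj_name == "any":
        return True
    net = cfg["objects"].get(obj_name)
    return net is not None and first in net and last in net


def identity_nat_rules_for(cfg: dict, inside_net: str, tunnel_group: str) -> List[dict]:
    """NAT rules that leave both sides untranslated (real == mapped) and whose
    source covers inside_net while the destination covers the tunnel-group's pool."""
    net = ipaddress.ip_network(inside_net)
    pool_lo, pool_hi = cfg["pools"][cfg["tg_pool"][tunnel_group]]
    return [r for r in cfg["nat"]
            if r["src_real"] == r["src_mapped"] and r["dst_real"] == r["dst_mapped"]
            and _covers(cfg, r["src_real"], net[0], net[-1])
            and _covers(cfg, r["dst_real"], pool_lo, pool_hi)]


def ikev1_missing_on(cfg: dict) -> List[str]:
    """Interfaces that carry a crypto map but have no 'crypto ikev1 enable'."""
    return sorted(i for i in cfg["map_iface"].values() if i not in cfg["ikev1_ifaces"])


def weak_transform_sets_in_use(cfg: dict) -> Dict[str, List[str]]:
    """Transform sets referenced by a dynamic map that still offer DES, 3DES or MD5."""
    weak: Dict[str, List[str]] = {}
    for dm, names in cfg["dynmaps"].items():
        for name in names:
            if cfg["tsets"].get(name, set()) & WEAK_ALGS:
                weak.setdefault(dm, []).append(name)
    return weak


def audit(text: str, inside_net: str, tunnel_group: str) -> dict:
    """Run the three checks against a config text and return the findings."""
    cfg = parse_config(text)
    return {
        "nat_exempt_rules": [f'{r["src_real"]}->{r["dst_real"]}'
                             for r in identity_nat_rules_for(cfg, inside_net, tunnel_group)],
        "ikev1_missing_on": ikev1_missing_on(cfg),
        "weak_transform_sets": weak_transform_sets_in_use(cfg),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "10.10.1.0/24", "NetworkRA"))
```

An empty `nat_exempt_rules` list is the first thing to check when phase 1 and phase 2 both complete but nothing on the inside answers; the other two findings are independent of the connectivity problem but come out of the same config lines, which is why the audit reports them together.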

Yes, I very much agree that the client being able to connect is a very big step toward getting this to work. I applied the changes you listed and I am still not able to connect; here's the log:

Syslog logging: enabled

    Facility: 20

    Timestamp logging: disabled

    Standby logging: disabled

    Debug-trace logging: disabled

    Console logging: level debugging, 61342 messages logged

    Monitor logging: disabled

    Buffer logging: level debugging, 61344 messages logged

    Trap logging: disabled

    Permit-hostdown logging: disabled

    History logging: disabled

    Device ID: disabled

    Mail logging: disabled

    ASDM logging: level informational, 5469 messages logged

%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.

%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'

%ASA-7-111009: User 'enable_15' executed cmd: show logging

%ASA-5-611103: User logged out: Uname: user

%ASA-6-315011: SSH session from 10.10.1.23 on interface inside for user "user" terminated normally

%ASA-6-302014: Teardown TCP connection 468 for inside:10.10.1.23/43355 to identity:10.10.1.76/22 duration 0:02:30 bytes 105260 TCP Reset-O

%ASA-7-609002: Teardown local-host inside:10.10.1.23 duration 0:02:30

%ASA-7-609002: Teardown local-host identity:10.10.1.76 duration 0:02:30

%ASA-6-106015: Deny TCP (no connection) from 10.10.1.23/43355 to 10.10.1.76/22 flags FIN PSH ACK  on interface inside

%ASA-7-710005: TCP request discarded from 10.10.1.23/43355 to inside:10.10.1.76/22

%ASA-7-609001: Built local-host DMZ:76.199.251.254

%ASA-7-609001: Built local-host identity:10.11.12.2

%ASA-6-302013: Built inbound TCP connection 469 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/10000 (10.11.12.2/10000)

%ASA-6-302015: Built inbound UDP connection 470 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/500 (10.11.12.2/500)

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 832

%ASA-7-713906: IP = 76.199.251.254, Responder: IPSec over TCP encapsulation is used    local TCP port: 10000    peer TCP port:  25283 

%ASA-7-715047: IP = 76.199.251.254, processing SA payload

%ASA-7-715047: IP = 76.199.251.254, processing ke payload

%ASA-7-715047: IP = 76.199.251.254, processing ISA_KE payload

%ASA-7-715047: IP = 76.199.251.254, processing nonce payload

%ASA-7-715047: IP = 76.199.251.254, processing ID payload

%ASA-7-715047: IP = 76.199.251.254, processing VID payload

%ASA-7-715049: IP = 76.199.251.254, Received xauth V6 VID

%ASA-7-715047: IP = 76.199.251.254, processing VID payload

%ASA-7-715049: IP = 76.199.251.254, Received DPD VID

%ASA-7-715047: IP = 76.199.251.254, processing VID payload

%ASA-7-715049: IP = 76.199.251.254, Received Fragmentation VID

%ASA-7-715064: IP = 76.199.251.254, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

%ASA-7-715047: IP = 76.199.251.254, processing VID payload

%ASA-7-715049: IP = 76.199.251.254, Received Cisco Unity client VID

%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA

%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing IKE SA payload

%ASA-7-715028: Group = NetworkRA, IP = 76.199.251.254, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ISAKMP SA payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ke payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing nonce payload

%ASA-7-713906: Group = NetworkRA, IP = 76.199.251.254, Generating keys for Responder...

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ID payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing hash payload

%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Cisco Unity VID payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing xauth V6 VID payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing dpd vid payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Fragmentation VID + extended capabilities payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing VID payload

%ASA-7-715048: Group = NetworkRA, IP = 76.199.251.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120

%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing hash payload

%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP

%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing notify payload

%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload

%ASA-7-715038: Group = NetworkRA, IP = 76.199.251.254, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)

%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload

%ASA-7-715049: Group = NetworkRA, IP = 76.199.251.254, Received Cisco Unity client VID

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82

%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, process_attr(): Enter!

%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, Processing MODE_CFG Reply attributes.

%ASA-6-113012: AAA user authentication Successful : local database : user = user

%ASA-6-113009: AAA retrieved default group policy (Network) for user = user

%ASA-6-113008: AAA transaction status ACCEPT : user = user

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary DNS = cleared

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary DNS = cleared

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary WINS = cleared

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary WINS = cleared

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: split tunneling list = vpn_SplitTunnel

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: IP Compression = disabled

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Split Tunneling Policy = Split Network

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Setting = no-modify

%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Bypass Local = disable

%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.grouppolicy = Network

%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username = user

%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username1 = user

%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username2 =

%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.tunnelgroup = NetworkRA

%ASA-6-734001: DAP: User user, Addr 76.199.251.254, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

%ASA-7-713052: Group = NetworkRA, Username = user, IP = 76.199.251.254, User (user) authenticated.

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg ACK attributes

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 174

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg Request attributes

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 address!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 net mask!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DNS server address!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for WINS server address!

%ASA-5-713130: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received unsupported transaction mode attribute: 5

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Banner!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Save PW setting!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Default Domain Name!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split Tunnel List!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split DNS!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for PFS setting!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Browser Proxy Setting!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for backup ip-sec peer list!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Application Version!

%ASA-6-713184: Group = NetworkRA, Username = user, IP = 76.199.251.254, Client Type: WinNT  Client Application Version: 5.0.07.0440

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for FWTYPE!

%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DHCP hostname for DDNS is: MARS!

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'

%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'NetworkRA'

%ASA-6-737026: IPAA: Client assigned 10.11.12.150 from local pool

%ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'NetworkRA'

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Obtained IP addr (10.11.12.150) prior to initiating Mode Cfg (XAuth enabled)

%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Client Browser Proxy Attributes!

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply

%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Cisco Smartcard Removal Disconnect enable!!

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 241

%ASA-7-714003: IP = 76.199.251.254, IKE Responder starting QM: msg id = 9db6fb00

%ASA-7-715021: Group = NetworkRA, Username = user, IP = 76.199.251.254, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress

%ASA-6-713905: Group = NetworkRA, Username = user, IP = 76.199.251.254, Gratuitous ARP sent for 10.11.12.150

%ASA-7-746012: user-identity: Add IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user

%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user

%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user

%ASA-7-715022: Group = NetworkRA, Username = user, IP = 76.199.251.254, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED

%ASA-7-713121: IP = 76.199.251.254, Keep-alive type for this connection: DPD

%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P1 rekey timer: 41040 seconds.

%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending notify message

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=22ab08a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing SA payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing nonce payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload

%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR ID received

10.11.12.150

%ASA-7-713025: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received remote Proxy Host data in ID Payload:  Address 10.11.12.150, Protocol 0, Port 0

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload

%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

%ASA-7-713034: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, QM IsRekeyed old sa not found by addr

%ASA-7-713066: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing IPSec SA payload

%ASA-7-715027: Group = NetworkRA, Username = user, IP = 76.199.251.254, IPSec SA Proposal # 8, Transform # 1 acceptable  Matches global IPSec SA entry # 65535

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE: requesting SPI!

%ASA-7-715006: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got SPI from key engine: SPI = 0x2a9e7c0a

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, oakley constucting quick mode

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec SA payload

%ASA-5-713075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec nonce payload

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing proxy ID

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Transmitting Proxy Id:

  Remote host: 10.11.12.150  Protocol 0  Port 0

  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending RESPONDER LIFETIME notification to Initiator

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-714005: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Responder sending 2nd QM pkt: msg id = 9db6fb00

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + NONE (0) total length : 52

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, loading all IPSEC SAs

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!

%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!

%ASA-5-713049: Group = NetworkRA, Username = user, IP = 76.199.251.254, Security negotiation complete for User (user)  Responder, Inbound SPI = 0x2a9e7c0a, Outbound SPI = 0x5bb276fb

%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.

%ASA-7-715007: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got a KEY_ADD msg for SA: SPI = 0x5bb276fb

%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user

%ASA-7-609001: Built local-host DMZ:10.11.12.150

%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.

%ASA-7-715077: Group = NetworkRA, Username = user, IP = 76.199.251.254, Pitcher: received KEY_UPDATE, spi 0x2a9e7c0a

%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P2 rekey timer: 27360 seconds.

%ASA-7-713204: Group = NetworkRA, Username = user, IP = 76.199.251.254, Adding static route for client address: 10.11.12.150

%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)

%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=74c94d21) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload

%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417ba)

%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417ba)

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=eda5977f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-609001: Built local-host inside:10.10.1.44

%ASA-6-302015: Built inbound UDP connection 472 for DMZ:10.11.12.150/427 (10.11.12.150/427)(LOCAL\user) to inside:10.10.1.44/427 (10.10.1.44/427) (user)

%ASA-7-609001: Built local-host inside:10.10.1.76

%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=c168a18) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload

%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bb)

%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bb)

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=50284dae) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-609001: Built local-host inside:10.10.1.26

%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02

%ASA-7-609001: Built local-host inside:10.10.1.26

%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=29354099) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload

%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bc)

%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bc)

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=1bca2b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02

%ASA-7-609001: Built local-host inside:10.10.1.26

%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02

%ASA-7-609001: Built local-host inside:10.10.1.26

%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=a6c91f9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload

%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bd)

%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bd)

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=83836fa9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)

%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02

%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)

%ASA-7-609002: Teardown local-host inside:10.10.1.76 duration 0:00:30

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=2a7b85a0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72

%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing delete

%ASA-5-713050: Group = NetworkRA, Username = user, IP = 76.199.251.254, Connection terminated for peer user.  Reason: Peer Terminate  Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Active unit receives a delete event for remote peer 76.199.251.254.

%ASA-7-715009: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Deleting SA: Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 rcv'd Terminate: state AM_ACTIVE  flags 0x2861d041, refcnt 1, tuncnt 0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 terminating:  flags 0x2961d001, refcnt 0, tuncnt 0

%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending delete/delete with reason message

%ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been deleted.

%ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 76.199.251.254 and 10.11.12.2 (user= user) has been deleted.

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IKE delete payload

%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload

%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=a9a78dd5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a

%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a

%ASA-5-713259: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session is being torn down. Reason: User Requested

%ASA-6-713273: Group = NetworkRA, Username = user, IP = 76.199.251.254, Deleting static route for client address: 10.11.12.150

%ASA-7-746013: user-identity: Delete IP-User mapping 76.199.251.254 - LOCAL\user Failed - VPN user logout

%ASA-7-746013: user-identity: Delete IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user logout

%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested

%ASA-7-713906: Ignoring msg to mark SA with dsID 45056 dead because SA deleted

%ASA-6-302014: Teardown TCP connection 469 for DMZ:76.199.251.254/25283 to identity:10.11.12.2/10000 duration 0:00:53 bytes 1724 Flow closed by inspection

%ASA-6-106015: Deny TCP (no connection) from 76.199.251.254/25283 to 10.11.12.2/10000 flags ACK  on interface DMZ

%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000

%ASA-6-737016: IPAA: Freeing local pool address 10.11.12.150

%ASA-7-609001: Built local-host inside:10.10.1.23

%ASA-7-609001: Built local-host identity:10.10.1.76

%ASA-6-302013: Built inbound TCP connection 478 for inside:10.10.1.23/43785 (10.10.1.23/43785) to identity:10.10.1.76/22 (10.10.1.76/22)

%ASA-6-113012: AAA user authentication Successful : local database : user = user

%ASA-6-113008: AAA transaction status ACCEPT : user = user

%ASA-6-611101: User authentication succeeded: Uname: user

%ASA-6-611101: User authentication succeeded: Uname: user

%ASA-6-605005: Login permitted from 10.10.1.23/43785 to inside:10.10.1.76/ssh for user "user"

%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15

%ASA-5-111008: User 'user' executed the 'enable' command.

Let me know what you think.

Thanks!
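As an added example (not part of the post or of any Cisco tooling), a small Python triage script that reads ASA syslog lines like the ones above and separates "IKE never finished" from "tunnel up, but nothing came back from the inside host", keyed on the PHASE 1/2 COMPLETED, 302014 "SYN Timeout" and 113019 byte-counter messages. The sample lines are constructed from the debug output above, and the 10.11.12. pool prefix is an assumption taken from the post's address pool.

```python
import re

# Constructed sample: lines copied from the debug output above (addresses as in the post).
SAMPLE_LOG = [
    r"%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED",
    r"%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)",
    r"%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)",
    r"%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)",
    r"%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested",
]

PHASE_RE = re.compile(r"PHASE ([12]) COMPLETED")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+)\S* to (\w+):([\d.]+)/(\d+)"
    r" duration (\S+) bytes (\d+) (.*)$"
)
DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: .*Session Type: (\w+), .*Bytes xmt: (\d+), Bytes rcv: (\d+), Reason: (.*)$"
)

def triage_ipsec_session(lines, pool_prefix="10.11.12."):
    """Summarise one IKEv1 remote-access session from ASA syslog lines.

    pool_prefix (assumed from the post's address pool) selects flows whose
    source is a VPN client address.
    """
    report = {"phases": set(), "dead_flows": [], "disconnect": None}
    for line in lines:
        m = PHASE_RE.search(line)
        if m:
            report["phases"].add(int(m.group(1)))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            conn, _, src, sport, dst_if, dst, dport, _, nbytes, reason = m.groups()
            reason = re.sub(r"\s*\([^)]*\)\s*$", "", reason)  # drop trailing "(user)"
            # bytes 0 + SYN Timeout: the ASA saw the client's SYN but no handshake finished.
            if src.startswith(pool_prefix) and int(nbytes) == 0 and "SYN" in reason:
                report["dead_flows"].append(
                    {"conn": conn, "src": f"{src}:{sport}", "dst": f"{dst_if}:{dst}:{dport}", "reason": reason}
                )
            continue
        m = DISCONNECT_RE.search(line)
        if m:  # xmt = bytes the ASA sent to the client, rcv = bytes received from it
            report["disconnect"] = {"type": m.group(1), "xmt": int(m.group(2)),
                                    "rcv": int(m.group(3)), "reason": m.group(4)}
    return report

def verdict(report):
    """Coarse classification: did IKE finish, and did anything come back through the tunnel?"""
    if {1, 2} <= report["phases"]:
        if report["dead_flows"] or (report["disconnect"] and report["disconnect"]["xmt"] == 0):
            return "tunnel-up-no-return-traffic"
        return "tunnel-up"
    return "tunnel-down"
```

On the post's own log this yields "tunnel-up-no-return-traffic": both IKE phases completed, the SSH flow from the pool address to 10.10.1.76/22 died on SYN Timeout with 0 bytes, and the session counters show the ASA sent nothing back to the client.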
