10-27-2012 06:46 PM - edited 03-11-2019 05:15 PM
Hello All,
I have a test ASA behind an edge firewall (Checkpoint), and I'm trying to set up the ASA for remote VPN access only. The ports being forwarded are UDP/500, UDP/4500 and UDP/TCP/10000. I'd prefer to encapsulate the sessions into TCP/10000. There are two networks that the ASA is connected to: the DMZ (10.11.12.0/24) and an internal segment (10.10.1.0/24). The external remote client will connect to the DMZ interface, and the goal is to access the internal subnet. The pool I want to set up is 10.11.12.150-200. I have upgraded the ASA to the most current IOS [8.4(4)1] / ASDM [6.4(9)] images. Here's what I've come up with, but unfortunately the client fails to connect. I have messed around several times with settings using the ASDM, but ultimately I cannot get the client to connect. Here's my config:
[code]
hostname RemoteVPNASA
domain-name Domain.local
enable password ---------------- encrypted
passwd ---------------- encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password ---------------- encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6e568acfb0bed9dc9979dc1a980f24f
: end
[/code]
Any help would be greatly appreciated!
10-30-2012 10:15 AM
Go to New
Connection entry : Just how you want to name it
host: DMZ ip address
Group authentication
Name: Tunnel-group of the ASA (NetworkRA)
Password: Preshared key
Remember to rate all of the helpful posts. If you do not know how to do it, just let me know and I will show you.
Regards,
Julio
10-27-2012 11:23 PM
Hello Nathan,
Can you run some debugs and let us have the outputs? What do the ASA logs say when you attempt to connect?
Also can you change the following:
no crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
Let me know the result,
Regards,
Julio
10-29-2012 05:36 AM
Thanks for that Julio!
I made the change of that command and here's the logging/debug for a connection attempt:
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 1566 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 1568 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1663 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-609001: Built local-host DMZ:74.125.227.20
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 372 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 46673
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcc051860)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
Let me know when you can.
Thanks!
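The debug output above carries two signals worth reading together: the ASA reports an unknown tunnel group name ('user') and falls back to DefaultRAGroup, and the TCP/10000 flow is torn down right after the IKE SA terminates. As an added example (not part of this thread and not Cisco tooling), here is a small Python checker that pulls the tunnel-group and IPsec-over-TCP settings out of the posted config, walks the posted syslog lines, and reports why the attempt fails. The config and log excerpts embedded in it are constructed from lines quoted in this thread; the checker itself, its function names and its result fields are my own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of the running config posted in the thread;
# only the lines the checks below look at are reproduced.
ASA_CONFIG = """\
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto map NetMap 1 ipsec-isakmp dynamic DynamicMap
crypto map NetMap interface DMZ
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
 address-pool IPPool
 default-group-policy Network
"""

# Constructed sample of one connection attempt, trimmed to the syslog
# messages from the thread that carry the diagnosis.
ASA_LOG = """\
%ASA-6-302013: Built inbound TCP connection 371 for DMZ:74.125.227.20/46673 (74.125.227.20/46673) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 46673
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcc051860)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:8642b183 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
"""

MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
PEER_RE = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
UNKNOWN_GROUP_RE = re.compile(r"unknown tunnel group name '(?P<group>[^']+)'")
# Destination port is the last "/<port>" before "duration"; reason is the trailing text.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for .*?/(?P<port>\d+) duration \S+ bytes \d+ (?P<reason>.*)$"
)


def configured_tunnel_groups(config: str) -> Set[str]:
    """Names of remote-access tunnel-groups defined in the config."""
    return set(re.findall(r"^tunnel-group (\S+) type remote-access", config, re.M))


def ipsec_over_tcp_port(config: str) -> Optional[int]:
    """TCP port on which IPsec-over-TCP encapsulation is enabled, if any."""
    m = re.search(r"^crypto ikev1 ipsec-over-tcp port (\d+)", config, re.M)
    return int(m.group(1)) if m else None


def crypto_map_interfaces(config: str) -> Dict[str, str]:
    """Map of interface -> crypto map bound to it."""
    return {iface: name for name, iface in re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)}


def diagnose(config: str, log: str) -> Dict[str, object]:
    """Correlate the IKEv1 debug messages with the config and explain the failure."""
    groups = configured_tunnel_groups(config)
    tcp_port = ipsec_over_tcp_port(config)
    r: Dict[str, object] = {
        "configured_groups": groups, "ipsec_over_tcp_port": tcp_port, "peer": None,
        "client_group": None, "tcp_encapsulation_seen": False, "fsm_error": False,
        "ike_sa_terminated": False, "teardown_reason": None, "findings": [],
    }
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        p = PEER_RE.search(body)
        if p and r["peer"] is None:
            r["peer"] = p.group("ip")
        if msg_id == "713255":                      # aggressive mode, group name lookup failed
            g = UNKNOWN_GROUP_RE.search(body)
            if g:
                r["client_group"] = g.group("group")
        elif msg_id == "713906" and "IPSec over TCP encapsulation" in body:
            r["tcp_encapsulation_seen"] = True
        elif msg_id == "713906" and "terminating" in body:
            r["ike_sa_terminated"] = True
        elif msg_id == "715065":                    # responder state machine error
            r["fsm_error"] = True
        elif msg_id == "302014":
            t = TEARDOWN_RE.search(body)
            if t and tcp_port is not None and int(t.group("port")) == tcp_port:
                r["teardown_reason"] = t.group("reason")
    cg = r["client_group"]
    r["group_matches"] = cg is not None and cg in groups
    findings: List[str] = r["findings"]  # type: ignore[assignment]
    if cg is not None and not r["group_matches"]:
        findings.append(f"client sent group name '{cg}', not one of the configured tunnel-groups "
                        f"{sorted(groups)}; the ASA fell back to DefaultRAGroup (set the client's "
                        "group name to the ASA tunnel-group, here NetworkRA)")
    if r["fsm_error"] and r["ike_sa_terminated"]:
        findings.append("IKEv1 aggressive-mode phase 1 failed on the ASA (FSM error, SA terminated)")
    if r["teardown_reason"]:
        findings.append(f"TCP/{tcp_port} flow torn down after the IKE SA ended: {r['teardown_reason']}")
    return r


if __name__ == "__main__":
    for f in diagnose(ASA_CONFIG, ASA_LOG)["findings"]:  # type: ignore[union-attr]
        print("-", f)
```

The checker keys on the syslog message IDs rather than on the free text, so it can be pointed at a full `show logging` buffer; the teardown is only attributed to the VPN when its destination port equals the configured IPsec-over-TCP port, which avoids flagging unrelated TCP flows closed by inspection.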
10-29-2012 09:34 AM
Hello Nathan,
This is our problem:
%ASA-6-302014: Teardown TCP connection 371 for DMZ:74.125.227.20/46673 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection.
Can you add the following commands and try it one more time?
sysopt connection preserve-vpn-flows
sysopt connection reclassify-vpn
Can I have the show run nat and show run policy-map?
Regards,
10-29-2012 10:43 AM
Here ya go (it still does not connect):
RemoteVPNASA# sh run nat
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
RemoteVPNASA# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 2534 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 2536 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 2066 messages logged
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-6-302013: Built inbound TCP connection 380 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 381 for DMZ:74.125.227.20/20486 (74.125.227.20/20486) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 20486
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 380 for DMZ:74.125.227.20/20486 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
10-29-2012 10:58 AM
Hello Nathan,
Here are the interesting facts from the debugs:
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcbf25fe0)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:7d9c0b7a terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
Can you share the show crypto isakmp sa while you try to connect and share the output you get? (Try to do it several times so we can see where it gets stuck.)
Regards,
Julio
10-29-2012 11:30 AM
I get the following after and during each connection attempt:
RemoteVPNASA(config)# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
Here's the log from the attempts:
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-7-609001: Built local-host DMZ:74.125.227.20
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 401 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 402 for DMZ:74.125.227.20/59541 (74.125.227.20/59541) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59541
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64b900)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:4448d481 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 401 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-6-302013: Built inbound TCP connection 403 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 404 for DMZ:74.125.227.20/59702 (74.125.227.20/59702) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59702
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:29c8051d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 403 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 405 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 406 for DMZ:74.125.227.20/59774 (74.125.227.20/59774) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59774
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:67fd2fff terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 405 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/10000 duration 0:00:01 bytes 396 Flow closed by inspection
%ASA-6-302013: Built inbound TCP connection 407 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 408 for DMZ:74.125.227.20/59889 (74.125.227.20/59889) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 829
%ASA-7-713906: IP = 74.125.227.20, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 59889
%ASA-7-715047: IP = 74.125.227.20, processing SA payload
%ASA-7-715047: IP = 74.125.227.20, processing ke payload
%ASA-7-715047: IP = 74.125.227.20, processing ISA_KE payload
%ASA-7-715047: IP = 74.125.227.20, processing nonce payload
%ASA-7-715047: IP = 74.125.227.20, processing ID payload
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received xauth V6 VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received DPD VID
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Fragmentation VID
%ASA-7-715064: IP = 74.125.227.20, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 74.125.227.20, processing VID payload
%ASA-7-715049: IP = 74.125.227.20, Received Cisco Unity client VID
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715028: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ISAKMP SA payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ke payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing nonce payload
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, Generating keys for Responder...
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing ID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing hash payload
%ASA-7-715076: Group = DefaultRAGroup, IP = 74.125.227.20, Computing hash for ISAKMP
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Cisco Unity VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing xauth V6 VID payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing dpd vid payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = DefaultRAGroup, IP = 74.125.227.20, constructing VID payload
%ASA-7-715048: Group = DefaultRAGroup, IP = 74.125.227.20, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 74.125.227.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, sending delete/delete with reason message
%ASA-6-302014: Teardown TCP connection 407 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/10000 duration 0:00:00 bytes 396 Flow closed by inspection
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-7-111009: User 'enable_15' executed cmd: show crypto isakmp sa
%ASA-6-302016: Teardown UDP connection 402 for DMZ:74.125.227.20/59541 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-6-302016: Teardown UDP connection 404 for DMZ:74.125.227.20/59702 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-6-302016: Teardown UDP connection 406 for DMZ:74.125.227.20/59774 to identity:10.11.12.2/500 duration 0:02:02 bytes 845
%ASA-6-302016: Teardown UDP connection 408 for DMZ:74.125.227.20/59889 to identity:10.11.12.2/500 duration 0:02:01 bytes 845
%ASA-7-609002: Teardown local-host DMZ:74.125.227.20 duration 0:02:16
%ASA-7-609002: Teardown local-host identity:10.11.12.2 duration 0:02:16
10-29-2012 11:48 AM
Hello Nathan,
Can you share the updated configuration?
Also, if you take out the crypto ikev1 ipsec-over-tcp port 10000, does it work over UDP?
Regards,
10-29-2012 12:56 PM
Here's the current config:
hostname RemoteVPNASA
domain-name Domain.local
enable password EknDlaH/tYor46kT encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.76 255.255.255.0
!
interface Vlan2
nameif DMZ
security-level 0
ip address 10.11.12.2 255.255.255.0
!
banner motd
banner motd +----------------------------------------------------+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +----------------------------------------------------+
banner motd
ftp mode passive
dns server-group DefaultDNS
domain-name Domain.local
object network Network-10.11.12.0
subnet 10.11.12.0 255.255.255.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network DM_INLINE_NETWORK_1
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.10.1.0 255.255.255.0
network-object 10.11.12.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 10.10.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 5.5.0.0 255.255.255.192
access-list vpn_SplitTunnel standard permit 5.5.16.0 255.255.255.192
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list acl_DMZ extended permit icmp any any object-group DefaultICMP
pager lines 24
logging enable
logging buffer-size 524288
logging asdm-buffer-size 200
logging console debugging
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu DMZ 1500
ip local pool IPPool 10.11.12.150-10.11.12.200
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
access-group acl_DMZ in interface DMZ
route DMZ 0.0.0.0 0.0.0.0 10.11.12.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DynamicMap 1 set ikev1 transform-set FirstSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NetMap 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NetMap interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto ikev1 enable inside
crypto ikev1 enable DMZ
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Network internal
group-policy Network attributes
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username user password HTfNe5Yf7OKVfTLO encrypted privilege 15
tunnel-group NetworkRA type remote-access
tunnel-group NetworkRA general-attributes
address-pool IPPool
default-group-policy Network
tunnel-group NetworkRA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:84afd7a2bcd6a7bc321dcf16f1376e85
: end
The result (no connection) is the same if I check UDP on the client. I'd prefer to keep it TCP though.
10-29-2012 04:14 PM
Hello Nathan,
To make the configuration clearer and more readable, can we take out the inside interface from the VPN perspective:
no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto ikev1 enable inside
I do not see anything wrong in the configuration; pretty interesting, but in the debugs we are going to the default group.
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
That unknown tunnel group, I do not like it!
Can you paste a screenshot of where you are trying to connect?
You should set on your VPN client
NetworkRA
Preshared-key
Let me know!
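As an added example (not part of this thread and not Cisco code): the failing and the succeeding attempts can be told apart mechanically from the syslog message IDs that appear in the logs posted above. The script below groups %ASA lines by peer IP, records which tunnel group each attempt ran under, and uses 713255 (aggressive-mode message 1 carried a group name the ASA does not have, after which the attempt is processed as DefaultRAGroup), 715065 (aggressive-mode responder state machine error), 713906 "Connection landed on tunnel_group", 713119/713120 (phase 1 and phase 2 complete) and 713228 (address assigned) to give each peer a verdict. Because the group name from aggressive-mode message 1 is logged verbatim, one peer producing 713255 with many different names is also worth flagging; the threshold of three distinct names is my assumption, not an ASA setting. SAMPLE_LOG is constructed from lines quoted in this thread.

```python
"""Triage ASA IKEv1 remote-access attempts from syslog lines.

Added example, not from the original thread. The message IDs handled
here (713255, 715065, 713906, 713119, 713120, 713228) all occur in the
logs posted in the thread; SAMPLE_LOG is constructed from those lines.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msg>\d{6}): (?P<body>.*)$")
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
GROUP_RE = re.compile(r"\bGroup = (?P<group>[^,]+),")
UNKNOWN_RE = re.compile(r"unknown tunnel group name '(?P<name>[^']*)'")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (?P<name>\S+)")
ASSIGNED_RE = re.compile(r"Assigned private IP address (?P<addr>\d{1,3}(?:\.\d{1,3}){3})")

# Heuristic (assumed, not an ASA setting): this many distinct unknown group
# names from one peer looks like group-name guessing rather than a typo.
ENUM_THRESHOLD = 3


def new_peer():
    return {"unknown_groups": [], "groups": set(), "am_errors": 0,
            "landed": None, "phase1": False, "phase2": False, "assigned": None}


def verdict(p):
    """Classify one peer from the facts collected for it."""
    if p["phase2"]:
        return "connected"
    if p["phase1"]:
        return "phase1-only"
    distinct = set(p["unknown_groups"])
    if len(distinct) >= ENUM_THRESHOLD:
        return "possible group-name enumeration"
    if distinct:
        return "group-name mismatch"
    if p["am_errors"]:
        return "aggressive-mode failure"
    return "no IKE result"


def triage(lines):
    """Return {peer_ip: facts + verdict} for every peer seen in the lines."""
    peers = defaultdict(new_peer)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an %ASA syslog line (e.g. 'show logging' header)
        msg, body = m.group("msg"), m.group("body")
        ip_m = IP_RE.search(body)
        if not ip_m:
            continue  # lines without a peer IP (e.g. IPAA pool messages)
        p = peers[ip_m.group("ip")]
        g = GROUP_RE.search(body)
        if g:
            p["groups"].add(g.group("group").strip())
        if msg == "713255":
            u = UNKNOWN_RE.search(body)
            p["unknown_groups"].append(u.group("name") if u else "?")
        elif msg == "715065":
            p["am_errors"] += 1
        elif msg == "713906":
            landed = LANDED_RE.search(body)
            if landed:
                p["landed"] = landed.group("name")
        elif msg == "713119":
            p["phase1"] = True
        elif msg == "713120":
            p["phase2"] = True
        elif msg == "713228":
            a = ASSIGNED_RE.search(body)
            if a:
                p["assigned"] = a.group("addr")
    return {ip: dict(p, verdict=verdict(p)) for ip, p in peers.items()}


# Constructed from lines quoted in the thread: one failing and one working peer.
SAMPLE_LOG = """\
%ASA-4-713255: IP = 74.125.227.20, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'user'.
%ASA-7-715047: Group = DefaultRAGroup, IP = 74.125.227.20, processing IKE SA payload
%ASA-7-715065: Group = DefaultRAGroup, IP = 74.125.227.20, IKE AM Responder FSM error history (struct &0xcb64bc80)
%ASA-7-713906: Group = DefaultRAGroup, IP = 74.125.227.20, IKE SA AM:e5c37c1d terminating: flags 0x0104c001, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA
%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)
"""

if __name__ == "__main__":
    for ip, facts in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {facts['verdict']}  groups={sorted(facts['groups'])} "
              f"unknown={facts['unknown_groups']} assigned={facts['assigned']}")
```

In practice, pipe the output of `show logging` (with `logging buffered debugging`, as in the posted config) into `triage()`; a "group-name mismatch" verdict whose unknown name equals a username, as here, points straight at the client's Group Authentication "Name" field.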
10-30-2012 07:21 AM
Yeah... the internal stuff I did through the ASDM in order to troubleshoot. It's all removed now. My VPN client is the Cisco VPN client, version 5.0.07.0440.
There isn't anywhere to set the pre-shared key for NetworkRA. Please explain.
Thanks!
10-30-2012 10:15 AM
Go to New
Connection entry : Just how you want to name it
host: DMZ ip address
Group authentication
Name: Tunnel-group of the ASA (NetworkRA)
Password: Preshared key
Remember to rate all of the helpful posts, If you do not know how to do it just let me know and I will show you
Regards,
Julio
10-31-2012 05:10 AM
Hey Julio,
Well, I clicked "correct answer" too quickly... The client connects now, but I cannot access anything on the internal network 10.10.1.0/24. So what should I look at now?
10-31-2012 10:25 AM
Hello Nathan,
Well, we can connect now. That is really good!
Now you cannot access anything on your internal network.
Let's start from there:
object network internal_subnet
subnet 10.10.1.0 255.255.255.0
nat (inside,DMZ) source static internal_subnet internal_subnet destination static Network-10.11.12.0 Network-10.11.12.0
no nat (inside,DMZ) source static any any destination static Network-10.11.12.0 Network-10.11.12.0
Let me know,
Regards
11-01-2012 06:01 AM
Yes, I very much agree that the client being able to connect is a very big step toward getting this to work. I applied the changes you listed and I am still not able to connect. Here's the log:
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: level debugging, 61342 messages logged
Monitor logging: disabled
Buffer logging: level debugging, 61344 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 5469 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.1.23, executed 'clear logging buffer'
%ASA-7-111009: User 'enable_15' executed cmd: show logging
%ASA-5-611103: User logged out: Uname: user
%ASA-6-315011: SSH session from 10.10.1.23 on interface inside for user "user" terminated normally
%ASA-6-302014: Teardown TCP connection 468 for inside:10.10.1.23/43355 to identity:10.10.1.76/22 duration 0:02:30 bytes 105260 TCP Reset-O
%ASA-7-609002: Teardown local-host inside:10.10.1.23 duration 0:02:30
%ASA-7-609002: Teardown local-host identity:10.10.1.76 duration 0:02:30
%ASA-6-106015: Deny TCP (no connection) from 10.10.1.23/43355 to 10.10.1.76/22 flags FIN PSH ACK on interface inside
%ASA-7-710005: TCP request discarded from 10.10.1.23/43355 to inside:10.10.1.76/22
%ASA-7-609001: Built local-host DMZ:76.199.251.254
%ASA-7-609001: Built local-host identity:10.11.12.2
%ASA-6-302013: Built inbound TCP connection 469 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/10000 (10.11.12.2/10000)
%ASA-6-302015: Built inbound UDP connection 470 for DMZ:76.199.251.254/25283 (76.199.251.254/25283) to identity:10.11.12.2/500 (10.11.12.2/500)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 832
%ASA-7-713906: IP = 76.199.251.254, Responder: IPSec over TCP encapsulation is used local TCP port: 10000 peer TCP port: 25283
%ASA-7-715047: IP = 76.199.251.254, processing SA payload
%ASA-7-715047: IP = 76.199.251.254, processing ke payload
%ASA-7-715047: IP = 76.199.251.254, processing ISA_KE payload
%ASA-7-715047: IP = 76.199.251.254, processing nonce payload
%ASA-7-715047: IP = 76.199.251.254, processing ID payload
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received xauth V6 VID
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received DPD VID
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received Fragmentation VID
%ASA-7-715064: IP = 76.199.251.254, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = 76.199.251.254, processing VID payload
%ASA-7-715049: IP = 76.199.251.254, Received Cisco Unity client VID
%ASA-7-713906: IP = 76.199.251.254, Connection landed on tunnel_group NetworkRA
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing IKE SA payload
%ASA-7-715028: Group = NetworkRA, IP = 76.199.251.254, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ISAKMP SA payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ke payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing nonce payload
%ASA-7-713906: Group = NetworkRA, IP = 76.199.251.254, Generating keys for Responder...
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing ID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing hash payload
%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Cisco Unity VID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing xauth V6 VID payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing dpd vid payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing VID payload
%ASA-7-715048: Group = NetworkRA, IP = 76.199.251.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing hash payload
%ASA-7-715076: Group = NetworkRA, IP = 76.199.251.254, Computing hash for ISAKMP
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing notify payload
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload
%ASA-7-715038: Group = NetworkRA, IP = 76.199.251.254, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
%ASA-7-715047: Group = NetworkRA, IP = 76.199.251.254, processing VID payload
%ASA-7-715049: Group = NetworkRA, IP = 76.199.251.254, Received Cisco Unity client VID
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=b5dd0950) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 82
%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, IP = 76.199.251.254, Processing MODE_CFG Reply attributes.
%ASA-6-113012: AAA user authentication Successful : local database : user = user
%ASA-6-113009: AAA retrieved default group policy (Network) for user = user
%ASA-6-113008: AAA transaction status ACCEPT : user = user
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary DNS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary DNS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: primary WINS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: secondary WINS = cleared
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: split tunneling list = vpn_SplitTunnel
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: IP Compression = disabled
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Split Tunneling Policy = Split Network
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Setting = no-modify
%ASA-7-715019: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.grouppolicy = Network
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username = user
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username1 = user
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User user, Addr 76.199.251.254: Session Attribute aaa.cisco.tunnelgroup = NetworkRA
%ASA-6-734001: DAP: User user, Addr 76.199.251.254, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-7-713052: Group = NetworkRA, Username = user, IP = 76.199.251.254, User (user) authenticated.
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=e90be37a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg ACK attributes
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 174
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, process_attr(): Enter!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Processing cfg Request attributes
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 address!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for IPV4 net mask!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DNS server address!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for WINS server address!
%ASA-5-713130: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received unsupported transaction mode attribute: 5
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Banner!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Save PW setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Default Domain Name!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split Tunnel List!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Split DNS!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for PFS setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Browser Proxy Setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for backup ip-sec peer list!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for Application Version!
%ASA-6-713184: Group = NetworkRA, Username = user, IP = 76.199.251.254, Client Type: WinNT Client Application Version: 5.0.07.0440
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for FWTYPE!
%ASA-7-715053: Group = NetworkRA, Username = user, IP = 76.199.251.254, MODE_CFG: Received request for DHCP hostname for DDNS is: MARS!
%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'NetworkRA'
%ASA-6-737026: IPAA: Client assigned 10.11.12.150 from local pool
%ASA-6-737006: IPAA: Local pool request succeeded for tunnel-group 'NetworkRA'
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Obtained IP addr (10.11.12.150) prior to initiating Mode Cfg (XAuth enabled)
%ASA-6-713228: Group = NetworkRA, Username = user, IP = 76.199.251.254, Assigned private IP address 10.11.12.150 to remote user
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Client Browser Proxy Attributes!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
%ASA-7-715055: Group = NetworkRA, Username = user, IP = 76.199.251.254, Send Cisco Smartcard Removal Disconnect enable!!
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=588dc5a2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 241
%ASA-7-714003: IP = 76.199.251.254, IKE Responder starting QM: msg id = 9db6fb00
%ASA-7-715021: Group = NetworkRA, Username = user, IP = 76.199.251.254, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
%ASA-6-713905: Group = NetworkRA, Username = user, IP = 76.199.251.254, Gratuitous ARP sent for 10.11.12.150
%ASA-7-746012: user-identity: Add IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-715022: Group = NetworkRA, Username = user, IP = 76.199.251.254, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
%ASA-5-713119: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 1 COMPLETED
%ASA-7-713121: IP = 76.199.251.254, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P1 rekey timer: 41040 seconds.
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending notify message
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=22ab08a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing SA payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing nonce payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload
%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR ID received
10.11.12.150
%ASA-7-713025: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received remote Proxy Host data in ID Payload: Address 10.11.12.150, Protocol 0, Port 0
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing ID payload
%ASA-7-714011: Group = NetworkRA, Username = user, IP = 76.199.251.254, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, QM IsRekeyed old sa not found by addr
%ASA-7-713066: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing IPSec SA payload
%ASA-7-715027: Group = NetworkRA, Username = user, IP = 76.199.251.254, IPSec SA Proposal # 8, Transform # 1 acceptable Matches global IPSec SA entry # 65535
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE: requesting SPI!
%ASA-7-715006: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got SPI from key engine: SPI = 0x2a9e7c0a
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, oakley constucting quick mode
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec SA payload
%ASA-5-713075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IPSec nonce payload
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing proxy ID
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Transmitting Proxy Id:
Remote host: 10.11.12.150 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending RESPONDER LIFETIME notification to Initiator
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-714005: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Responder sending 2nd QM pkt: msg id = 9db6fb00
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=9db6fb00) with payloads : HDR + HASH (8) + NONE (0) total length : 52
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, loading all IPSEC SAs
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!
%ASA-7-715001: Group = NetworkRA, Username = user, IP = 76.199.251.254, Generating Quick Mode Key!
%ASA-5-713049: Group = NetworkRA, Username = user, IP = 76.199.251.254, Security negotiation complete for User (user) Responder, Inbound SPI = 0x2a9e7c0a, Outbound SPI = 0x5bb276fb
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.
%ASA-7-715007: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE got a KEY_ADD msg for SA: SPI = 0x5bb276fb
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-609001: Built local-host DMZ:10.11.12.150
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 10.11.12.2 and 76.199.251.254 (user= user) has been created.
%ASA-7-715077: Group = NetworkRA, Username = user, IP = 76.199.251.254, Pitcher: received KEY_UPDATE, spi 0x2a9e7c0a
%ASA-7-715080: Group = NetworkRA, Username = user, IP = 76.199.251.254, Starting P2 rekey timer: 27360 seconds.
%ASA-7-713204: Group = NetworkRA, Username = user, IP = 76.199.251.254, Adding static route for client address: 10.11.12.150
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)
%ASA-7-746012: user-identity: Add IP-User mapping 76.199.251.254 - LOCAL\user Succeeded - VPN user
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=74c94d21) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417ba)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417ba)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=eda5977f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-609001: Built local-host inside:10.10.1.44
%ASA-6-302015: Built inbound UDP connection 472 for DMZ:10.11.12.150/427 (10.11.12.150/427)(LOCAL\user) to inside:10.10.1.44/427 (10.10.1.44/427) (user)
%ASA-7-609001: Built local-host inside:10.10.1.76
%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=c168a18) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bb)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bb)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=50284dae) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=29354099) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bc)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bc)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=1bca2b2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-7-609001: Built local-host inside:10.10.1.26
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=a6c91f9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing notify payload
%ASA-7-715075: Group = NetworkRA, Username = user, IP = 76.199.251.254, Received keep-alive of type DPD R-U-THERE (seq number 0x4e4417bd)
%ASA-7-715036: Group = NetworkRA, Username = user, IP = 76.199.251.254, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4e4417bd)
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=83836fa9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-6-302021: Teardown ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.26 duration 0:00:02
%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)
%ASA-7-609002: Teardown local-host inside:10.10.1.76 duration 0:00:30
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE RECEIVED Message (msgid=2a7b85a0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 72
%ASA-7-715047: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing hash payload
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, processing delete
%ASA-5-713050: Group = NetworkRA, Username = user, IP = 76.199.251.254, Connection terminated for peer user. Reason: Peer Terminate Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, Active unit receives a delete event for remote peer 76.199.251.254.
%ASA-7-715009: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE Deleting SA: Remote Proxy 10.11.12.150, Local Proxy 0.0.0.0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 rcv'd Terminate: state AM_ACTIVE flags 0x2861d041, refcnt 1, tuncnt 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, IKE SA AM:68e753d7 terminating: flags 0x2961d001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = NetworkRA, Username = user, IP = 76.199.251.254, sending delete/delete with reason message
%ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x5BB276FB) between 10.11.12.2 and 76.199.251.254 (user= user) has been deleted.
%ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x2A9E7C0A) between 76.199.251.254 and 10.11.12.2 (user= user) has been deleted.
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing blank hash payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing IKE delete payload
%ASA-7-715046: Group = NetworkRA, Username = user, IP = 76.199.251.254, constructing qm hash payload
%ASA-7-713236: IP = 76.199.251.254, IKE_DECODE SENDING Message (msgid=a9a78dd5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a
%ASA-7-715077: Pitcher: received key delete msg, spi 0x2a9e7c0a
%ASA-5-713259: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session is being torn down. Reason: User Requested
%ASA-6-713273: Group = NetworkRA, Username = user, IP = 76.199.251.254, Deleting static route for client address: 10.11.12.150
%ASA-7-746013: user-identity: Delete IP-User mapping 76.199.251.254 - LOCAL\user Failed - VPN user logout
%ASA-7-746013: user-identity: Delete IP-User mapping 10.11.12.150 - LOCAL\user Succeeded - VPN user logout
%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 45056 dead because SA deleted
%ASA-6-302014: Teardown TCP connection 469 for DMZ:76.199.251.254/25283 to identity:10.11.12.2/10000 duration 0:00:53 bytes 1724 Flow closed by inspection
%ASA-6-106015: Deny TCP (no connection) from 76.199.251.254/25283 to 10.11.12.2/10000 flags ACK on interface DMZ
%ASA-7-710005: TCP request discarded from 76.199.251.254/25283 to DMZ:10.11.12.2/10000
%ASA-6-737016: IPAA: Freeing local pool address 10.11.12.150
%ASA-7-609001: Built local-host inside:10.10.1.23
%ASA-7-609001: Built local-host identity:10.10.1.76
%ASA-6-302013: Built inbound TCP connection 478 for inside:10.10.1.23/43785 (10.10.1.23/43785) to identity:10.10.1.76/22 (10.10.1.76/22)
%ASA-6-113012: AAA user authentication Successful : local database : user = user
%ASA-6-113008: AAA transaction status ACCEPT : user = user
%ASA-6-611101: User authentication succeeded: Uname: user
%ASA-6-611101: User authentication succeeded: Uname: user
%ASA-6-605005: Login permitted from 10.10.1.23/43785 to inside:10.10.1.76/ssh for user "user"
%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
%ASA-5-111008: User 'user' executed the 'enable' command.
Let me know what you think.
Thanks!
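Added example, not part of the original post: a small Python triage script for a debug dump like the one above. It keys only on the ASA syslog IDs that actually appear in this thread (713120, 713204, 302013/302015, 302020, 302014, 113019) and on their message formats exactly as printed here; the sample lines are copied from the output above. What it pulls out is the point the log makes: phase 2 completed, the pool address was assigned, connections from 10.11.12.150 were built to inside hosts, but the SSH connection was torn down with `SYN Timeout` after 0 bytes and the session ended with `Bytes xmt: 0`, i.e. the ASA forwarded the client's packets inbound and never saw anything come back. The verdict string is the heuristic a human would apply to those messages, not anything the ASA itself reports.

```python
"""Triage an ASA IKEv1 remote-access debug dump.

Added example for this thread, not code from the original post. It assumes
the syslog formats exactly as they appear in the debug output above; the
SAMPLE_LOG lines are copied from that output.
"""
import re

# Cisco ASA syslog IDs this script keys on:
#   713120 PHASE 2 COMPLETED          713204 Adding static route for client
#   302013/302015 Built TCP/UDP conn  302020 Built ICMP connection
#   302014 Teardown TCP connection    113019 Session disconnected
MSG_RE = re.compile(r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
CLIENT_RE = re.compile(r"client address: (?P<addr>[\d.]+)")
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src>\S+) .*? to (?P<dst>\S+)")
ICMP_RE = re.compile(
    r"Built inbound ICMP connection for faddr (?P<src>\S+) gaddr (?P<dst>\S+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+?)(?: \([^()]*\))?$")
DISC_RE = re.compile(
    r"Session Type: (?P<stype>\w+), Duration: \S+, Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$")

# Lines copied from the debug output in this thread (one client session).
SAMPLE_LOG = r"""
%ASA-7-713204: Group = NetworkRA, Username = user, IP = 76.199.251.254, Adding static route for client address: 10.11.12.150
%ASA-5-713120: Group = NetworkRA, Username = user, IP = 76.199.251.254, PHASE 2 COMPLETED (msgid=9db6fb00)
%ASA-6-302015: Built inbound UDP connection 472 for DMZ:10.11.12.150/427 (10.11.12.150/427)(LOCAL\user) to inside:10.10.1.44/427 (10.10.1.44/427) (user)
%ASA-6-302013: Built inbound TCP connection 473 for DMZ:10.11.12.150/43618 (10.11.12.150/43618)(LOCAL\user) to inside:10.10.1.76/22 (10.10.1.76/22) (user)
%ASA-6-302020: Built inbound ICMP connection for faddr 10.11.12.150/1(LOCAL\user) gaddr 10.10.1.26/0 laddr 10.10.1.26/0 (user)
%ASA-6-302014: Teardown TCP connection 473 for DMZ:10.11.12.150/43618(LOCAL\user) to inside:10.10.1.76/22 duration 0:00:30 bytes 0 SYN Timeout (user)
%ASA-4-113019: Group = NetworkRA, Username = user, IP = 76.199.251.254, Session disconnected. Session Type: IPsecOverTCP, Duration: 0h:00m:52s, Bytes xmt: 0, Bytes rcv: 536, Reason: User Requested
%ASA-6-302014: Teardown TCP connection 469 for DMZ:76.199.251.254/25283 to identity:10.11.12.2/10000 duration 0:00:53 bytes 1724 Flow closed by inspection
"""


def triage(lines):
    """Return a dict summarising one remote-access session from debug lines."""
    report = {"phase2": False, "client": None, "built": [],
              "syn_timeouts": [], "session": None}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # continuation lines such as 'Remote host: ...'
        msgid, body = m["msgid"], m["body"]
        if msgid == "713120":
            report["phase2"] = True
        elif msgid == "713204":
            cm = CLIENT_RE.search(body)
            if cm:
                report["client"] = cm["addr"]
        elif msgid in ("302013", "302015"):
            bm = BUILT_RE.search(body)
            if bm:
                report["built"].append((bm["proto"], bm["src"], bm["dst"]))
        elif msgid == "302020":
            im = ICMP_RE.search(body)
            if im:
                report["built"].append(("ICMP", im["src"], im["dst"]))
        elif msgid == "302014":
            tm = TEARDOWN_RE.search(body)
            # SYN Timeout with 0 bytes: the ASA forwarded the SYN and never
            # saw a SYN/ACK come back from the inside host.
            if tm and tm["reason"] == "SYN Timeout" and tm["bytes"] == "0":
                report["syn_timeouts"].append(tm["dst"])
        elif msgid == "113019":
            dm = DISC_RE.search(body)
            if dm:
                report["session"] = {"type": dm["stype"], "xmt": int(dm["xmt"]),
                                     "rcv": int(dm["rcv"]), "reason": dm["reason"]}
    report["verdict"] = verdict(report)
    return report


def verdict(report):
    """Turn the counters into the one-line conclusion you want from a dump."""
    if not report["phase2"]:
        return "phase 2 never completed: the problem is in IKE/IPsec negotiation"
    sess = report["session"]
    if report["syn_timeouts"] and sess is not None and sess["xmt"] == 0:
        return ("tunnel up; client packets reach inside hosts but nothing "
                "returns (SYN Timeout, 0 bytes sent to client): check the "
                "return path from the inside hosts to the pool address")
    if report["built"]:
        return "tunnel up and connections were built; no SYN timeouts seen"
    return "tunnel up but no client traffic seen"


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(f"{key}: {value}")
```

Feed it a saved capture of the same debug/logging output and it prints the summary; the interesting fields for a case like this one are `syn_timeouts` (which inside host:port never answered) together with `session["xmt"]` (how many bytes the ASA ever sent back through the tunnel).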