Showing results for 
Search instead for 
Did you mean: 

ASA5505 RA VPN Problems

Steven Tolzmann

(EDIT: Sorry for the double post)

Hi all,

I recently re-configured our central ASA5505, and re-setup the Remote Access VPN Configuration, and I am having difficulty passing traffic. Some background -- We have 1 central site, that connects to 2 spokes (Simple Hub & spoke topology), and they are connected with L2L tunnels and all 3 sites can pass traffic OK on the L2L tunnels.

Site 1 (Hub) is

Site 2 (spoke) is

Site 3 (spoke) is

RA Vpn pool is

Here's the problem -- I can get the Cisco VPN Client on my remote PC to connect OK, and statistics shows that packets are being encrypted AND bypassed (split tunneling is setup), but NOTHING is being decrypted!! I need to figure out why. I had one other person try connect, and they get the same thing.

Hub Config:::

ASA Version 8.0(2)
hostname xxxx-HUB
domain-name xxxxxx
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx
interface Vlan3
nameif inet
security-level 50
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
description TO ACCESS POINT
switchport trunk allowed vlan 1,3
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name xxxxx
same-security-traffic permit intra-interface
access-list to_spoke1 extended permit ip
access-list 101 extended permit icmp any any
access-list split standard permit
access-list to_spoke2 extended permit ip
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
access-list sip extended permit tcp any any range sip 5061
access-list sip extended permit udp any any range sip 5061
access-list sip extended permit udp any any eq 3000
access-list sip extended permit tcp any any eq 3000
access-list nonat extended permit ip
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inet 1500
ip local pool RA-Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (inet) 1
route outside xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set ESP-AES-SHA
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 10 match address to_spoke1
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 11 match address to_spoke2
crypto map outside_map 11 set peer xx.xx.xx.xx
crypto map outside_map 11 set transform-set ESP-AES-SHA
crypto map outside_map 999 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh inside
ssh xx.xx.xx.xx outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd lease 20000 interface inside
dhcpd domain xxxxx interface inside
dhcpd enable inside
dhcpd address inet
dhcpd dns interface inet
dhcpd enable inet
priority-queue inside
tx-ring-limit 256
priority-queue outside
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
class-map voice
match access-list sip
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map type inspect sip default_sip
max-forwards-validation action drop log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect rtsp
inspect sip default_sip
inspect icmp
policy-map qos
class voice
service-policy global_policy global
service-policy qos interface inside
service-policy qos interface outside
group-policy Company-RA internal
group-policy Company-RA attributes
dns-server value
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxxxx
address-pools value RA-Pool
username vpnuser1 password xxxxxxx encrypted privilege 3
username vpnuser1 attributes
vpn-group-policy Company-RA
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username vpnuser2 password xxxxxx encrypted privilege 15
username vpnuser2 attributes
vpn-group-policy Company-RA
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage disable
group-lock none
username admin password xxxxxxxx encrypted privilege 15
username admin attributes
service-type admin
username steve password xxxxxx encrypted privilege 3 <<< Account being used to test
username steve attributes
vpn-group-policy Company-RA
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group Company-RA type remote-access
tunnel-group Company-RA general-attributes
address-pool RA-Pool
default-group-policy Company-RA
tunnel-group Company-RA ipsec-attributes
pre-shared-key *
prompt hostname context

I realize the other spoke configs may be relevant, but at this time I am just trying to pass traffic to the (Hub) Network, which I am unable to do so far. Any help is greatly appreciated!