ASA5505 RA VPN Problems

Steven Tolzmann
Level 1

(EDIT: Sorry for the double post)

Hi all,

I recently reconfigured our central ASA5505 and set up the Remote Access VPN configuration again, and I am having difficulty passing traffic. Some background: we have one central site that connects to two spokes (simple hub and spoke topology); they are connected with L2L tunnels, and all three sites can pass traffic OK over the L2L tunnels.

Site 1 (Hub) is 192.168.9.0/24

Site 2 (spoke) is 192.168.12.0/24

Site 3 (spoke) is 192.168.14.0/24

RA Vpn pool is 192.168.99.0/25

Here's the problem: I can get the Cisco VPN Client on my remote PC to connect OK, and statistics show that packets are being encrypted AND bypassed (split tunneling is set up), but NOTHING is being decrypted! I need to figure out why. I had one other person try to connect, and they get the same thing.

Hub Config:

ASA Version 8.0(2)
!
hostname xxxx-HUB
domain-name xxxxxx
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.248
!
interface Vlan3
nameif inet
security-level 50
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
description TO ACCESS POINT
switchport trunk allowed vlan 1,3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.9.2
name-server 192.168.12.2
name-server 8.8.8.8
domain-name xxxxx
same-security-traffic permit intra-interface
access-list to_spoke1 extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_spoke2 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
access-list sip extended permit tcp any any range sip 5061
access-list sip extended permit udp any any range sip 5061
access-list sip extended permit udp any any eq 3000
access-list sip extended permit tcp any any eq 3000
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inet 1500
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inet) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set ESP-AES-SHA
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 10 match address to_spoke1
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 11 match address to_spoke2
crypto map outside_map 11 set peer xx.xx.xx.xx
crypto map outside_map 11 set transform-set ESP-AES-SHA
crypto map outside_map 999 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.101-192.168.9.199 inside
dhcpd dns 192.168.9.2 192.168.12.2 interface inside
dhcpd lease 20000 interface inside
dhcpd domain xxxxx interface inside
dhcpd enable inside
!
dhcpd address 10.10.0.100-10.10.0.199 inet
dhcpd dns 208.67.222.222 8.8.8.8 interface inet
dhcpd enable inet
!
priority-queue inside
tx-ring-limit 256
priority-queue outside
tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map voice
match access-list sip
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect sip default_sip
parameters
max-forwards-validation action drop log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect rtsp
inspect sip default_sip
inspect icmp
policy-map qos
class voice
priority
!
service-policy global_policy global
service-policy qos interface inside
service-policy qos interface outside
webvpn
group-policy Company-RA internal
group-policy Company-RA attributes
dns-server value 192.168.9.2 192.168.12.2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxxxx
address-pools value RA-Pool
username vpnuser1 password xxxxxxx encrypted privilege 3
username vpnuser1 attributes
vpn-group-policy Company-RA
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username vpnuser2 password xxxxxx encrypted privilege 15
username vpnuser2 attributes
vpn-group-policy Company-RA
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage disable
group-lock none
username admin password xxxxxxxx encrypted privilege 15
username admin attributes
service-type admin
username steve password xxxxxx encrypted privilege 3 <<< Account being used to test
username steve attributes
vpn-group-policy Company-RA
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group Company-RA type remote-access
tunnel-group Company-RA general-attributes
address-pool RA-Pool
default-group-policy Company-RA
tunnel-group Company-RA ipsec-attributes
pre-shared-key *
prompt hostname context

I realize the other spoke configs may be relevant, but at this time I am just trying to pass traffic to the 192.168.9.0/24 (Hub) network, which I am unable to do so far. Any help is greatly appreciated!

Thanks!
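
The checks a reviewer runs over a config like the one above, written out as an added example (this is not code from the thread or from Cisco). It takes the posted hub config, with the inside network 192.168.9.0/24 and the group-policy name Company-RA passed in as parameters, and answers the questions behind the "encrypted but nothing decrypted" symptom on the ASA side: is the RA pool exempt from the PAT rule, does the split-tunnel ACL actually include the inside network, is a dynamic crypto map bound to the map on the outside interface, and is reverse-route injection on so the pool is routed back into the tunnel. HUB_CONFIG is a constructed excerpt of the posted config with the one-space sub-mode indentation that `show running-config` prints restored, since the paste lost it.

```python
"""Reviewer checks for an ASA 8.x IPsec remote-access VPN config (added example,
not code from the thread). HUB_CONFIG is a constructed excerpt of the posted hub
config with the one-space sub-mode indentation of `show running-config` restored."""
import ipaddress
import re

HUB_CONFIG = """\
access-list split standard permit 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto dynamic-map dyn1 1 set transform-set ESP-AES-SHA
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 999 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
group-policy Company-RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value RA-Pool
tunnel-group Company-RA general-attributes
 address-pool RA-Pool
 default-group-policy Company-RA
"""

def net(addr, mask):
    """Build a network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def sections(cfg):
    """Map each top-level command to its indented sub-mode lines."""
    out, parent = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and parent is not None:
            out[parent].append(line.strip())
        elif not line[0].isspace():
            parent = line.strip()
            out.setdefault(parent, [])
    return out

def parse_pool(cfg):
    """Return (name, network) for the first 'ip local pool' line."""
    m = re.search(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)", cfg, re.M)
    name, first, _last, mask = m.groups()
    return name, net(first, mask)

def nat0_exempts(cfg, inside, pool):
    """nat (inside) 0 must exempt inside -> pool, or replies to RA clients are
    PATed to the outside address by 'nat (inside) 1' and never enter the
    tunnel: the client then shows packets encrypted but none decrypted."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return False
    pat = (rf"^access-list {re.escape(m.group(1))} extended permit ip "
           r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
    return any(inside.subnet_of(net(s, sm)) and pool.subnet_of(net(d, dm))
               for s, sm, d, dm in re.findall(pat, cfg, re.M))

def split_includes(cfg, policy, target):
    """With tunnelspecified, only networks in the split ACL go into the tunnel."""
    attrs = sections(cfg).get(f"group-policy {policy} attributes", [])
    mode = next((l for l in attrs if l.startswith("split-tunnel-policy")), "")
    if "tunnelspecified" not in mode:
        return True   # tunnelall (or no policy line): everything is tunnelled
    acl = next((l.split()[-1] for l in attrs
                if l.startswith("split-tunnel-network-list")), None)
    if acl is None:
        return False  # tunnelspecified with no list sends nothing into the tunnel
    pat = rf"^access-list {re.escape(acl)} standard permit ([\d.]+) ([\d.]+)"
    return any(target.subnet_of(net(a, m)) for a, m in re.findall(pat, cfg, re.M))

def dynamic_map(cfg):
    """RA peers can only match a dynamic entry of the crypto map bound to the
    outside interface; reverse-route injects the pool into the routing table."""
    m = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", cfg, re.M)
    if not m:
        return {"dynamic_bound": False, "rri": False, "map_on_outside": False}
    cmap, dyn = map(re.escape, m.groups())
    return {
        "dynamic_bound": True,
        "rri": bool(re.search(rf"^crypto dynamic-map {dyn} \d+ set reverse-route", cfg, re.M)),
        "map_on_outside": bool(re.search(rf"^crypto map {cmap} interface outside", cfg, re.M)),
    }

def review(cfg, inside="192.168.9.0/24", policy="Company-RA"):
    """Run every check; True means the check passed."""
    inside_net = ipaddress.ip_network(inside)
    pool_name, pool = parse_pool(cfg)
    findings = {
        "pool": f"{pool_name} {pool}",
        "nat0_exempts_pool": nat0_exempts(cfg, inside_net, pool),
        "split_acl_includes_inside": split_includes(cfg, policy, inside_net),
        "isakmp_on_outside": bool(re.search(r"^crypto isakmp enable outside", cfg, re.M)),
    }
    findings.update(dynamic_map(cfg))
    return findings
```

Run against the posted config every check comes back True: the nonat ACL exempts all of 192.168.0.0/16 to itself, which covers the 192.168.99.0/25 pool, and the split ACL covers the hub subnet, so the ASA side of the RA path is configured as intended and the "nothing decrypted" counter is not a NAT-exemption or crypto-map miss. What these checks cannot see is what the later replies point at: the client software itself, and whether the inside hosts route and accept traffic from 192.168.99.0/25.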

11 Replies

Pedro Lereno
Level 1

Hi Steven,

Are you trying with a Windows 7/8/10 PC? Cisco does not support the Cisco VPN Client anymore; for Windows you will need SSL VPN or L2TP/IPsec VPN.

I had the same symptoms with Windows 8, only traffic in one direction.

If you want to check the configuration on the ASA, try with a Mac, Linux (vpnc) or iOS/Android device. These devices do not have this kind of problem.

Regards,

Pedro Lereno

Thanks for the reply-

I am using Windows 10 64-bit; however, I was able to use this successfully on another ASA configuration, so I am pretty sure it should be able to work. SSL VPN is limited to 2 connections, correct? Also, L2TP/IPsec VPN, which client does that use?

I'm still curious if anyone else can find a problem in my config... It looks good to me.

Thanks,

Steve

UPDATE: I set it up on my iPhone 6 (IPsec option), and I am able to connect no problem, but I cannot ping devices on the 192.168.9.0/24 subnet. ICMP is not blocked and functions OK on all of the L2L tunnels. I think there is something else wrong aside from the VPN client.

Also -- AnyConnect appears to be a licensed feature...? I am able to do

webvpn
enable outside

But I cannot enter any AnyConnect commands. What is the best program/method for me to set up VPN access? I would ideally like to use the Cisco VPN Client, which may no longer be supported.

I am confident that your immediate problem is the lack of support in the traditional IPsec VPN client for Windows 10. I have seen some description of workarounds/registry hacks which claim that they get the client to work with Win 10. That may be what you experienced before when the VPN client worked. I am not sure what is involved with that and would not recommend that approach. My opinion is that by the time you get to Win 10 you should give up on the old non-supported IPsec client and use AnyConnect.

You are correct that when you transition to AnyConnect that there are licensing issues. The ASA by default has licenses for 2 AnyConnect sessions. It is sufficient to allow you to do some testing and to get used to how AnyConnect works. But it is not sufficient for a production implementation. You will need to purchase AnyConnect licenses when you start to use it as your production client.

HTH

Rick


I started trying AnyConnect, and I got it to work (despite certificate error pop-ups), but then tweaked it and now it won't work at all....

Wish someone could figure out why my original config didn't work with the VPN Client (it worked before)....

I've given up on Microsoft VPN with IPsec/L2TP; maybe I'll give AnyConnect another stab tomorrow...

EDIT: I tried disabling webvpn on the outside interface, then re-enabled it, and I can connect once again. However, after 5 minutes I get login failed again... Weird.

Where are you at this point? Still trying AnyConnect? Assuming that your ASA has a self-signed certificate, the pop-ups warning about an untrusted server are to be expected. In fact the default behavior of AnyConnect is to not connect to an untrusted server/self-signed certificate. Once you get the AnyConnect client loaded on your PC there is an option you can change that will allow connection to a server using a self-signed certificate.

If you are still having problems then it might help to post a copy of the current config of your ASA and a fresh statement of what works and what does not work.

HTH

Rick


Hi Steven,

I do not see any misconfiguration in your config. Please make sure that your inside hosts have a route to the remote access clients 192.168.99.1-126 and that the traffic is not blocked by any ACL.

For Windows with the VPN Client, in some situations we managed to get access, but most of the time the traffic was only in one direction.

If you cannot afford AnyConnect you can try L2TP/IPsec, using the native Windows client.

An example config on the ASA:

tunnel-group DefaultRAGroup general-attributes  // windows client must use DefaultRAGroup 
address-pool RAPOOL
authentication-server-group RAradius /// (1)
default-group-policy DefaultRAGroup
password-management
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2

(1) in case of local authentication:
username vpn password XXXXXXX nt-encrypted ///  nt-encrypted is needed for MS-CHAP

On Windows, in powershell cli:

powershell -command Add-VpnConnection -Name "VPN" -AllUserConnection -ServerAddress "ASA-OUTSIDE-IP-ADDRESS" -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod "MSChapv2" -L2tpPsk "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -Force

Regards,

Pedro Lereno

Thank you, this is very helpful and I will try it and report back.

Another IT user tried connecting from a Windows 7 machine and also couldn't pass traffic... which is odd. My config/ACLs all look good to me also, so it makes little sense. Hopefully the L2TP/IPsec solution just works :)

Edit: When you say "routes" to the .99 network, what do you mean? The reverse route on the dynamic crypto map should take care of that, right?

OK, so I tried using L2TP/IPsec and did not get very far. I did as Pedro suggested and used some of his config, as well as some other suggestions I found on the web. When I try to connect it is stuck on connecting for a while, and then I receive the following error:

OS: Windows 10 64-bit

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

show isa sa

on the ASA gives me MM_WAIT_MSG5, stuck in Phase 1... Then the connection disappears entirely after 5-10 seconds.

Relevant config changes below:

ASA Version 8.0(2)
access-list to_spoke1 extended permit ip 192.168.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_spoke2 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inet) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-SHA-TRANS mode transport
crypto dynamic-map dyn_outside 10000 set transform-set ESP-AES-SHA-TRANS ESP-AES256-SHA-TRANS
crypto map outside_map 10 match address to_spoke1
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 11 match address to_spoke2
crypto map outside_map 11 set peer xx.xx.xx.xx
crypto map outside_map 11 set transform-set ESP-AES-SHA
crypto map outside_map 10000 ipsec-isakmp dynamic dyn_outside
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 99
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.9.2 192.168.12.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxxxx
address-pools value RA-Pool
!
!
username steve password xxxxxxxxxxxx nt-encrypted
username steve attributes
vpn-group-policy DefaultRAGroup
!
tunnel-group DefaultRAGroup general-attributes
address-pool RA-Pool
default-group-policy DefaultRAGroup
password-management
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
prompt hostname context

Attached is my Windows VPN Client Configuration.

Any suggestions?

Update -- here is the debug crypto isakmp output when attempting to connect:

Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 408
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received NAT-Traversal RFC VID
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received NAT-Traversal ver 02 VID
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing IKE SA payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Traversal VID ver 02 payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 260
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing ke payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing ISA_KE payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing nonce payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup
Jan 20 15:20:36 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Generating keys for Responder...
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jan 20 15:20:36 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Jan 20 15:20:36 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching user to tunnel-group: DefaultL2LGroup
Jan 20 15:20:36 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Jan 20 15:20:37 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 20 15:20:37 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Jan 20 15:20:38 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 20 15:20:38 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Jan 20 15:20:41 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 20 15:20:41 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Jan 20 15:20:44 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 20 15:20:44 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, P1 Retransmit msg dispatched to MM FSM
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE MM Responder FSM error history (struct &0xd820f670) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG-->MM_WAIT_MSG5, EV_RESEND_MSG
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE SA MM:f4bd483a terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, sending delete/delete with reason message
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing blank hash payload
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing IKE delete payload
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, constructing qm hash payload
Jan 20 15:20:44 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=cd90ac82) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 20 15:20:44 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Removing peer from peer table failed, no match!
Jan 20 15:20:44 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, Error: Unable to remove PeerTblEntry
Jan 20 15:20:47 [IKEv1]: IP = xx.xx.xx.xx, Received encrypted packet with no matching SA, dropping
Jan 20 15:20:50 [IKEv1]: IP = xx.xx.xx.xx, Received encrypted packet with no matching SA, dropping
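
The debug above already contains the answer, and the reading of it is mechanical enough to script. As an added example (not code from the thread or from Cisco), the triage below reduces a main-mode capture to the facts a responder-side reviewer wants: the phase-1 proposal was accepted ("Matches global IKE entry"), the peer landed on DefaultRAGroup, the responder sent MM4 and sat in MM_WAIT_MSG5 waiting for MM5, which is the first encrypted message of main mode, and the only thing it could say about that message was that it would not decrypt. That pattern is a pre-shared key mismatch, not a policy mismatch; the ASA then retries the packet against DefaultL2LGroup's key and fails again, so the later DefaultL2LGroup lines are a consequence, not a second fault. SAMPLE is a constructed excerpt modelled on the posted output, with the peer address masked exactly as in the post; the FSM history is decoded on the assumption, consistent with MM_DONE/EV_ERROR being listed first, that the ASA prints the most recent transition first.

```python
"""Triage for ASA `debug crypto isakmp` phase-1 output (added example, not code
from the thread). SAMPLE is a constructed excerpt modelled on the posted debug."""
import re

SAMPLE = """\
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Jan 20 15:20:36 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jan 20 15:20:36 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup
Jan 20 15:20:36 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Jan 20 15:20:36 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key. Switching user to tunnel-group: DefaultL2LGroup
Jan 20 15:20:36 [IKEv1]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Jan 20 15:20:44 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xx.xx.xx.xx, IKE MM Responder FSM error history (struct &0xd820f670) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG
"""

# timestamp, [IKEv1|IKEv1 DEBUG], optional "Group = X, ", "IP = Y, ", free text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<level>[^\]]+)\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

def parse(text):
    """One dict per recognised debug line; unrelated console noise is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def fsm_states(msg):
    """Decode the '<state>, <event>' history into chronological (state, event) pairs.
    Assumption: the ASA prints the most recent transition first (MM_DONE/EV_ERROR)."""
    body = msg.split("<state>, <event>:", 1)[1]
    pairs = [tuple(p.strip().split(", ")) for p in body.split("-->")]
    return [p for p in reversed(pairs) if len(p) == 2]

def triage(text):
    """Summarise a phase-1 capture and name the most likely cause of an abort."""
    report = {"peer": None, "proposal_accepted": False, "tunnel_groups": [],
              "psk_mismatch": False, "stuck_state": None,
              "diagnosis": "no phase-1 failure seen"}
    for ev in parse(text):
        report["peer"] = report["peer"] or ev["ip"]
        msg = ev["msg"]
        if "acceptable Matches global IKE entry" in msg:
            report["proposal_accepted"] = True   # policy agreed: not a crypto mismatch
        m = re.search(r"landed on tunnel_group (\S+)|Switching user to tunnel-group: (\S+)", msg)
        if m:
            report["tunnel_groups"].append(m.group(1) or m.group(2))
        if "mismatched pre-shared key" in msg:
            report["psk_mismatch"] = True
        if "FSM error history" in msg:
            waits = [s for s, _ in fsm_states(msg) if s.startswith("MM_WAIT")]
            report["stuck_state"] = waits[-1] if waits else None
    if report["psk_mismatch"]:
        first = report["tunnel_groups"][0] if report["tunnel_groups"] else "the matched tunnel-group"
        report["diagnosis"] = (
            "proposal accepted, but the first encrypted main-mode message (responder in "
            f"{report['stuck_state'] or 'main mode'}) could not be decrypted: the client PSK "
            f"does not match {first}; later DefaultL2LGroup lines are the ASA retrying with "
            "another key, not a second problem"
        )
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
```

The one caveat worth keeping in mind: because a Windows L2TP client identifies itself only by address in main mode, it lands on DefaultRAGroup, so the key it must match is the one under `tunnel-group DefaultRAGroup ipsec-attributes`, which is where the thread's fix ended up.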

Had a mismatched PSK after all, double checked it once, guess I missed it.

I can now connect, but am having trouble getting split tunneling to work properly... Investigating.

I went into IPv4 Settings > Advanced on the client and unchecked "Use default gateway on remote network". I can still connect and my internet connection doesn't go away, but now I am unable to ping devices on the 192.168.9.0/24 network; it was working before.

I was also going to try full tunneling, but now I can't get DNS to resolve at all!

Why are there all these hoops to jump through? Please help
