Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About baskervi
11-23-2018
Stats
Member since
11-18-2002
233
Posts
0
Helpful
0
Solutions
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
11-16-2018
02:44 PM
11-16-2018
02:44 PM
I'm going to take this as a solution. I'm suspecting you are correct in this. Thanks
... View more
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
11-16-2018
01:47 PM
11-16-2018
01:47 PM
I am just about to add a route-based VPN onto an ASA that already has several policy-based VPNs. I presume this won't be a problem, but I couldn't find any documentation on Cisco's web site for any limitations of two types of VPNs on the same device. Is anyone aware of a problem? Thanks
... View more
Labels:
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
08-14-2018
10:11 PM
08-14-2018
10:11 PM
First, thanks for any suggestions. I'm stumped at this point.
"debug crypto ips 127" yields the following, and it continues repeating over an over. The only thing that seem important is the message "IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA".
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=172.16.9.198, sport=256, daddr=172.50.1.5, dport=256 IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 5: skipping because 5-tuple does not match ACL ACL5 ...
IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 99: skipping because 5-tuple does not match ACL ACL99 IPSEC(crypto_map_check)-3: Checking crypto map CRYPTOMAP 150: matched. IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC995E875)
IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy started, state embryonic IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free started, state embryonic IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free completed IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy completed ... <continues repeating the above> ...
Packet-tracer yield the following. I found few hits on Google, but I did see https://community.cisco.com/t5/vpn-and-anyconnect/site-to-site-vpn-between-asa-9-9-1-and-bintec-router/m-p/3230693. I put the nat statement for this tunnel at the very top of the list, but it didn't help. The parameters in phase 13 look good, but the ASA drops the packets. Any clue as to what is going on?
Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad7f32cd0, priority=1, domain=permit, deny=false hits=13878009971, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=inside, output_ifc=any
Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 1.1.1.1 using egress ifc outside
Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup Additional Information: NAT divert to egress interface outside Untranslate 172.50.1.5/443 to 172.50.1.5/443
Phase: 4 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 172.16.9.198 using egress ifc inside
Phase: 5 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group INSIDE in interface inside access-list INSIDE remark Permit all other traffic from inside interface access-list INSIDE extended permit ip any4 any4 Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad873c690, priority=13, domain=permit, deny=false hits=45569604, user_data=0x2aaacdad3540, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup Additional Information: Static translate 172.16.9.198/50000 to 172.16.9.198/50000 Forward Flow based lookup yields rule: in id=0x2aaadad6bc80, priority=6, domain=nat, deny=false hits=26433, user_data=0x2aaadaace9a0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=outside
Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac927a3c0, priority=1, domain=nat-per-session, deny=true hits=168128170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any
Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad7f3bb00, priority=0, domain=inspect-ip-options, deny=true hits=56989875, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 9 Type: SFR Subtype: Result: ALLOW Config: class-map sfr match access-list sfr-redirect policy-map global_policy class sfr sfr fail-open monitor-only service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaadb037b30, priority=71, domain=sfr, deny=false hits=50429730, user_data=0x2aaada45d390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map class_http match port tcp eq https policy-map global_policy class class_http inspect http service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaada452cf0, priority=70, domain=inspect-http, deny=false hits=39394070, user_data=0x2aaada451590, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 11 Type: FOVER Subtype: standby-update Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad848c460, priority=20, domain=lu, deny=false hits=44831731, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 12 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaada31b840, priority=13, domain=ipsec-tunnel-flow, deny=true hits=50528167, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any
Phase: 13 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaadaeb7220, priority=70, domain=encrypt, deny=false hits=213, user_data=0x0, cs_id=0x2aaada27ddd0, reverse, flags=0x0, protocol=0 src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside
Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
... View more
- Tags:
- VPN Azure
Labels:
04-26-2018
07:51 AM
I agree that these are responses for dns and snmp, and inspection is enabled for both of these. That was my concern - during the inspection process, ASA properly detects most responses but not all. I'm concerned that something may be going on that I need to investigate further, but I'm not able to find anything strange going on between or within the systems.
... View more
04-26-2018
07:41 AM
Thanks for the response, Dennis. I'm getting about 5 hits on the access list over a 48 hour period, so very low level traffic. I'm remote, but they'll be able to spin up a machine to capture and filter the information on. Take care.
... View more
04-24-2018
08:31 AM
We're in the process of restricting the lines in one of our access lists, and I've run across some interesting hits that seem strange. The UDP timeout is set for 2 minutes, but we have some traffic I wasn't expecting - it seems to me as if the UDP timer times out, because what's being matched on appears to me to be return traffic. We have more entries similar to the following with the destination port gt 50000, and I also have a "permit udp any any" after these entries. If I take out these entries with the source ports lt 1024 and the destination ports gt 50000, the "permit udp any any" will start incrementing again.
access-list MYACL line 13 extended permit udp 172.20.0.0 255.255.248.0 eq domain 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=109) 0x934d4385
access-list MYACL line 19 extended permit udp 172.20.0.0 255.255.248.0 eq snmp 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=409) 0x5e40e624
I remember crafting packets in the 80's with source port of 53 to get around the stateless ACLs on routers for UDP traffic, so I'm a little paranoid about permitting traffic that could potentially be a problem. I'd appreciate any thoughts here.
... View more
Labels:
04-13-2018
12:47 PM
I'm helping out a customer who is trying to make some firewall changes based on the results of a PCI audit. They have several "permit ip network1 network2" statements, and they need to restrict these to ports. I've been doing packet captures, but there is too much data through the interfaces. I'd like to match on SYN packets to decrease the amount of information I see. I've not been able to find any information on various forums that can help me out. Is this possible? Thanks
... View more
Labels:
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
09-22-2017
10:12 AM
09-22-2017
10:12 AM
Great information. This is just what I needed. Thank you.
... View more
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
09-19-2017
07:17 PM
09-19-2017
07:17 PM
I may have just figured this out. Under Windows and the TCP/IPv4 settings, I had unchecked "Use default gateway on remote network." If I check this box, I can get to the network behind the firewall but not to the Internet. From what I've read tonight, L2TP/IPSec doesn't support split tunnels. This will work.
... View more
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
09-19-2017
07:05 PM
09-19-2017
07:05 PM
Francesco, thanks for the reply. I rebooted the ASA a bit ago, and I am now able to connect two AnyConnect clients. I'll watch this and see if it occurs again.
... View more
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
09-19-2017
06:59 PM
09-19-2017
06:59 PM
Let me add in I can connect to the same ASA with AnyConnect and the route installs just fine. We need additional VPN clients, hence the reason to use L2TP Windows clients.
... View more
Created by
baskervi
in VPN and AnyConnect
in VPN and AnyConnect
09-19-2017
06:53 PM
09-19-2017
06:53 PM
I've configured a L2TP/IPSec VPN on an ASA running 9.1(7)19, and I can connect just fine, but I cannot reach the remote end. If I type "netstat -rn" the route is not installed. I've turned on debugging, and no where do I see any information on the remote network, and in the Windows logs, all I see is information regarding the IP address that was handed out. Can any assist? Thanks Here is the ASA VPN configuration: ip local pool VPNPOOL 192.168.34.1-192.168.34.32 object network obj-192.168.0.0 subnet 192.168.0.0 255.255.255.0 object network obj-192.168.34.0 subnet 192.168.34.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0 nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.34.0 obj-192.168.34.0 no-proxy-arp route-lookup crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI mode transport crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set ESP-3DES-SHA-CLI crypto map VPN-MAP 65535 ipsec-isakmp dynamic outside_dyn_map crypto map VPN-MAP interface outside crypto isakmp identity hostname crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 group-policy L2TP-VPN internal group-policy L2TP-VPN attributes dns-server value 192.168.0.16 vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL default-domain value domain.local tunnel-group DefaultRAGroup general-attributes address-pool VPNPOOL default-group-policy L2TP-VPN tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key ***** tunnel-group DefaultRAGroup ppp-attributes no authentication chap authentication ms-chap-v2
... View more
Labels:
09-19-2017
05:04 PM
I've never in my life seen this, but I have a customer using anyconnect, and only recently did they need more than one concurrent user. After some troubleshooting of the second user failing, I realize that authentication is failing because of too many anyconnect users. However, "sh vpn-sessiondb anyconnect" shows only a single connection. Any thoughts? We don't have smartnet on this.
... View more
Labels:
01-31-2017
05:13 PM
I put later firmware on the ASA earlier today, but I was concerned that if there was a hardware problem, I'd be out of luck since the site is over 2 hours away. I just rebooted, and it came up fine with 9.1(7.12). Thanks for everyone's input.
... View more
01-31-2017
04:54 PM
SORD-asa# sh ssh Timeout: 30 minutes Version allowed: 2 172.31.1.0 255.255.255.0 inside x.x.x.x 255.255.255.255 outside
I'm not sure if asdm is affected. The software isn't installed at this point.
Regarding the logs, here is the only entry:
Jan 31 2017 02:09:39: %ASA-6-315011: SSH session from x.x.x.x on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
I should have thought of debugging this, but here is the output:
SSH2 0: DH shared secret computation failed, status 255SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
There is a recent bug reported for 8.4(0.2), but it's a little different from this:
https://supportforums.cisco.com/discussion/10791491/cannot-access-asdm-and-ssh
... View more
Created by
baskervi
in VPN and AnyConnect
11-16-2018
11-16-2018
I'm going to take this as a solution. I'm suspecting you are correct in
this. Thanks
Created by
baskervi
in VPN and AnyConnect
11-16-2018
11-16-2018
I am just about to add a route-based VPN onto an ASA that already has
several policy-based VPNs. I p...
08-14-2018
First, thanks for any suggestions. I'm stumped at this point. "debug
crypto ips 127" yields the foll...
04-26-2018
I agree that these are responses for dns and snmp, and inspection is
enabled for both of these. That...
04-24-2018
We're in the process of restricting the lines in one of our access
lists, and I've run across some i...
Created by
baskervi
in VPN and AnyConnect
09-22-2017
09-22-2017
Great information. This is just what I needed. Thank you.
Created by
baskervi
in VPN and AnyConnect
09-19-2017
09-19-2017
I may have just figured this out. Under Windows and the TCP/IPv4
settings, I had unchecked "Use defa...
09-19-2017
Francesco, thanks for the reply. I rebooted the ASA a bit ago, and I am
now able to connect two AnyC...
Created by
baskervi
in VPN and AnyConnect
09-19-2017
09-19-2017
Let me add in I can connect to the same ASA with AnyConnect and the
route installs just fine. We nee...
Created by
baskervi
in VPN and AnyConnect
09-19-2017
09-19-2017
I've configured a L2TP/IPSec VPN on an ASA running 9.1(7)19, and I can
connect just fine, but I cann...
09-19-2017
I've never in my life seen this, but I have a customer using anyconnect,
and only recently did they ...
01-31-2017
I put later firmware on the ASA earlier today, but I was concerned that
if there was a hardware prob...
Public Statistics
| Date Registered | 11-18-2002 10:11 PM |
| Date Last Visited | 11-23-2018 01:51 PM |
| Total Messages Posted | 233 |
