Cisco Community
English
Register
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
baskervi
‎08-15-2018
baskervi
Member since ‎11-18-2002
Beginner
231
Posts
0
Helpful
0
Solutions
Recent Badges
50 Replies
20 Replies
10 Replies
5 Replies
View All
Recent Badges
Awards

Problem with ASA VPN to Azure "Received...

Created by baskervi Beginner in VPN and AnyConnect
‎08-14-2018 10:11 PM
‎08-14-2018 10:11 PM
First, thanks for any suggestions. I'm stumped at this point.   "debug crypto ips 127" yields the following, and it continues repeating over an over. The only thing that seem important is the message "IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA".    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=172.16.9.198, sport=256, daddr=172.50.1.5, dport=256 IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 5: skipping because 5-tuple does not match ACL ACL5 ... IPSEC(crypto_map_check)-5: Checking crypto map CRYPTOMAP 99: skipping because 5-tuple does not match ACL ACL99 IPSEC(crypto_map_check)-3: Checking crypto map CRYPTOMAP 150: matched. IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0xC995E875) IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy started, state embryonic IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free started, state embryonic IPSEC DEBUG: Inbound SA (SPI 0xC995E875) free completed IPSEC DEBUG: Inbound SA (SPI 0xC995E875) destroy completed ... <continues repeating the above> ...   Packet-tracer yield the following. I found few hits on Google, but I did see https://community.cisco.com/t5/vpn-and-anyconnect/site-to-site-vpn-between-asa-9-9-1-and-bintec-router/m-p/3230693. I put the nat statement for this tunnel at the very top of the list, but it didn't help. The parameters in phase 13 look good, but the ASA drops the packets. Any clue as to what is going on? Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad7f32cd0, priority=1, domain=permit, deny=false hits=13878009971, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=inside, output_ifc=any Phase: 2 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 1.1.1.1 using egress ifc outside Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup Additional Information: NAT divert to egress interface outside Untranslate 172.50.1.5/443 to 172.50.1.5/443 Phase: 4 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 172.16.9.198 using egress ifc inside Phase: 5 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group INSIDE in interface inside access-list INSIDE remark Permit all other traffic from inside interface access-list INSIDE extended permit ip any4 any4 Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad873c690, priority=13, domain=permit, deny=false hits=45569604, user_data=0x2aaacdad3540, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static LOCALSITE LOCALSITE destination static AZR-VNET AZR-VNET no-proxy-arp route-lookup Additional Information: Static translate 172.16.9.198/50000 to 172.16.9.198/50000 Forward Flow based lookup yields rule: in id=0x2aaadad6bc80, priority=6, domain=nat, deny=false hits=26433, user_data=0x2aaadaace9a0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=outside Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac927a3c0, priority=1, domain=nat-per-session, deny=true hits=168128170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad7f3bb00, priority=0, domain=inspect-ip-options, deny=true hits=56989875, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 9 Type: SFR Subtype: Result: ALLOW Config: class-map sfr match access-list sfr-redirect policy-map global_policy class sfr sfr fail-open monitor-only service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaadb037b30, priority=71, domain=sfr, deny=false hits=50429730, user_data=0x2aaada45d390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map class_http match port tcp eq https policy-map global_policy class class_http inspect http service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaada452cf0, priority=70, domain=inspect-http, deny=false hits=39394070, user_data=0x2aaada451590, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 11 Type: FOVER Subtype: standby-update Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad848c460, priority=20, domain=lu, deny=false hits=44831731, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 12 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaada31b840, priority=13, domain=ipsec-tunnel-flow, deny=true hits=50528167, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 13 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaadaeb7220, priority=70, domain=encrypt, deny=false hits=213, user_data=0x0, cs_id=0x2aaada27ddd0, reverse, flags=0x0, protocol=0 src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=any dst ip/id=172.50.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule ... View more
Labels:

Re: Odd traffic through ASA

Created by baskervi Beginner in Firewalls
‎04-26-2018 07:51 AM
‎04-26-2018 07:51 AM
I agree that these are responses for dns and snmp, and inspection is enabled for both of these. That was my concern - during the inspection process, ASA properly detects most responses but not all. I'm concerned that something may be going on that I need to investigate further, but I'm not able to find anything strange going on between or within the systems.   ... View more

Re: Create ACL on ASA that matches on S...

Created by baskervi Beginner in Firewalls
‎04-26-2018 07:41 AM
‎04-26-2018 07:41 AM
Thanks for the response, Dennis. I'm getting about 5 hits on the access list over a 48 hour period, so very low level traffic. I'm remote, but they'll be able to spin up a machine to capture and filter the information on.  Take care. ... View more

Odd traffic through ASA

Created by baskervi Beginner in Firewalls
‎04-24-2018 08:31 AM
‎04-24-2018 08:31 AM
We're in the process of restricting the lines in one of our access lists, and I've run across some interesting hits that seem strange. The UDP timeout is set for 2 minutes, but we  have some traffic I wasn't expecting - it seems to me as if the UDP timer times out, because what's being matched on appears to me to be return traffic. We have more entries similar to the following with the destination port gt 50000, and I also have a "permit udp any any" after these entries. If I take out these entries with the source ports lt 1024 and the destination ports gt 50000, the "permit udp any any" will start incrementing again.    access-list   MYACL  line 13 extended permit udp  172.20.0.0 255.255.248.0   eq domain 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=109) 0x934d4385 access-list MYACL line 19 extended permit udp   172.20.0.0  255.255.248.0  eq snmp 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=409) 0x5e40e624   I remember crafting packets in the 80's with source port of 53 to get around the stateless ACLs on routers for UDP traffic, so I'm a little paranoid about permitting traffic that could potentially be a problem. I'd appreciate any thoughts here. ... View more

Create ACL on ASA that matches on SYN f...

Created by baskervi Beginner in Firewalls
‎04-13-2018 12:47 PM
‎04-13-2018 12:47 PM
I'm helping out a customer who is trying to make some firewall changes based on the results of a PCI audit. They have several "permit ip network1 network2" statements, and they need to restrict these to ports. I've been doing packet captures, but there is too much data through the interfaces. I'd like to match on SYN packets to decrease the amount of information I see. I've not been able to find any information on various forums that can help me out. Is this possible? Thanks ... View more

Re: Problem with L2TP - Win7 machines w...

Created by baskervi Beginner in VPN and AnyConnect
‎09-22-2017 10:12 AM
‎09-22-2017 10:12 AM
Great information. This is just what I needed. Thank you. ... View more

Re: Problem with L2TP - Win7 machines w...

Created by baskervi Beginner in VPN and AnyConnect
‎09-19-2017 07:17 PM
‎09-19-2017 07:17 PM
I may have just figured this out. Under Windows and the TCP/IPv4 settings, I had unchecked "Use default gateway on remote network." If I check this box, I can get to the network behind the firewall but not to the Internet. From what I've read tonight, L2TP/IPSec doesn't support split tunnels. This will work. ... View more

Re: ASA allows only 1 AnyConnect user

Created by baskervi Beginner in VPN and AnyConnect
‎09-19-2017 07:05 PM
‎09-19-2017 07:05 PM
Francesco, thanks for the reply. I rebooted the ASA a bit ago, and I am now able to connect two AnyConnect clients. I'll watch this and see if it occurs again. ... View more

Re: Problem with L2TP - Win7 machines w...

Created by baskervi Beginner in VPN and AnyConnect
‎09-19-2017 06:59 PM
‎09-19-2017 06:59 PM
Let me add in I can connect to the same ASA with AnyConnect and the route installs just fine. We need additional VPN clients, hence the reason to use L2TP Windows clients. ... View more

Problem with L2TP - Win7 machines won't...

Created by baskervi Beginner in VPN and AnyConnect
‎09-19-2017 06:53 PM
‎09-19-2017 06:53 PM
I've configured a L2TP/IPSec VPN on an ASA running 9.1(7)19, and I can connect just fine, but I cannot reach the remote end. If I type "netstat -rn" the route is not installed. I've turned on debugging, and no where do I see any information on the remote network, and in the Windows logs, all I see is information regarding the IP address that was handed out. Can any assist? Thanks   Here is the ASA VPN configuration:   ip local pool VPNPOOL 192.168.34.1-192.168.34.32 object network obj-192.168.0.0 subnet 192.168.0.0 255.255.255.0 object network obj-192.168.34.0 subnet 192.168.34.0 255.255.255.0 access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0 nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.34.0 obj-192.168.34.0 no-proxy-arp route-lookup crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI esp-3des esp-sha-hmac crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI mode transport crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set ESP-3DES-SHA-CLI crypto map VPN-MAP 65535 ipsec-isakmp dynamic outside_dyn_map crypto map VPN-MAP interface outside crypto isakmp identity hostname crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption aes hash sha group 2 lifetime 86400 group-policy L2TP-VPN internal group-policy L2TP-VPN attributes dns-server value 192.168.0.16 vpn-tunnel-protocol l2tp-ipsec split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL default-domain value domain.local tunnel-group DefaultRAGroup general-attributes address-pool VPNPOOL default-group-policy L2TP-VPN tunnel-group DefaultRAGroup ipsec-attributes ikev1 pre-shared-key ***** tunnel-group DefaultRAGroup ppp-attributes no authentication chap authentication ms-chap-v2 ... View more

ASA allows only 1 AnyConnect user

Created by baskervi Beginner in VPN and AnyConnect
‎09-19-2017 05:04 PM
‎09-19-2017 05:04 PM
I've never in my life seen this, but I have a customer using anyconnect, and only recently did they need more than one concurrent user. After some troubleshooting of the second user failing, I realize that authentication is failing because of too many anyconnect users. However, "sh vpn-sessiondb anyconnect" shows only a single connection. Any thoughts? We don't have smartnet on this. ... View more

I put later firmware on the

Created by baskervi Beginner in Firewalls
‎01-31-2017 05:13 PM
‎01-31-2017 05:13 PM
I put later firmware on the ASA earlier today, but I was concerned that if there was a hardware problem, I'd be out of luck since the site is over 2 hours away. I just rebooted, and it came up fine with 9.1(7.12). Thanks for everyone's input. ... View more

SORD-asa# sh sshTimeout: 30

Created by baskervi Beginner in Firewalls
‎01-31-2017 04:54 PM
‎01-31-2017 04:54 PM
SORD-asa# sh ssh Timeout: 30 minutes Version allowed: 2 172.31.1.0 255.255.255.0 inside x.x.x.x 255.255.255.255 outside I'm not sure if asdm is affected. The software isn't installed at this point. Regarding the logs, here is the only entry: Jan 31 2017 02:09:39: %ASA-6-315011: SSH session from x.x.x.x on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00) I should have thought of debugging this, but here is the output: SSH2 0: DH shared secret computation failed, status 255SSH0: Session disconnected by SSH server - error 0x00 "Internal error" There is a recent bug reported for 8.4(0.2), but it's a little different from this:  https://supportforums.cisco.com/discussion/10791491/cannot-access-asdm-and-ssh ... View more

Philip, thanks very much for

Created by baskervi Beginner in Firewalls
‎01-31-2017 06:22 AM
‎01-31-2017 06:22 AM
Philip, thanks very much for the reply. The first thing I tried was to regenerate the keys but that didn't help. I rebooted the ASA, which didn't help the problem, and the ssh key-exchange command isn't available on this version of software. I'll update the software today and see if that helps. Take care. ... View more

Sudden problem with SSH into ASA-5505 w...

Created by baskervi Beginner in Firewalls
‎01-30-2017 01:39 PM
‎01-30-2017 01:39 PM
A customer of mine has an ASA-5505 running 8.2(5)59, and it's been configured for at least a couple years as SSH version 2. I provide this customer with remote support, and SSH has always been restricted to specific IP addresses. About 2 or 3 weeks ago, all of a sudden I couldn't log in with SSH using putty remotely, so I VPN and connect to the internal servers, and the SSH client won't connect either. Given I'm 2.25 hours away, I had telnet opened up internally, so I at least have a way to access it. When I telnet to port 22, the ASA responds with "SSH-2.0-Cisco-1.25". Using putty or any other SSH client, the SSH client responds instantly with something along the lines of "Server unexpectedly closed network connection." I can't even attempt to login. If I change SSH to version 1, it works just fine. Does anyone have any thoughts on this? Thanks ... View more
Labels:
Public Statistics
Date Registered ‎11-18-2002 10:11 PM
Date Last Visited ‎08-15-2018 02:19 AM
Total Messages Posted 231
Helpful Votes Given To
View All