I'm attempting to create a VPN for a Cisco 7962. The phone says VPN Authentication Failed when attempting to connect. I downloaded console logs and I think this is the relevant information:

918: NOT 02:57:09.836553 VPNC: cert_vfy_cb: depth:1 of 1, subject:</unstructuredName=phonevpn.<DOMAIN>/C=US/ST=<MY STATE>/L=<MY CITY>/O=<MY COMPANY>/OU=Information Services/CN=phonevpn.<DOMAIN>/emailAddress=security@<DOMAIN>
919: NOT 02:57:09.837247 VPNC: cert_vfy_cb: depth:1 of 1, pre_err: 20 (unable to get local issuer certificate)
920: NOT 02:57:09.841202 VPNC: cert_vfy_cb: peer cert saved: /tmp/leaf.crt
921: NOT 02:57:09.852051 SECD: Leaf cert hash = 88F299CB82310A79F0770150CFC7D787FE8F2B9C
922: ERR 02:57:09.853266 SECD: EROR:secLoadFile: file not found </tmp/issuer.crt>
923: ERR 02:57:09.853819 SECD: Unable to open file /tmp/issuer.crt
924: ERR 02:57:09.890189 VPNC: VPN cert chain verification failed, issuer certificate not found and leaf not trusted
925: ERR 02:57:09.891888 VPNC: ssl_state_cb: TLSv1: write: alert: fatal:unknown CA
926: ERR 02:57:09.892710 VPNC: alert_err: SSL write alert: code 48, unknown CA
927: ERR 02:57:09.893991 VPNC: create_ssl_connection: SSL_connect ret -1 error 1
928: ERR 02:57:09.894790 VPNC: SSL: SSL_connect: SSL_ERROR_SSL (error 1)
929: ERR 02:57:09.895495 VPNC: SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
930: ERR 02:57:09.896286 VPNC: create_ssl_connection: SSL setup failure
931: ERR 02:57:09.897881 VPNC: do_login: create_ssl_connection failed
932: NOT 02:57:09.898603 VPNC: vpn_stop: de-activating vpn
933: NOT 02:57:09.899348 VPNC: vpn_set_auto: auto -> auto
934: NOT 02:57:09.899829 VPNC: vpn_set_active: activated -> de-activated

Here is what I believe is the relevant config on the ASA. If I'm missing something please let me know:

ip local pool IPPOOL 10.69.69.10-10.69.69.254 mask 255.255.255.0
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.242.69.69 255.255.0.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.243.69.69 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.243.0.1 1
route inside 10.201.14.0 255.255.255.0 10.242.0.1 1
route inside 192.168.30.0 255.255.255.0 10.242.0.1 1
crypto ca trustpoint CALLMANAGER
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint CISCO_MANUFACTURING_CA
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint PHONE_VPN
 enrollment terminal
 fqdn phonevpn.<MY DOMAIN>
 subject-name CN=phonevpn.<MY DOMAIN>,OU=Information Services,O=<MY COMPANY>,C=US,St=<MY STATE>,L=<MY CITY>,EA=security@<MY DOMAIN>
 keypair KEY
 no ca-check
 crl configure
webvpn
 enable outside
 anyconnect image disk0:/anyconnect.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy CLIENTPOLICY internal
group-policy CLIENTPOLICY attributes
 dns-server value 10.175.254.10
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ssl-client
 group-lock value TUNNELPROF
 split-tunnel-policy tunnelall
 default-domain value <MY DOMAIN>
 address-pools value IPPOOL
dynamic-access-policy-record DfltAccessPolicy
 vpn-group-policy CLIENTPOLICY
 service-type remote-access
tunnel-group TUNNELPROF type remote-access
tunnel-group TUNNELPROF general-attributes
 default-group-policy CLIENTPOLICY
tunnel-group TUNNELPROF webvpn-attributes
 authentication certificate
 group-url https://phonevpn.<MY DOMAIN>/TUNNELPROF enable
 group-url https://phonevpn.<MY DOMAIN>/phonevpn enable
 without-csd

I've uploaded the identity certificate into CUCM that was generated on the ASA. I've configured the VPN Gateway and groups in CUCM.
I almost feel like CUCM isn't sending the certificate down to the phone. I do a debug on the ASA and when the phone attempts to connect to the ASA, I see no messages. It almost appears as if the phone is not even trying. I did get the VPN working with username and password on a laptop. This work is being done inside our network and once I get it working, I'll get external DNS and NAT set up and do a final test.
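A triage script for the VPNC/SECD lines in the post above, added here as an example (it is not from the original post or from Cisco): it pulls the verify depth, the OpenSSL pre_err code, the leaf hash and the TLS alert out of a downloaded phone console log and maps the pre_err to its usual cause. The sample log is constructed from the quoted lines with a placeholder hostname; the code table holds standard OpenSSL X509 verify result codes.

```python
import re

# Constructed sample modelled on the VPNC/SECD lines quoted in the post
# (same messages and leaf hash; the hostname is a placeholder).
SAMPLE_LOG = """\
918: NOT 02:57:09.836553 VPNC: cert_vfy_cb: depth:1 of 1, subject:</CN=phonevpn.example.invalid
919: NOT 02:57:09.837247 VPNC: cert_vfy_cb: depth:1 of 1, pre_err: 20 (unable to get local issuer certificate)
921: NOT 02:57:09.852051 SECD: Leaf cert hash = 88F299CB82310A79F0770150CFC7D787FE8F2B9C
922: ERR 02:57:09.853266 SECD: EROR:secLoadFile: file not found </tmp/issuer.crt>
924: ERR 02:57:09.890189 VPNC: VPN cert chain verification failed, issuer certificate not found and leaf not trusted
926: ERR 02:57:09.892710 VPNC: alert_err: SSL write alert: code 48, unknown CA
"""

# OpenSSL X509 verify result codes that the phone's VPNC reports as pre_err.
VERIFY_ERRORS = {
    9: "certificate not yet valid (check the phone's clock/NTP)",
    10: "certificate has expired",
    18: "self-signed gateway cert that is not in the phone's VPN trust list",
    19: "chain ends in a self-signed root the phone does not trust",
    20: "issuer of the gateway cert is not in the phone's VPN trust list",
    21: "leaf signature could not be verified (chain incomplete)",
}

LINE_RE = re.compile(r"^(\d+):\s+(NOT|ERR|DBG|INF)\s+(\S+)\s+(VPNC|SECD):\s+(.*)$")


def triage_vpnc_log(text):
    """Pull the certificate-verification facts out of a 79xx console log and
    return a dict explaining why the TLS handshake to the gateway failed."""
    r = {"subject": None, "depth": None, "pre_err": None, "leaf_sha1": None,
         "alert_code": None, "missing_files": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(5)
        if (s := re.search(r"subject:<(.+)$", msg)):
            r["subject"] = s.group(1)
        if (d := re.search(r"depth:(\d+) of (\d+)", msg)):
            r["depth"] = (int(d.group(1)), int(d.group(2)))
        if (e := re.search(r"pre_err: (\d+)", msg)):
            r["pre_err"] = int(e.group(1))
        if (h := re.search(r"Leaf cert hash = ([0-9A-Fa-f]{40})", msg)):
            r["leaf_sha1"] = h.group(1).upper()  # SHA-1 of the cert the gateway sent
        if (a := re.search(r"alert: code (\d+)", msg)):
            r["alert_code"] = int(a.group(1))     # TLS alert 48 = unknown_ca
        if (f := re.search(r"file not found <([^>]+)>", msg)):
            r["missing_files"].append(f.group(1))
    code = r["pre_err"]
    if code is None:
        r["finding"] = "no certificate verification error logged"
    else:
        r["finding"] = VERIFY_ERRORS.get(code, f"OpenSSL verify error {code}")
    return r
```

Comparing the reported leaf hash with the fingerprint of the certificate uploaded to CUCM tells you whether the gateway is presenting the cert you think it is.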
Windows Firewall was off. About a week after installing this virtual ASA, we started having some issues on a couple of our hosts not being able to access storage. We eventually deleted the ASA VM and reinstalled it and now things work. I'm able to connect and ping to the laptop and from the laptop to the network. I have no idea why the original ASA was possessed but it seems all my config was correct because I didn't change any of it. I appreciate everyone's help and marked all your posts helpful, thank you for trying to work through this with me. I can now get the phone part up tomorrow and finally complete this POC and move on with life. Thanks all!!!
Hello! I'm troubleshooting an issue and I found something interesting. I have the same MAC address on two different interfaces and VLANs. See below:

Displaying entries from active supervisor:
 vlan   mac address     type    learn     age          ports
----+----+---------------+-------+-----+----------+-----------------------------
*   17  0050.569a.1915   dynamic  Yes          0   Te5/5
*   16  0050.569a.1915   dynamic  Yes          5   Po31

I understand that when a switch learns a MAC, it will either delete the old entry if it's on a different port or VLAN or only update the timestamp if on the same interface or VLAN. However, this is not what I am seeing here. One of these VLANs is an UNTRUST VLAN and one is a TRUST VLAN. There is a PaloAlto in the middle doing a vWire which I understand is just stitching together VLAN 16 and 17. I'm not sure why it was set up like this originally. Why would I see the same MAC on two different interfaces and VLANs? My L3 device shows this:

IP ARP Table
Total number of entries: 1
Address         Age       MAC Address     Interface
172.30.15.4     00:00:21  0050.569a.1915  Vlan17

That MAC is then learned on:

* 17  0050.569a.1915  dynamic  ~~~  F  F  Eth5/9

This goes to a L2 switch which has the two MACs learned. Are my devices drunk?!
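A check for the situation in the post above, added as an example and not code from the original thread: it parses "show mac address-table" output, finds every MAC learned in more than one VLAN, and separates the pair of VLANs a virtual wire is known to bridge (16 and 17 here, where the same MAC on both sides is the expected result) from a MAC that shows up in unrelated VLANs, which is the case worth investigating for a loop or a spoofed address. The table text is constructed in the Catalyst layout quoted above, with one extra MAC added to show the unexpected case.

```python
import re
from collections import defaultdict

# Constructed sample in the "show mac address-table" layout quoted above;
# 0050.569a.2a01 and 0050.569a.3b02 are made-up entries for contrast.
MAC_TABLE = """\
Displaying entries from active supervisor:
 vlan   mac address     type    learn     age          ports
----+----+---------------+-------+-----+----------+-----------------------------
*   17  0050.569a.1915   dynamic  Yes          0   Te5/5
*   16  0050.569a.1915   dynamic  Yes          5   Po31
*   16  0050.569a.2a01   dynamic  Yes         12   Po31
*   20  0050.569a.2a01   dynamic  Yes          3   Te5/7
*   20  0050.569a.3b02   dynamic  Yes          8   Te5/8
"""

ENTRY_RE = re.compile(
    r"^\*?\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\d+|-)\s+(\S+)")


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples from show mac address-table output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(6)))
    return entries


def find_multi_vlan_macs(entries, bridged_vlan_pairs=()):
    """Report every MAC seen in more than one VLAN. A MAC seen in exactly the
    two VLANs of a listed pair (the two sides of a virtual wire) is 'expected';
    any other multi-VLAN MAC is 'unexpected' and deserves a look."""
    bridged = {frozenset(p) for p in bridged_vlan_pairs}
    seen = defaultdict(set)
    for vlan, mac, port in entries:
        seen[mac].add((vlan, port))
    report = {}
    for mac, places in seen.items():
        vlans = {v for v, _ in places}
        if len(vlans) < 2:
            continue
        expected = frozenset(vlans) in bridged
        report[mac] = {"vlans": sorted(vlans),
                       "ports": sorted(p for _, p in places),
                       "status": "expected" if expected else "unexpected"}
    return report
```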
My next step was a Packet Tracer using IP and the result shows Input Interface: UNKNOWN and Output Interface: UNKNOWN. Any idea why that is? It passes all the Phases and the result says RESULT - The packet is allowed. Route lookup says it knows to take next hop Outside interface which is expected behavior.
Hi Marvin, I believe that ICMP falls under IP but just to check your hypothesis, I added rules on Inside and Outside interfaces stating allow any any ICMP both ingress and egress and I still cannot ping the VPN client. I've also created a global rule allow any any IP and ICMP. I believe that should allow on any interface ingress or egress. This is strange because I can send ICMP echo FROM the client and I get REPLY, but, I cannot send ICMP echo to the client, the ASA drops it.
Thank you for the explanation, Rahul. Running the packet tracer still shows that the ASA will drop the traffic due to the ACCESS-LIST while using the Inside interface IP.

B6A-DC-THOMPSON-VOIP-ASA# packet-tracer input Inside icmp 10.177.69.69 8 0 10.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.69.69.10 using egress ifc Outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7faa4eb8e880, priority=501, domain=permit, deny=true
hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.177.69.69, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

B6A-DC-THOMPSON-VOIP-ASA#

If I use a different IP, the resulting action says allow. I still cannot successfully ping the VPN client though.

B6A-DC-THOMPSON-VOIP-ASA# packet-tracer input Inside icmp 10.201.10.10 8 0 10.$
(OUTPUT SHORTENED)
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

B6A-DC-THOMPSON-VOIP-ASA#

However, I am able to successfully ping from the VPN client into the internal network but I'm not able to ping from the internal network to the VPN client. I have zero NAT rules and an allow ANY ANY firewall rule. I'm quite confused now.
Thanks for the reply Rahul. I have applied those commands and attempted ping inside as you suggested. A few things to add: The route to 10.69.69.10 is a host route and shows Outside interface. I assume you meant ping Outside but I tried both and neither worked. I applied the same-security command and it did not help. I found this Cisco ASDM Packet Tracer by accident. 😃 I thought I'd try it out and I find that the route lookup is successful, the access list lookup is successful but the Action is DROP. However, I have an allow any any for a FW rule. Hopefully the screen shots work with email replies. I guess I'm about to find out. Okay, pictures uploaded. We see hits on the Inside interface but I'm not seeing hits on the implicit deny all rule. Confused.
I'm including some troubleshooting steps I've done. Debug on ICMP:

B6A-DC-THOMPSON-VOIP-ASA# ping 10.69.69.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.69.69.10, timeout is 2 seconds:
ICMP echo request from 10.176.69.69 to 10.69.69.10 ID=4373 seq=51841 len=72
?ICMP echo request from 10.176.69.69 to 10.69.69.10 ID=4374 seq=51841 len=72
?ICMP echo request from 10.176.69.69 to 10.69.69.10 ID=4375 seq=51841 len=72
?ICMP echo request from 10.176.69.69 to 10.69.69.10 ID=4376 seq=51841 len=72
?ICMP echo request from 10.176.69.69 to 10.69.69.10 ID=4377 seq=51841 len=72
?
Success rate is 0 percent (0/5)

Host route in RIB:

V    10.69.69.10 255.255.255.255 connected by VPN (advertised), Outside
Good Morning, I'm working on a POC for Cisco Phones to VPN for remote agents. I've never done anything like this before but I think I'm close. I am able to get a laptop to connect to the ASA via AnyConnect and obtain an IP from a local pool. However, I cannot ping the laptop from the ASA. I have posted my config below. I'm wondering if there is some sort of NAT or routing issue but the config looks the same as an AnyConnect VPN we currently have that is working.

B6A-DC-THOMPSON-VOIP-ASA# sh run
: Saved
:
: Serial Number: 9A0MVFHS3WT
: Hardware: ASAv, 1536 MB RAM, CPU Xeon 8100 series 2200 MHz
:
ASA Version 9.10(1)17
!
hostname B6A-DC-THOMPSON-VOIP-ASA
enable password ***** pbkdf2
!
license smart
 feature tier standard
 throughput level 100M
names
no mac-address auto
ip local pool POOLCRAP 10.69.69.10-10.69.69.254 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 100
 ip address 10.176.69.69 255.255.0.0
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.177.69.69 255.255.0.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.175.69.69 255.255.0.0
!
ftp mode passive
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.175.254.10
access-list NO_NAT extended permit ip 10.69.69.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
pager lines 23
mtu management 1500
mtu Outside 1500
mtu Inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 10.176.0.1 1
route Inside 10.0.0.0 255.0.0.0 10.177.0.1 1
route management 10.201.0.0 255.255.0.0 10.175.0.1 1
route Outside 10.201.22.0 255.255.255.0 10.176.0.1 1
route management 192.168.0.0 255.255.0.0 10.175.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint VOIPCRAP
 enrollment self
 fqdn voipcrap.mydomain.com
 subject-name CN=voipcrap.mydomain.com
 keypair PHONEVPNCRAP
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
 quit
crypto ca certificate chain VOIPCRAP
 certificate 0ecfc95c
 quit
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point VOIPCRAP Outside
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy POLICYCRAP internal
group-policy POLICYCRAP attributes
 dns-server value 10.175.254.10
 vpn-tunnel-protocol ssl-client
 default-domain value mydomain.com
 address-pools value POOLCRAP
 webvpn
  anyconnect ask enable
dynamic-access-policy-record DfltAccessPolicy
username TEST password ***** pbkdf2
username TEST attributes
 service-type remote-access
username admin password ***** pbkdf2 privilege 15
tunnel-group TUNNELGROUPCRAP type remote-access
tunnel-group TUNNELGROUPCRAP general-attributes
 default-group-policy POLICYCRAP
tunnel-group TUNNELGROUPCRAP webvpn-attributes
 group-alias TUNNELGROUPCRAP$ enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email firstname.lastname@example.org
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:38e44706c3d8d2a82
: end

I've looked at some online configuration guides and I believe I have everything correct. Obviously, I'm missing something though.
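A small review pass over the running-config posted above, added here as an example (not from the original thread or from Cisco): it reads the interface blocks and flags the points a reviewer would raise on this config, namely Outside and Inside both sitting at security-level 100 (traffic between equal-level interfaces is denied unless same-security-traffic is configured, which is why that command came up later in the thread), the permit ip any any ACLs, management access open to any source, and the dh-group1-sha1 SSH key exchange. The config excerpt is a constructed subset of the posted config carrying only the relevant lines.

```python
import re

# Constructed excerpt carrying the settings of interest from the running-config above.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 100
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
!
interface Management0/0
 nameif management
 security-level 0
access-list Inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
http 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 Inside
ssh version 2
ssh key-exchange group dh-group1-sha1
"""


def parse_interfaces(cfg):
    """Map nameif -> security-level, reading each interface block."""
    levels, name, level = {}, None, None
    for line in cfg.splitlines() + ["!"]:
        if not line.startswith(" "):          # a top-level command closes the block
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        if (m := re.match(r"\s+nameif (\S+)", line)):
            name = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)):
            level = int(m.group(1))
    return levels


def audit_asa(cfg):
    """Return the findings a reviewer would raise on this running-config."""
    findings = []
    by_level = {}
    for name, level in parse_interfaces(cfg).items():
        by_level.setdefault(level, []).append(name)
    for level, names in by_level.items():
        if len(names) > 1 and "same-security-traffic permit inter-interface" not in cfg:
            findings.append(f"interfaces {sorted(names)} share security-level {level}; "
                            "traffic between them is denied without same-security-traffic")
    for m in re.finditer(r"^access-list (\S+) extended permit ip any any", cfg, re.M):
        findings.append(f"ACL {m.group(1)} permits ip any any")
    for m in re.finditer(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(f"{m.group(1)} management access open to any source on {m.group(2)}")
    if re.search(r"^ssh key-exchange group dh-group1-sha1", cfg, re.M):
        findings.append("ssh key exchange is dh-group1-sha1 (1024-bit DH with SHA-1); "
                        "move to a dh-group14 exchange")
    return findings
```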
I found this link and basically copied it exactly and now it seems to be working. I guess I need this server-private ... anyway, maybe someone else will stumble across this post one day and see how to resolve the issue...
<--- Enable AAA --->
aaa new-model

<--- Create an AAA TACACS server group --->
aaa group server tacacs+ [ACS_GROUP]
 server-private [TACACS_SERVER1] timeout 3 key [TACACS_KEY]
 server-private [TACACS_SERVER2] timeout 3 key [TACACS_KEY]
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0

aaa authentication login default group [ACS_GROUP] local
aaa authentication login console group [ACS_GROUP] local
aaa authorization console
aaa authorization exec default group [ACS_GROUP]
aaa accounting exec default start-stop group [ACS_GROUP]
aaa accounting commands 1 default start-stop group [ACS_GROUP]
aaa accounting commands 15 default start-stop group [ACS_GROUP]
aaa accounting connection default start-stop group [ACS_GROUP]
aaa accounting system default start-stop group [ACS_GROUP]

<--- Send TACACS traffic to the Mgmt interface --->
ip tacacs source-interface GigabitEthernet0/0
I'm having a really difficult time getting TACACS working on a new ASR1001x.
I have the device cabled on the management interface and I can ping the TACACS server. Management interface is in the Mgmt-intf VRF. Here is a copy of my config, where am I wrong? I can SSH to the device and use local creds to gain access.
aaa new-model
!
!
aaa group server tacacs+ TACACS1
 server name DV-ACS-1
!
aaa authentication login default group TACACS1 local
aaa authorization exec default group TACACS1 local none
aaa authorization commands 15 default group TACACS1 local none
aaa accounting exec default start-stop group TACACS1
aaa accounting commands 15 default start-stop group TACACS1

interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.206.40.95 255.255.255.0
 negotiation auto

tacacs server DV-ACS-1
 address ipv4 10.162.0.11
 key <key>
 timeout 5

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
ip tacacs source-interface GigabitEthernet0

line vty 0 4
 session-timeout 120
 exec-timeout 120 0
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 privilege level 15
 transport input ssh
I think you are more asking about a default route or a default gateway. In your simple topology, the WAN interface is your public IP and that router is also the default gateway for your LAN. Let's take a look at what the IP headers will look like if you were to ping Google DNS from your PC using the private address of 192.168.10.1:
1st packet from PC:
ip src: 192.168.10.1 | ip dst: 22.214.171.124
Packet hits router (default gateway) and NAT takes place:
ip src: 126.96.36.199 | ip dst: 188.8.131.52
Packet returns from Google into your router:
ip src: 184.108.40.206 | ip dst: 220.127.116.11
The router performs NAT and sends on to your PC:
ip src: 18.104.22.168 | ip dst: 192.168.10.1
In your simple topology and with a home router, the NAT device will not NAT to another public IP, it will NAT between public and private IP. The router then has a default gateway (port labeled "Internet") and it's configured to 0/0 all traffic with that egress interface.
I've simplified this, we're in the process of some cleanup and this isn't really using DMVPN... This was configured previously and we're inheriting it. I shut down the old tunnels and just built point-to-point, leaving DMVPN off since it's really not needed. It seems the issue lies in the crypto. When I leave tunnel protection off the tunnels, EIGRP comes up. As soon as I put tunnel protection on, EIGRP flaps on one and never comes up on the other. Same issue as explained above where one side isn't receiving HELLO packets.
A bit more about the topology:
Site A, the public IP is assigned right on the router.
Site B, the public IP is on an ISP router and we're receiving DHCP from that device. That ISP router is then doing NAT and sending stuff off to the internet. I've done some reading and found that NAT-T is automatic sensing on IOS devices so that ruled an issue with that out. So here it is, the config on both devices for the site to site tunnels including crypto commands.
interface Tunnel69
 description YK-DC-VRT1 to Tradeshow
 bandwidth 100000
 ip address 10.100.12.13 255.255.255.252
 no ip proxy-arp
 ip mtu 1300
 ip tcp adjust-mss 1260
 load-interval 30
 tunnel source GigabitEthernet0/0/2
 tunnel destination <x.x.x.x>
 tunnel key <key>
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpnprof shared
end

JP-TradeShow#sh run int tun 69
Building configuration...

Current configuration : 362 bytes
!
interface Tunnel69
 description VPN Tunnel to YK-DC-VRT2
 bandwidth 100000
 ip address 10.100.12.14 255.255.255.252
 no ip proxy-arp
 ip mtu 1300
 ip tcp adjust-mss 1260
 load-interval 30
 tunnel source GigabitEthernet0/0/1
 tunnel destination <y.y.y.y>
 tunnel key <key>
 tunnel path-mtu-discovery
 tunnel protection ipsec profile dmvpnprof shared
end
Crypto at Site A & B:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <key> address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 3600
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
 mode transport

crypto ipsec profile dmvpnprof
 set transform-set dmvpnset