cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2757
Views
10
Helpful
6
Replies

Is this a bug? IPSec VPN Client Problem with ASA 5525-X version 9.1 and above

limlayhin
Level 1
Level 1

I had encountered problem on IPSec VPN Client with ASA 5525-X version 9.1 and above. 

Cisco ASA 5525-X was setup as VPN Gateway. I was using Cisco IPSec VPN Client, version 5.0.07.5410. 

I could successfully login to VPN. After login to VPN, I was not able to access Internet, for example http://www.google.com.sg, http://www.yahoo.com.sg. Split tunneling was disabled. 

I also could not SSH or RDP to my devices in Internet. 

I tested version 9.1.1, 9.1.2 and 9.1.4, all these versions encountered the same problem. 

When I downgrade version to 8.6.1, the problem disappeared.

While ASA on 8.6.1, after I login to VPN, with the same IPSec VPN Client, I was able to access Internet and SSH/RDP to my devices. 

No configuration changed on ASA, only ASA version changed. 

 

My Configuration as below (I masked off my internal and production IP): 

: Saved
:
ASA Version 9.1(4) 
!
hostname MYVPNGW
names
ip local pool myvpn-vpnpool 10.10.9.65 mask 255.255.255.255
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address xx.xx.102.173 255.255.255.240
 ospf cost 10
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif DMZ-1
 security-level 50
 no ip address
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif DMZ-2
 security-level 50
 no ip address
!
interface GigabitEthernet0/3
 speed 1000
 duplex full
 nameif INTERNAL-NW
 security-level 70
 no ip address
!
interface GigabitEthernet0/4
 speed 1000
 duplex full
 nameif Inside-Management
 security-level 100
 ip address 10.10.10.254 255.255.255.0 
 ipv6 enable
!
interface GigabitEthernet0/5
 speed 1000
 duplex full
 nameif MGT
 security-level 90
 no ip address
!
interface GigabitEthernet0/6
 speed 1000
 duplex full
 shutdown
 no nameif
 security-level 70
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa914-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone SGT 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MYVPN-SET1-USR-NAT-PUB
 host 10.10.9.65
object network MYVPN-SET1-PUB
 host xx.xx.101.65
pager lines 24
logging enable
logging timestamp
logging emblem
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging facility 23
logging host Inside-Management 10.10.10.21
logging class auth trap debugging 
logging class vpn trap notifications 
mtu OUTSIDE 1500
mtu DMZ-1 1500
mtu DMZ-2 1500
mtu INTERNAL-NW 1500
mtu Inside-Management 1500
mtu MGT 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network MYVPN-SET1-USR-NAT-PUB
 nat (OUTSIDE,OUTSIDE) static MYVPN-SET1-PUB
route OUTSIDE 0.0.0.0 0.0.0.0 xx.xx.102.169 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.21 255.255.255.255 Inside-Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.10.10.21 255.255.255.255 Inside-Management
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 dns-server value xx.xx.161.12 xx.xx.175.14
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
 ip-comp enable
 group-lock value DefaultRAGroup
 pfs enable
group-policy MYVPN-SET1 internal
group-policy MYVPN-SET1 attributes
 wins-server none
 dns-server value xx.xx.161.12 xx.xx.175.14
 vpn-tunnel-protocol ikev1 
 group-lock value MYVPN-SET1
 default-domain value myvpn.com
username layhin password 75w5MOAm7JLzTbCk encrypted privilege 15
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group MYVPN-SET1 type remote-access
tunnel-group MYVPN-SET1 general-attributes
 address-pool myvpn-vpnpool
 default-group-policy MYVPN-SET1
tunnel-group MYVPN-SET1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group MYVPN-SET1 ppp-attributes
 authentication pap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:37cd3f85f75511730ce518576dced5de
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable

 

 

1 Accepted Solution

Accepted Solutions

I did open a TAC case and here was our resolution:

ASA(config)# group-policy DfltGrpPolicy attributes

ASA(config-group-policy)# no ip-comp enable

Disabling IP Compression on the default group policy worked for us. It was part of the configs on the 5520s but does not work so well on the 5525s. Hopes this helps.

View solution in original post

6 Replies 6

bbagnall
Level 1
Level 1

Any resolution to this issue?

I am trying to get in touch with Cisco.

 

If you can open a TAC case with Cisco, please do so.

 

Hopefully with more people reporting the issue to them, Cisco will look into it.

Thanks...

I did open a TAC case and here was our resolution:

ASA(config)# group-policy DfltGrpPolicy attributes

ASA(config-group-policy)# no ip-comp enable

Disabling IP Compression on the default group policy worked for us. It was part of the configs on the 5520s but does not work so well on the 5525s. Hopes this helps.

Thanks bbagnall, you save my life. 

 

It works in my test setup also. I am going to deploy it on my production environment in my next maintenance window. 

Glad to Hear. Good luck!

Lance Wendel
Level 1
Level 1

Hi limlayhin,

 

my customer faces the same issue, do you happen to have the bugID? as you stated this was on a 5520,

he also is on 5520, disabling the Ip-Comp is just a workaround if I am correct. Do you happen to know whether this issue going to get fixed. if you could provide me the bugID I would be able to find this out.

thanks in advance

Lance

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: