
Remote Access VPN is not connecting

Dear All,

We configured remote access VPN on the ASA, and it worked perfectly until yesterday. Suddenly this issue started and we are unable to connect to the VPN. I attached the debug logs from the firewall. Please suggest how to resolve this issue.

Regards

Krish


Markus Thun
Level 1

I think that we need more information, like the debug output or the config file.

Regards

Markus

Hi Markus,

Debug file is already attached.

Regards,

Krish

Hi Krishna,

Your debug doesn't have much information. However, one thing is sure: even phase 1 is not coming up.

Please take the following debug:

debug cry isakmp 125

debug cry ipsec 125

If possible, send me the following configuration:

sh run tunnel-group CSTEP

sh run cry dynamic-map

sh run cry ipsec

sh run cry isakmp

If you paste the debugs here, email me.

You said it was working fine; were there any recent hardware or software changes?

Thanks

Jeet Kumar

Hi Jeet,

Sometimes it is connecting. Just now I tested again and was able to connect. But the servers are not accessible. I am sharing the latest logs.

CenterForStudy# sh run tunnel-group CSTEP
tunnel-group CSTEP type remote-access
tunnel-group CSTEP general-attributes
 address-pool REMOTE-POOL
tunnel-group CSTEP ipsec-attributes
 pre-shared-key *

CenterForStudy# sh run cry dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

CenterForStudy# sh run cry ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

CenterForStudy# sh run cry isakmp
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

I didn't find any issue with your configuration.

So you are saying it is intermittent and doesn't happen all the time.

The debugs that you have attached are all DPDs.

Next time the issue occurs, please take the following output:

Debug crypto condition peer x.x.x.x (x.x.x.x is the Public IP of the machine from where you are connecting the VPN client).

Debug crypto ipsec 125

debug crypto isakmp 125

sh vpn-sessiondb summary

Please take this output and email me.

Thanks

Jeet Kumar
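One way to repeat this kind of configuration review offline, as an added example that is not part of the thread or any poster's code: it lists the Phase 1 proposal a client has to match and checks that every transform set the dynamic map references is defined. The function names and the `WEAK` set are assumptions, and the sample is a constructed subset of the lines posted above.

```python
import re

# Constructed sample: a subset of the crypto lines posted in this thread.
# Sub-commands are indented by one space, as in "show run" output.
CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-MD5
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Assumption: local policy treats single DES and HMAC-MD5 as unacceptable.
WEAK = {"esp-des", "esp-md5-hmac"}

def audit_transform_sets(config):
    """Flag dynamic-map references that are undefined or offer weak algorithms."""
    defined, referenced, findings = {}, [], []
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            defined[m.group(1)] = m.group(2).split()
        m = re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line)
        if m:
            referenced += [(m.group(1), name) for name in m.group(2).split()]
    for dmap, name in referenced:
        if name not in defined:
            findings.append(f"{dmap}: transform-set {name} is referenced but not defined")
        elif WEAK.intersection(defined[name]):
            weak = ", ".join(sorted(WEAK.intersection(defined[name])))
            findings.append(f"{dmap}: {name} offers {weak}")
    return findings

def isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return policies
```
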

Hi Krishna,

Your debug message does not hold complete information for IKE Phase 1; you stopped capturing during Aggressive message 2. Look at the URL below for a better understanding.

Kindly let us have the complete debug information.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcfda6.shtml

HTH

Regards
Santhosh Saravanan


Markus Thun
Level 1

Hi Krishna,

Which kind of device is it? Can you post the interface and VPN configuration?

Regards

Markus
