05-07-2012 04:32 PM - edited 02-21-2020 06:02 PM
I have set up an ASA and everything but IPsec seems to be working. I was able to use the clientless SSL, but I need IPsec working. I'm at a loss. Here are the logs; thanks for any help. The config is a little sloppy and I will be cleaning it up, but I would like to get this working first.
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 16:20:19.503 05/07/12 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
2 16:20:19.503 05/07/12 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
3 16:20:21.563 05/07/12 Sev=Info/4 CM/0x63100002
Begin connection process
4 16:20:21.582 05/07/12 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
5 16:20:21.582 05/07/12 Sev=Info/4 CM/0x63100004
Establish secure connection
6 16:20:21.582 05/07/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
7 16:20:21.587 05/07/12 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 50657 for TCP connection.
8 16:20:21.899 05/07/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 16:20:21.899 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 16:20:21.899 05/07/12 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to x.x.x.x src port 50657, dst port 10000
11 16:20:22.414 05/07/12 Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from x.x.x.x, src port 10000, dst port 50657
12 16:20:22.414 05/07/12 Sev=Info/6 IPSEC/0x63700021
TCP ACK sent to x.x.x.x, src port 50657, dst port 10000
13 16:20:22.414 05/07/12 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "x.x.x.x"
14 16:20:22.913 05/07/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
15 16:20:22.913 05/07/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x
16 16:20:22.929 05/07/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
17 16:20:22.944 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to x.x.x.x
18 16:20:23.334 05/07/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer =x.x.x.x
19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 38.126.163.131
28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 38.126.163.131
29 16:20:23.334 05/07/12 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
30 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E95184AFAA9A0764 R_Cookie=B6FE2B608767A7F1) reason = DEL_REASON_IKE_NEG_FAILED
31 16:20:23.334 05/07/12 Sev=Info/6 IPSEC/0x6370001D
TCP RST received from x.x.x.x, src port 10000, dst port 50657
32 16:20:23.934 05/07/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E95184AFAA9A0764 R_Cookie=B6FE2B608767A7F1) reason = DEL_REASON_IKE_NEG_FAILED
33 16:20:23.934 05/07/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
34 16:20:23.934 05/07/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
35 16:20:23.950 05/07/12 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000
36 16:20:23.950 05/07/12 Sev=Info/6 CM/0x63100030
Removed local TCP port 50657 for TCP connection.
37 16:20:23.950 05/07/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
38 16:20:23.950 05/07/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
39 16:20:23.965 05/07/12 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
40 16:20:23.965 05/07/12 Sev=Info/6 IPSEC/0x63700023
TCP RST sent to x.x.x.x, src port 50657, dst port 10000
41 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
42 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
43 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Current running config:
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.30.41.4 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
ftp mode passive
access-list VPN_splitTunnelAcl standard permit 10.30.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.41.0 255.255.255
30.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.30.41.0 255.255
access-list VPN_splitTunnelAcl_1 standard permit 10.30.41.0 255.255.255.0
access-list VPN_splitTunnelAcl_2 standard permit 10.30.41.0 255.255.255.0
access-list SeletiveTV_splitTunnelAcl standard permit 10.30.41.0 255.255.2
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.30.41.250-10.30.41.253 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.30.41.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-A
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MA
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 10.30.41.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.30.41.240-10.30.41.245 inside
dhcpd dns 8.8.4.4 4.4.4.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
internal-password enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
svc ask enable
group-policy SelectiveTV internal
group-policy SelectiveTV attributes
dns-server value 8.8.4.4 4.4.4.2
vpn-tunnel-protocol IPSec webvpn
webvpn
svc ask enable default webvpn
username xxxxxx password xxxxxxxx encrypted privilege 15
username xxxxxx attributes
vpn-group-policy SelectiveTV
username test password Wan6jhc8ovZ1.beY encrypted privilege 0
username test attributes
vpn-group-policy SelectiveTV
username xxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy SelectiveTV
webvpn
svc ask enable default webvpn timeout 90
tunnel-group SelectiveTV type remote-access
tunnel-group SelectiveTV general-attributes
address-pool (inside) VPN
address-pool VPN
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy SelectiveTV
dhcp-server 10.30.41.4
authorization-required
username-from-certificate use-entire-name
tunnel-group SelectiveTV ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
isakmp ikev1-user-authentication none
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool VPN
tunnel-group SSL webvpn-attributes
group-alias uts enable
group-url »x.x.x.x/xxxx enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9ce31724c6f0874dea15deee4eed7ab2
: end
First time using an ASA. I set this up via the GUI.
Thanks for any help.
05-08-2012 12:36 AM
I can see an "Unexpected SW error" in your log; why don't you try updating your VPN client software?
05-08-2012 12:53 AM
Check the client properties for hash and auth:
19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 38.126.163.131
28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 38.126.163.131
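An added example, not code from the original thread, that parses Cisco VPN Client log records of the two-line form posted above and flags the INVALID_HASH_INFO / AUTH_FAILED / DEL_REASON_IKE_NEG_FAILED sequence the reply points at. The sample records are copied from the posted log with the peer address kept as x.x.x.x; the diagnosis strings are this example's own labels.

```python
"""Detect the IKEv1 Aggressive Mode Phase 1 failure seen in this thread in
Cisco VPN Client logs: peer sends INVALID_HASH_INFO, client answers
AUTH_FAILED, SA is deleted with DEL_REASON_IKE_NEG_FAILED."""
import re
from dataclasses import dataclass

# Header line of each two-line record, e.g.
# "19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)

@dataclass
class Entry:
    seq: int
    component: str   # IKE, IPSEC, CM, CERT, ...
    code: str        # hex event code without the 0x prefix
    message: str     # the line following the header

def parse_log(text: str) -> list[Entry]:
    """Pair every header line with the message line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            pending = m
        elif pending:
            entries.append(Entry(int(pending["seq"]), pending["comp"],
                                 pending["code"].upper(), line))
            pending = None
    return entries

def diagnose_phase1(entries: list[Entry]) -> str:
    """Classify the IKE Phase 1 outcome from the IKE component's messages."""
    ike = [e.message for e in entries if e.component == "IKE"]
    got_invalid_hash = any(m.startswith("RECEIVING") and "NOTIFY:INVALID_HASH_INFO" in m for m in ike)
    sent_auth_failed = any(m.startswith("SENDING") and "NOTIFY:AUTH_FAILED" in m for m in ike)
    neg_failed = any("DEL_REASON_IKE_NEG_FAILED" in m for m in ike)
    if got_invalid_hash and sent_auth_failed and neg_failed:
        # Peer could not verify the Aggressive Mode HASH payload: the group
        # pre-shared key on the client does not match the tunnel-group key.
        return "phase1-auth-failed: check the group pre-shared key on client and tunnel-group"
    if neg_failed:
        return "phase1-failed: negotiation failed for another reason (check ISAKMP policy match)"
    return "no-phase1-failure-seen"

# Records copied from the posted log (peer address kept as x.x.x.x).
SAMPLE_LOG = """
16 16:20:22.929 05/07/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x
28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
30 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E95184AFAA9A0764 R_Cookie=B6FE2B608767A7F1) reason = DEL_REASON_IKE_NEG_FAILED
31 16:20:23.334 05/07/12 Sev=Info/6 IPSEC/0x6370001D
TCP RST received from x.x.x.x, src port 10000, dst port 50657
"""

if __name__ == "__main__":
    print(diagnose_phase1(parse_log(SAMPLE_LOG)))
```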
05-08-2012 07:43 AM
OK, that seemed to be it. Must have fat-fingered the group password. Last thing: how do I give access to local IP resources? I.e. I want them to be able to connect to anything on the 10.30.41.0 network. Thanks.