04-29-2010 12:20 PM - edited 02-21-2020 04:37 PM
04-29-2010 12:26 PM
Hi,
When you connect your VPN client, does the tunnel get established?
Can you confirm that ''sh cry isa sa'' shows QM_IDLE or Active?
If the tunnel establishes, but no traffic is passing through, let's do the following:
1. Check what is the IP given to the VPN client.
2. Include the following commands on the ASA:
management-access inside
crypto isakmp nat-t
sysopt connection permit-vpn
3. Try to PING the inside IP of the PIX from the VPN client.
If it still does not work, please post the output of:
sh cry ips sa
Federico.
04-29-2010 12:34 PM
''sh cry isa sa'' shows "There are no isakmp sas"
04-29-2010 12:37 PM
So, we need to go back a little....
The tunnel is not establishing yet.
Please post the output of the ''debug cry isa 127'' from your ASA, when attempting to connect.
Also,
Do you get an error on the client side?
Federico.
04-29-2010 01:41 PM
4te
04-29-2010 01:57 PM
Stephen,
Please let me know if this information is correct...
The IP where the VPN client is coming from is 66.201.46.82
The IP assigned to the VPN client is 10.10.220.236
The group/user is BeneAdmin/slewis
I see the phase 1 getting established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 1 COMPLETED
And landing on the default SYSTEM_DEFAULT_CRYPTO_MAP
Then, phase 2 also gets established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 2 COMPLETED (msgid=ca124a13)
So, at this point the tunnel is up.
It also adds a static route back to the client:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Adding static route for client address: 10.10.220.236
But then, the ASA receives an error from the client:
Apr 29 20:27:18 [IKEv1 DEBUG]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Active unit receives a delete event for remote peer 66.201.46.82
Apr 29 20:27:18 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Session is being torn down. Reason: User Requested
Let's do the following:
The crypto map should only be applied to
no crypto map inside_map interface inside
no crypto isakmp enable inside
Also, I don't know why the VPN client is getting .236 IP, because the pool you have is:
ip local pool Admin 10.10.220.237-10.10.220.238 mask 255.255.255.0
Are you losing Internet connectivity from the client side?
Can you attempt to connect via the VPN client from another location?
What exactly is the local LAN behind the ASA that you want to access and the pool for the VPN clients?
Federico.
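The reading of the debug output in the post above can be automated. The following is an added example, not part of any post in this thread: it rebuilds the per-session IKEv1 timeline from the quoted lines and checks the assigned client address against the `ip local pool` statement. The function names (`parse_pool`, `timeline`, `findings`) are hypothetical, and the sample input is the log and pool line quoted in the post.

```python
import ipaddress
import re

# Debug lines quoted in the post (static-route entry joined onto one line).
SAMPLE_LOG = """\
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 1 COMPLETED
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 2 COMPLETED (msgid=ca124a13)
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Adding static route for client address: 10.10.220.236
Apr 29 20:27:18 [IKEv1 DEBUG]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Active unit receives a delete event for remote peer 66.201.46.82
Apr 29 20:27:18 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Session is being torn down. Reason: User Requested
"""
POOL_LINE = "ip local pool Admin 10.10.220.237-10.10.220.238 mask 255.255.255.0"

LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+ [\d:]{8}) \[IKEv1(?: DEBUG)?\]: Group = (?P<group>[^,]+), "
    r"Username = (?P<user>[^,]+), IP = (?P<peer>[\d.]+), (?P<msg>.*)$")
EVENTS = [  # event name, pattern applied to the message part of a line
    ("phase1", re.compile(r"PHASE 1 COMPLETED")),
    ("phase2", re.compile(r"PHASE 2 COMPLETED")),
    ("route", re.compile(r"Adding static route for client address: (?P<v>[\d.]+)")),
    ("teardown", re.compile(r"Session is being torn down\. Reason: (?P<v>.+)"))]

def parse_pool(line):  # -> (first, last) address of an 'ip local pool' statement
    m = re.match(r"ip local pool \S+ ([\d.]+)-([\d.]+)", line)
    if not m:
        raise ValueError("not an 'ip local pool' line")
    return ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])

def timeline(log):  # recognised IKE events per (group, user, peer), in log order
    sessions = {}
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        for name, pat in EVENTS:
            hit = pat.search(m["msg"])
            if hit:
                key = (m["group"], m["user"], m["peer"])
                sessions.setdefault(key, []).append((m["ts"], name, hit.groupdict().get("v")))
    return sessions

def findings(log, pool_line):  # out-of-pool addresses and teardowns after phase 2
    low, high = parse_pool(pool_line)
    out = []
    for (_, user, peer), events in timeline(log).items():
        for ts, name, value in events:
            if name == "route" and not low <= ipaddress.ip_address(value) <= high:
                out.append(f"{user}@{peer}: client address {value} outside pool {low}-{high}")
            if name == "teardown" and any(e[1] == "phase2" for e in events):
                out.append(f"{user}@{peer}: up, then torn down at {ts} ({value})")
    return out
```

Calling `findings(SAMPLE_LOG, POOL_LINE)` reports both points raised in the post: the .236 address lies outside the configured pool, and the session is torn down 17 seconds after phase 2 completes.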
04-29-2010 02:21 PM
no
04-29-2010 02:38 PM
Also, thank you Sir for your time helping with this issue.
04-30-2010 10:02 AM
Stephen,
If you could, then try to start from scratch.
Here's the information for VPN:
http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/vpn_wiz.html
Then please post your configuration if you have any problem.
Otherwise, we can continue troubleshooting the issue as it is.
Federico.