10052 Views, 0 Helpful, 9 Replies

ASA 5505 remote access vpn after 8.3

Pcfreek14
Level 1

Hello,

I have two Cisco ASA 5505s on two different ISPs and neither of them will connect with IPsec remote clients.

Both firewalls have L2L VPNs established and working with no problems, but for some reason, after I upgraded to 8.3, the RA VPNs will not establish. I even tried erasing all crypto and using the ASDM wizard to make the VPN config, but I still experience the same issue. The only error given by the VPN client is that the ASA didn't respond to the request, and debugging ISAKMP and IPsec shows nothing on the ASA.

Here is the config for one of the firewalls. I have removed some of the network objects and access-lists that are not relevant, to attempt to shorten my post. The VPN group I am talking about is "STTPvpnusers". Any ideas are greatly appreciated!!! Thanks!!!

ASA Version 8.3(2)
!
hostname Parish-ASA01
names
!
interface Vlan1
shutdown
nameif inside
security-level 0
no ip address
!
interface Vlan2
shutdown
no nameif
security-level 0
no ip address
!
interface Vlan4
nameif Parish-Data
security-level 100
ip address 10.9.80.254 255.255.255.0
!
interface Vlan10
nameif voice
security-level 90
ip address 10.9.60.254 255.255.255.0
!
interface Vlan150
nameif Network-Mgt
security-level 50
ip address 172.21.150.254 255.255.255.0
!
interface Vlan990
nameif PSASA
security-level 100
ip address 172.21.160.2 255.255.255.0
!
interface Vlan999
description Comcast - Using IP 5
nameif outside
security-level 0
ip address 1.1.1.5 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 999
!
interface Ethernet0/1
switchport access vlan 4
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 150
!
interface Ethernet0/4
switchport access vlan 990
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


access-list Parish-Data_best-effort-35 extended permit tcp any any eq smtp
access-list Parish-Data_best-effort-4 extended permit ip any any
access-list outside_best-effort-4 extended permit ip any any
access-list inbound-best-effort-4 extended permit ip any object-group STTHOMASNETWORK
access-list inbound-best-effort-4 extended permit ip any object-group ComcastStaticSubnet
access-list outbound-best-effort-4 extended permit ip object-group STTHOMASNETWORK any
pager lines 24
logging asdm informational
mtu inside 1500
mtu Parish-Data 1500
mtu voice 1500
mtu Network-Mgt 1500
mtu PSASA 1500
mtu outside 1500
ip local pool STTPvpnusersippool 10.100.80.1-10.100.80.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 208.67.222.222 echo outside
icmp permit host 208.67.222.222 echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (Parish-Data,outside) source static obj-Parish-Data_VPNMATCH obj-Parish-Data_VPNMATCH destination static obj-Cesten_LAN_VPNMATCH obj-Cesten_LAN_VPNMATCH
nat (Parish-Data,outside) source static obj-Parish-Data_VPNMATCH obj-Parish-Data_VPNMATCH destination static obj-STTPvpnusers_VPNMATCH obj-STTPvpnusers_VPNMATCH
nat (voice,outside) source static obj-Voice_VPNMATCH obj-Voice_VPNMATCH destination static obj-Cesten_LAN_VPNMATCH obj-Cesten_LAN_VPNMATCH
nat (Parish-Data,PSASA) source static obj-10.9.80.0-subnet obj-10.9.80.0-subnet destination static obj_any obj_any
nat (voice,outside) source static obj-Voice_Subnet obj-Voice_Subnet destination static obj-Oak-Private_VPNMATCH obj-Oak-Private_VPNMATCH
nat (Parish-Data,outside) source static obj-Parish-Data_VPNMATCH obj-Parish-Data_VPNMATCH destination static obj-Oak-Private_VPNMATCH obj-Oak-Private_VPNMATCH
!
object network obj-10.9.80.0-PAT
nat (Parish-Data,outside) dynamic interface
object network obj-DC01-RDP
nat (Parish-Data,outside) static 1.1.1.2 service tcp 3389 3389
object network obj-EXC02-SMTP
nat (Parish-Data,outside) static 1.1.1.2 service tcp smtp smtp
object network obj-EXC02-HTTPS
nat (Parish-Data,outside) static 1.1.1.2 service tcp https https
object network obj-Untangle01-HTTPS
nat (Parish-Data,outside) static interface service tcp https https
object network obj-10.9.60.0-PAT
nat (voice,outside) dynamic interface
object network ojb-172.21.150.0-PAT
nat (Network-Mgt,outside) dynamic interface
object network obj-Parish-PBX01-NAT
nat (voice,outside) static 1.1.1.3
object network obj-10.9.80.11-PAT
nat (Parish-Data,outside) dynamic 1.1.1.2
object network obj-10.9.80.13-PAT
nat (Parish-Data,outside) dynamic 1.1.1.2
object network obj-10.9.70.0-PAT
nat (PSASA,outside) dynamic 1.1.1.4
object network obj-10.9.70.3-WWW
nat (PSASA,outside) static 1.1.1.4 service tcp www www
object network 10.9.70.3-RDP
nat (PSASA,outside) static 1.1.1.4 service tcp 3389 3389
object network obj-School-ASA01-NAT
nat (PSASA,outside) static 1.1.1.1
access-group parish-data_in in interface Parish-Data
access-group voice_in in interface voice
access-group Network-Mgt_in in interface Network-Mgt
access-group PSASA_in in interface PSASA
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.6 20 track 1
route PSASA 10.9.70.0 255.255.255.0 172.21.160.1 10
route PSASA 10.9.90.0 255.255.255.0 172.21.160.1 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.9.80.11
key *****
aaa authentication ssh console LOCAL
http server enable
http 10.9.80.0 255.255.255.0 Parish-Data
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sla monitor 123
type echo protocol ipIcmpEcho 208.67.222.222 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 50 set pfs
crypto dynamic-map outside_dyn_map 50 set transform-set ESP-AES-256-SHA
crypto map outside-map 10 match address parish-cesten-vpn
crypto map outside-map 10 set pfs
crypto map outside-map 10 set peer X.X.X.X
crypto map outside-map 10 set transform-set ESP-AES-SHA
crypto map outside-map 10 set security-association lifetime seconds 86400
crypto map outside-map 10 set security-association lifetime kilobytes 4608000
crypto map outside-map 20 match address parish-oak-vpn
crypto map outside-map 20 set pfs
crypto map outside-map 20 set connection-type answer-only
crypto map outside-map 20 set peer X.X.X.X
crypto map outside-map 20 set transform-set ESP-AES-SHA
crypto map outside-map 20 set security-association lifetime seconds 86400
crypto map outside-map 20 set security-association lifetime kilobytes 4608000
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto map PSASA-map 21 match address parish-oak-vpn
crypto map PSASA-map 21 set pfs
crypto map PSASA-map 21 set connection-type answer-only
crypto map PSASA-map 21 set peer X.X.X.X
crypto map PSASA-map 21 set transform-set ESP-AES-SHA
crypto map PSASA-map 21 set security-association lifetime seconds 86400
crypto map PSASA-map 21 set security-association lifetime kilobytes 4608000
crypto map PSASA-map interface PSASA
crypto isakmp identity address
crypto isakmp enable PSASA
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 10.9.80.0 255.255.255.0 Parish-Data
ssh timeout 30
ssh version 2
console timeout 0

priority-queue voice
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy STTPvpnusers internal
group-policy STTPvpnusers attributes
dns-server value 10.9.80.11 10.9.80.13
vpn-tunnel-protocol IPSec
default-domain value stthomaschurch.com

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *****
tunnel-group STTPvpnusers type remote-access
tunnel-group STTPvpnusers general-attributes
address-pool STTPvpnusersippool
default-group-policy STTPvpnusers
tunnel-group STTPvpnusers ipsec-attributes
pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *****
!
class-map RTP_PORTS
match access-list RTP_PORTS
class-map outbound-best-effort-4
match access-list outbound-best-effort-4
class-map outside-best-effort-4
match access-list outside_best-effort-4
class-map inbound-best-effort-4
match access-list inbound-best-effort-4
class-map Parish-Data_best-effort-35
match access-list Parish-Data_best-effort-35
class-map Parish-Data-best-effort-4
match access-list Parish-Data_best-effort-4
!
!
policy-map QOS_voice
class RTP_PORTS
  priority
policy-map QOS_outside
class RTP_PORTS
  priority
class outbound-best-effort-4
  police output 4000000
policy-map QOS_Parish-Data
class Parish-Data_best-effort-35
  police input 3500000
class Parish-Data-best-effort-4
  police output 18000000
!
service-policy QOS_Parish-Data interface Parish-Data
service-policy QOS_voice interface voice
service-policy QOS_outside interface outside
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0eeca46d29065739cdc15f26c685d0c
: end

9 Replies

Hi,

Not sure that you need this line for the VPN clients:

crypto dynamic-map outside_dyn_map 50 set pfs

Can you post the output of "debug cry isa 127" and "debug cry ipsec 127" when attempting the VPN client connection?

Federico.

I removed the line you mentioned. I am testing this from 71.194.53.99.

ISAKMP

Parish-ASA01(config)# Jan 16 17:27:44 [IKEv1]: IP = 71.194.53.99, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 712

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing SA payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing ke payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing ISA_KE payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing nonce payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing ID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, Received NAT-Traversal RFC VID

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, Received NAT-Traversal ver 03 VID

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, Received NAT-Traversal ver 02 VID

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, processing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 71.194.53.99, Received DPD VID

Jan 16 17:27:44 [IKEv1]: IP = 71.194.53.99, Connection landed on tunnel_group STTPvpnusers

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, processing IKE SA payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing ISAKMP SA payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing ke payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing nonce payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, Generating keys for Responder...

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing ID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing hash payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, Computing hash for ISAKMP

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing Cisco Unity VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing xauth V6 VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing dpd vid payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing NAT-Traversal VID ver 02 payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing NAT-Discovery payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, computing NAT Discovery hash

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing NAT-Discovery payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, computing NAT Discovery hash

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing Fragmentation VID + extended capabilities payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing VID payload

Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 16 17:27:44 [IKEv1]: IP = 71.194.53.99, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

Jan 16 17:27:46 [IKEv1]: IP = 108.83.136.149, IKE_DECODE RECEIVED Message (msgid=bcf194fa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing hash payload

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing notify payload

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Received keep-alive of type DPD R-U-THERE (seq number 0x41fb3ff4)

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x41fb3ff4)

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing blank hash payload

Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing qm hash payload

Jan 16 17:27:46 [IKEv1]: IP = 108.83.136.149, IKE_DECODE SENDING Message (msgid=8465ca07) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:27:47 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.

Jan 16 17:27:50 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.

Jan 16 17:27:53 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.

Jan 16 17:27:56 [IKEv1]: IP = 108.83.136.149, IKE_DECODE RECEIVED Message (msgid=20c18c59) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing hash payload

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing notify payload

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Received keep-alive of type DPD R-U-THERE (seq number 0x41fb3ff5)

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x41fb3ff5)

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing blank hash payload

Jan 16 17:27:56 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing qm hash payload

Jan 16 17:27:56 [IKEv1]: IP = 108.83.136.149, IKE_DECODE SENDING Message (msgid=6c7d2e88) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:28:06 [IKEv1]: IP = 108.83.136.149, IKE_DECODE RECEIVED Message (msgid=cfd37f96) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing hash payload

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, processing notify payload

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Received keep-alive of type DPD R-U-THERE (seq number 0x41fb3ff6)

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x41fb3ff6)

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing blank hash payload

Jan 16 17:28:06 [IKEv1 DEBUG]: Group = 108.83.136.149, IP = 108.83.136.149, constructing qm hash payload

Jan 16 17:28:06 [IKEv1]: IP = 108.83.136.149, IKE_DECODE SENDING Message (msgid=d9b2641f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, IKE AM Responder FSM error history (struct &0xc9f99d78)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, IKE SA AM:a780d977 terminating:  flags 0x03000001, refcnt 0, tuncnt 0

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, sending delete/delete with reason message

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing blank hash payload

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing IKE delete payload

Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 71.194.53.99, constructing qm hash payload

Jan 16 17:28:16 [IKEv1]: IP = 71.194.53.99, IKE_DECODE SENDING Message (msgid=7cfa5058) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

IPsec debug shows nothing.

I can see from the ISAKMP debug that the ASA is not acking anything sent from the VPN client, because the VPN client keeps retrying to connect:

Jan 16 17:27:47 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.

Jan 16 17:27:50 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.

Jan 16 17:27:53 [IKEv1]: IP = 71.194.53.99, Duplicate first packet detected.  Ignoring packet.
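The debug output above tells the story in the FSM history line: the ASA matched the proposal, sent aggressive-mode message 2, then sat in AM_WAIT_MSG3 while the client kept re-sending message 1 until the timer expired. As an added example (not part of this thread, and not Cisco code), here is a small Python triage script that reads "debug crypto isakmp 127" output and reports, per peer, how far phase 1 got and what that implies. The log lines it runs on are constructed to mirror the posted ones, with the peer addresses replaced by documentation-range IPs; the peer-state fields and the diagnosis wording are my own.

```python
"""Triage of Cisco ASA IKEv1 aggressive-mode debug output.

Added example, not code from the thread or from Cisco. The SAMPLE_DEBUG
lines are constructed to mirror the shape of the posted debug (same
message types and FSM history), with made-up peer addresses.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLE_DEBUG = """\
Jan 16 17:27:44 [IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 712
Jan 16 17:27:44 [IKEv1 DEBUG]: IP = 198.51.100.7, Received NAT-Traversal RFC VID
Jan 16 17:27:44 [IKEv1]: IP = 198.51.100.7, Connection landed on tunnel_group STTPvpnusers
Jan 16 17:27:44 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 198.51.100.7, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jan 16 17:27:44 [IKEv1]: IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 440
Jan 16 17:27:46 [IKEv1]: IP = 203.0.113.9, IKE_DECODE RECEIVED Message (msgid=bcf194fa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 16 17:27:46 [IKEv1 DEBUG]: Group = 203.0.113.9, IP = 203.0.113.9, Received keep-alive of type DPD R-U-THERE (seq number 0x41fb3ff4)
Jan 16 17:27:47 [IKEv1]: IP = 198.51.100.7, Duplicate first packet detected.  Ignoring packet.
Jan 16 17:27:50 [IKEv1]: IP = 198.51.100.7, Duplicate first packet detected.  Ignoring packet.
Jan 16 17:27:53 [IKEv1]: IP = 198.51.100.7, Duplicate first packet detected.  Ignoring packet.
Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 198.51.100.7, IKE AM Responder FSM error history (struct &0xc9f99d78)  , :  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE
Jan 16 17:28:16 [IKEv1 DEBUG]: Group = STTPvpnusers, IP = 198.51.100.7, IKE SA AM:a780d977 terminating:  flags 0x03000001, refcnt 0, tuncnt 0
"""

IP_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
GROUP_RE = re.compile(r"Group = ([^,]+),")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")


@dataclass
class PeerState:
    """What the debug shows for one IKE peer (field names are my own)."""
    group: Optional[str] = None
    got_msg1: bool = False          # aggressive-mode message 1 received (msgid=0)
    sent_msg2: bool = False         # ASA answered with message 2 (msgid=0)
    client_nat_t: bool = False      # client advertised NAT-Traversal
    dup_first: int = 0              # retransmits of message 1 seen
    dpd: int = 0                    # DPD keep-alives from an established peer
    timed_out_waiting_msg3: bool = False
    terminated: bool = False


def parse_ikev1_debug(text: str) -> Dict[str, PeerState]:
    """Fold debug lines into one PeerState per peer address."""
    peers: Dict[str, PeerState] = {}
    for line in text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        p = peers.setdefault(m.group(1), PeerState())
        g = GROUP_RE.search(line) or LANDED_RE.search(line)
        if g and p.group is None:
            p.group = g.group(1)
        if "IKE_DECODE RECEIVED Message (msgid=0)" in line:
            p.got_msg1 = True
        elif "IKE_DECODE SENDING Message (msgid=0)" in line:
            p.sent_msg2 = True
        elif "Received NAT-Traversal" in line:
            p.client_nat_t = True
        elif "Duplicate first packet detected" in line:
            p.dup_first += 1
        elif "Received keep-alive of type DPD" in line:
            p.dpd += 1
        elif "FSM error history" in line:
            # The history is newest-first; a timeout in AM_WAIT_MSG3 means
            # message 2 went out and message 3 never came back.
            p.timed_out_waiting_msg3 = "EV_TIMEOUT-->AM_WAIT_MSG3" in line
        elif "terminating:" in line:
            p.terminated = True
    return peers


def diagnose(p: PeerState) -> str:
    """Turn a PeerState into the check a practitioner would run next."""
    if p.dpd and not p.got_msg1:
        return "established peer: only DPD keep-alives seen, nothing to fix here"
    if not p.got_msg1:
        return "no aggressive-mode message 1 seen: client traffic is not reaching the ASA on UDP/500"
    if not p.sent_msg2:
        return "message 1 received but no reply sent: look at the proposal/tunnel-group lines before the failure"
    if p.dup_first and p.timed_out_waiting_msg3:
        return ("phase 1 stalled at AM_WAIT_MSG3: the ASA accepted the proposal and sent message 2, "
                "but the client kept retransmitting message 1 and never sent message 3. Either message 2 "
                "is not reaching the client (return path for UDP/500, and UDP/4500 once NAT-T kicks in) "
                "or the client discarded it because its group password does not match the "
                "tunnel-group pre-shared-key; the PSK is never checked by the ASA before message 3")
    if p.terminated:
        return "phase 1 failed after message 2; read the FSM error history line for the failing event"
    return "phase 1 reply sent; no failure recorded in this capture"


if __name__ == "__main__":
    for ip, state in parse_ikev1_debug(SAMPLE_DEBUG).items():
        print(f"{ip} (group={state.group}, nat-t={state.client_nat_t}, dup_msg1={state.dup_first}): {diagnose(state)}")
```

Run it against a real capture by piping the debug into `SAMPLE_DEBUG`'s place; the useful property is that it separates the chatter from established L2L peers (the DPD exchanges with the other site in the posted log) from the remote-access peer that never gets past AM_WAIT_MSG3.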

OK, the problem is that you're using DH group 5 for ISAKMP phase 1.

Group 5 only works with digital certificates, not with pre-shared keys (you're using pre-shared keys).

Change the DH to group 2 and try again, please.

Federico.

I caught that just before I posted the debug. That has already been changed, and the debug was generated after I changed it.

OK, you're using group 2 for phase 1 now?

The VPN connection is landing on STTPvpnusers group on the outside interface.

Questions:

Are you using NAT-T on the client side?

You don't even get prompted to authenticate the user? (XAUTH)

We're not getting past phase 1. What's the output of "sh cry isa sa" when connecting?

Federico.

I am currently using the built-in Mac OS X client for Cisco... I assume it is using NAT-T, but I cannot verify that from any preferences. I have also tested this on a Windows machine with Cisco VPN Client 5.0 and it gives me the same error: "server did not respond".

No, I do not get prompted to authenticate.

During a connection attempt:

IKE Peer: 71.194.53.99
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

Brad,

Can you do a quick test?

Let's see if IPsec/TCP makes a difference:

On ASA:

crypto isakmp ipsec-over-tcp port 10000

On VPN Client:

Modify the connection, under the transport tab select IPsec over TCP 10000

Federico.

After that test I was prompted for authentication credentials and was able to connect!! And just for fun, I set it back to UDP and it works with that as well... go figure. Both Windows and native Mac OS X clients are able to connect.

Thank you so much for your help!!

Why do you think enabling TCP fixed the issue? I cannot imagine why that helped, considering I am able to connect using UDP.

Honestly, enabling IPsec/TCP is only for scenarios where UDP is being blocked, either on the client or the server side... that seems not to be the case here :-)

Unfortunately, I don't have a good answer as to why it was not working before... I guess it was just one of those things (and of course something we did... haha).

I am glad it's working fine now and please consider rating the thread if you found it helpful :-)

Thank you Brad,

Federico.