Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
7
Replies

ASA5505 VPN Conection Problem

Philipp Hoeffker
Level 1
Level 1

‎11-16-2010 05:39 AM

After a hardware issue we have to change the ASA to a new one but the same Model. The old flashcard works without a Problem. But the VPN Conection work not correct. I change the Base LIcens to Security Plus but without any chnage in the Problem. Can some one say me where the Problem could be.

Labels:
75344-16.11.2010-ASA.txt.zip
75351-Debug VPN ASA5505.txt.zip
0 Helpful
7 Replies 7

apothula
Level 1
Level 1

‎11-17-2010 01:40 AM

Can you ping the outside IP or name of your ASA ??

Also, please provide us the output of show route.

Cheers,


Nash.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to apothula

‎11-17-2010 08:17 AM

Hi,

I noticed your dynamic crypto map has no transform set defined. Please add the below command and see if it helps.

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA

Let me know if this helps!!

Thanks and Regards,

Prapanch

0 Helpful

Philipp Hoeffker
Level 1
Level 1
In response to praprama

‎11-18-2010 07:31 AM

Yes the VPN works now with the correct statement. Now we have the same problem before we lost our asa due to water ...... The Exchange Server cannot be connectet......

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to Philipp Hoeffker

‎11-18-2010 07:52 AM

Hi Phillip,

Could you please elaborate about the Exchange server issue you were facing?

Regards,

Prapanch

0 Helpful

Philipp Hoeffker
Level 1
Level 1
In response to praprama

‎11-18-2010 09:59 AM

Last time we have this Problem this was an IP-address conflict with the Small Business Server. The DHCP Pool from the ASA was in trouble with the DHCP Pool of the SBS. We exclude the leasing range from 192.168.10.120 - 192.168.10.149 in the DHCP and give the VPN this Range. From that Day it works fine. Now the same issue with my Boss IPhone,  (BIG TOY !! nothing more BB is much better:-) ) but the last solution not work.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to Philipp Hoeffker

‎11-19-2010 09:34 PM

Hey Phil,

I am still not sure i got the problem. Could you please post a topology as well?

Cheers,

Prapanch

0 Helpful

Philipp Hoeffker
Level 1
Level 1
In response to praprama

‎11-23-2010 02:16 AM

Problem solved.

1. MS SBS Server is the DHCP Server

2. ASA5505 give any VPN Connection a IP-Address

     2.1 Over the DHCP - Server

     2.2 Over a Range Profile

     2.3 Over a direct IP-Address in the VPN User Profile.

Here was the Problem. I gave the Tunnelgroup the DHCP Server and the Range. But on the DHCP Server this Range was excluded. So the ASA give every Client a Address of the given Pool. But this Pool was blocked on the DHCP - Server. Due to Luck sometimes the Client had a connection sometimes not.

The Solution:

1. open the IP- Address Pool on the DHCP Server

2. no entry of DHCP - Server in the Tunnelgroup

3. use the Address Pool of the ASA

I Think the ASA leased a Address from the Server in the given Pool. The Server has a Rule that not allowed this Range and so the problem occurred.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents