ASA5506 Not calling vpn_remove_uauth: not IPv4! error

xidasd
Level 1

I know it is about an address assignment problem, but I don't know why it occurs; it was able to connect normally 3 months ago. I tried all the solutions I found in an internet search: disabling ICS, upgrading the ASA5506 version, applying a permit-all ACL, and connecting the client to the ASA5506 directly without anything between the ASA and the client. Could you advise me? I'm using Cisco Adaptive Security Appliance Software Version 9.14(1)10; the system image file is "disk0:/asa9-14-1-10-lfbff-k8.SPA".

 

: Saved

:
: Serial Number: JAD222707HT
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.14(1)10

!
hostname ADV-FW
enable password $sha512$5000$p5SEOXWMorNUa+zXWQACvQ==$Y397A2/EhECQvdxW1NPTJA== pbkdf2
names
no mac-address auto
ip local pool REMOTE 172.16.1.10-172.16.1.20 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif Client
security-level 70
ip address 192.168.0.254 255.255.255.128
!
interface GigabitEthernet1/2
nameif DMZ
security-level 50
ip address 192.168.0.125 255.255.255.128
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone KST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT
subnet 172.16.1.0 255.255.255.0
access-list test extended permit ip any any
access-list ACL extended permit ip 172.16.1.0 255.255.255.0 any4
pager lines 24
mtu Client 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (DMZ,DMZ) source dynamic PAT interface
access-group test in interface Client
access-group ACL in interface DMZ
access-group test out interface DMZ
access-group test global
router ospf 1
network 192.168.0.0 255.255.255.128 area 0
network 192.168.0.128 255.255.255.128 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RAD protocol radius
aaa-server RAD (DMZ) host 192.168.0.1
key *****
authentication-port 1812
user-identity default-domain LOCAL
aaa authentication serial console RAD LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
no snmp-server location
no snmp-server contact
no service password-recovery
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpn
enrollment protocol scep url http://192.168.0.126:80
fqdn vpn.advshow.com
subject-name cn=vpn.advshow.com
keypair vpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn
certificate ca 01
quit
certificate 06
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcprelay server 192.168.0.1 DMZ
dhcprelay enable Client
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point vpn
ssl trust-point vpn DMZ
webvpn
enable DMZ
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy REMOTE internal
group-policy REMOTE attributes
dns-server value 192.168.0.1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
address-pools value REMOTE
dynamic-access-policy-record DfltAccessPolicy
username cisco password $sha512$5000$RZCNUED7UX3SrQi1c7xbIw==$zpZdrYjDF3f78xoqc94wJQ== pbkdf2
username itnsa password $sha512$5000$ADg1H2bGDIuTB8TobuQ+zg==$2fDH+gT1PyMj80rO6lrudA== pbkdf2 privilege 15
tunnel-group REMOTE type remote-access
tunnel-group REMOTE general-attributes
default-group-policy REMOTE
tunnel-group REMOTE webvpn-attributes
group-alias GROUP enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7a2f74261b959a2023ae10f707f206b
: end
ADV-FW# show run | include service-policy
service-policy global_policy global
ADV-FW# conf t
ADV-FW(config)# no service-poli
ADV-FW(config)# no service-policy global_policy global
ADV-FW(config)# service-policy global_policy global
ADV-FW(config)#
ADV-FW(config)#
ADV-FW(config)# debug
ADV-FW(config)# debug webvpn an
ADV-FW(config)# debug webvpn anyconnect 255
INFO: debug webvpn anyconnect enabled at level 255.
ADV-FW(config)#
ADV-FW(config)#
ADV-FW(config)# Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

ADV-FW(config)# show acc
ADV-FW(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list test; 1 elements; name hash: 0xcb4257a3
access-list test line 1 extended permit ip any any (hitcnt=87) 0xe9e23c89
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 172.16.1.0 255.255.255.0 any4 (hitcnt=0) 0x1c97bc79
ADV-FW(config)# Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

ADV-FW(config)#
ADV-FW(config)#
ADV-FW(config)# no ssl
ADV-FW(config)# no ssl trust-poin
ADV-FW(config)# no ssl trust-point vpn DMZ
ADV-FW(config)# Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

ADV-FW(config)#
ADV-FW(config)#
ADV-FW(config)# show run
: Saved

:
: Serial Number: JAD222707HT
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(4)15
!
hostname ADV-FW
enable password $sha512$5000$p5SEOXWMorNUa+zXWQACvQ==$Y397A2/EhECQvdxW1NPTJA== pbkdf2
names
no mac-address auto
ip local pool REMOTE 172.16.1.10-172.16.1.20 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif Client
security-level 70
ip address 192.168.0.254 255.255.255.128
!
interface GigabitEthernet1/2
nameif DMZ
security-level 50
ip address 192.168.0.125 255.255.255.128
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone KST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT
subnet 172.16.1.0 255.255.255.0
access-list test extended permit ip any any
access-list ACL extended permit ip 172.16.1.0 255.255.255.0 any4
pager lines 24
mtu Client 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (DMZ,DMZ) source dynamic PAT interface
access-group test in interface Client
access-group ACL in interface DMZ
access-group test out interface DMZ
access-group test global
router ospf 1
network 192.168.0.0 255.255.255.128 area 0
network 192.168.0.128 255.255.255.128 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RAD protocol radius
aaa-server RAD (DMZ) host 192.168.0.1
key *****
authentication-port 1812
user-identity default-domain LOCAL
aaa authentication serial console RAD LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
no snmp-server location
no snmp-server contact
no service password-recovery
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint vpn
enrollment protocol scep url http://192.168.0.126:80
fqdn vpn.advshow.com
subject-name cn=vpn.advshow.com
keypair vpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn
certificate ca 01
quit
certificate 06
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcprelay server 192.168.0.1 DMZ
dhcprelay enable Client
dhcprelay timeout 60
dhcprelay information trust-all
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point vpn
webvpn
enable DMZ
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy REMOTE internal
group-policy REMOTE attributes
dns-server value 192.168.0.1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
address-pools value REMOTE
dynamic-access-policy-record DfltAccessPolicy
username cisco password $sha512$5000$RZCNUED7UX3SrQi1c7xbIw==$zpZdrYjDF3f78xoqc94wJQ== pbkdf2
username itnsa password $sha512$5000$ADg1H2bGDIuTB8TobuQ+zg==$2fDH+gT1PyMj80rO6lrudA== pbkdf2 privilege 15
tunnel-group REMOTE type remote-access
tunnel-group REMOTE general-attributes
default-group-policy REMOTE
tunnel-group REMOTE webvpn-attributes
group-alias GROUP enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0e6ba793254cf18fa49199f7a4efcf07
: end

4 Replies

Why did you configure webvpn on the DMZ and not the Outside interface?

Because it's a test lab, not a production environment. Does enabling AnyConnect on the DMZ have an effect?

The AnyConnect client must be able to reach the interface used for ASA webvpn.

Yes, the AnyConnect client can reach the interface, and the client connects to the interface directly, point to point.
