
Cannot connect using VPN client

Safwan Hashan
Level 1

Hi, I have a problem configuring my Cisco ASA 5515-X for VPN client. I successfully configured AnyConnect and SSL VPN, but when clients use the VPN Client software, they cannot establish the VPN connection. This is my configuration, and attached is the error that occurred when connecting to the firewall. Can anyone help me solve this problem?

: Saved

:

ASA Version 9.1(1)

!

hostname ciscoasa

domain-name g

ip local pool vpn_client 192.168.2.200-192.168.2.254 mask 255.255.255.0

ip local pool vpn_250 192.168.3.1-192.168.3.254 mask 255.255.255.0

!

interface GigabitEthernet0/0

nameif DIGI

security-level 0

ip address 210.48.*.* 255.255.255.0

!

interface GigabitEthernet0/1

nameif LAN

security-level 0

ip address 192.168.2.5 255.255.255.0

!

interface GigabitEthernet0/2

nameif Pone

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

clock timezone MYT 8

dns domain-lookup DIGI

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name g

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_113.20.*.*_24

subnet 113.20.*.* 255.255.255.0

object network NETWORK_OBJ_210.48.*.*_24

subnet 210.48.*.* 255.255.255.0

object network CsHiew

host 192.168.2.9

object network ERPServer

host 192.168.2.2

object network Giap

host 192.168.2.126

object network Jennifer

host 192.168.2.31

object network KCTan

host 192.168.2.130

object network KCTan-NB

host 192.168.2.77

object network MailServer

host 192.168.2.6

object network YHKhoo

host 192.168.2.172

object network Aslina

host 192.168.2.59

object network Law

host 192.168.2.38

object network Nurul

host 192.168.2.127

object network Laylee

host 192.168.2.17

object network Ms_Pan

host 192.168.2.188

object network Peck_Ling

host 192.168.2.248

object network Pok_Leng

host 192.168.2.36

object network UBS

host 192.168.2.21

object network Ainie

host 192.168.2.11

object network Angie

host 192.168.2.116

object network Carol

host 192.168.2.106

object network ChunKit

host 192.168.2.72

object network KKPoong

host 192.168.2.121

object network Ben

host 192.168.2.147

object network Eva

host 192.168.2.37

object network Jacklyn

host 192.168.2.135

object network Siew_Peng

host 192.168.2.149

object network Suki

host 192.168.2.61

object network Yeow

host 192.168.2.50

object network Danny

host 192.168.2.40

object network Frankie

host 192.168.2.101

object network Jamal

host 192.168.2.114

object network OcLim

host 192.168.2.177

object network Charles

host 192.168.2.210

object network Ho

host 192.168.2.81

object network YLChow

host 192.168.2.68

object network Low

host 192.168.2.58

object network Sfgan

host 192.168.2.15

object network Joey

host 192.168.2.75

object network Rizal

host 192.168.2.79

object network 190

host 192.168.2.190

object network 191

host 192.168.2.191

object network 192

host 192.168.2.192

object network 193

host 192.168.2.193

object network 194

host 192.168.2.194

object network 199

host 192.168.2.199

object network 201

host 192.168.2.201

object network 203

host 192.168.2.203

object network 204

host 192.168.2.204

object network 205

host 192.168.2.205

object network CNC214

host 192.168.2.214

object network Liyana

host 192.168.2.16

object network Aipin

host 192.168.2.22

object network Annie

host 192.168.2.140

object network Ikah

host 192.168.2.54

object network Sue

host 192.168.2.113

object network Zaidah

host 192.168.2.32

object network CKWong

host 192.168.2.33

object network KhooSC

host 192.168.2.47

object network Neexon-PC

host 192.168.2.179

object network Neexon_NB

host 192.168.2.102

object network kc

host 192.168.2.130

object network P1

subnet 192.168.2.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.0_24

subnet 192.168.2.0 255.255.255.0

object network NETWORK_OBJ_192.168.2.192_26

subnet 192.168.2.192 255.255.255.192

object network NETWORK_OBJ_192.168.10.192_26

subnet 192.168.10.192 255.255.255.192

object network VPN

subnet 192.68.3.0 255.255.255.0

object network NETWORK_OBJ_192.168.3.0_24

subnet 192.168.3.0 255.255.255.0

object-group network HPTM_DIGI

network-object object CsHiew

network-object object ERPServer

network-object object Giap

network-object object Jennifer

network-object object KCTan

network-object object KCTan-NB

network-object object MailServer

network-object object YHKhoo

object-group network Inventory

network-object object Aslina

network-object object Law

network-object object Nurul

object-group network Account

network-object object Laylee

network-object object Ms_Pan

network-object object Peck_Ling

network-object object Pok_Leng

network-object object UBS

object-group network HR

network-object object Ainie

network-object object Angie

object-group network Heeroz

network-object object Carol

network-object object ChunKit

network-object object KKPoong

object-group network Sales

network-object object Ben

network-object object Eva

network-object object Jacklyn

network-object object Siew_Peng

network-object object Suki

network-object object Yeow

object-group network Production

network-object object Danny

network-object object Frankie

network-object object Jamal

network-object object OcLim

object-group network Engineering

network-object object Charles

network-object object Ho

network-object object YLChow

network-object object Joey

network-object object Rizal

object-group network Purchasing

network-object object Low

network-object object Sfgan

object-group network Wireless

network-object object 190

network-object object 191

network-object object 192

network-object object 193

network-object object 194

network-object object 199

network-object object 201

network-object object 203

network-object object 204

network-object object 205

object-group network IT

network-object object CNC214

network-object object Liyana

object-group network Skype

network-object object Aipin

network-object object Annie

network-object object Ikah

network-object object Sue

network-object object Zaidah

object-group network HPTM-P1

network-object object CKWong

network-object object KhooSC

network-object object Neexon-PC

network-object object Neexon_NB

object-group service DM_INLINE_SERVICE_1

service-object tcp-udp destination eq www

service-object tcp destination eq https

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq www

service-object tcp destination eq https

access-list DIGI_access_in extended permit ip any any

access-list DIGI_access_in extended permit icmp any any echo

access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_2 object-group Skype any

access-list LAN_access_in extended deny object-group DM_INLINE_SERVICE_1 object 205 any

access-list LAN_access_in extended permit ip any any

access-list DIGI_cryptomap extended permit ip object VPN 113.20.*.* 255.255.255.0

access-list Pq_access_in extended permit ip any any

access-list splittun-vpngroup1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging recipient-address aaa@***.com level errors

mtu DIGI 1500

mtu LAN 1500

mtu Pone 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711(1).bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (DIGI,LAN) source static any interface

nat (Pone,LAN) source static any interface

nat (DIGI,DIGI) source static NETWORK_OBJ_210.48.*.*_24 NETWORK_OBJ_210.48.*.*_24 destination static NETWORK_OBJ_113.20.*.*_24 NETWORK_OBJ_113.20.*.*_24 no-proxy-arp route-lookup

nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.2.192_26 NETWORK_OBJ_192.168.2.192_26 no-proxy-arp route-lookup

nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.10.192_26 NETWORK_OBJ_192.168.10.192_26 no-proxy-arp route-lookup

nat (LAN,any) source static any any destination static VPN VPN

nat (LAN,DIGI) source static any any destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup

nat (LAN,DIGI) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup

!

object network VPN

nat (any,DIGI) dynamic interface

!

nat (LAN,Pone) after-auto source dynamic any interface dns

nat (LAN,DIGI) after-auto source dynamic any interface dns

access-group DIGI_access_in in interface DIGI

access-group LAN_access_in in interface LAN

access-group Pq_access_in in interface Pone

route Pone 0.0.0.0 0.0.0.0 10.1.*.* 2

route DIGI 0.0.0.0 0.0.0.0 210.48..*.* 3

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 LAN

http 0.0.0.0 0.0.0.0 DIGI

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto dynamic-map DIGI_access_in 20 set ikev1 transform-set ESP-3DES-SHA

crypto map DIGI_map 65535 ipsec-isakmp dynamic DIGI_access_in

crypto map DIGI_map interface DIGI

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn sslvpn.cisco.com

subject-name CN=sslvpn.cisco.com

keypair hpmtkeypair

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0

certificate ed15c051


  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable DIGI client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

crypto ikev1 enable DIGI

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

!

track 1 rtr 123 reachability

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 DIGI

ssh timeout 5

console timeout 0

vpn-sessiondb max-other-vpn-limit 250

vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2

vpn load-balancing

interface lbpublic DIGI

interface lbprivate DIGI

dhcp-client client-id interface Pone

dhcpd address 192.168.2.10-192.168.2.150 LAN

dhcpd dns 210.48.*.* 210.48.*.* interface LAN

dhcpd enable LAN

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 DIGI

webvpn

enable DIGI

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles anyhpmt_client_profile disk0:/anyhpmt_client_profile.xml

anyconnect enable

tunnel-group-list enable

tunnel-group-preference group-url

group-policy sslpolicy internal

group-policy sslpolicy attributes

vpn-tunnel-protocol ssl-clientless

webvpn

  url-list none

group-policy GroupPolicy_anyhpmt internal

group-policy GroupPolicy_anyhpmt attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

default-domain value g

webvpn

  anyconnect profiles value anyhpmt_client_profile type user

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value g

address-pools value vpn_250

group-policy newvpn internal

group-policy newvpn attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1 l2tp-ipsec

default-domain value g

username cshiew password KK1oQOhoxfwWvya4 encrypted

username cshiew attributes

webvpn

  anyconnect keep-installer installed

  anyconnect ask none default anyconnect

username newuser password GJrqM3H2KqQZv/MI encrypted privilege 1

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool vpn_250

default-group-policy vpngroup1

tunnel-group vpngroup1 webvpn-attributes

group-alias vpngroup1 enable

tunnel-group vpngroup1 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group sslhpmt type remote-access

tunnel-group sslhpmt general-attributes

default-group-policy sslpolicy

tunnel-group sslhpmt webvpn-attributes

group-alias sslhpmt enable

tunnel-group anyhpmt type remote-access

tunnel-group anyhpmt general-attributes

address-pool vpn_client

default-group-policy GroupPolicy_anyhpmt

tunnel-group anyhpmt webvpn-attributes

group-alias anyhpmt enable

tunnel-group-map default-group vpngroup1

!

class-map global-class

match any

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

class global-class

  cxsc fail-open

class class-default

  user-statistics accounting

policy-map global-policy

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:7a5ee8ff016e63420802423269da864b

: end
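Added example (not part of the original post, and not Cisco tooling): a small Python check, run over an abridged copy of the posted configuration, that confirms the pieces an IKEv1 remote-access tunnel group depends on agree with one another: IKEv1 enabled on an interface with a dynamic crypto map bound to it, a group policy that permits `ikev1`, a defined address pool, and NAT exemption objects that actually contain a pool. `SAMPLE`, `parse` and `check` are names assumed for this example.

```python
import ipaddress
import re

# Abridged from the configuration posted above (sample input for this example).
SAMPLE = """\
ip local pool vpn_250 192.168.3.1-192.168.3.254 mask 255.255.255.0
object network VPN
subnet 192.68.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.3.0_24
subnet 192.168.3.0 255.255.255.0
nat (LAN,any) source static any any destination static VPN VPN
nat (LAN,DIGI) source static any any destination static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 no-proxy-arp route-lookup
crypto dynamic-map DIGI_access_in 20 set ikev1 transform-set ESP-3DES-SHA
crypto map DIGI_map 65535 ipsec-isakmp dynamic DIGI_access_in
crypto map DIGI_map interface DIGI
crypto ikev1 enable DIGI
group-policy vpngroup1 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
tunnel-group vpngroup1 general-attributes
address-pool vpn_250
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
ikev1 pre-shared-key *****
"""

# A block header sets the context for the sub-commands that follow it.
HEADERS = {"obj": r"object network (\S+)$", "gp": r"group-policy (\S+) attributes$",
           "tg": r"tunnel-group (\S+) \S+-attributes$"}
# (block, kind, regex); block None means a top-level command.
RULES = [(None, "pool", r"ip local pool (\S+) ([\d.]+)-"), (None, "ike_if", r"crypto ikev1 enable (\S+)"),
         (None, "dyn", r"crypto dynamic-map (\S+) \d+ set ikev1 transform-set"),
         (None, "ref", r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"), (None, "bind", r"crypto map (\S+) interface (\S+)"),
         (None, "exempt", r"nat \(.*destination static (\S+) \1(?: |$)"), ("obj", "subnet", r"subnet ([\d.]+) ([\d.]+)$"),
         ("gp", "proto", r"vpn-tunnel-protocol (.+)$"), ("tg", "tg_pool", r"address-pool (\S+)"),
         ("tg", "tg_gp", r"default-group-policy (\S+)"), ("tg", "psk", r"ikev1 pre-shared-key")]

def parse(config):
    """Return (kind, block_name, groups) facts; works on flattened (unindented) configs."""
    facts, ctx = [], (None, None)
    for line in (" ".join(l.split()) for l in config.splitlines()):
        hdr = [(k, m[1]) for k, rx in HEADERS.items() if (m := re.match(rx, line))]
        if hdr:
            ctx = hdr[0]
            continue
        for block, kind, rx in RULES:
            if block in (None, ctx[0]) and (m := re.match(rx, line)):
                facts.append((kind, ctx[1] if block else None, m.groups()))
    return facts

def check(config):
    """Return findings where an IKEv1 remote-access group's dependencies disagree."""
    facts = parse(config)
    get = lambda kind: [(n, g) for k, n, g in facts if k == kind]
    pools = {g[0]: ipaddress.ip_address(g[1]) for _, g in get("pool")}
    nets = {n: ipaddress.ip_network("/".join(g), strict=False) for n, g in get("subnet")}
    proto = {n: g[0].split() for n, g in get("proto")}
    tg_gp = {n: g[0] for n, g in get("tg_gp")}
    tg_pool = {n: g[0] for n, g in get("tg_pool")}
    bound = {g[1]: g[0] for _, g in get("bind")}   # interface -> crypto map
    refs = dict(g for _, g in get("ref"))          # crypto map -> dynamic map
    dyn = {g[0] for _, g in get("dyn")}            # dynamic maps with an ikev1 transform-set
    out = []
    for tg, _ in get("psk"):
        gp = tg_gp.get(tg)
        if gp in proto and "ikev1" not in proto[gp]:  # unset means inherited, so skip
            out.append(f"tunnel-group {tg}: group-policy {gp} does not permit ikev1")
        if tg in tg_pool and tg_pool[tg] not in pools:
            out.append(f"tunnel-group {tg}: address pool {tg_pool[tg]} is not defined")
    for iface in sorted({g[0] for _, g in get("ike_if")}):
        if refs.get(bound.get(iface)) not in dyn:
            out.append(f"{iface}: IKEv1 enabled, but no bound dynamic map sets an ikev1 transform-set")
    for obj in sorted({g[0] for _, g in get("exempt")}):
        if obj in nets and not any(ip in nets[obj] for ip in pools.values()):
            out.append(f"NAT exemption object {obj} ({nets[obj]}) contains no address pool")
    return out
```

On the sample, `check(SAMPLE)` reports only `object network VPN`, whose subnet is 192.68.3.0/24 while pool vpn_250 sits in 192.168.3.0/24. NAT exemption only matters once a tunnel is up, so that finding is separate from the first-packet problem discussed in the replies.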

13 Replies

czaja0000
Level 1

Hi,

Cisco VPN Client - check and try:

1. Turn on NAT-T/TCP in your profile, and unblock port 10000 in your firewall.

2. Edit your VPN profile with your editor (e.g. Notepad) and change ForceKeepAlive=0 to 1.

________________

Best regards,
MB

Hi, how do I unblock port 10000 in the firewall?

Safwan Hashan wrote:

Hi, how do I unblock port 10000 in the firewall?

In version 9.1, the command below (in global configuration mode) enables IPsec over TCP:

crypto ikev1 ipsec-over-tcp

According to the documentation:

crypto ikev1 ipsec-over-tcp [port port1...port10]

Specifies the ports on which the device accepts IPsec over TCP connections. You can list up to 10 ports. Port numbers can be in the range of 1-65535. The default port number is 10000.

Another possible solution.

This should be the first test.

On your computer:

Turn your firewall off and disable AV, then test the connection to see whether the problem still occurs.

Have you tried changing the settings in the VPN profile (.pcf file)?

________________ Best regards, MB

Hi,

I already unblocked port 10000 in my firewall and also changed the VPN profile, but I still cannot establish the connection.

Safwan Hashan
Level 1

Can anyone help me?

Hi,

I don't know what the VPN Client's log means, but I guess it could always be due to problems with the VPN Client. On what operating system is the VPN client installed? I wouldn't really suggest using the old IPsec VPN Client anymore, as it's not really supported anymore. The AnyConnect Client is the way to go at the moment.

Have you monitored the ASA logs during the VPN Client connection attempt?

It would almost seem that the VPN Client software isn't even able to initiate the connection to the ASA? This could hint at a problem on the local computer?

Have you tested this on any other PC than the one those tests were done on?

What is the "group" name used in the VPN profile?

I guess you could always even test the VPN with another VPN client software to narrow down the cause of the problem.

Shrew VPN Client is one

https://www.shrew.net/software

- Jouni

Hi,

The Cisco VPN Client is running on Windows 7 64-bit. AnyConnect runs perfectly on this platform, but if I use the Cisco VPN Client, it cannot establish the connection. I'm using vpngroup1 as the group name. I also tested using a different computer, but it still cannot connect.

I tried using the Shrew VPN Client as you suggested, but it still cannot connect to the ASA. This is the error from the Shrew VPN Client.

I monitored the ASA log, and this log occurred when I tried to connect using the VPN client. Thanks.

Hi,

Safwan Hashan wrote:

I monitored the ASA log, and this log occurred when I tried to connect using the VPN client. Thanks.

The problem seems to be that the ASA receives the same message again. So it looks like the client didn't receive anything it expected in a timely fashion and therefore retransmits the first message.

Did you check the local computer? (Try turning the firewall off and disabling AV...)

Does this computer belong to AD? Maybe you have some policies?

Could you please run the following command on the ASA?

debug crypto isakmp 127

debug crypto ipsec 127

Try to connect VPN and attach the outputs.

________________ Best regards, MB

I don't know which output you are referring to, but this is the output from the VPN client.

And for the ASA output, it is still the same as above, which is "Duplicate first packet detected, ignoring packet". Thanks.

Hi,

Safwan Hashan wrote:

I don't know which output you are referring to, but this is the output from the VPN client.

We need more information.

I expect debug output from the ASA.

_________________________________________________________________________

To enable debugging and syslog messages, perform the following CLI steps:

1.

ASA#configure terminal

ASA(config)# debug crypto ikev1 127

ASA(config)# debug crypto ipsec 127

Enables debugging messages for IKEv1 and IPsec.

2.

ASA(config)# logging monitor debug

Sets syslog messages to be sent to Telnet or SSH sessions.

Note: You can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.

3.

ASA(config)# terminal monitor

Sends the syslog messages to a Telnet or SSH session.

4.

ASA(config)# logging on

Enables syslog message generation.

NOTE: You already have this enabled.

Cleanup CLI

ASA(config)# no debug crypto ikev1

ASA(config)# no debug crypto ipsec

ASA(config)# no logging monitor debug

ASA(config)# no terminal monitor

_________________________________________________________________________

More information: Sensible Debugging and Logging

I have one suggestion. Change and try.

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

no vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

vpn-tunnel-protocol ikev1

________________

Best regards,
MB

Please rate all helpful posts. Thx


Hi,

This is output of the debug command. Thanks.

I'm sorry, but I don't see any debug messages about ISAKMP or IPsec.

There aren't any events from isakmp/ikev1 initiation.

There isn't any information about the duplicate packets.

________________ Best regards, MB

Hi,

I get the information about the duplicate packets from the ASDM logs.

czaja0000 wrote:

I'm sorry, but I don't see any debug messages about ISAKMP or IPsec.

There aren't any events from isakmp/ikev1 initiation.

There isn't any information about the duplicate packets.

So, what exactly is the problem with my VPN? I appreciate any help. Thanks.
