Cisco 2651XM EZVPN to ASA5520

Hi, my company is using ezvpn to connect from branch (877) to HQ (ASA5520). Everything is doing great, but when I tried to establish an ezvpn connection from the Cisco 2651XM (emergency use) to the ASA5520, it's surprisingly not working. I compared the config on both the 877 and the 2651 and it's the same. I really don't know what's going on here LOL... Please help.

show version: 

Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)

show running-config on Cisco 2651 :

!
!
crypto ipsec client ezvpn XXX_VPN
 connect auto
 group XXX_ezvpn key cisco123
 mode network-extension
 peer 203.170.236.194
 xauth userid mode interactive
!
!
interface FastEthernet0/0
 description ### ADSL Link ###
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.199.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn XXX_VPN inside
!
interface Dialer0
 description ### ADSL Link ###
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxx@fttxbiz
 ppp chap password 0 xxxxxxxx
 ppp pap sent-username xxxxxxx@fttxbiz password 0 xxxxxxxx
 crypto ipsec client ezvpn XXX_VPN
!

Please help ......Thank you

14 Replies

Harish Balakrishnan
Enthusiast

Hello Polkit,

I hope you got the public IP via PPPoE,

can you get the output for

'sh crypto ipsec client ezvpn'

Also do a debug as follows, and remove and add the crypto ipsec client ezvpn XXX_VPN on the dialer interface, and get the output

'debug crypto ipsec client ezvpn'

Regards

Harish.

Here is the output.


Test-Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : BLA_VPN
Inside interface list: FastEthernet0/1
Outside interface: Dialer0
Current State: SS_OPEN
Last Event: SOCKET_READY
Default Domain: xxx.co.th

Save Password: Disallowed
Current EzVPN Peer: 203.170.236.194

---------------------------------------------------------------------------------------------

Here is the output from debug after removing and adding crypto to int dialer 0

*Mar  1 15:40:53.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Current State: IDLE
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_state
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): New State: VALID_CFG
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_INTERFACE_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_address
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TUNNEL_INT_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Current State: TUNNEL_INT_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_HAS_PUBLIC_IP_ADD
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TRACKING
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Current State: TRACKING
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Event: TRACKED OBJECT UP
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): New State: CONNECT_REQUIRED
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Current State: CONNECT_REQUIRED
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Event: CONNECT
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): ezvpn_connect_request
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Found valid peer 203.170.236.194
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Added PSK for address 203.170.236.194

*Mar  1 15:40:53.383: EzVPN(BLA_VPN): sleep jitter delay 1645
*Mar  1 15:40:55.029: EZVPN(BLA_VPN): New State: READY
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): Event: IKE_PFS
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:55.370: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.370: EZVPN(BLA_VPN): Event: CONN_UP
*Mar  1 15:40:55.374: EZVPN(BLA_VPN): ezvpn_conn_up 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:40:55.374: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:55.382: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.382: EZVPN(BLA_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 15:40:55.382: EzVPN(BLA_VPN): rollback skipped! 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:40:55.386: EZVPN(BLA_VPN): ezvpn_parse_mode_config_msg
*Mar  1 15:40:55.386: EZVPN: Attributes sent in message:
*Mar  1 15:40:55.386:         Savepwd off
*Mar  1 15:40:55.386:         Default Domain: bla.co.th
*Mar  1 15:40:55.386: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 15:40:55.394: EZVPN(BLA_VPN): ezvpn_mode_config
*Mar  1 15:40:55.394: EZVPN(BLA_VPN): New State: SS_OPEN
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): Event: SOCKET_READY
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): No state change
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Event: CONN_DOWN
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): ezvpn_close 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:41:12.394: EZVPN(BLA_VPN): Deleted PSK for address 203.170.236.194

*Mar  1 15:41:12.394: EzVPN(BLA_VPN): rollback skipped!
*Mar  1 15:41:12.394: EZVPN(BLA_VPN): No Connect ACL checking status change
*Mar  1 15:41:12.394: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=BLA_ezvpn  Client_public_addr=180.180.46.31  Server_public_addr=203.170.236.194

----------------------------------------------------------------------------------------------------------------------------------

This is show crypto session and show crypto isa sa

Test-Router#sh crypt se
Crypto session current status

Interface: Dialer0
Session status: UP-IDLE
Peer: 203.170.236.194 port 500
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Active
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Test-Router#
Test-Router#
Test-Router#
Test-Router#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.170.236.194 180.180.46.31   QM_IDLE           1369    0 ACTIVE
203.170.236.194 180.180.46.31   MM_NO_STATE       1368    0 ACTIVE (deleted)
203.170.236.194 180.180.46.31   MM_NO_STATE       1367    0 ACTIVE (deleted)
203.170.236.194 180.180.46.31   MM_NO_STATE       1366    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Thanks Harish,
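An added example, not part of the original thread: a small Python parser for the `debug crypto ipsec client ezvpn` lines posted above, which reconstructs the client's state path and reports which state it was in, and for how long, when `CONN_DOWN` arrived. The sample is a trimmed excerpt of the poster's own output; the function names `parse` and `summarize` are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpt of the debug output posted in the thread, trimmed to state/event lines.
SAMPLE = """\
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Current State: IDLE
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): New State: VALID_CFG
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TUNNEL_INT_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TRACKING
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): New State: CONNECT_REQUIRED
*Mar  1 15:40:55.029: EZVPN(BLA_VPN): New State: READY
*Mar  1 15:40:55.386: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 15:40:55.394: EZVPN(BLA_VPN): New State: SS_OPEN
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): Event: SOCKET_READY
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Event: CONN_DOWN
"""

# Timestamp, tunnel name in parentheses, then one of the three line kinds we track.
LINE = re.compile(r"^\*(\w{3}\s+\d+ [\d:.]+): E[Zz]VPN\((\S+?)\): "
                  r"(Current State|New State|Event): (.+?)\s*$")

def parse(text):
    """Yield (timestamp, tunnel, kind, value) for each state/event line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def summarize(text):
    """Return (state path, [(state at CONN_DOWN, seconds spent in it), ...])."""
    path, entered, drops = [], None, []
    for ts, _tunnel, kind, value in parse(text):
        if kind == "New State" or (kind == "Current State" and not path):
            path.append(value)
            entered = ts
        elif kind == "Event" and value == "CONN_DOWN" and path:
            drops.append((path[-1], round((ts - entered).total_seconds(), 3)))
    return path, drops
```
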