Cisco VPN client can't connect to work VPN (sort of)

david.macklem
Level 1

Hi, I'm hoping someone has seen this problem before and can help. 

I've run into a firewall problem with my Cisco VPN client (5.0.07.290).  When the Windows 7 VPN client is behind a Linux router and firewall (SuSE 11 SP2), the VPN connection fails - even though I've opened all of the recommended ports (and then some :-)).  I've opened UDP ports 500, 4500, 10000, TCP port 1723 and protocols ESP and AH (50 and 51, respectively).

This problem only occurs when the client is behind the firewall.  When the client machine is directly connected to my cable modem, I do not have this problem and I am able to successfully connect to my office VPN.

What I'm seeing in the client logs looks like the initial set up is successful ("Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system") but as soon as the client sends a "Client sending a firewall request to concentrator" message, no more responses are received.

Here's a snippet of the log:

57     08:53:28.339  03/07/13  Sev=Info/4          CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

58     08:53:28.359  03/07/13  Sev=Info/5          IKE/0x6300005E
Client sending a firewall request to concentrator

59     08:53:28.359  03/07/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXX.XX.XX.17

60     08:53:32.347  03/07/13  Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA

61     08:53:33.369  03/07/13  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!

62     08:53:33.369  03/07/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to XXX.XX.XX.17

I've attached the full log below for completeness...

I know my firewall config must be wrong but I'm hardly an IPsec expert :-) and I'd like some hints about what I've done wrong.

Thanks!
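As an added illustration (not from the original post or from Cisco), the following parser reads the client log layout quoted above, pairs each header line with the message that follows it, and reports whether the exchange stalled: Phase 1 established, a last ISAKMP send with no RECEIVED line after it, only retransmissions. The sample log is constructed from the entries quoted in the post, and the peer address is the post's own placeholder.

```python
import re
from collections import namedtuple

# Constructed sample in the Cisco VPN client log layout quoted in the post (header line,
# message on the next line); XXX.XX.XX.17 is the post's placeholder for the concentrator.
SAMPLE_LOG = """\
57     08:53:28.339  03/07/13  Sev=Info/4          CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
58     08:53:28.359  03/07/13  Sev=Info/5          IKE/0x6300005E
Client sending a firewall request to concentrator
59     08:53:28.359  03/07/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXX.XX.XX.17
60     08:53:32.347  03/07/13  Sev=Info/6          IKE/0x63000055
Sent a keepalive on the IPSec SA
61     08:53:33.369  03/07/13  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!
62     08:53:33.369  03/07/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to XXX.XX.XX.17
"""

HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
Entry = namedtuple("Entry", "seq time module message")

def parse_log(text):
    """Pair each header line (seq, time, date, Sev, module/code) with its message line."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (int(m.group(1)), m.group(2), m.group(6))
        elif line.strip() and header:          # blank lines between header and message are skipped
            entries.append(Entry(*header, line.strip()))
            header = None
    return entries

def diagnose(entries):
    """Stalled = Phase 1 up, last fresh SENDING has no RECEIVED after it, only retransmissions."""
    phase1 = any("Established Phase 1 SA" in e.message for e in entries)
    last_sent, answered, retransmits = None, True, 0
    for e in entries:
        if e.message.startswith("SENDING >>>"):
            if "Retransmission" in e.message:
                retransmits += 1
            else:
                last_sent, answered, retransmits = e, False, 0   # new exchange, reset the counters
        elif e.message.startswith("RECEIVED <<<"):
            answered = True
    stalled = phase1 and last_sent is not None and not answered and retransmits > 0
    peer = re.search(r"\bto (\S+)$", last_sent.message).group(1) if last_sent else None
    return {"phase1_established": phase1, "stalled": stalled, "retransmits": retransmits,
            "last_sent_seq": last_sent.seq if last_sent else None, "peer": peer}
```

Run against a full client log, a "stalled" result with the peer and the sequence number of the unanswered send tells you which packet to look for on the router's WAN side.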

4 Replies

This is an interesting scenario.

Could you please get the VPN logs from the ASA?

debug crypto condition peer clients_public_IP
debug crypto ikev1 190
debug crypto ipsec 190

* Understanding ASA IPSec and IKE debugs - IKEv1 Aggressive Mode.

On the other hand, do you see any logs on the Linux FW?

Thanks.

Portu.

Portu,

Thanks for your quick reply.

Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take a while and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.

I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.

As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a Wireshark and/or tcpdump.)

Thanks again.

Thanks David,

Is it possible to take the Linux FW out of the picture, at least for testing from that location?

Thanks.

Please rate any helpful posts.

Portu,

Yes, I can do that.  In fact, I do have the logs from a successful connection.  But, please note that, for this successful connection, the Windows client is directly connected to my cable modem - it is not NAT'ed by the Linux router.

But, doh, how can I upload this log?  Since I'm replying, I no longer see the upload link...

David