Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12878
Views
0
Helpful
2
Replies

Cisco VPN Client error connecting to ASA 5505

Go to solution
bachma0507
Level 1
Level 1

‎04-13-2011 06:48 AM

I am unable to connect to the vpn I set up on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 are below. Any help in resolving this is appreciated.

LOG CISCO VPN CLIENT

Cisco Systems VPN Client Version 5.0.06.0160

Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7600

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      09:34:23.030  04/13/11  Sev=Info/4 CM/0x63100002

Begin connection process

2      09:34:23.061  04/13/11  Sev=Info/4 CM/0x63100004

Establish secure connection

3      09:34:23.061  04/13/11  Sev=Info/4 CM/0x63100024

Attempt connection with server "71.xx.xx.253"

4      09:34:23.061  04/13/11  Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 71.xx.xx.253.

5      09:34:23.061  04/13/11  Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation

6      09:34:23.077  04/13/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 71.xx.xx.253

7      09:34:23.170  04/13/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 71.xx.xx.253

8      09:34:23.170  04/13/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 71.xx.xx.253

9      09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

10     09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

11     09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000001

Peer supports DPD

12     09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000001

Peer supports NAT-T

13     09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000001

Peer supports IKE fragmentation payloads

14     09:34:23.170  04/13/11  Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful

15     09:34:23.170  04/13/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 71.xx.xx.253

16     09:34:23.170  04/13/11  Sev=Info/6 IKE/0x63000055

Sent a keepalive on the IPSec SA

17     09:34:23.170  04/13/11  Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port =  0xEB07, Remote Port = 0x1194

18     09:34:23.170  04/13/11  Sev=Info/5 IKE/0x63000072

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end IS behind a NAT device

19     09:34:23.170  04/13/11  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

20     09:34:23.170  04/13/11  Sev=Info/4 CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

21     09:34:23.186  04/13/11  Sev=Info/5 IKE/0x6300005E

Client sending a firewall request to concentrator

22     09:34:23.186  04/13/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253

23     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 71.xx.xx.253

24     09:34:23.248  04/13/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 71.xx.xx.253

25     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.26.6.1

26     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.0.0

27     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 172.26.0.250

28     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 172.26.0.251

29     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

30     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = TLCUSA

31     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

32     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(1) built by builders on Tue 05-May-09 22:45

33     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

34     09:34:23.248  04/13/11  Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

35     09:34:23.248  04/13/11  Sev=Info/4 CM/0x63100019

Mode Config data received

36     09:34:23.264  04/13/11  Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0

37     09:34:23.264  04/13/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 71.xx.xx.253

38     09:34:23.326  04/13/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 71.xx.xx.253

39     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 71.xx.xx.253

40     09:34:23.326  04/13/11  Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds

41     09:34:23.326  04/13/11  Sev=Info/5 IKE/0x63000047

This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

42     09:34:23.326  04/13/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 71.xx.xx.253

43     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 71.xx.xx.253

44     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253

45     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000049

Discarding IPsec SA negotiation, MsgID=89EE7032

46     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion  (I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

47     09:34:23.326  04/13/11  Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 71.xx.xx.253

48     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000058

Received an ISAKMP message for a non-active SA, I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8

49     09:34:23.326  04/13/11  Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 71.xx.xx.253

50     09:34:26.696  04/13/11  Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED

51     09:34:26.696  04/13/11  Sev=Info/4 CM/0x63100012

Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

52     09:34:26.696  04/13/11  Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

53     09:34:26.696  04/13/11  Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

54     09:34:26.696  04/13/11  Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

----------------------------------------------------------------------------------------

ASA 5505 CONFIG

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name mycompany.com

enable password tdkuTUSh53d2MT6B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 172.26.0.252 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 71.xx.xx.253 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name mycompany.com

access-list LIMU_Split_Tunnel_List remark The corporate network behind the ASA

access-list LIMU_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit udp any any eq 4500

access-list outside_access_in extended permit udp any any eq isakmp

access-list outside_access_in extended permit tcp any host 71.xx.xxx.251 eq ftp

access-list outside_access_in extended permit tcp any host 71.xx.xxx.244 eq 3389

access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240

access-list inside_outbound_nat0_acl extended permit ip any 172.26.6.0 255.255.255.128

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPN_POOL 172.26.6.1-172.26.6.100 mask 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255

static (inside,outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 172.26.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 172.26.0.250 172.26.0.251

dns-server value 172.26.0.250 172.26.0.251

vpn-tunnel-protocol IPSec l2tp-ipsec svc

default-domain value TLCUSA

group-policy LIMUVPNPOL1 internal

group-policy LIMUVPNPOL1 attributes

dns-server value 172.26.0.250 172.26.0.251

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value LIMU_Split_Tunnel_List

address-pools value VPN_POOL

group-policy TLCVPNGROUP internal

group-policy TLCVPNGROUP attributes

dns-server value 172.26.0.250 172.26.0.251

vpn-tunnel-protocol IPSec l2tp-ipsec svc

re-xauth disable

ipsec-udp enable

default-domain value TLCUSA

username barry.julien password YCkQv7rLwCSNRqra06+QXg== nt-encrypted privilege 0

username barry.julien attributes

vpn-group-policy TLCVPNGROUP

vpn-tunnel-protocol IPSec l2tp-ipsec

username bjulien password bhKBinDUWhYqGbP4 encrypted

username bjulien attributes

vpn-group-policy TLCVPNGROUP

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_POOL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group TLCVPNGROUP type remote-access

tunnel-group TLCVPNGROUP general-attributes

address-pool VPN_POOL

default-group-policy TLCVPNGROUP

tunnel-group TLCVPNGROUP ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group TLCVPNGROUP ppp-attributes

authentication pap

authentication ms-chap-v2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b94898c163c59cee6c143943ba87e8a4

: end

asdm history enable

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Robert Salazar
Cisco Employee
Cisco Employee

‎04-13-2011 08:05 AM

can you try changing the dynamic map transform set to ESP-3DES-SHA.

e.g.

remove crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

and replace with

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Robert Salazar
Cisco Employee
Cisco Employee

‎04-13-2011 08:05 AM

can you try changing the dynamic map transform set to ESP-3DES-SHA.

e.g.

remove crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

and replace with

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

0 Helpful

Go to solution
bachma0507
Level 1
Level 1
In response to Robert Salazar

‎04-13-2011 08:59 AM

Thank you! That worked.

0 Helpful
Customers Also Viewed These Support Documents