client vpn through ASA 5520 ver 8.0 to ASA 5520 ver 8.2

I have users trying to VPN through our NATted ASA to another NATted ASA in China.

We have added nat-traversal 60 since there seems to be some delay, but I am sure nat-traversal is enabled by default in ASA ver 8 and 8.2.

The client gets a login prompt and then the session dies.

It seems to be stuck on phase 2.

When directly connected to the internet with a non-NAT IP, it works straight away.

Wondering where to go from here.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes

12:21:43.121574 IP 10.1.100.9.isakmp > 222.66.58.204.isakmp: isakmp: phase 1 I agg

12:21:43.166598 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg

12:21:43.184121 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]

12:21:51.156655 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg

12:21:51.156838 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]

12:21:59.156134 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg

12:21:59.156318 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]

12:22:07.156253 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg

12:22:07.156426 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]

12:22:13.184205 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 2/others I inf[E]

12:22:15.156178 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 2/others R inf[E]

Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

Mar 14 12:21:43 spitfires-iMac racoon[772]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).

Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).

Mar 14 12:21:43 spitfires-iMac racoon[772]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).

Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).

Mar 14 12:22:13 spitfires-iMac configd[15]: SCNCController: Disconnecting. (Connection tried to negotiate for, 0 seconds).

Mar 14 12:22:13 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Information message).

Mar 14 12:22:13 spitfires-iMac racoon[772]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

Mar 14 12:22:13 spitfires-iMac racoon[772]: Disconnecting. (Connection tried to negotiate for, 30.068002 seconds).
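In the tcpdump above the initiator sends its third aggressive-mode message from UDP/4500 (tcpdump prints it as ipsec-msft) while the peer keeps resending message 2 on UDP/500 (isakmp), which is the pattern to look for when NAT-T packets are being dropped somewhere between two NATted firewalls. As an added example, not part of this thread, here is a small Python parser for tcpdump output in that format that flags the pattern; the function names and the verdict strings are my own, and the sample capture is copied from the post.

```python
import re

# Constructed sample: the phase 1 / phase 2 lines from the tcpdump in this thread.
# tcpdump resolves UDP/500 to "isakmp" and UDP/4500 to "ipsec-msft".
SAMPLE_CAPTURE = """\
12:21:43.121574 IP 10.1.100.9.isakmp > 222.66.58.204.isakmp: isakmp: phase 1 I agg
12:21:43.166598 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:43.184121 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:21:51.156655 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:51.156838 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:21:59.156134 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:59.156318 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:22:07.156253 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:22:07.156426 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:22:13.184205 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 2/others I inf[E]
12:22:15.156178 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 2/others R inf[E]
"""

PORT = {"isakmp": 500, "ipsec-msft": 4500}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>isakmp|ipsec-msft) > "
    r"(?P<dst>\S+?)\.(?P<dport>isakmp|ipsec-msft): .*?isakmp: "
    r"phase (?P<phase>\S+) (?P<role>[IR]) (?P<exch>\w+)"
)


def parse(capture):
    """Yield one dict per ISAKMP line: timestamp, hosts, UDP source port, role, phase, exchange."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["port"] = PORT[pkt["sport"]]
            yield pkt


def natt_verdict(capture):
    """Summarise which ports each side used and whether phase 1 is being retransmitted."""
    pkts = list(parse(capture))
    init_ports = sorted({p["port"] for p in pkts if p["role"] == "I"})
    resp_ports = sorted({p["port"] for p in pkts if p["role"] == "R"})
    # Aggressive-mode message 2 seen more than once means the responder never
    # received (or never accepted) the initiator's message 3.
    resp_agg = sum(1 for p in pkts if p["role"] == "R" and p["phase"] == "1" and p["exch"] == "agg")
    retx = max(0, resp_agg - 1)
    if retx and 4500 in init_ports and 4500 not in resp_ports:
        verdict = "initiator floated to UDP/4500 but peer kept retransmitting on UDP/500"
    elif retx:
        verdict = "peer retransmitting phase 1; initiator reply not reaching it"
    else:
        verdict = "no phase 1 retransmission detected"
    return {"packets": len(pkts), "initiator_ports": init_ports,
            "responder_ports": resp_ports, "phase1_retransmits": retx, "verdict": verdict}
```

Run it on `tcpdump -n`-free output (port names, not numbers, as in the post) to confirm whether the peer ever answers on 4500 before changing inspection or nat-traversal settings.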

Erik Ingeberg
Level 1

Hi Simon,

I would check the real-time log on both ASAs using ASDM.

On the ASA 8.0, check that you are inspecting IPsec traffic using these commands:

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global

Hello __Pluppo__

I had added that and tested with the same result, then removed it.

So I just added it back.

The funny thing is that access through ASA ver 8.0 to another ASA ver 8.0 works no problem at all.

But the ASA in China, ver 8.2, gets a login prompt and then fails after credentials are submitted.

They attempted to connect through their ASA to our ASA and failed as well.

Cheers

Also, I would like to add:

The client in China is the Cisco VPN Client.

Our client is the built-in client on Mac OS X 10.6.

Here are all the logs I can find for this connection on my end:

Mar 19 09:59:55 10.1.5.1 Jan 19 2003 00:16:20: %ASA-6-302015: Built outbound UDP connection 28291216 for outside:222.66.58.204/500 (222.66.58.204/500) to inside:10.x.x.x/500 (218.x.x.x/456)

Mar 19 09:59:58 10.1.5.1 Jan 19 2003 00:16:24: %ASA-6-302015: Built outbound UDP connection 28291369 for outside:222.66.58.204/4500 (222.66.58.204/4500) to inside:10.x.x.x/4500 (218.x.x.x/12904)

I have inspect ipsec-pass-thru and crypto isakmp nat-traversal 21 enabled.