03-15-2012 11:59 PM
I have users trying to VPN through our NATted ASA to another NATted ASA in China.
We have added nat-traversal 60 since there seems to be some delay, but I am sure nat-traversal is enabled by default in ASA ver 8 and 8.2.
The client gets a login prompt and then the session dies.
It seems to be stuck on phase 2.
When directly connected to the internet with a non-NAT IP, it works straight away.
Wondering where to go from here.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:21:43.121574 IP 10.1.100.9.isakmp > 222.66.58.204.isakmp: isakmp: phase 1 I agg
12:21:43.166598 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:43.184121 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:21:51.156655 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:51.156838 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:21:59.156134 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:59.156318 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:22:07.156253 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:22:07.156426 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:22:13.184205 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 2/others I inf[E]
12:22:15.156178 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 2/others R inf[E]
Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Mar 14 12:21:43 spitfires-iMac racoon[772]: IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
Mar 14 12:21:43 spitfires-iMac racoon[772]: IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
Mar 14 12:21:43 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
Mar 14 12:22:13 spitfires-iMac configd[15]: SCNCController: Disconnecting. (Connection tried to negotiate for, 0 seconds).
Mar 14 12:22:13 spitfires-iMac racoon[772]: IKE Packet: transmit success. (Information message).
Mar 14 12:22:13 spitfires-iMac racoon[772]: IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
Mar 14 12:22:13 spitfires-iMac racoon[772]: Disconnecting. (Connection tried to negotiate for, 30.068002 seconds).
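An added diagnostic, not from the original post or from Cisco: a Python script that parses tcpdump's ISAKMP summary lines in the same format as the capture above and reports whether the client switched to the NAT-T port udp/4500 (shown as "ipsec-msft"), whether the peer kept retransmitting Aggressive Mode message 2, and whether Quick Mode ever appeared. The sample lines are a subset of the capture above; "oakley-quick" is the label tcpdump prints for Quick Mode packets.

```python
import re

# Packets copied from the tcpdump capture in the post above (constructed subset);
# tcpdump names udp/500 "isakmp" and the NAT-T port udp/4500 "ipsec-msft".
CAPTURE = """\
12:21:43.121574 IP 10.1.100.9.isakmp > 222.66.58.204.isakmp: isakmp: phase 1 I agg
12:21:43.166598 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:43.184121 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:21:51.156655 IP 222.66.58.204.isakmp > 10.1.100.9.isakmp: isakmp: phase 1 R agg
12:21:51.156838 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 1 I agg[E]
12:22:13.184205 IP 10.1.100.9.ipsec-msft > 222.66.58.204.ipsec-msft: NONESP-encap: isakmp: phase 2/others I inf[E]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>isakmp|ipsec-msft) > "
    r"(?P<dst>\S+?)\.(?P<dport>isakmp|ipsec-msft): (?P<info>.*)$"
)

def parse(capture):
    # One dict per IKE packet: NAT-T port in use, direction, exchange type.
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner lines and non-IKE traffic
        info = m.group("info")
        pkts.append({
            "natt": m.group("dport") == "ipsec-msft",   # udp/4500 after NAT detection
            "initiator": " I " in info,                 # "I" = initiator, "R" = responder
            "exchange": re.sub(r"\[E\]$", "", info.split()[-1]),  # agg / oakley-quick / inf
        })
    return pkts

def diagnose(capture):
    # Summarise where the IKEv1 negotiation stalled.
    pkts = parse(capture)
    resp_agg = [p for p in pkts if p["exchange"] == "agg" and not p["initiator"]]
    msg3 = [p for p in pkts if p["exchange"] == "agg" and p["initiator"] and p["natt"]]
    report = {
        "natt_in_use": any(p["natt"] for p in pkts),
        "responder_msg2_retransmits": max(len(resp_agg) - 1, 0),
        "msg3_sent_over_4500": len(msg3),
        "quick_mode_seen": any(p["exchange"] == "oakley-quick" for p in pkts),
        "initiator_sent_delete": any(p["exchange"] == "inf" and p["initiator"] for p in pkts),
    }
    if report["quick_mode_seen"]:
        report["verdict"] = "phase 2 (Quick Mode) was negotiated"
    elif report["responder_msg2_retransmits"] and report["msg3_sent_over_4500"]:
        report["verdict"] = "peer keeps retransmitting Aggressive message 2 after the switch to udp/4500: message 3 is not reaching or not accepted by the peer"
    else:
        report["verdict"] = "phase 1 did not complete"
    return report
```

Run `diagnose(CAPTURE)` on a fresh `tcpdump -ni en0 udp port 500 or udp port 4500` capture to see whether the peer ever processed the udp/4500 traffic before the client gave up.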
03-16-2012 05:02 AM
Hi Simon,
I would check the real-time log on both ASAs using ASDM.
On the ASA 8.0, check that you are inspecting IPsec traffic using these commands:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
service-policy global_policy global
03-16-2012 07:32 PM
Hello __Pluppo__
I had added that and tested with the same result, then removed it.
So I just added it back.
The funny thing is that access through ASA ver 8.0 to another ASA ver 8.0 works no problem at all.
But the ASA in China, ver 8.2, gets a login prompt and then fails after credentials are submitted.
They attempted to connect through their ASA to our ASA and failed as well.
Cheers
Also would like to add:
the client in China is the Cisco VPN client;
our client is the built-in client on Mac OS X 10.6.
03-18-2012 07:05 PM
Here are all the logs I can find for this connection on my end:
Mar 19 09:59:55 10.1.5.1 Jan 19 2003 00:16:20: %ASA-6-302015: Built outbound UDP connection 28291216 for outside:222.66.58.204/500 (222.66.58.204/500) to inside:10.x.x.x/500 (218.x.x.x/456)
Mar 19 09:59:58 10.1.5.1 Jan 19 2003 00:16:24: %ASA-6-302015: Built outbound UDP connection 28291369 for outside:222.66.58.204/4500 (222.66.58.204/4500) to inside:10.x.x.x/4500 (218.x.x.x/12904)
I have
inspect ipsec-pass-thru
and crypto isakmp nat-traversal 21
enabled.