File server no longer accessible via IPSEC VPN

cgsmithjr
Level 1

All of a sudden, without any changes, I'm unable to access the file server over the IPSEC VPN tunnel. Before, I was able to connect to the network shares available on the file server by first connecting to the VPN and then mapping the shares as network drives. My recent attempts to repeat this behavior have all failed with messages indicating that the resources are not available. I am still able to connect to the VPN using the Cisco client for Mac (v4.9.01.0180) and Windows (v5.0.07.0290); however, attempts to connect to the Windows file server, from differing networks, time out. I'm able to connect to the VPN and ping the file server, but not access the file shares. I've also tried connecting from a Windows XP machine, from several different networks, with the exact same result. Rebooting the ASA 5505 did not resolve the problem and the SSL Web VPN is still accessible.

show version output:
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 day 0 hours
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is c84c.7576.8475, irq 11
1: Ext: Ethernet0/0         : address is c84c.7576.846d, irq 255
2: Ext: Ethernet0/1         : address is c84c.7576.846e, irq 255
3: Ext: Ethernet0/2         : address is c84c.7576.846f, irq 255
4: Ext: Ethernet0/3         : address is c84c.7576.8470, irq 255
5: Ext: Ethernet0/4         : address is c84c.7576.8471, irq 255
6: Ext: Ethernet0/5         : address is c84c.7576.8472, irq 255
7: Ext: Ethernet0/6         : address is c84c.7576.8473, irq 255
8: Ext: Ethernet0/7         : address is c84c.7576.8474, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Internal-Data0/2    : address is 0000.0004.0001, irq 255
11: Int: Not used            : irq 255
Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50       
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 10       
Dual ISPs                      : Disabled 
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled
This platform has a Base license.

Serial Number: JMX142340WD

Running Activation Key: 0x2704fd7c 0x1c830534 0x2050956c 0x9a7464f0 0x4b283cbe

Configuration register is 0x10000001

Configuration has not been modified since last system restart.

2 Replies

praprama
Cisco Employee

Hi,

Could you share the outputs of "show cry isa sa" and "show cry ips sa" when trying to access the file server? Are there any syslogs you see on the ASA for any dropped packets to the server?

Also, please check if you have the command "sysopt connection permit-vpn" on the ASA.

Cheers,

Prapanch

When remotely connecting to the IPSEC VPN, I cannot execute those commands. I tried telnetting, but it just hung. I may have disabled telnet on my profile. I'm assuming you are asking me to execute these commands while connected remotely to the VPN. I will check the other command: sysopt connection permit-vpn in the morning and post.

Thanks.
