10-22-2011 07:48 PM
Hi,
I have a Cisco 5510 installed in our data center. Below are the details:
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
I am having a very frustrating problem and am not able to find a solution to it. We have about 6 computers with different usernames that are trying to connect from the office to the datacenter, and not all the machines are able to connect. We are all behind an Apple Airport wireless network in the office, and we have our own usernames and passwords that we use to connect to the datacenter.
There is no problem when connecting from home or if we are not at the same location, but when we are all at the same location, a few of us are never able to get in on the network.
I have vpn-simultaneous-connections to be set to 500 in the group policy, but I don't know why this issue is happening. This is very frustrating as when all of us are in the office, we cannot work on our machines in the datacenter. I am happy to provide any information needed.
Can someone help me out? I will buy them dinner if they are in the Bay area.
Look forward to hearing from the expert community out there.
Cheers,
Vishal
10-22-2011 11:36 PM
Are there any NAT devices? Maybe there is some kind of NAT router behind the Apple Airport wireless AP? If so, you should use NAT-T on your clients and VPN servers.
---
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
10-23-2011 09:02 AM
Hi Eugene,
Thanks a lot for your reply. I have a few questions.
1. I am using the default inbuilt VPN client available on my macbook pro to connect to the ASA (IPSEC). How do I enforce NAT-T on the inbuilt client?
2. I am pretty sure this is not enabled on the ASA also, how do I go about enabling it?
Let me know, I can try this out and let you know how it goes.
Thanks!
10-23-2011 10:57 AM
Hi! There is an official version of Cisco VPN Client 4.x for Mac OS. Did you try it? On the transport settings of the connections tab there is an "IPSEC over UDP" radio button.
On the ASA, in the group-policy, you should enable:
ipsec-udp enable
10-23-2011 02:53 PM
Sounds good, let me try this and get back to you.
Do you think this setting might be the one preventing multiple people behind the wireless router from connecting to the ASA?
I have the following settings only under group-policy:
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx 4.2.2.2
vpn-access-hours none
vpn-simultaneous-logins 500
vpn-idle-timeout 240
vpn-session-timeout none
vpn-filter none
group-lock value
pfs disable
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
split-dns value 1 xx.xx.xx.xx 4.2.2.2
client-firewall none
client-access-rule none
10-24-2011 12:21 PM
I think ipsec-udp enable will help.
10-24-2011 05:21 PM
Hi Eugene,
I made this change and did: ipsec-udp enable
I am still having this issue; below is a log from VPN Tracker.
17:19:43 XAUTH Started
17:19:43 next step: waiting for xauth (659)
17:19:43 seen nptype=8(hash) (1402)
17:19:43 seen nptype=12(delete) (1402)
17:19:43 message authentication failed. (2097)
17:19:43 delete payload is not protected, ignored. (2122)
17:19:43 purged ISAKMP-SA proto_id=ISAKMP spi=6d1e9bbc3e8bcd75:db592648742adb21. (1754)
17:19:43 Connection Dropped
The VPN gateway asked VPN Tracker to disconnect. If this problem occured for the first time and you were able to connect before, please reconnect
• If this problem always occurs when trying to establish a connection, there is likely a configuration mismatch between VPN Tracker and your VPN gateway
• If this problem occurs regularly after having successfully established a connection, please make sure the phase 1 and phase 2 lifetimes in VPN Tracker match what is configured on your VPN gateway
Your VPN gateway's log may contain additional information about this problem.
Status: 0x9050A (PHASE1_DELETE_PAYLOAD)
17:19:43 About to Disconnect (Error)
17:19:43 Disconnecting (Error)
17:19:43 connectiond received signal 3, terminating (978)
17:19:43 Next step: Processing connectiond connection request
17:19:43 Next step: Deleting SAs
17:19:43 Next step: Removing SA 192.168.24.14 <---> xx.xx.xx.xx
17:19:43 Next step: Cleaning status information after stop
17:19:43 Next step: Removing connectiond info
17:19:43 Next step: Removing reachability check for VPN gateway
17:19:43 Not Connected
17:19:43 connectiond shutdown (165)
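A small diagnostic script, added here as an example and not part of the thread, that checks the group-policy listing and the VPN Tracker log above for the two things this thread turns on: whether the policy leaves several clients behind one NAT on raw ESP (no UDP encapsulation), and whether the client log shows phase 1 being torn down by an unauthenticated delete. The two text excerpts are constructed to match the shape of the output quoted in the thread.

```python
import re

# Constructed excerpts shaped like the ASA group-policy listing and the
# VPN Tracker log quoted in the thread (not the poster's full output).
GROUP_POLICY = """\
vpn-simultaneous-logins 500
pfs disable
ipsec-udp disable
split-tunnel-policy tunnelspecified
"""
VPN_TRACKER_LOG = """\
17:19:43 XAUTH Started
17:19:43 seen nptype=12(delete) (1402)
17:19:43 message authentication failed. (2097)
17:19:43 delete payload is not protected, ignored. (2122)
17:19:43 purged ISAKMP-SA proto_id=ISAKMP spi=6d1e9bbc3e8bcd75:db592648742adb21. (1754)
Status: 0x9050A (PHASE1_DELETE_PAYLOAD)
"""

def parse_group_policy(text):
    """Map each 'attribute value' line of a group-policy block to its value."""
    policy = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            policy[parts[0]] = parts[1]
    return policy

def policy_findings(policy):
    """Flag settings that matter when several clients share one NAT device."""
    findings = []
    # ESP carries no port numbers, so a NAT cannot always keep several
    # clients' ESP sessions apart; UDP encapsulation gives each its own port.
    if policy.get("ipsec-udp", "disable") != "enable":
        findings.append("ipsec-udp disabled: clients behind a shared NAT rely on raw ESP")
    return findings

def log_findings(text):
    """Summarise why VPN Tracker dropped the connection."""
    findings = []
    if "XAUTH Started" in text and "purged ISAKMP-SA" in text:
        findings.append("ISAKMP SA torn down during XAUTH (phase 1 never completed)")
    if "delete payload is not protected" in text:
        findings.append("gateway sent a delete the client could not authenticate")
    m = re.search(r"Status: (0x[0-9A-Fa-f]+) \((\w+)\)", text)
    if m:
        findings.append(f"client status {m.group(2)} ({m.group(1)})")
    return findings
```

Run `policy_findings(parse_group_policy(GROUP_POLICY))` and `log_findings(VPN_TRACKER_LOG)` against your own `show run group-policy` output and client log to get the same summary.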