06-19-2012 08:49 AM - edited 02-21-2020 06:08 PM
We have an ASA5520 configured with an IPSec VPN. From any ADSL home/office our VPN clients can connect without any problem, but when we use our cellular phones in tethering mode (as an access point) our VPN clients are unable to connect. Same machines, same software, same operating system, same remote IP (ASA5520 external IP); only the WiFi connection changes (ADSL to cellular phone). The signal of the cellular phones is not the problem: we ran the tests with different phones (iPhone & Android), different locations (all in Spain) and different providers (Vodafone, Orange and Movistar) of internet by cellular phone.
We think that perhaps the problem is the licenses that our ASA5520 has... Is our problem that our ASA does not have a license for this?
Our ASA5520 comes with these licenses:
------------------------------------------------------------------------------------------
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
-------------------------------------------------------------------------------------
Sorry for my English.
Thanks for your response!
Best Regards!
06-19-2012 10:20 AM
hi there
Are you using certs?
cheers
Claudio
Sent from Cisco Technical Support iPad App
06-19-2012 11:49 AM
No, we are not using certificates, we are using preshared keys.
06-19-2012 12:08 PM
I have the same setup and it works.
iPhone as access point (no VPN), then PC using WiFi connection to iPhone and PC establishes an IPsec connection to the ASA.
Sent from Cisco Technical Support iPad App
06-19-2012 12:20 PM
What licenses does your ASA have?
Does it have the "AnyConnect Essentials" feature enabled?
Could you paste me the license features that your ASA has enabled?
Thanks for your response!
Best Regards!!
06-19-2012 12:28 PM
Yes, it's with the AnyConnect Essentials lic.
If this lic was missing, you should see a lic failure in the FW's log.
Sent from Cisco Technical Support iPad App
06-19-2012 12:34 PM
Essentials lic is only used for SSL VPN; IPsec with the IPsec client is free of charge.
Sent from Cisco Technical Support iPad App
06-19-2012 12:49 PM
Exactly, I think that IPSec is free up to 750 simultaneous connections. I will try to upgrade the Android versions of my cellular phones and I will run the tests again. Perhaps it is an Android issue; tomorrow I will try the iPhone too.
I also have a Debian (Linux) box with strongSwan installed, and it runs perfectly with this current version of Android, but perhaps the ASA5520 needs an upgrade of the Android IPSec implementation...
Thanks for your help! It is very useful!
Best Regards!
06-20-2012 01:24 AM
Issue solved! Thanks c.spescha for your help! The problem was an old "IPSec passthrough" implementation in our old Android phones; in the latest versions of CyanogenMod the VPN is working without problems. The iPhone works well too.
Thanks!
Best Regards!