- Cisco Community
- Technology and Support
- Security
- VPN
- Re: Issue with EZYVPN
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Issue with EZYVPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 09:32 PM
we have just migrated from PIX to ASA (ASA Version 8.2(3) and have issue with ezyvpn.
Though telnet and ping is working http, https, dns lookup is failing. When we revert back to PIX, everything is fine.
We could not apply the sysopt connection permit-ipsec on the ASA while EZYVPN is enabled.
PIX
AUMAT-WFW0# show vpnclient detail
LOCAL CONFIGURATION
vpnclient server 203.28.106.200
vpnclient mode network-extension-mode
vpnclient vpngroup AUABB-EZYVPN password ********
vpnclient username aumat-wfw0.au.abb.com password ********
vpnclient enable
DOWNLOADED DYNAMIC POLICY
Current Server : 203.28.106.200
Primary DNS : 10.128.208.32
Secondary DNS : 10.128.208.30
Primary WINS : 10.128.208.60
Secondary WINS : 10.128.208.68
Default Domain : au.abb.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Backup Servers : None
STORED POLICY
Secure Unit Authentication Enabled : No
Split Networks : None
Backup Servers : None
RELATED CONFIGURATION
sysopt connection permit-ipsec
global (outside) 1 interface
nat (inside) 0 access-list _vpnc_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list test permit ip any host 10.128.248.1
access-list _vpnc_acl permit ip AUMAT 255.255.255.0 any
access-list _vpnc_acl permit ip host 119.225.63.90 any
access-list _vpnc_acl permit ip host 119.225.63.90 host 203.28.106.200
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 138.222.124.0 255.255.255.0 inside
http 203.8.5.0 255.255.255.0 inside
http 149.128.114.64 255.255.255.192 inside
http AUMAT 255.255.255.0 inside
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_test_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 ipsec-isakmp
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 203.28.106.200
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_test_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm interface outside
isakmp enable outside
isakmp key ******** address 203.28.106.200 netmask 255.255.255.255
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 65001 authentication xauth-pre-share
isakmp policy 65001 encryption aes-256
isakmp policy 65001 hash sha
isakmp policy 65001 group 2
isakmp policy 65001 lifetime 86400
isakmp policy 65002 authentication xauth-pre-share
isakmp policy 65002 encryption aes-256
isakmp policy 65002 hash md5
isakmp policy 65002 group 2
isakmp policy 65002 lifetime 86400
isakmp policy 65003 authentication xauth-pre-share
isakmp policy 65003 encryption aes-192
isakmp policy 65003 hash sha
isakmp policy 65003 group 2
isakmp policy 65003 lifetime 86400
isakmp policy 65004 authentication xauth-pre-share
isakmp policy 65004 encryption aes-192
isakmp policy 65004 hash md5
isakmp policy 65004 group 2
isakmp policy 65004 lifetime 86400
isakmp policy 65005 authentication xauth-pre-share
isakmp policy 65005 encryption aes
isakmp policy 65005 hash sha
isakmp policy 65005 group 2
isakmp policy 65005 lifetime 86400
isakmp policy 65006 authentication xauth-pre-share
isakmp policy 65006 encryption aes
isakmp policy 65006 hash md5
isakmp policy 65006 group 2
isakmp policy 65006 lifetime 86400
isakmp policy 65007 authentication xauth-pre-share
isakmp policy 65007 encryption 3des
isakmp policy 65007 hash sha
isakmp policy 65007 group 2
isakmp policy 65007 lifetime 86400
isakmp policy 65008 authentication xauth-pre-share
isakmp policy 65008 encryption 3des
isakmp policy 65008 hash md5
isakmp policy 65008 group 2
isakmp policy 65008 lifetime 86400
isakmp policy 65009 authentication xauth-pre-share
isakmp policy 65009 encryption des
isakmp policy 65009 hash md5
isakmp policy 65009 group 2
isakmp policy 65009 lifetime 86400
isakmp policy 65010 authentication pre-share
isakmp policy 65010 encryption aes-256
isakmp policy 65010 hash sha
isakmp policy 65010 group 2
isakmp policy 65010 lifetime 86400
isakmp policy 65011 authentication pre-share
isakmp policy 65011 encryption aes-256
isakmp policy 65011 hash md5
isakmp policy 65011 group 2
isakmp policy 65011 lifetime 86400
isakmp policy 65012 authentication pre-share
isakmp policy 65012 encryption aes-192
isakmp policy 65012 hash sha
isakmp policy 65012 group 2
isakmp policy 65012 lifetime 86400
isakmp policy 65013 authentication pre-share
isakmp policy 65013 encryption aes-192
isakmp policy 65013 hash md5
isakmp policy 65013 group 2
isakmp policy 65013 lifetime 86400
isakmp policy 65014 authentication pre-share
isakmp policy 65014 encryption aes
isakmp policy 65014 hash sha
isakmp policy 65014 group 2
isakmp policy 65014 lifetime 86400
isakmp policy 65015 authentication pre-share
isakmp policy 65015 encryption aes
isakmp policy 65015 hash md5
isakmp policy 65015 group 2
isakmp policy 65015 lifetime 86400
isakmp policy 65016 authentication pre-share
isakmp policy 65016 encryption 3des
isakmp policy 65016 hash sha
isakmp policy 65016 group 2
isakmp policy 65016 lifetime 86400
isakmp policy 65017 authentication pre-share
isakmp policy 65017 encryption 3des
isakmp policy 65017 hash md5
isakmp policy 65017 group 2
isakmp policy 65017 lifetime 86400
isakmp policy 65018 authentication pre-share
isakmp policy 65018 encryption des
isakmp policy 65018 hash md5
isakmp policy 65018 group 2
isakmp policy 65018 lifetime 86400
ASA
AUMAT-WFW0# show vpnclient detail
LOCAL CONFIGURATION
vpnclient server 203.28.106.200
vpnclient mode network-extension-mode
vpnclient vpngroup AUABB-EZYVPN password *****
vpnclient username aumat-wfw0.au.abb.com password *****
vpnclient enable
DOWNLOADED DYNAMIC POLICY
Current Server : 203.28.106.200
Primary DNS : 10.128.208.32
Secondary DNS : 10.128.208.30
Primary WINS : 10.128.208.60
Secondary WINS : 10.128.208.68
Default Domain : au.abb.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Backup Servers : None
STORED POLICY
Secure Unit Authentication Enabled : No
Split Tunnel Networks : None
Backup Servers : None
RELATED CONFIGURATION
global (outside) 1 interface
global (outside) 65001 10.128.242.1
nat (inside) 0 access-list _vpnc_no_nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
access-list _vpnc_no_nat_acl extended permit ip any any
access-list _vpnc_acl extended permit ip host 119.225.63.90 host 203.28.106.200
access-list _vpnc_acl extended permit ip AUMAT 255.255.255.0 any
access-list _vpnc_acl extended deny udp host 119.225.63.90 eq bootpc any eq bootps
access-list _vpnc_acl extended permit ip host 119.225.63.90 any
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 203.28.106.200
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647
crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647
crypto map _vpnc_cm 10 set phase1-mode aggressive
crypto map _vpnc_cm interface outside
crypto isakmp enable outside
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65002
authentication xauth-pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65003
authentication xauth-pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65004
authentication xauth-pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65005
authentication xauth-pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65006
authentication xauth-pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65007
authentication xauth-pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65008
authentication xauth-pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65009
authentication xauth-pre-share
encryption des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65011
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65012
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65013
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65014
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65015
authentication pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65016
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65017
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65018
authentication pre-share
encryption des
hash md5
group 2
lifetime 2147483647
tunnel-group 203.28.106.200 type ipsec-ra
tunnel-group 203.28.106.200 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 90 retry 5
No issue with establishing the IPSec but traffic flow for http, https and nslookup seems to be failing.
AUMAT-WFW0(config)# sh cry isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 203.28.106.200
Type : user Role : initiator
Rekey : no State : AM_ACTIVE
AUMAT-WFW0(config)# sh cry ipses sa
^
ERROR: % Invalid input detected at '^' marker.
AUMAT-WFW0(config)# sh cry ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 119.225.63.90
access-list _vpnc_acl extended permit ip 10.128.242.0 255.255.255.0 any
local ident (addr/mask/prot/port): (AUMAT/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.28.106.200, username: 203.28.106.200
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 45243, #pkts encrypt: 45245, #pkts digest: 45245
#pkts decaps: 15549, #pkts decrypt: 15549, #pkts verify: 15549
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 45245, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 0, #fragments created: 4
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 102
#send errors: 0, #recv errors: 0
local crypto endpt.: 119.225.63.90, remote crypto endpt.: 203.28.106.200
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5452B791
current inbound spi : C58AB035
inbound esp sas:
spi: 0xC58AB035 (3314200629)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 21756
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5452B791 (1414707089)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 21756
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 119.225.63.90
access-list _vpnc_acl extended permit ip host 119.225.63.90 any
local ident (addr/mask/prot/port): (119.225.63.90/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.28.106.200, username: 203.28.106.200
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 119.225.63.90, remote crypto endpt.: 203.28.106.200
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 39F7487C
current inbound spi : C3E84E31
inbound esp sas:
spi: 0xC3E84E31 (3286781489)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27438
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x39F7487C (972507260)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 27438
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hope you experts can shed some light. Thanks
- Labels:
-
VPN
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 11:02 PM
Weird, so there is no problem with VPN establishment. Can you try to do a connection over the tunnel and check what the logs on the remote ASA show? Also check on the local ASA for syslogging.... if you see that they being created and then torn down, checkout the reason for the connection to be closed..
Theres gotta be something that we are missing.
Mike
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 11:07 PM
The ezyvpn server firewall is not managed by us but I have ask if we could collect the debugs when we try installing the ASA again. Currently we have reverted to PIX and it works ok.
Kumar Ramalingam
Senior Network Engineer
Logicalis Australia Pty Ltd
t 1800 651 484
t +61 2 9805 9740 (International)
f +61 2 9805 9904
kramalingam@au.logicalis.com
www.au.logicalis.com<>
What are your organisation's greatest barriers to a more flexible workplace?
Let us introduce you to Tomorrow’s Workplace, http://www.au.logicalis.com/tomorrow
Get the latest news and offers:Twitter<>,LinkedIn<>,Facebook<>
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 11:27 PM
Mmmmm, I understand.
Is the client configuration the same on both pix and ASA? Did you change something? Did you test any other tcp traffic besides telnet?
Mike
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: