Hi, I am trying to create a remote access VPN on our 5520 but I am currently unable to pass traffic. The VPN client authenticates correctly but I am seeing no traffic decaps.
sh ipsec sa user *username*
Crypto map tag: def_cryp_map, seq num: 65535, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.149.1/255.255.255.255/0/0)
current_peer: y.y.y.y, username: *username*
dynamic allocated peer ip: 172.16.149.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Windows routing table on the client looks like this:
route: 10.0.0.0 mask: 255.0.0.0 gw: 172.16.149.2 int: 172.16.149.1
IPv4 Address. . . . . . . . . . . : 172.16.149.1
Subnet Mask . . . . . . . . . . . : 255.255.255.224
ip local pool SSS-pool 172.16.149.1-172.16.149.31 mask 255.255.255.224
crypto map outside_map 65535 ipsec-isakmp dynamic def_cryp_map
crypto map outside_map interface outside
tunnel-group SSSVPN type remote-access
tunnel-group SSSVPN general-attributes
password-management password-expire-in-days 5
tunnel-group SSSVPN ipsec-attributes
group-policy SSSGrpPolicy internal
group-policy SSSGrpPolicy attributes
dns-server value 172.16.140.100 172.16.140.101
vpn-tunnel-protocol IPSec svc
split-tunnel-network-list value SSSVPNTunnelList
access-list SSSVPNTunnelList extended permit ip object-group rfc1918_addresses 172.16.149.0 255.255.255.224
Any help appreciated.
I am not quite sure why the Windows "route print" output shows the Gateway would be "172.16.149.2" while it actually should be "172.16.149.1", which is the IP address you have gotten from the VPN device.
This would though explain why we aren't seeing anything on the VPN device's counters.
Though I am not sure why the gateway would be different from the VPN Pool IP address.
Here is an example of the output from one of my old VPN Client connections:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.6.63.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Network Destination    Netmask          Gateway      Interface    Metric
172.16.255.0           255.255.255.0    10.6.63.2    10.6.63.2    1
What is the client OS and internet connection you are using? If it is Windows 7 64-bit using a 4G connection, this is bound to happen. There is no support for WWAN adapters using the Cisco IPsec client.
Do you see the same behaviour for Windows XP and Windows 7 32-bit machines as well?
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.
The OS is Win7 64-bit. This is a VM bridging out onto my LAN adapter. We have the same symptoms on host computers as well.
The fix was to enable nat-traversal on the ASA.
Strangely, our Mac clients would work successfully but Windows failed, which was confusing.
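The counters in the original post are the quickest way to tell "authentication problem" from "ESP is not getting through": the SA exists, but encaps and decaps are both zero. The script below is an added example (not the poster's code, nor a Cisco tool) that parses `show crypto ipsec sa` text and flags each SA's traffic pattern, and checks that the address handed to the client sits inside the `ip local pool` range from the question. The sample output is constructed: it reuses the SA from the post and adds a second, healthy SA (user `*other*`, peer `z.z.z.z`, 172.16.149.3) purely so there is something to contrast against.

```python
import re
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample input (not captured from the poster's ASA): the
# 'show crypto ipsec sa' block from the question, plus a second, healthy SA
# so the classifier has something to contrast against.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: def_cryp_map, seq num: 65535, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.149.1/255.255.255.255/0/0)
  current_peer: y.y.y.y, username: *username*
  dynamic allocated peer ip: 172.16.149.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 0
Crypto map tag: def_cryp_map, seq num: 65535, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.149.3/255.255.255.255/0/0)
  current_peer: z.z.z.z, username: *other*
  dynamic allocated peer ip: 172.16.149.3
  #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
  #pkts decaps: 1450, #pkts decrypt: 1450, #pkts verify: 1450
  #send errors: 0, #recv errors: 0
"""

# The address range from the question's 'ip local pool SSS-pool' line.
POOL_START, POOL_END = ip_address("172.16.149.1"), ip_address("172.16.149.31")

USER_RE = re.compile(r"username: (\S+)")
PEER_RE = re.compile(r"dynamic allocated peer ip: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split 'show crypto ipsec sa' output into one dict per SA.

    Each dict carries the username, the pool address handed to the client,
    the encaps/decaps packet counters and the send/recv error counters.
    """
    sas: List[Dict[str, object]] = []
    # Every SA begins with a 'Crypto map tag:' line; the first split
    # element is whatever preceded it (empty here) and is skipped.
    for block in re.split(r"(?m)^Crypto map tag:", text)[1:]:
        sa: Dict[str, object] = {
            "username": None, "peer_ip": None,
            "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
        }
        user = USER_RE.search(block)
        if user:
            sa["username"] = user.group(1)
        peer = PEER_RE.search(block)
        if peer:
            sa["peer_ip"] = peer.group(1)
        for name, value in COUNTER_RE.findall(block):
            sa[name] = int(value)
        for name, value in ERROR_RE.findall(block):
            sa[f"{name}_errors"] = int(value)
        sas.append(sa)
    return sas


def classify(sa: Dict[str, object]) -> str:
    """Name the traffic pattern of one SA.

    'no-traffic' is the thread's symptom: the SA negotiated (so IKE and
    authentication worked) yet no ESP was encapsulated or decapsulated,
    which points at ESP not reaching the peers rather than at credentials.
    """
    encaps, decaps = int(sa["encaps"]), int(sa["decaps"])
    if encaps == 0 and decaps == 0:
        return "no-traffic"
    if decaps == 0:
        return "no-inbound"   # ASA encrypts, nothing verified coming back
    if encaps == 0:
        return "no-outbound"  # client traffic arrives, nothing leaves the ASA
    return "ok"


def in_pool(ip: str) -> bool:
    """True if the assigned client address falls inside the configured pool."""
    return POOL_START <= ip_address(ip) <= POOL_END


def report(text: str) -> List[str]:
    """One line per SA: user, assigned address, pool membership, pattern."""
    lines = []
    for sa in parse_ipsec_sa(text):
        peer = sa["peer_ip"]
        pool_note = "in-pool" if peer and in_pool(str(peer)) else "OUTSIDE-POOL"
        lines.append(f"{sa['username']} {peer} {pool_note} {classify(sa)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SA_OUTPUT):
        print(line)
```

Run against the real output of `show crypto ipsec sa` on the ASA (paste it in place of the constructed sample), the first SA from this thread comes out as `no-traffic` while the pool check passes, which matches the eventual diagnosis: addressing was fine, the ESP path was not.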