Only One VPN session allowed on ASA 5510

ed.crawford
Level 1

I have a broadband router with the internal interface of the broadband router plugged into the external interface of an ASA 5510.  The NAT and PAT translations have to be done on the broadband router, and I am sending all inbound traffic to the ASA.  Everything works great with the exception of multiple VPN sessions.

I can establish one remote VPN session, however it appears that I cannot establish another session at the same time.  I suspect that it has something to do with the fact that NAT has to take place on the broadband router.  The broadband is PPPoA so I can't go directly to the ASA.  How can I fix this?

Another issue is if I am connected to the VPN and then disconnect, I cannot reconnect unless I wait a while; almost like something has to time out.  Any ideas?

Thanks for your help.

11 Replies

Hi,

Are you establishing VPN connections to the ASA (router redirecting VPN traffic to the ASA)?

Since the ASA is behind NAT, you might need 'cry isa nat-t'.

Federico.

The broadband router is a Zyxel 660-H.  I am forwarding all ports to the ASA

Problem could be that the router is not redirecting the VPN traffic correctly.

Can you try enabling IPsec/TCP on the ASA and client and attempt to connect more than one client at the same time?

Federico.

Where is that set on the ASA?  If I set the client to IPSEC over TCP I get nothing.

Try taking the client back to IPsec over UDP and try the NAT traversal command on the ASA as suggested previously.

issue the command

crypto isakmp nat-traversal

on the asa

I did that and it still does not work.  Here is what I get from the ASA logs:

Severity | Date/time | Message ID | Source | Destination | Message

4 | Dec 07 2010 16:18:36 | 713903 | - | - | Group = VPN_UNRESTRICTED, IP = 195.112.60.245, Error: Unable to remove PeerTblEntry

3 | Dec 07 2010 16:18:36 | 713902 | - | - | Group = VPN_UNRESTRICTED, IP = 195.112.60.245, Removing peer from peer table failed, no match!

6 | Dec 07 2010 16:18:06 | 302021 | 195.112.60.245/0 | 192.168.134.1/0 | Teardown ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

6 | Dec 07 2010 16:18:06 | 302020 | 195.112.60.245/0 | 192.168.134.1/0 | Built inbound ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

6 | Dec 07 2010 16:17:36 | 302021 | 195.112.60.245/0 | 192.168.134.1/0 | Teardown ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

6 | Dec 07 2010 16:17:36 | 302020 | 195.112.60.245/0 | 192.168.134.1/0 | Built inbound ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

6 | Dec 07 2010 16:17:06 | 302021 | 195.112.60.245/0 | 192.168.134.1/0 | Teardown ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

6 | Dec 07 2010 16:17:06 | 302020 | 195.112.60.245/0 | 192.168.134.1/0 | Built inbound ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0

Robert Salazar
Cisco Employee

Are you using the same credentials for your second/simultaneous connection attempt?

What error message do you see on the client when the attempt fails?

No, different credentials

The strange thing is I don't see the nat-t in the running config.  I issue crypto isakmp nat-tra 21 with no errors, but if I do

sh run all | inc nat

it doesn't show it.

comms-asa-01(config)# crypto isakmp nat-traversal 21
comms-asa-01(config)# end
comms-asa-01# sh run all | inc nat
nat (inside) 0 access-list inside_nat0_outbound

When you connect the vpn

Can you issue the command

Show crypto ipsec sa peer

And can you paste that

Regards,

Jitendriya

I don't think it ever sets up an SA.  The client just says "contacting security gateway".  Here was the result:

comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245
comms-asa-01# Show crypto ipsec sa peer 195.112.60.245

There are no ipsec sas for peer 195.112.60.245

Here are the client logs

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600

82     10:09:10.699  12/08/10  Sev=Info/4 CM/0x63100002
Begin connection process

83     10:09:10.704  12/08/10  Sev=Info/4 CM/0x63100004
Establish secure connection

84     10:09:10.705  12/08/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "mail.commsfm.com"

85     10:09:10.711  12/08/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 81.136.150.101.

86     10:09:10.725  12/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 81.136.150.101

87     10:09:10.838  12/08/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 81.136.150.101

88     10:09:10.839  12/08/10  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 81.136.150.101

89     10:09:10.839  12/08/10  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

90     10:09:10.839  12/08/10  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

91     10:09:10.839  12/08/10  Sev=Info/5 IKE/0x63000001
Peer supports DPD

92     10:09:10.839  12/08/10  Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

93     10:09:10.840  12/08/10  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

94     10:09:10.848  12/08/10  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

95     10:09:10.849  12/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 81.136.150.101

96     10:09:10.849  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

97     10:09:10.849  12/08/10  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0xDDEC, Remote Port = 0x1194

98     10:09:10.850  12/08/10  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

99     10:09:10.850  12/08/10  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

100    10:09:11.200  12/08/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

101    10:09:11.200  12/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

102    10:09:21.347  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

103    10:09:31.485  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

104    10:09:41.622  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

105    10:09:51.778  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

106    10:10:01.918  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

107    10:10:12.058  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

108    10:10:22.205  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

109    10:10:32.340  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

110    10:10:42.486  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

111    10:10:52.636  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

112    10:11:02.776  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

113    10:11:12.916  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

114    10:11:23.062  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

115    10:11:33.198  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

116    10:11:43.343  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

117    10:11:53.495  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

118    10:12:03.634  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

119    10:12:13.775  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

120    10:12:23.917  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

121    10:12:34.062  12/08/10  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
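The two logs pasted in this thread carry the facts a practitioner wants to line up before touching the configuration: the client's IKE ports are written in hex (0x1194 is UDP/4500, the NAT-T port; UDP/500 would mean NAT-T was not negotiated), both ends report being behind a NAT device, Phase 1 completes, no Phase 2 (IPsec) SA ever appears, and the ASA side logs only 713902/713903 peer-table removal failures for the remote peer. The script below is an added example written for this page, not Cisco tooling or code from any poster. It parses a few rows copied from the thread (embedded as constructed sample input) and turns them into a short triage summary; the field layout assumed for the ASA rows is severity, date, time, message ID, message text, and the "Established Phase 2 SA" string it looks for is the assumed wording the Cisco VPN Client uses once IPsec is up (it does not occur in this excerpt).

```python
import re
from collections import Counter

# Constructed sample: ASA syslog rows from the thread, one event per line
# (severity, date, time, message ID, message text).
ASA_LOG = """\
4 Dec 07 2010 16:18:36 713903 Group = VPN_UNRESTRICTED, IP = 195.112.60.245, Error: Unable to remove PeerTblEntry
3 Dec 07 2010 16:18:36 713902 Group = VPN_UNRESTRICTED, IP = 195.112.60.245, Removing peer from peer table failed, no match!
6 Dec 07 2010 16:18:06 302021 Teardown ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0
6 Dec 07 2010 16:18:06 302020 Built inbound ICMP connection for faddr 195.112.60.245/0 gaddr 192.168.134.1/0 laddr 192.168.134.1/0
"""

# Constructed sample: the relevant Cisco VPN Client entries from the thread.
CLIENT_LOG = """\
97     10:09:10.849  12/08/10  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0xDDEC, Remote Port = 0x1194
98     10:09:10.850  12/08/10  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device
99     10:09:10.850  12/08/10  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
101    10:09:11.200  12/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys
"""

IKE_PORT, NAT_T_PORT = 500, 4500  # RFC 3947/3948: IKE moves to UDP/4500 once NAT is detected

ASA_ROW = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\d{6})\s+(.*)$")
PEER_IP = re.compile(r"(?:IP = |faddr )(\d+\.\d+\.\d+\.\d+)")


def parse_asa(text):
    """Split each ASA syslog row into fields and pull out the remote peer address."""
    events = []
    for line in text.splitlines():
        m = ASA_ROW.match(line)
        if not m:
            continue
        sev, date, time, msgid, msg = m.groups()
        ip = PEER_IP.search(msg)
        events.append({"severity": int(sev), "time": f"{date} {time}", "msgid": msgid,
                       "peer": ip.group(1) if ip else None, "text": msg})
    return events


def peer_table_errors(events):
    """Count the 713902/713903 peer-table removal failures per remote peer."""
    return Counter(e["peer"] for e in events if e["msgid"] in ("713902", "713903"))


def parse_client(text):
    """Extract IKE ports (hex in the log), NAT detection results and SA phases."""
    info = {"local_port": None, "remote_port": None, "remote_behind_nat": None,
            "this_behind_nat": None, "phase1": False, "phase2": False}
    m = re.search(r"Local Port =\s*(0x[0-9A-Fa-f]+), Remote Port =\s*(0x[0-9A-Fa-f]+)", text)
    if m:
        info["local_port"], info["remote_port"] = int(m.group(1), 16), int(m.group(2), 16)
    m = re.search(r"Remote end\s+is(\s+NOT)?\s+behind a NAT device", text, re.I)
    if m:
        info["remote_behind_nat"] = m.group(1) is None
    m = re.search(r"This\s+end\s+is(\s+NOT)?\s+behind a NAT device", text, re.I)
    if m:
        info["this_behind_nat"] = m.group(1) is None
    info["phase1"] = "Established Phase 1 SA" in text
    info["phase2"] = "Established Phase 2 SA" in text  # assumed wording; absent in this excerpt
    return info


def triage(client, asa_errors):
    """Turn the parsed facts into plain findings; no root cause is asserted."""
    findings = []
    if client["remote_port"] == NAT_T_PORT:
        findings.append("IKE is running on UDP/4500: NAT-T was negotiated, so UDP 500 and 4500 "
                        "must both be forwarded to the ASA")
    elif client["remote_port"] == IKE_PORT:
        findings.append("IKE stayed on UDP/500: NAT-T not negotiated, so ESP (IP protocol 50) "
                        "must reach the ASA unchanged")
    if client["remote_behind_nat"] and client["this_behind_nat"]:
        findings.append("both the client and the ASA are detected behind NAT")
    if client["phase1"] and not client["phase2"]:
        findings.append("Phase 1 completed but no Phase 2 (IPsec) SA was logged")
    for peer, n in asa_errors.items():
        findings.append(f"ASA logged {n} peer-table removal error(s) for {peer}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_client(CLIENT_LOG), peer_table_errors(parse_asa(ASA_LOG))):
        print("-", line)
```

Run against the thread's excerpt it reports UDP/4500 in use, both ends behind NAT, Phase 1 without Phase 2, and two peer-table errors for 195.112.60.245; swap in your own syslog export and client log to compare a working and a failing connection attempt side by side.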