Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2223
Views
0
Helpful
7
Replies

Problem with traffic over Remote Access VPN (Cisco ASA5505)

Lionel271
Level 1
Level 1

‎10-15-2013 06:12 AM - edited ‎02-21-2020 07:14 PM

Hi

I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.

I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists. 

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
domain-name our-domain.com
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name 172.17.1.0 remote-vpn
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.0.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group adslrealm
 ip address pppoe setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SAST 2
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.1.138
 name-server 10.1.1.54
 domain-name our-domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ut
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0 
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 5061 
access-list outside_access_in extended permit tcp any interface outside eq 51413 
access-list outside_access_in extended permit udp any interface outside eq 51413 
access-list outside_access_in extended permit tcp any interface outside eq 2121 
access-list outside_access_in extended permit udp any interface outside eq 2121 
access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0 
access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0 
access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0 
access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0 
access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0 
access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0 
access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0 
access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0 
access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0 
access-list inside_access_out extended deny tcp any any eq 12975 
access-list inside_access_out extended deny tcp any any eq 32976 
access-list inside_access_out extended deny tcp any any eq 17771 
access-list inside_access_out extended deny udp any any eq 17771 
access-list inside_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 172.17.1.1-172.17.1.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 10.0.0.0 255.0.0.0
static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255 
static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 
static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255 
static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 
static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.1.1.138
 ldap-base-dn dc=our-domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com
 server-type auto-detect
aaa authentication ssh console AD LOCAL
aaa authentication telnet console LOCAL 
http server enable 4343
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.0.0.0 inside
http remote-vpn 255.255.255.0 inside
snmp-server host inside 10.1.1.190 community oursnmp
snmp-server host inside 10.1.1.44 community oursnmp
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca trustpoint CA1
 revocation-check crl none
 enrollment retry period 5
 enrollment terminal
 fqdn ciscoasa.our-domain.com
 subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York
 keypair ciscoasa.key
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate xxxxxxx
    ...
  quit
crypto ca certificate chain CA1
 certificate xxxxxxxxxxxxxx
    ...
  quit
 certificate ca xxxxxxxxxxxxx
    ...
  quit
crypto isakmp enable outside
crypto isakmp policy 1
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group adslrealm request dialout pppoe
vpdn group adslrealm localname username6@adslrealm
vpdn group adslrealm ppp authentication pap
vpdn username username6@adslrealm password ********* store-local
vpdn username username@adsl-u password ********* store-local
vpdn username username2@adslrealm password ********* 
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 4343
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 svc enable
group-policy defaultgroup internal
group-policy defaultgroup attributes
 dns-server value 10.1.1.138 10.1.1.54
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value our-domain.com
group-policy DfltGrpPolicy attributes
 dns-server value 10.1.1.138 10.1.1.54
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value VPNPool
 webvpn
  svc ask none default svc
username person1 password xxxxxxx encrypted
username admin password xxxxxxxx encrypted privilege 15
username person2 password xxxxxxxxx encrypted
username person3 password xxxxxxxxxx encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNPool
 default-group-policy defaultgroup
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point CA1
tunnel-group OurCompany type remote-access
tunnel-group OurCompany general-attributes
 address-pool VPNPool
tunnel-group OurCompany webvpn-attributes
 group-alias OurCompany enable
 group-url https://x.x.x.x/OurCompany enable
tunnel-group OurIPSEC type remote-access
tunnel-group OurIPSEC general-attributes
 address-pool VPNPool
 default-group-policy defaultgroup
tunnel-group OurIPSEC ipsec-attributes
 pre-shared-key *
 trust-point CA1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect sip sip-map
 parameters
  max-forwards-validation action drop log
  state-checking action drop log
  rtp-conformance 
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect pptp 
  inspect sip sip-map 
!             
service-policy global_policy global
prompt hostname context 
Cryptochecksum:xxxxxxxxxxxxxxxxx
: end

I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?

Regards

Lionel

Labels:
0 Helpful
7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

‎10-15-2013 07:08 AM

Lionel

I have looked through the config that you posted and do not see any obvious explanation in the config for the symptoms that you describe. It seems to me that the likely issue is that something connected in the inside LAN is not routing correctly for your new VPN pool. What was the previous pool? Can you check in the LAN for any remaining references to the old pool?

HTH

Rick

HTH

Rick
0 Helpful

Lionel271
Level 1
Level 1
In response to Richard Burts

‎10-15-2013 07:19 AM

Hi

The previous VPN pool was 10.1.2.1-10.1.2.254. The LAN subnet mask was 255.255.255.0 and is now 255.0.0.0. More IP address were required on the LAN side.

The Cisco ASA is directly connected to the LAN, no routers in between. The devices on the LAN that need to be accessed use the Cisco ASA as their default gateway. There are other devices that use a different router, but these have static routes for 172.17.1.0/24 to 10.1.1.2. Both configurations don't work with the VPN.

The WAN side of the Cisco ASA connects via PPPoE (as per the configuration) to a DSL modem. The tunnel group being used is the one label OurIPSEC.

During checking the debug logs, I've noticed that it says both the ASA and the client device is behind NAT, but neither of them are, although NAT traversal is enabled and we would like to support NAT.

Regards

Lionel

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Lionel271

‎10-15-2013 07:56 AM

Lionel

Thanks for the additional information. I am a bit surprised that a network that outgrew a /24 and needed more addresses is running on an ASA5505, but if it is running ok then that is good.

As far as the indication of being behind NAT is concerned what IP address is being assigned to your ASA outside interface to the DSL modem? I wonder if it is using a private address and then doing translation in the DSL modem?

HTH

Rick

HTH

Rick
0 Helpful

Lionel271
Level 1
Level 1
In response to Lionel271

‎10-15-2013 08:19 AM

Hi

The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.

Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.

Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.

Regards

Lionel

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VID
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VID
Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSEC
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMP
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436
Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMP
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payload
Oct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payload
Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payload
Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = cleared
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = cleared
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnel
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.com
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabled
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload
Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributes
Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributes
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!
Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!
Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)
Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote user
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.com
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload
Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210
Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2e
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETED
Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPD
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.
Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payload
Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received
172.17.1.1
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payload
Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addr
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1
Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xCB809F40, 
    SCB: 0xC9613DB0, 
    Direction: inbound
    SPI      : 0x96A6C295
    Session ID: 0x0001D000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick mode
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payload
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy ID
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:
  Remote host: 172.17.1.1  Protocol 0  Port 0
  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0
Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload
Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2e
Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152
Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payload
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAs
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594
IPSEC: New embryonic SA created @ 0xCB8F7418, 
    SCB: 0xC9F6DD30, 
    Direction: outbound
    SPI      : 0x09E97594
    Session ID: 0x0001D000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x09E97594
IPSEC: Creating outbound VPN context, SPI 0x09E97594
    Flags: 0x00000025
    SA   : 0xCB8F7418
    SPI  : 0x09E97594
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x99890723
    Channel: 0xC6691360
IPSEC: Completed outbound VPN context, SPI 0x09E97594
    VPN handle: 0x001E7FCC
IPSEC: New outbound encrypt rule, SPI 0x09E97594
    Src addr: 10.0.0.0
    Src mask: 255.0.0.0
    Dst addr: 172.17.1.1
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x09E97594
    Rule ID: 0xCB5483E8
IPSEC: New outbound permit rule, SPI 0x09E97594
    Src addr: 196.215.40.160
    Src mask: 255.255.255.255
    Dst addr: 197.79.9.227
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0x09E97594
    Rule ID: 0xC9242228
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594
IPSEC: Completed host IBSA update, SPI 0x96A6C295
IPSEC: Creating inbound VPN context, SPI 0x96A6C295
    Flags: 0x00000026
    SA   : 0xCB809F40
    SPI  : 0x96A6C295
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x001E7FCC
    SCB  : 0x985C5DA5
    Channel: 0xC6691360
IPSEC: Completed inbound VPN context, SPI 0x96A6C295
    VPN handle: 0x0020190C
IPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594
    Flags: 0x00000025
    SA   : 0xCB8F7418
    SPI  : 0x09E97594
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x0020190C
    SCB  : 0x99890723
    Channel: 0xC6691360
IPSEC: Completed outbound VPN context, SPI 0x09E97594
    VPN handle: 0x001E7FCC
IPSEC: Completed outbound inner rule, SPI 0x09E97594
    Rule ID: 0xCB5483E8
IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594
    Rule ID: 0xC9242228
IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295
    Src addr: 172.17.1.1
    Src mask: 255.255.255.255
    Dst addr: 10.0.0.0
    Dst mask: 255.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295
    Rule ID: 0xCB7CFCC8
IPSEC: New inbound decrypt rule, SPI 0x96A6C295
    Src addr: 197.79.9.227
    Src mask: 255.255.255.255
    Dst addr: 196.215.40.160
    Dst mask: 255.255.255.255
    Src ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x96A6C295
    Rule ID: 0xCB9BF828
IPSEC: New inbound permit rule, SPI 0x96A6C295
    Src addr: 197.79.9.227
    Src mask: 255.255.255.255
    Dst addr: 196.215.40.160
    Dst mask: 255.255.255.255
    Src ports
      Upper: 41593
      Lower: 41593
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x96A6C295
    Rule ID: 0xCBA7C740
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295
Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1 
Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)
0 Helpful

Lionel271
Level 1
Level 1
In response to Lionel271

‎10-15-2013 08:33 AM

Also can't seem to access the internal IP of the ASA over the VPN, which I believe is a step closer than the rest of the LAN.

0 Helpful

Lionel271
Level 1
Level 1
In response to Lionel271

‎10-15-2013 09:22 AM

Hi

I have made some progress. I connected the client device behind a NAT router via DSL and I could access a single device on the LAN (the other one I tested didn't work, but that might be routing related). I could also access the internet via the split tunnel.

But if I switch back to a 3G connection (direct, not behind NAT), I have the original problem.

Neither of these methods can access the internal interface of the ASA, but that is not a requirement.

I should be able to resolve the suspected routing issue myself for the other device, but need to somehow figure out how to get it working without NAT on the client side (it needs to work both with or without NAT).

Regards

Lionel

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Lionel271

‎10-15-2013 09:40 AM

Lionel

I am glad that you are making progress. Put this command into your config and see if it helps with the issue of accessing the ASA inside address from the VPN session

management-access inside

It is a very interesting insight that the problem may be related to address translation.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents