01-24-2011 02:48 AM - edited 02-21-2020 05:07 PM
Hi,
I have configured a VPN that I'm attempting to set up. However, what is happening is that any client that connects to the VPN disconnects after a short period of time. Here is the log that the Cisco VPN client generates. I've attempted VPN timeouts, ISAKMP NAT traversal and ISAKMP keepalives and cannot figure out what is happening.
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 16:20:23.358 01/21/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.25.190, error 0
2 16:20:24.367 01/21/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
3 16:20:24.990 01/21/11 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:512)
4 16:53:11.288 01/21/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.25.192, error 0
5 16:53:12.291 01/21/11 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
Here is my Cisco ASA configuration:
: Saved
:
ASA Version 8.2(3)3
!
hostname ***
domain-name ***
enable password 49j00eCjj encrypted
passwd NJfXtvcV encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/2
nameif t1
security-level 0
ip address 65.44.x.x 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa823-3-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x
name-server x.x.x.x
domain-name ******
dns server-group GoogleDNS
name-server 8.8.8.8
name-server 8.8.4.4
access-list inside_nat0_outbound extended permit ip any 192.168.25.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 192.168.25.128 255.255.255.12
access-list outside_access_in extended permit icmp any any
access-list test1_splitTunnelAcl standard permit 192.168.25.0 255.255.255.0
access-list INBOUND extended permit tcp any interface outside eq ssh
access-list t1_access_in extended permit tcp any interface t1 eq ssh
access-list torrent extended permit tcp any host x.x.x.x eq 51413
access-list torrent extended permit udp any host x.x.x.x eq 51413
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu t1 1500
mtu management 1500
ip local pool testtestVPN 192.168.25.150-192.168.25.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any t1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (t1) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 192.168.25.11 ssh netmask 255.255.255.255
static (inside,t1) tcp interface ssh 192.168.25.11 ssh netmask 255.255.255.255
access-group INBOUND in interface outside
access-group t1_access_in in interface t1
route outside 0.0.0.0 0.0.0.0 24.x.x.x 1 track 1
route t1 0.0.0.0 0.0.0.0 65.x.x.x 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.25.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 24.x.x.x interface outside
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map t1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map t1_map interface t1
crypto isakmp enable outside
crypto isakmp enable t1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet 192.168.25.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.25.0 255.255.255.0 inside
ssh timeout 5
console timeout 10
dhcpd address 192.168.25.100-192.168.25.149 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
dns-server value x.x.x.x x.x.x.x
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test1_splitTunnelAcl
group-policy test_t1 internal
group-policy test_t1 attributes
dns-server value x.x.x.x x.x.x.x
vpn-tunnel-protocol IPSec
username test1 password 2fomu81iLrRLiQui encrypted privilege 0
username test1 attributes
vpn-group-policy test
username testAcc2 password DB.oqF6Xv7LQVHFz encrypted
username testAcc3 password pjgDRS0eZt0h4lPx encrypted
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool testVPN
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 300 retry 5
tunnel-group test_t1 type remote-access
tunnel-group test_t1 general-attributes
address-pool testVPN
default-group-policy test_t1
tunnel-group test_t1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8321a517f14aed6b02412bdb17f62ab3
: end
01-24-2011 06:21 AM
Hi,
One thing that you can check is to leave a constant PING to the outside IP of the ASA from the VPN client and check if the VPN drops because IP connectivity to the ASA fails at that point.
If for whatever reason, the communication between the client and the ASA stops, the VPN will drop.
Federico.
01-27-2011 08:22 AM
So after some testing/debugging I found that when the VPN connection drops I get the following errors in the ASA:
192.168.25.43 is a static IP computer on the inside interface.
192.168.25.161 is the VPN client
2 | Jan 27 2011 | 02:47:50 | 106001 | 192.168.25.43 | 22 | 192.168.25.161 | 52139 | Inbound TCP connection denied from 192.168.25.43/22 to 192.168.25.161/52139 flags PSH ACK on interface inside |
2 | Jan 27 2011 | 02:47:40 | 106001 | 192.168.25.43 | 22 | 192.168.25.161 | 52139 | Inbound TCP connection denied from 192.168.25.43/22 to 192.168.25.161/52139 flags PSH ACK on interface inside |
I can't figure out how to allow this TCP connection with an ACL.
Can you please help?
I've also found that the connection did indeed drop because I had a backup route to the internet configured, and that was causing the VPN over the outside interface to drop. But I still have the issue where the inbound TCP connection is denied from 192.168.25.43/22 to 192.168.25.161/52139 flags PSH ACK on interface inside. How do I allow this? I tried setting a bidirectional ACL for the VPN tunnel group but that doesn't seem to work... I'm at a complete loss.
01-24-2011 06:25 AM
What Windows version exactly are your clients running?
What error message does the ASA generate when the client disconnects?
01-27-2011 08:27 AM
The TCP flags are as follows:
- ACK: The acknowledgment number was received.
- FIN: Data was sent.
- PSH: The receiver passed data to the application.
- RST: The connection was reset.
- SYN: Sequence numbers were synchronized to start a connection.
- URG: The urgent pointer was declared valid.
In your case I think one recommendation is to use a non-overlapping VPN pool.
Can you test another range that won't overlap with the internal network?
Federico.
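The two checks Federico's reply points at can be scripted. The triage script below is an added example and is not part of this thread or of any Cisco tool: it parses ASA 106001 "Inbound TCP connection denied" lines like the ones posted above (constructed copies are embedded as sample input), reads out the TCP flags with the meanings listed in the reply, marks a hit as mid-stream when no SYN is present (an assumption used as a heuristic here: the ASA saw a packet for an established flow it has no connection entry for, which an ACL will not fix), and then tests whether the configured VPN pool (`ip local pool` 192.168.25.150-192.168.25.199 from the posted config) overlaps the inside subnet 192.168.25.0/24. The pool and subnet values are passed in as parameters; the subnet is taken from the config's `dhcpd address` and split-tunnel ACL lines.

```python
import ipaddress
import re

# Constructed sample input, modelled on the %ASA-2-106001 lines pasted in the thread.
# Columns: severity | date | time | message id | src | sport | dst | dport | text
SAMPLE_LOG = """\
2 | Jan 27 2011 | 02:47:50 | 106001 | 192.168.25.43 | 22 | 192.168.25.161 | 52139 | Inbound TCP connection denied from 192.168.25.43/22 to 192.168.25.161/52139 flags PSH ACK on interface inside |
2 | Jan 27 2011 | 02:47:40 | 106001 | 192.168.25.43 | 22 | 192.168.25.161 | 52139 | Inbound TCP connection denied from 192.168.25.43/22 to 192.168.25.161/52139 flags PSH ACK on interface inside |
"""

# Flag meanings as given in the reply above.
FLAG_MEANINGS = {
    "ACK": "acknowledgment number was received",
    "FIN": "data was sent",
    "PSH": "receiver passed data to the application",
    "RST": "connection was reset",
    "SYN": "sequence numbers were synchronized to start a connection",
    "URG": "urgent pointer was declared valid",
}

DENIED_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)


def parse_106001(line):
    """Parse one 106001 'Inbound TCP connection denied' line; return a dict or None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["flags"] = d["flags"].split()
    d["flag_meanings"] = [FLAG_MEANINGS.get(f, "unknown") for f in d["flags"]]
    # Heuristic (assumption): a denied packet without SYN is not a new connection attempt,
    # so the firewall had no connection entry for an already-established flow.
    d["mid_stream"] = "SYN" not in d["flags"]
    return d


def pool_networks(pool_start, pool_end):
    """Express an ASA 'ip local pool' range as a list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)))


def pool_overlap(pool_start, pool_end, inside_net):
    """Return the pool's CIDR blocks that overlap the inside subnet (empty list = no overlap)."""
    inside = ipaddress.ip_network(inside_net)
    return [str(n) for n in pool_networks(pool_start, pool_end) if n.overlaps(inside)]


def analyze(log_text, pool_start, pool_end, inside_net):
    """Parse every 106001 line and annotate whether the denied destination sits in the pool
    and in the inside subnet at the same time, i.e. the overlap Federico asks to remove."""
    inside = ipaddress.ip_network(inside_net)
    nets = pool_networks(pool_start, pool_end)
    findings = []
    for line in log_text.splitlines():
        d = parse_106001(line)
        if d is None:
            continue
        dst = ipaddress.ip_address(d["dst"])
        d["dst_in_pool"] = any(dst in n for n in nets)
        d["dst_in_inside"] = dst in inside
        d["pool_overlaps_inside"] = d["dst_in_pool"] and d["dst_in_inside"]
        findings.append(d)
    return findings


if __name__ == "__main__":
    # Values from the posted config: pool 192.168.25.150-199, inside LAN 192.168.25.0/24.
    for f in analyze(SAMPLE_LOG, "192.168.25.150", "192.168.25.199", "192.168.25.0/24"):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} on {f['iface']} "
              f"flags={f['flags']} mid_stream={f['mid_stream']} "
              f"overlap={f['pool_overlaps_inside']}")
    print("overlapping pool blocks:",
          pool_overlap("192.168.25.150", "192.168.25.199", "192.168.25.0/24"))
```

Run against the posted values, both log lines come back as mid-stream packets (PSH ACK, no SYN) whose destination 192.168.25.161 is in the VPN pool and in the inside LAN at once, and the pool splits into four CIDR blocks that all overlap 192.168.25.0/24; a pool such as 10.10.10.0/24 returns an empty overlap list.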