We configured remote access VPN on the ASA, and it worked perfectly until yesterday. Suddenly this issue started and we are unable to connect to the VPN. I attached the debug logs from the firewall. Please suggest how to resolve this issue.
Your debug doesn't have much information. However, one thing is sure: even phase 1 is not coming up.
Please take the following debug:
debug cry isakmp 125
debug cry ipsec 125
If possible, send me the following configuration:
sh run tunnel-group CSTEP
sh run cry dynamic-map
sh run cry ipsec
sh run cry isakmp
If you paste the debugs here, email me.
You said it was working fine; were there any recent hardware or software changes?
Sometimes it connects. Just now I tested again and was able to connect, but the servers are not accessible. I am sharing the latest logs.
CenterForStudy# sh run tunnel-group CSTEP
tunnel-group CSTEP type remote-access
tunnel-group CSTEP general-attributes
tunnel-group CSTEP ipsec-attributes
CenterForStudy# sh run cry dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
CenterForStudy# sh run cry ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
CenterForStudy# sh run cry isakmp
crypto isakmp enable outside
crypto isakmp policy 10
I didn't find any issue with your configuration.
So you are saying it is intermittent and doesn't happen all the time.
The debugs that you have attached are all DPDs.
Next time the issue occurs, please take the following output:
Debug crypto condition peer x.x.x.x (x.x.x.x is the Public IP of the machine from where you are connecting the VPN client).
Debug crypto ipsec 125
debug crypto isakmp 125
sh vpn-sessiondb summary
Please take this output and email me.
Hi Krishna,
Your debug message does not hold complete information for IKE Phase 1; you stopped the capture during Aggressive message 2. Look into the URL below for a better understanding.
Kindly let us have the complete debug information.