09-05-2013 06:17 AM - edited 02-21-2020 07:07 PM
Dear All,
We configured remote access VPN on the ASA, and it worked perfectly until yesterday. Suddenly this issue started and we are unable to connect to the VPN. I attached the debug logs from the firewall. Please suggest how to resolve this issue.
Regards
Krish
09-05-2013 07:31 AM
I think that we need more information, like the debug output or the config file.
Regards
Markus
09-05-2013 08:03 AM
Hi Markus,
Debug file is already attached.
Regards,
Krish
09-05-2013 07:55 PM
Hi Krishna,
Your debug doesn't have much information. However, one thing is sure: even phase 1 is not coming up.
Please take the following debug:
debug cry isakmp 125
debug cry ipsec 125
If possible, send me the following configuration:
sh run tunnel-group CSTEP
sh run cry dynamic-map
sh run cry ipsec
sh run cry isakmp
If you paste the debugs here, email me.
You said it was working fine; were there any recent hardware or software changes?
Thanks
Jeet Kumar
09-05-2013 10:07 PM
Hi Jeet,
Sometimes it is connecting. Just now I tested again and was able to connect. But the servers are not accessible. I am sharing the latest logs.
CenterForStudy# sh run tunnel-group CSTEP
tunnel-group CSTEP type remote-access
tunnel-group CSTEP general-attributes
 address-pool REMOTE-POOL
tunnel-group CSTEP ipsec-attributes
 pre-shared-key *
CenterForStudy# sh run cry dynamic-map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
CenterForStudy# sh run cry ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
CenterForStudy# sh run cry isakmp
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
09-06-2013 10:15 AM
I didn't find any issue with your configuration.
So you are saying it is intermittent and doesn't happen all the time.
The debugs that you have attached are all DPDs.
Next time the issue occurs, please take the following output:
Debug crypto condition peer x.x.x.x (x.x.x.x is the Public IP of the machine from where you are connecting the VPN client).
Debug crypto ipsec 125
debug crypto isakmp 125
sh vpn-sessiondb summary
Please take this output and email me.
Thanks
Jeet Kumar
09-05-2013 08:02 PM
Hi Krishna,
Your debug message does not hold complete information for IKE Phase 1; you stopped the capture during Aggressive message 2. Look into the URL below for a better understanding.
Kindly provide us with the complete debug information.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bcfda6.shtml
HTH
Regards
Santhosh Saravanan
09-05-2013 11:46 PM
Hi Krishna,
Which kind of device is it? Can you post the interface and VPN configuration?
Regards
Markus