
Remote access VPN issues

Dung Nguyen Anh
Level 1

Dear,

I have a problem relating to remote access VPN configuration on a Cisco ASA 5550, version 8.2(1). I used Cisco VPN client 5.0.03.0560 with a simple topology: laptop (client) ----- (Internet) ------- (public IP) ASA. I can ping the OUTSIDE interface of the ASA from the laptop over the Internet.

When I connect from the Cisco VPN client to the ASA, the Cisco VPN client shows the following log:

1      10:38:49.281  10/31/12  Sev=Info/6    GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

2      10:41:40.793  10/31/12  Sev=Info/4    CM/0x63100002
Begin connection process

3      10:41:40.795  10/31/12  Sev=Info/4    CM/0x63100004
Establish secure connection

4      10:41:40.795  10/31/12  Sev=Info/4    CM/0x63100024
Attempt connection with server "175.100.110.150"

5      10:41:40.797  10/31/12  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 175.100.110.150.

6      10:41:40.833  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 175.100.110.150

7      10:41:40.834  10/31/12  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

8      10:41:40.834  10/31/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

9      10:41:45.887  10/31/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

10     10:41:45.887  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150

11     10:41:50.957  10/31/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

12     10:41:50.957  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150

13     10:41:56.026  10/31/12  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

14     10:41:56.026  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150

15     10:42:01.096  10/31/12  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     10:42:01.610  10/31/12  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     10:42:01.610  10/31/12  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "175.100.110.150" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     10:42:01.610  10/31/12  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

19     10:42:01.611  10/31/12  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

20     10:42:01.611  10/31/12  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

21     10:42:02.114  10/31/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

22     10:42:02.114  10/31/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

23     10:42:02.114  10/31/12  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

24     10:42:02.114  10/31/12  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped


This is my configuration on ASA:

!
crypto isakmp enable outside
crypto isakmp policy 10
 auth pre-share
 encr 3des
 hash md5
 group 2
!
! Enable VPN address allocation from local pools
! Notice that it’s enabled by default
!
vpn-addr-assign local
!
! Local address pool
!
ip local pool EZVPN 10.1.245.10-10.1.245.250
!
! Split-tunneling ACL (we use a standard ACL)
!
! Local username for Xauth, define group-lock attribute
!
username CISCO password CISCO1234
username CISCO attributes
 group-lock value EZVPN
!
! Tunnel-group policy
!
group-policy EZVPN internal
group-policy EZVPN attributes
 vpn-tunnel-protocol IPSec
 address-pools value EZVPN
 dns-server value 10.1.254.10
!
! Tunnel-group definition
! Note that authentication-server-group is LOCAL by default
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group LOCAL
 default-group-policy EZVPN
!
tunnel-group EZVPN ipsec-attributes
 pre-shared-key CISCO
!
! IPsec transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
! Dynamic crypto-map
!
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 10 set reverse-route
!
! Define crypto-map
!
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
!
! Attach crypto map to the interface
!
crypto map VPN interface outside
!
! Permit VPN traffic to bypass ACLs (default)
!
sysopt connection permit-vpn
!
! Redistribute static routes into OSPF
!
! ACL permit ESP and ISAKMP
!
access-list OUTSIDE_IN permit udp any any eq isakmp
access-list OUTSIDE_IN permit esp any any
!
access-group OUTSIDE_IN in interface outside

Please suggest how to troubleshoot this problem.

Thanks so much.
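As an added example (not part of the post), a small Python parser for the VPN client log format quoted above: it pairs each header line with its message, counts the aggressive-mode retransmissions, and reports that Phase 1 ended with DEL_REASON_PEER_NOT_RESPONDING without a single RECEIVED <<< entry, i.e. the client's UDP/500 proposals were never answered. The ASA-side debugs are what show whether those proposals reach the headend at all; the sample log below is a constructed subset of the entries in the post.

```python
import re

# A Cisco VPN Client log entry is a header line followed by a message line:
#   <seq>  <time>  <date>  Sev=<class>/<n>  <component>/0x<code>
HEADER = re.compile(r"^\s*(\d+)\s+([\d:.]+)\s+([\d/]+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)\s*$")

def parse_log(text):
    """Pair each header line with the message line that follows it (blank lines are skipped)."""
    entries, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            header = m
        elif header is not None:
            entries.append({"seq": int(header[1]), "component": header[6], "message": line.strip()})
            header = None
    return entries

def diagnose_phase1(entries):
    """Summarise the IKE Phase 1 attempt: mode, retries, whether the peer answered, and the exit reason."""
    ike = [e for e in entries if e["component"] == "IKE"]
    sent = [e["message"] for e in ike if e["message"].startswith("SENDING >>>")]
    reasons = [m.group(1) for e in ike for m in [re.search(r"reason = (\w+)", e["message"])] if m]
    return {
        "mode": "aggressive" if any("ISAKMP OAK AG" in s for s in sent) else "main/other",
        "retransmissions": sum("(Retransmission)" in s for s in sent),
        "peer_replied": any(e["message"].startswith("RECEIVED <<<") for e in ike),
        "reason": reasons[-1] if reasons else None,
    }

def verdict(summary):
    """Turn the summary into the one-line conclusion a responder would write down."""
    if not summary["peer_replied"] and summary["reason"] == "DEL_REASON_PEER_NOT_RESPONDING":
        return ("no IKE reply after %d retransmissions: UDP/500 to the peer is not being answered; "
                "confirm on the headend whether the proposals arrive at all" % summary["retransmissions"])
    return "Phase 1 exchanged packets; look for a proposal or authentication mismatch instead"

# Constructed sample: a subset of the entries quoted in the post above.
SAMPLE_LOG = """
6      10:41:40.833  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 175.100.110.150
10     10:41:45.887  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
12     10:41:50.957  10/31/12  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
15     10:42:01.096  10/31/12  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
```

Calling `verdict(diagnose_phase1(parse_log(SAMPLE_LOG)))` on the sample reports no IKE reply after 2 retransmissions.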

1 Reply

Jennifer Halim
Cisco Employee

Config looks correct, and you don't need the access-list OUTSIDE_IN for those 2 UDP/500 and ESP.

Can you please enable debugs on the ASA:

debug cry isa

debug cry ipsec

and try to connect again, and share the output.