10-30-2012 08:47 PM - edited 02-21-2020 06:27 PM
Dear,
I have a problem relating to remote access VPN configuration on a Cisco ASA 5550, version 8.2(1). I used Cisco VPN client 5.0.03.0560 with a simple topology: laptop (client) ----- (Internet) ------- (public IP) ASA. I can ping the OUTSIDE interface of the ASA from the laptop over the Internet.
When I connect from the Cisco VPN client to the ASA, I get the following log on the Cisco VPN client:
1 10:38:49.281 10/31/12 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 10:41:40.793 10/31/12 Sev=Info/4 CM/0x63100002
Begin connection process
3 10:41:40.795 10/31/12 Sev=Info/4 CM/0x63100004
Establish secure connection
4 10:41:40.795 10/31/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "175.100.110.150"
5 10:41:40.797 10/31/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 175.100.110.150.
6 10:41:40.833 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 175.100.110.150
7 10:41:40.834 10/31/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 10:41:40.834 10/31/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 10:41:45.887 10/31/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 10:41:45.887 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
11 10:41:50.957 10/31/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 10:41:50.957 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
13 10:41:56.026 10/31/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 10:41:56.026 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
15 10:42:01.096 10/31/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 10:42:01.610 10/31/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 10:42:01.610 10/31/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "175.100.110.150" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 10:42:01.610 10/31/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 10:42:01.611 10/31/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
20 10:42:01.611 10/31/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
21 10:42:02.114 10/31/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 10:42:02.114 10/31/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 10:42:02.114 10/31/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 10:42:02.114 10/31/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
This is my configuration on ASA:
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
! Enable VPN address allocation from local pools
! Notice that it's enabled by default
!
vpn-addr-assign local
!
! Local address pool
!
ip local pool EZVPN 10.1.245.10-10.1.245.250
!
! Split-tunneling ACL (we use a standard ACL)
!
! Local username for Xauth, define group-lock attribute
!
username CISCO password CISCO1234
username CISCO attributes
 group-lock value EZVPN
!
! Tunnel-group policy
!
group-policy EZVPN internal
group-policy EZVPN attributes
 vpn-tunnel-protocol IPSec
 address-pools value EZVPN
 dns-server value 10.1.254.10
!
! Tunnel-group definition
! Note that authentication-server-group is LOCAL by default
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 authentication-server-group LOCAL
 default-group-policy EZVPN
!
tunnel-group EZVPN ipsec-attributes
 pre-shared-key CISCO
!
! IPsec transform-set
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
! Dynamic crypto-map
!
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 10 set reverse-route
!
! Define crypto-map
!
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
!
! Attach crypto map to the interface
!
crypto map VPN interface outside
!
! Permit VPN traffic to bypass interface ACLs (default)
!
sysopt connection permit-vpn
!
! Redistribute static routes into OSPF
!
! ACL permitting ESP and ISAKMP
!
access-list OUTSIDE_IN permit udp any any eq isakmp
access-list OUTSIDE_IN permit esp any any
!
access-group OUTSIDE_IN in interface outside
Please suggest how I can troubleshoot this problem.
Thanks so much.
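As an added example (not part of the thread), a small Python triage script for the client log format quoted above: it pairs each numbered header line with its message line, counts the unanswered aggressive-mode sends, and reads the all-zero responder cookie as "no reply ever arrived". The sample records are copied from the post; the verdict strings are my own wording.

```python
import re
from dataclasses import dataclass

# Constructed sample in the two-line record format of the Cisco VPN client log
# quoted above (header line, then message line); values copied from the post.
SAMPLE_LOG = """\
6 10:41:40.833 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 175.100.110.150
9 10:41:45.887 10/31/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 10:41:45.887 10/31/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 175.100.110.150
15 10:42:01.096 10/31/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=3778A234178BBB3D R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^(\d+) (\S+) (\S+) Sev=(\w+)/(\d) (\w+)/(0x[0-9A-Fa-f]+)$")

@dataclass
class Record:
    seq: int
    time: str
    subsystem: str   # IKE, IPSEC, CM, GUI
    message: str

def parse_records(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            records.append(Record(int(m.group(1)), m.group(2), m.group(6), lines[i + 1]))
            i += 2
        else:
            i += 1
    return records

def triage_phase1(records):
    """Summarise the IKE phase 1 outcome from the client's point of view."""
    ike = [r for r in records if r.subsystem == "IKE"]
    peer = next((m.group(1) for r in ike
                 if (m := re.search(r" to (\d+\.\d+\.\d+\.\d+)$", r.message))), None)
    sent = sum(r.message.startswith("SENDING >>>") for r in ike)
    retrans = sum("Retransmitting" in r.message for r in ike)
    received = any(r.message.startswith("RECEIVED <<<") for r in ike)
    # The responder cookie stays all-zero until the peer's first reply arrives.
    no_reply = any("R_Cookie=0000000000000000" in r.message for r in ike)
    reason = next((m.group(1) for r in ike
                   if (m := re.search(r"reason = (\w+)", r.message))), None)
    if reason == "DEL_REASON_PEER_NOT_RESPONDING" and not received and no_reply:
        verdict = "no ISAKMP reply: UDP/500 is not reaching the ASA or ISAKMP is not enabled on the client-facing interface"
    elif reason:
        verdict = "peer answered but phase 1 still failed: check debug crypto isakmp on the ASA for the mismatch"
    else:
        verdict = "no phase 1 failure recorded"
    return {"peer": peer, "sent": sent, "retransmissions": retrans,
            "received_reply": received, "reason": reason, "verdict": verdict}
```

Feed it the full client log and the verdict tells you whether to look at reachability of UDP/500 first or at the ASA's isakmp debug.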
10-30-2012 08:56 PM
Config looks correct, and you don't need the access-list OUTSIDE_IN for those two (UDP/500 and ESP).
Can you please enable debugs on the ASA:
debug cry isa
debug cry ipsec
and try to connect again, and share the output.