3293 Views, 20 Helpful, 13 Replies

Remote VPN configuration assistance / ASDM

grggyoung (Level 1)

I set up remote VPN access yesterday and missed a minor step. The remote VPN is working, but I meant to set up the connection on port 8443 and missed that. It is using port 443 and I am no longer able to connect through ASDM. I can connect via PuTTY but am not very experienced using the command line. Is this an easy update, or should I just open a TAC request?

Accepted Solution

Try the command clear configure webvpn. Then connect using ASDM and reconfigure AnyConnect.


13 Replies

If this is an AnyConnect VPN, then you have to run this command, as you already have CLI access. Log in with PuTTY and give it this:

===================

webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect image disk0:/anyconnect-win-4.2.01035-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

==================

Edit: giving the above command changes your VPN to port 8443 and you will have access to ASDM on port 443. However, as mentioned by @Mohammed al Baqari, you can change the HTTP port to 8443 instead.

If you access your ASDM from the management interface, then give this command:

http server enable 8443   /// or http server enable 443 (443 is the default)
http 192.168.1.0 255.255.255.0 mgmt   /// where 192.168.1.0 is your management subnet

please do not forget to rate.

Post the following in the CLI:

Config t
webvpn
port 8443
wr mem

This will make your AnyConnect VPN listen on port 443, and you can get access to ASDM again.

If you want to change ASDM to port 8443 and keep AnyConnect on 443, post the following:

conf t
http server enable 8443
wr mem
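The replies above all turn on one point: on the ASA both the AnyConnect/WebVPN service and the ASDM http server default to TCP 443, and when WebVPN is enabled on the interface ASDM is reached through, the original poster lost ASDM access. The Python below is an added example (not from this thread, and not Cisco's code) that reads an ASA configuration fragment in the layout `show run` prints and flags that overlap before `wr mem`. Both configuration fragments inside it are constructed for the example; the parser understands only the `http server enable`, `webvpn`, `port`, `dtls port` and `enable <interface>` lines discussed in the thread.

```python
import re

# Constructed ASA configuration fragment modelled on the situation in the thread:
# AnyConnect (webvpn) enabled on the outside interface with no explicit port,
# and the ASDM http server left on its default. Not a real device's config.
BROKEN_CONFIG = """
http server enable
http 192.168.1.0 255.255.255.0 mgmt
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""

# The same fragment after the change the replies describe: webvpn moved to
# 8443 for both HTTPS and DTLS, ASDM left on 443. Also constructed.
FIXED_CONFIG = """
http server enable
http 192.168.1.0 255.255.255.0 mgmt
webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect enable
 tunnel-group-list enable
"""

DEFAULT_PORT = 443  # both services listen on TCP 443 when no port is configured


def parse_listeners(config):
    """Extract the ports the ASDM http server and webvpn listen on.

    Returns {'http': {'enabled': bool, 'port': int},
             'webvpn': {'interfaces': [...], 'port': int, 'dtls_port': int}}.
    Indented lines after 'webvpn' are treated as its sub-commands, as in 'show run'.
    """
    http = {"enabled": False, "port": DEFAULT_PORT}
    webvpn = {"interfaces": [], "port": DEFAULT_PORT, "dtls_port": DEFAULT_PORT}
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        cmd = raw.strip()
        if not raw.startswith(" "):
            # A top-level command closes the webvpn section unless it opens it.
            in_webvpn = cmd == "webvpn"
            m = re.fullmatch(r"http server enable(?: (\d+))?", cmd)
            if m:
                http["enabled"] = True
                if m.group(1):
                    http["port"] = int(m.group(1))
            continue
        if in_webvpn:
            if m := re.fullmatch(r"port (\d+)", cmd):
                webvpn["port"] = int(m.group(1))
            elif m := re.fullmatch(r"dtls port (\d+)", cmd):
                webvpn["dtls_port"] = int(m.group(1))
            elif m := re.fullmatch(r"enable (\S+)", cmd):
                webvpn["interfaces"].append(m.group(1))
    return {"http": http, "webvpn": webvpn}


def find_port_conflict(config):
    """Describe a webvpn/ASDM port overlap, or return None when the ports differ."""
    found = parse_listeners(config)
    http, webvpn = found["http"], found["webvpn"]
    if http["enabled"] and webvpn["interfaces"] and http["port"] == webvpn["port"]:
        return ("webvpn on %s and the ASDM http server both listen on TCP %d; "
                "give one of them another port ('port 8443' under webvpn, "
                "or 'http server enable 8443')"
                % (", ".join(webvpn["interfaces"]), http["port"]))
    return None


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", find_port_conflict(cfg) or "no conflict")
```

Either resolution given in the thread clears the check: moving webvpn to 8443 or moving the http server to 8443 both leave the two listeners on different ports.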

I get the message that WebVPN is enabled when I ran the port 8443 command.

** @Mohammed al Baqari, I was also assuming you had a typo and meant the AnyConnect VPN would listen on port 8443.

Thank you for your assistance.

He can confirm this :-)  Yes, it seems to be a typo too.

please do not forget to rate.

I should have been more clear: I cannot change the port because the WebVPN is enabled. Can you assist with the commands needed to disable it?

You want to disable the WebVPN?

If you want to disable it, then:

!

 no webvpn

!

This command will disable your WebVPN.

!

And if you want to change the port number again:

!

webvpn
 port 8443
 enable outside
 dtls port 8443

anyconnect enable

!

If an AnyConnect client is connected, you can check with this command:

!

show vpn-sessiondb anyconnect

!

And if you still want to go ahead and change the port to 8443 for AnyConnect, you can kick out this client, or all the clients, with this command:

!

vpn-sessiondb logoff anyconnect noconfirm

But make sure you have a change control in place for this.

please do not forget to rate.

Sorry, but I'm still struggling. When I enter no webvpn I receive an error. It doesn't accept it as a valid command.

What is your ASA code?

I double-checked on my ASA; it's taking the command. Here is my output:

!

ASA(config)# no webvpn
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.

!

please do not forget to rate.

I forgot to use the config t command, but I'm still struggling. I am going to reset the router and start over. I have messed something up in the configuration. Now the VPN doesn't work and I cannot connect to the ASDM software.

What is the issue now? You need access to ASDM?

Give this command on the CLI:

http server enable 5443
http x.x.x.x 255.255.255.0 mgmt

!

Then go to https://x.x.x.x:5443 in the browser.

please do not forget to rate.


Well, not sure what I did wrong the first time. I reset the router and followed the configuration wizard, and this time it didn't knock out my ASDM. I cannot figure out what I did differently.

To switch the port I logged into the ASDM
Configuration -- Remote Access VPN -- AnyConnect Connection Profile
Unchecked Enabled Cisco AnyConnect VPN Client...... <press Apply>
Unchecked Allow Access and Enable DTLS for the outside interface <press Apply>
Clicked on Port Settings, updated to 8443 for both HTTPS and DTLS
Pressed Apply

That seemed to do the trick, thank you to everyone who replied to this message.

I have a task in hand whereby I need to get site-to-site and remote-to-site VPN configured on my branch router.

HQ: only a site-to-site VPN to the branch router

Branch: site-to-site VPN with the HQ router, plus client-to-branch-site VPN access

I have the following configuration. Site-to-site is working fine, but when I connect a laptop from outside the branch network using Cisco VPN Client version 5, it asks for a username and password, but after some time no connection is established. I enabled logging in the VPN Client and got the following error messages, which means Phase 2 is not getting negotiated.

If I change the transform-set to esp-aes esp-sha-hmac, then I lose my site-to-site VPN connectivity to my HQ router.

I am stuck now and have tried all the possible solutions, but nothing seems to be working. I do not know where I am going wrong.

Branch Router Config (Cisco 3825)

interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address XX.XX.XX.XX 255.255.255.0
 ip nat outside
 crypto map IPSEC-SITE-TO-SITE-VPN
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
ip access-list extended 199
 deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
 permit ip 192.168.4.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
!
ip access-list extended 100
 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip access-list extended 102
 permit ip 172.16.0.0 0.0.255.255 any
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key XX address XX.XX.XX
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set MY-SET
 match address 100
!
aaa new-model
aaa authentication login users local
aaa authorization network groups local
!
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
!
crypto isakmp client configuration group internal
 key cisco
 pool vpnpool
 acl 102
!
crypto dynamic-map d-map 1
 set transform-set MY-SET
 reverse-route
!
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
!
username XX password XX

Cisco VPN Client log messages

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

684 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100002
Begin connection process

685 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100004
Establish secure connection

686 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xx"

687 18:05:07.982 08/16/19 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.

688 18:05:07.982 08/16/19 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

689 18:05:07.998 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

690 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

691 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xx.xx.xx.xx

692 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

693 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DPD

694 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text

695 18:05:08.232 08/16/19 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.

696 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

697 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

698 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

699 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx

700 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

701 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xC613, Remote Port = 0x1194

702 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

704 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

705 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx

706 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

707 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

708 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

709 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

710 18:05:08.232 08/16/19 Sev=Info/4 CM/0x63100015
Launch xAuth application

711 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

712 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

713 18:05:12.045 08/16/19 Sev=Info/4 CM/0x63100017
xAuth application returned

714 18:05:12.045 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

715 18:05:12.248 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

716 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

717 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

718 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

719 18:05:12.264 08/16/19 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

720 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

721 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

722 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

723 18:05:18.547 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

724 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

725 18:05:22.673 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816096

726 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

727 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

728 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

729 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

730 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

731 18:05:27.770 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816097

732 18:05:28.804 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

733 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

734 18:05:32.916 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816098

735 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=45C6D766

736 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

737 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx

738 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

740 18:05:36.008 08/16/19 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

741 18:05:36.008 08/16/19 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

742 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

743 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

744 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

745 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

746 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Any help would be greatly appreciated.
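The client log above runs to a few hundred lines, and the part that matters is short: after the second "Established Phase 1 SA ... 1 User Authenticated IKE SA" line the client sends an ISAKMP OAK TRANS message, retransmits it three times without an answer, reports "Phase-2 retransmission count exceeded", and finally logs "Phase 1 SA deleted before Mode Config is completed". The Python below is an added example, not part of this thread, that parses logs in this Cisco VPN Client layout and reports which stage the negotiation stalled in (Phase 1, XAuth, Mode Config or Quick Mode), how many retransmissions preceded the failure, and the deletion reason. The embedded excerpt is constructed to mirror the shape of the posted log; its peer address, sequence numbers and cookies are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the Cisco VPN Client log layout used in the thread: a
# header line (sequence, time, date, severity, module/code) followed by the
# message on the next line. Peer address and cookies are made up for the example.
SAMPLE_LOG = """
10 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

11 18:05:12.045 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.0.113.10

12 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

13 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.0.113.10

14 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

15 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 203.0.113.10

16 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

17 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 203.0.113.10

18 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=00000001

19 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0000000000000001 R_Cookie=0000000000000002) reason = DEL_REASON_IKE_NEG_FAILED
"""

HEADER_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\S+)\s+(\S+)$")


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Pair each header line with the message line that follows it: (module/code, message)."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append((m.group(5), lines[i + 1]))
            i += 2
        else:
            i += 1
    return entries


@dataclass
class IkeSummary:
    phase1_established: bool = False
    xauth_completed: bool = False
    retransmissions: int = 0
    failure_reason: Optional[str] = None
    stalled_stage: Optional[str] = None  # set only when the log records a failure


def summarize(text: str) -> IkeSummary:
    """Walk the log in order and work out where the IKE negotiation stopped."""
    s = IkeSummary()
    last_exchange = None  # exchange type of the latest SENDING line that was not a retransmission
    for _code, msg in parse_entries(text):
        if msg.startswith("Established Phase 1 SA"):
            s.phase1_established = True
            s.xauth_completed = "1 User Authenticated IKE SA" in msg
        elif msg.startswith("SENDING >>>") and "Retransmission" not in msg:
            m = re.search(r"ISAKMP OAK (\w+)", msg)
            last_exchange = m.group(1) if m else None
        elif msg.startswith("Retransmitting last packet"):
            s.retransmissions += 1
        m = re.search(r"reason = (\w+)", msg)
        if m:
            s.failure_reason = m.group(1)
    if s.failure_reason:
        if not s.phase1_established:
            s.stalled_stage = "phase1"
        elif not s.xauth_completed:
            s.stalled_stage = "xauth"
        elif last_exchange == "TRANS":
            s.stalled_stage = "mode-config"  # unanswered Transaction exchange after XAuth
        elif last_exchange == "QM":
            s.stalled_stage = "quick-mode"   # unanswered Quick Mode, i.e. the IPsec SA proposal
        else:
            s.stalled_stage = "unknown"
    return s


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The stage is taken from the exchange type of the last message that went unanswered rather than from the "Phase-2 retransmission count exceeded" text, because in the posted log that message fires while a TRANS (Mode Config) exchange is still outstanding, as the later "Phase 1 SA deleted before Mode Config is completed" line shows; a stall in Quick Mode would instead show an unanswered ISAKMP OAK QM message.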