RemoteAccess VPN not working ,VPNC client is connecting but no connectivity

shanilkumar2003
Level 1

Hi All,

I have configured remote access VPN on a Cisco ASA 5520. The Cisco VPN client is connecting fine and both phases are coming up, but IPsec phase packets are not encapsulating, and I am not able to reach the remote subnets 192.168.10.0 and 192.168.180.0.

Kindly help me to resolve the issue. Below is the relevant config.

Thanks
Shanil

config====================================================================
access-list acl-nonat line 20 extended permit ip 192.168.10.0 255.255.255.0 172.23.20.0 255.255.255.128 
access-list acl-nonat line 20 extended permit ip 192.168.180.0 255.255.255.240 172.23.20.0 255.255.255.128

access-list splitTunnel_raacl line 1 extended permit ip 192.168.10.0 255.255.255.0 any
access-list splitTunnel_raacl line 2 extended permit ip 192.168.180.0 255.255.255.240 any

access-list ra_acl line 1 extended permit ip any 192.168.10.0 255.255.255.0
access-list ra_acl line 2 extended permit ip any 192.168.180.0 255.255.255.240

aaa-server NON-RETAIL-VPN protocol tacacs+
aaa-server NON-RETAIL-VPN (inside) host 192.168.200.14
key 3n0cr1ght5
aaa-server NON-RETAIL-VPN (inside) host 192.168.10.9
key 3n0cr1ght5


ip local pool ra-pool 172.23.20.2-172.23.20.125 mask 255.255.255.128

group-policy RAVPN internal
group-policy RAVPN attributes
vpn-idle-timeout 30
vpn-filter value ra_acl
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitTunnel_raacl


tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool ra-pool
default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
pre-shared-key xxxx

crypto ipsec transform-set ravpn-set esp-3des esp-sha-hmac

crypto dynamic-map RAVPN 23 set transform-set ravpn-set

crypto map ENOCMAP 4 ipsec-isakmp dynamic RAVPN
========================================================================

Output
2   IKE Peer: 94.58.71.99
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

# sh crypto ipsec sa peer 94.58.71.99
peer address: 94.58.71.99
    Crypto map tag: RAVPN, seq num: 23, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.23.20.2/255.255.255.255/0/0)
      current_peer: 94.58.71.99, username: shanilra
      dynamic allocated peer ip: 172.23.20.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
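An added example, not part of the thread: a Python parser that pulls the key counters out of `show crypto ipsec sa` output like the excerpt above and classifies the symptom (here, packets decapsulated from the client but none encapsulated back). The sample text is a constructed, trimmed copy of the posted output, and the hint wording is mine, following the diagnosis given in the replies.

```python
import re
# Constructed sample: a trimmed copy of the "show crypto ipsec sa" output posted above.
SAMPLE_SA = """\
    Crypto map tag: RAVPN, seq num: 23, local addr: x.x.x.x
      current_peer: 94.58.71.99, username: shanilra
      dynamic allocated peer ip: 172.23.20.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
      #send errors: 0, #recv errors: 0
"""
FIELDS = {"peer": r"current_peer: ([^,\s]+)", "pool_ip": r"dynamic allocated peer ip: (\S+)"}
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
# Triage hints per symptom; my wording, following the thread's diagnosis.
HINTS = {
    "inbound-only": "client traffic is decrypted but nothing is tunneled back: check NAT "
                    "exemption for the pool (on 8.3+ a 'nat ... source static ... destination "
                    "static ...' rule, not an ACL), the route back to the pool, and the vpn-filter.",
    "outbound-only": "ASA encapsulates but receives nothing from the client.",
    "no-traffic": "no packets in either direction yet.",
    "errors": "send/recv errors present: check syslog for this SA.",
    "bidirectional": "traffic flows both ways; the tunnel itself is not the problem.",
}

def parse_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per SA with the key counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"Crypto map tag: ([^,]+), seq num: (\d+)", line):
            cur = {"map": m.group(1), "seq": int(m.group(2)), "counters": {}}
            sas.append(cur)                     # each SA block starts here
        elif cur is not None:
            for key, pat in FIELDS.items():
                if m := re.search(pat, line):
                    cur[key] = m.group(1)
            for name, val in COUNTER_RE.findall(line):
                cur["counters"][name] = int(val)
    return sas

def triage(sa):
    """Classify one SA by its encaps/decaps pattern; returns a HINTS key."""
    c = sa["counters"]
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if enc and dec:
        return "bidirectional"
    if enc or dec:
        return "inbound-only" if dec else "outbound-only"
    return "no-traffic"
```

Running `triage` over `parse_sa(SAMPLE_SA)` returns "inbound-only" for the posted SA, which is the pattern the replies attribute to missing NAT exemption or a missing return route.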

4 Replies

Jennifer Halim
Cisco Employee

From the above output, the issue seems to be either that the packet doesn't reach the remote end, or the remote end is not responding, or it doesn't know how to route back towards the VPN pool subnet (172.23.20.0/25).

Which interface did you apply the nonat ACL to? And also, do you have a route towards the 192.168.10.0/24 and 192.168.180.0/24 subnets on the ASA if they're not directly connected to the FW?

And also please check if the internal router/host knows to route 172.23.20.0/25 back towards the ASA.

EDIT: Sorry, just see that I've read your config wrong. The vpn-filter is correct, but with the split-tunnel still not needed.

Your vpn-filter ACL is wrong (mixed up source and destination). Please remove the vpn-filter from your group-policy and test again if it is working. It looks like you want your clients only to reach the two given networks. For that you don't need the vpn-filter anyway, as these are the only networks that are tunneled in the split-tunnel config.


Sent from Cisco Technical Support iPad App

Actually I have 8.3 IOS. I have removed the vpn-filter ACL and also given NAT exemption as below; no need of acl-nonat, and it started working.

Thanks all for the valuable suggestions.

nat (inside,any) source static obj-192.168.180.0 obj-192.168.180.0 destination static obj-192.168.199.0 obj-192.168.199.0 no-proxy-arp route-lookup 1060

nat (inside,any) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.199.0 obj-192.168.199.0 no-proxy-arp route-looku

Thanks

Shanil

If you are running 8.3, then you should check whether your ACL "acl-nonat" is still needed. It's a typical name for ACLs that were used for NAT exemption in previous versions. In 8.3+ it's implemented differently, and I assume this ACL can be removed.


Sent from Cisco Technical Support iPad App