02-07-2008 08:02 AM - edited 02-21-2020 03:32 PM
I recently installed an ASA to replace an ailing PIX, and everything seems to be working well. Now we are looking at migrating remote VPN and eventually LAN-to-LAN traffic over to the ASA, due to the looming EOL on our VPN Concentrator.
I used the ASDM wizard to configure remote access VPN on the ASA, authenticating to Windows IAS. When attempting to connect with the Cisco VPN Client (version 4.0) I can see the authentication is successful on the IAS server, but the client says authentication failed. In reviewing my config from CLI, I noticed that I'm missing the line "sysopt connection permit-ipsec". I suspect this is causing my failed authentication, as the ASA is rejecting IPSEC traffic.
I attempted to add the line in CLI, and it doesn't give me any errors, but it still does not appear when I do a "show run".
The ASA is running version 7.0(6), and I was unable to find any reference to this in the release notes for any of the later versions.
02-07-2008 08:16 AM
Try a "show run sysopt"; it should display there.
Also, the command changed in version 7.2 and later to "sysopt connection permit-vpn".
02-07-2008 09:30 AM
Hi,
It doesn't appear because it's the default, i.e. ESP and IKE traffic are allowed without having to specify them in the interface access-list, so this is very unlikely to be the problem.
That doesn't help you though - so if you are sure the config is all OK then it might be time to try some debugs. (If you post the config that might also help)
I also seem to remember that the Cisco VPN client has an ability to provide extra logging so if you can enable that and have a look that might also give you some more clues.
HTH
Andrew.
02-07-2008 09:46 AM
"sysopt connection permit-vpn" or "sysopt connection permit-ipsec" have nothing to do with actually connecting a remote or site2site VPN. This command doesn't matter until the tunnel is established. Without this command, you need ACL entries on your inbound ACL to allow access to the internal network over a VPN tunnel. With this command, VPN connections are *not* subject to ACL checks.
Post your config though and we can troubleshoot further. Also, you might want to upgrade your vpn client from 4.0.
02-07-2008 10:12 AM
Thanks for the replies. Here's the relevant config from the ASA. I'll re-test with the VPN client and post a debug from there as well, if needed.
route outside 0.0.0.0 0.0.0.0 172.16.0.1 tunneled
!
group-policy DelcoNST internal
group-policy DelcoNST attributes
wins-server value 172.16.0.42 172.16.0.41
dns-server value 172.16.0.42 172.16.0.41
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
group-lock value DelcoNST
ipsec-udp enable
default-domain value co.delaware.ny.us
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DelcoNST type ipsec-ra
tunnel-group DelcoNST general-attributes
!
authentication-server-group DELCO-RADIUS LOCAL
default-group-policy DelcoNST
dhcp-server 172.16.0.44
tunnel-group DelcoNST ipsec-attributes
pre-shared-key *
peer-id-validate cert
no vpn-addr-assign aaa
no vpn-addr-assign local
02-08-2008 07:44 AM
OK, the log on the VPN client isn't much help. I'm getting:
PEER_DELETE-IKE_DELETE_UNSPECIFIED
But on the ASA, I'm getting this:
4|Feb 08 2008 10:09:37|713903: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Error: Unable to remove PeerTblEntry
3|Feb 08 2008 10:09:37|713902: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Removing peer from peer table failed, no match!
3|Feb 08 2008 10:09:37|713132: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Cannot obtain an IP address for remote peer
6|Feb 08 2008 10:09:37|713184: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Client Type: WinNT Client Application Version: 4.0.4 (D)
5|Feb 08 2008 10:09:37|713130: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Received unsupported transaction mode attribute: 5
6|Feb 08 2008 10:09:26|713172: Group = DelcoNST, IP = 204.14.57.75, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
From poking around here a bit, the last few messages seem to indicate that the client is not getting an IP address.
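Added example, not from this thread or from Cisco: a small Python audit that reads the address-assignment lines from the posted config and the 713132 syslog above, and reports which vpn-addr-assign methods are still enabled and whether each has a configured source. It also reports the sysopt status, since "show run" hides the default. It assumes the ASA 7.x behaviour described in the thread (all three vpn-addr-assign methods on by default, "sysopt connection permit-ipsec" on by default, renamed permit-vpn in 7.2); the sample config and syslog strings are constructed from the lines posted.

```python
"""Audit ASA 7.x remote-access address assignment and correlate with syslog 713132."""
import re

# Constructed sample input: the address-assignment lines from the posted config.
SAMPLE_CONFIG = """\
tunnel-group DelcoNST type ipsec-ra
tunnel-group DelcoNST general-attributes
 authentication-server-group DELCO-RADIUS LOCAL
 default-group-policy DelcoNST
 dhcp-server 172.16.0.44
no vpn-addr-assign aaa
no vpn-addr-assign local
"""

# Constructed sample input: two of the syslog lines the poster reported.
SAMPLE_SYSLOG = """\
3|Feb 08 2008 10:09:37|713132: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Cannot obtain an IP address for remote peer
6|Feb 08 2008 10:09:37|713184: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Client Type: WinNT Client Application Version: 4.0.4 (D)
"""

ADDR_METHODS = ("aaa", "dhcp", "local")


def parse_addr_assignment(config):
    """Return {'enabled': {method: bool}, 'sources': {method: [names/addresses]}}.

    Assumption (ASA 7.x): every method is on unless an explicit
    'no vpn-addr-assign <method>' appears, so a method missing from
    'show run' counts as enabled. The aaa method hands out whatever the
    RADIUS reply carries, which the config cannot show, so no source is
    ever recorded for it.
    """
    enabled = dict.fromkeys(ADDR_METHODS, True)
    sources = {m: [] for m in ADDR_METHODS}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(no )?vpn-addr-assign (aaa|dhcp|local)", line)
        if m:
            enabled[m.group(2)] = m.group(1) is None
            continue
        m = re.match(r"dhcp-server (\S+)", line)          # tunnel-group DHCP source
        if m:
            sources["dhcp"].append(m.group(1))
            continue
        m = re.match(r"ip local pool (\S+)", line) or re.match(r"address-pool (\S+)", line)
        if m:
            sources["local"].append(m.group(1))           # local pool or its binding
    return {"enabled": enabled, "sources": sources}


def usable_methods(config):
    """Methods that are both enabled and have a source visible in the config."""
    info = parse_addr_assignment(config)
    return [m for m in ADDR_METHODS if info["enabled"][m] and info["sources"][m]]


def sysopt_status(config):
    """'show run' omits defaults; report explicit settings, else the default."""
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"no sysopt connection permit-(ipsec|vpn)", line):
            return "disabled"
        if re.fullmatch(r"sysopt connection permit-(ipsec|vpn)", line):
            return "enabled"
    return "default (enabled, hidden from show run; confirm with 'show run sysopt')"


def find_addr_failures(syslog):
    """Return (group, username, peer_ip) for every 713132 'Cannot obtain an IP address' line."""
    hits = []
    for line in syslog.splitlines():
        if "|713132:" not in line:
            continue
        m = re.search(r"Group = (\S+), Username = (\S+), IP = (\S+),", line)
        if m:
            hits.append(m.groups())
    return hits


def diagnose(config, syslog):
    """Human-readable findings tying the config state to the syslog evidence."""
    info = parse_addr_assignment(config)
    findings = []
    for method in ADDR_METHODS:
        if not info["enabled"][method]:
            findings.append(f"{method}: disabled (no vpn-addr-assign {method})")
        elif method == "aaa":
            findings.append("aaa: enabled; relies on the RADIUS reply carrying an address")
        elif info["sources"][method]:
            findings.append(f"{method}: enabled, source {', '.join(info['sources'][method])}")
        else:
            findings.append(f"{method}: enabled but no pool/server configured")
    findings.append(f"sysopt connection permit-ipsec/vpn: {sysopt_status(config)}")
    for group, user, peer in find_addr_failures(syslog):
        findings.append(f"713132 for {user} (group {group}, peer {peer}): "
                        f"remaining methods {usable_methods(config) or 'none'} did not supply an address")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print(line)
```

Run against the posted lines it shows aaa and local disabled, dhcp as the only remaining method (source 172.16.0.44), and the 713132 entry for the failing user, which narrows the question to whether that DHCP server is actually answering the ASA.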
02-08-2008 08:24 AM
This could be an IAS issue. I've seen this where there are lots of IAS policies... I usually have to move the one I'm having trouble with up to the top in the remote access policies.