02-17-2010 10:59 PM
Hi,
I have an ASA 5510 (8.0.2), ASDM 6.1 and an ASA-SSM-10. Our clients are using Cisco VPN client 5.0.02. One of them connects successfully but cannot ping or connect anywhere. His account and PC settings are OK, since he can connect when he changes his Internet connection and gets another public IP address.
I can see TX/RX traffic from ASDM for the VPN session and shun list is empty.
Any suggestions will be much appreciated.
S.
02-18-2010 09:45 AM
Please make sure that the following line is enabled on the ASA: "crypto isakmp nat-t 20". If it is not enabled, go ahead and enable it, then disconnect and reconnect.
If that still does not work, please check your NAT exempt config and post your config here.
Ivan
02-19-2010 04:24 AM
Dear Ivan,
My VPN issue is a bit different: VPN connections from the internet to the outside interface of the Enterprise network are established, and users can reach all required nodes on the inside Enterprise network; connections from the subscriber network are also established, but users cannot reach anywhere on the inside Enterprise network. Kindly help.
Find attached diagram.
02-19-2010 08:16 AM
Understood. Can you tell me what protocol is used by the subscriber network clients when they are connected? Is it plain ESP or do they use NAT-T?
02-19-2010 09:26 AM
IPSec over NAT-T is enabled in the IKE global parameters
02-19-2010 09:49 AM
Ok, thanks. When you see this behavior, do you see packets encrypted and decrypted in the VPN client statistics? Can you get a "show crypto ipsec sa" from the firewall once the clients that have the issue are connected?
02-19-2010 12:17 PM
On the VPN client statistics, packets encrypted continues to increase, while packets decrypted remains at zero. I also see packets bypassed is increasing.
ASA5540# show crypto ipsec sa
interface: Outside
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
current_peer: 41.138.185.126, username: test
dynamic allocated peer ip: 10.64.253.11
#pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
#pkts decaps: 1293, #pkts decrypt: 1293, #pkts verify: 1293
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1234, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.64.250.19, remote crypto endpt.: 41.138.185.126
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 160EDD1F
inbound esp sas:
spi: 0x718E62FB (1905156859)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26688
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x160EDD1F (370072863)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26683
IV size: 16 bytes
replay detection support: Y
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.64.253.9/255.255.255.255/0/0)
current_peer: 41.138.188.3, username: ofun
dynamic allocated peer ip: 10.64.253.9
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.64.250.19, remote crypto endpt.: 41.138.188.3
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 796C8A82
inbound esp sas:
spi: 0xA9776EB7 (2843176631)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 47, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 28745
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x796C8A82 (2037156482)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 47, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 28745
IV size: 16 bytes
replay detection support: Y
02-19-2010 02:11 PM
Subscriber Network VPN Client
Statistics
Packets
Encrypted: 123
Decrypted: 0
Discarded: 0
Bypassed: 609
ASA# show crypto ipsec sa
interface: Outside
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
current_peer: 41.138.185.126, username: test
dynamic allocated peer ip: 10.64.253.11
#pkts encaps: 1166, #pkts encrypt: 1166, #pkts digest: 1166
#pkts decaps: 1217, #pkts decrypt: 1217, #pkts verify: 1217
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1166, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.64.250.19, remote crypto endpt.: 40.8.185.126
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 160EDD1F
inbound esp sas:
spi: 0x718E62FB (1905156859)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26798
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x160EDD1F (370072863)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26791
IV size: 16 bytes
replay detection support: Y
Internet VPN Client
Statistics
Packets
Encrypted: 179
Decrypted: 137
Discarded: 7
Bypassed: 549
ASA5540# show crypto ipsec sa
interface: Outside
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
current_peer: 212.100.68.20, username: test
dynamic allocated peer ip: 10.64.253.11
#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
#pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.64.250.19/4500, remote crypto endpt.: 212.100.68.20/1554
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: EB918365
inbound esp sas:
spi: 0x2E0E9398 (772707224)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 48, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 28701
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xEB918365 (3952182117)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 48, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 28692
IV size: 16 bytes
replay detection support: Y
Looking at the in use settings of both inbound and outbound esp sas, I see that the internet VPN session has NAT-T-Encaps, while it does not appear in the VPN session formed by the client on the Subscriber Network.
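The comparison made in this post, whether an SA negotiated NAT-T-Encaps and whether the client's decrypted counter is stuck at zero while the headend keeps encapsulating, can be automated when a headend has many remote-access peers. The script below is an added example, not code from the thread or from Cisco; it parses text in the format of the ASA "show crypto ipsec sa" output quoted above, and the sample output, usernames, addresses and counters are constructed.

```python
import re

# Constructed sample in the format of the ASA 'show crypto ipsec sa' output
# quoted in the thread; addresses and counters are made up.
SAMPLE_ASA_OUTPUT = """\
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
current_peer: 192.0.2.10, username: test
#pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
#pkts decaps: 1293, #pkts decrypt: 1293, #pkts verify: 1293
in use settings ={RA, Tunnel, }
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19
current_peer: 198.51.100.7, username: alice
#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
#pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
in use settings ={RA, Tunnel, NAT-T-Encaps, }
"""
# VPN client "Statistics > Packets" counters per username (constructed).
SAMPLE_CLIENT_STATS = {"test": {"encrypted": 123, "decrypted": 0},
                       "alice": {"encrypted": 179, "decrypted": 137}}

def parse_asa_ipsec_sa(text):
    """One record per remote-access SA in 'show crypto ipsec sa' output."""
    sas = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            sas.append({"nat_t": False, "encaps": 0, "decaps": 0})
        elif line.startswith("current_peer:"):
            m = re.match(r"current_peer: (\S+), username: (\S+)", line)
            sas[-1]["peer"], sas[-1]["username"] = m.groups()
        elif line.startswith(("#pkts encaps:", "#pkts decaps:")):
            key, val = re.match(r"#pkts (\w+): (\d+)", line).groups()
            sas[-1][key] = int(val)
        elif line.startswith("in use settings") and "NAT-T-Encaps" in line:
            sas[-1]["nat_t"] = True  # ESP is carried in UDP/4500 for this SA
    return sas

def diagnose(asa_text, client_stats):
    """Map username -> finding for peers whose headend-to-client path is dead."""
    findings = {}
    for sa in parse_asa_ipsec_sa(asa_text):
        cs = client_stats.get(sa["username"], {})
        # ASA both encapsulates and decapsulates, yet the client decrypts
        # nothing: ESP sent from the headend toward the client is dropped.
        if sa["encaps"] and sa["decaps"] and cs.get("decrypted") == 0:
            mode = "NAT-T" if sa["nat_t"] else "raw ESP (no NAT-T-Encaps)"
            findings[sa["username"]] = "return path dead over " + mode
    return findings
```

Run against real output, a finding that names raw ESP points at a device in the return path that does not pass protocol 50, which is the situation this thread describes.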
02-19-2010 02:16 PM
Exactly, so you will need to check that the clients that are connecting have the option "transparent tunneling" enabled on UDP NAT/PAT and try to connect again. As well, in this scenario it totally means that ESP is not being passed back from the filtering device in front of your Subscriber Networks.
If you can, please add a copy of your config on the Corporate Side.
02-19-2010 04:18 PM
Enable Transparent Tunneling is checked and the IPSec over UDP (NAT/PAT) option is selected on all VPN clients.
If, after the connection is established, ESP from the Enterprise Firewall to the VPN client is being filtered by the Subscriber Network Firewall, how do I resolve this? Could this be because both firewalls are on the same network (no router between them)? Before now, the Subscriber and Enterprise Networks had separate internet connections and the remote VPN client worked well.
In my quest for a solution, I configured a remote VPN on a Cisco 870 series ISR. The router has a LAB network on the LAN side, and I connected the WAN interface to the inside of the Enterprise network. VPN clients from the Subscriber Network establish connections and can reach all required nodes on the LAB network.
Here is the show crypto ipsec sa:
Router#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 172.25.101.15
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.106.5/255.255.255.255/0/0)
current_peer 41.138.183.195 port 3460
PERMIT, flags={origin_is_acl,}
#pkts encaps: 282, #pkts encrypt: 282, #pkts digest: 282
#pkts decaps: 1275, #pkts decrypt: 1275, #pkts verify: 1275
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 2
local crypto endpt.: 172.25.101.15, remote crypto endpt.: 41.138.183.195
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x3493902F(882085935)
inbound esp sas:
spi: 0x626B49BC(1651198396)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 11, flow_id: Motorola SEC 1.0:11, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4583768/2093)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3493902F(882085935)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 12, flow_id: Motorola SEC 1.0:12, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4583904/2093)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
What can I do to resolve the problem?
How do I add a copy of my config on the Corporate Side?
02-19-2010 04:30 PM
ESP being filtered is quite a common issue, and that is because ESP is portless. On the other hand, what we need to find out is why the client, despite the fact that NAT-T is enabled on the server and it has Transparent Tunneling enabled, is still negotiating on ESP. For instance, we need to find out if there is any kind of NAT on the Subscriber firewall, since this is the only way NAT-T is going to kick in. Is this Subscriber firewall a Cisco FW?
02-19-2010 09:57 PM
There is no NAT on the Subscriber Firewall. IP addresses are assigned to the Subscriber devices by a DHCP server on their network; these IPs are permitted to any on the outside interface of the Firewall. The Enterprise Firewall has a static private IP address, and that private IP address has a public IP address NAT on the internet edge routers to allow VPN sessions from the internet.
The Subscriber Firewall is not Cisco, it is a Huawei Eudemon Firewall.