cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2432
Views
0
Helpful
7
Replies

Problem with traffic over Remote Access VPN (Cisco ASA5505)

Lionel271
Level 1
Level 1

Hi

I've changed the VPN IP pool on a previously functioning VPN setup on a Cisco ASA5505, I've updated IP addresses everywhere it seemed appropriate, but now the VPN is no longer working. I am testing with a Cisco IPSec client, but the same happens with the AnyConnect client. Clients connect, but cannot access resources on the LAN. Split tunneling also doesn't work, internet is not accessible once VPN is connected.

I found a NAT exempt rule to not be correctly specified, but after fixing this, the problem still persists.

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

domain-name our-domain.com

enable password xxxxxxxx encrypted

passwd xxxxxxxx encrypted

names

name 172.17.1.0 remote-vpn

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.2 255.0.0.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group adslrealm

ip address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone SAST 2

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 10.1.1.138

name-server 10.1.1.54

domain-name our-domain.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network ut

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list no_nat extended permit ip 10.0.0.0 255.0.0.0 remote-vpn 255.255.255.0

access-list split-tunnel standard permit 10.0.0.0 255.0.0.0

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq 5061

access-list outside_access_in extended permit tcp any interface outside eq 51413

access-list outside_access_in extended permit udp any interface outside eq 51413

access-list outside_access_in extended permit tcp any interface outside eq 2121

access-list outside_access_in extended permit udp any interface outside eq 2121

access-list inside_access_out extended deny ip any 64.34.106.0 255.255.255.0

access-list inside_access_out extended deny ip any 69.25.20.0 255.255.255.0

access-list inside_access_out extended deny ip any 69.25.21.0 255.255.255.0

access-list inside_access_out extended deny ip any 72.5.76.0 255.255.255.0

access-list inside_access_out extended deny ip any 72.5.77.0 255.255.255.0

access-list inside_access_out extended deny ip any 216.52.0.0 255.255.0.0

access-list inside_access_out extended deny ip any 74.201.0.0 255.255.0.0

access-list inside_access_out extended deny ip any 64.94.0.0 255.255.0.0

access-list inside_access_out extended deny ip any 69.25.0.0 255.255.0.0

access-list inside_access_out extended deny tcp any any eq 12975

access-list inside_access_out extended deny tcp any any eq 32976

access-list inside_access_out extended deny tcp any any eq 17771

access-list inside_access_out extended deny udp any any eq 17771

access-list inside_access_out extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPool 172.17.1.1-172.17.1.254

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list no_nat

nat (inside) 1 10.0.0.0 255.0.0.0

static (inside,outside) tcp interface 5061 10.1.1.157 5061 netmask 255.255.255.255

static (inside,outside) tcp interface https 10.1.1.157 4443 netmask 255.255.255.255

static (inside,outside) tcp interface 51413 10.1.1.25 51413 netmask 255.255.255.255

static (inside,outside) udp interface 51413 10.1.1.25 51413 netmask 255.255.255.255

static (inside,outside) tcp interface 2121 10.1.1.25 2121 netmask 255.255.255.255

static (inside,outside) udp interface 2121 10.1.1.25 2121 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol ldap

aaa-server AD (inside) host 10.1.1.138

ldap-base-dn dc=our-domain,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=ciscoasa,cn=Users,dc=ourdomain,dc=com

server-type auto-detect

aaa authentication ssh console AD LOCAL

aaa authentication telnet console LOCAL

http server enable 4343

http 0.0.0.0 0.0.0.0 outside

http 10.0.0.0 255.0.0.0 inside

http remote-vpn 255.255.255.0 inside

snmp-server host inside 10.1.1.190 community oursnmp

snmp-server host inside 10.1.1.44 community oursnmp

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map dyn1 1 set transform-set FirstSet

crypto dynamic-map dyn1 1 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

crl configure

crypto ca trustpoint CA1

revocation-check crl none

enrollment retry period 5

enrollment terminal

fqdn ciscoasa.our-domain.com

subject-name CN=ciscoasa.our-domain.com, OU=Department, O=Company, C=US, St=New York, L=New York

keypair ciscoasa.key

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate xxxxxxx

    ...

  quit

crypto ca certificate chain CA1

certificate xxxxxxxxxxxxxx

    ...

  quit

certificate ca xxxxxxxxxxxxx

    ...

  quit

crypto isakmp enable outside

crypto isakmp policy 1

authentication rsa-sig

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 5

console timeout 0

vpdn group adslrealm request dialout pppoe

vpdn group adslrealm localname username6@adslrealm

vpdn group adslrealm ppp authentication pap

vpdn username username6@adslrealm password ********* store-local

vpdn username username@adsl-u password ********* store-local

vpdn username username2@adslrealm password *********

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server x.x.x.x source outside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

port 4343

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

svc enable

group-policy defaultgroup internal

group-policy defaultgroup attributes

dns-server value 10.1.1.138 10.1.1.54

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain value our-domain.com

group-policy DfltGrpPolicy attributes

dns-server value 10.1.1.138 10.1.1.54

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

address-pools value VPNPool

webvpn

  svc ask none default svc

username person1 password xxxxxxx encrypted

username admin password xxxxxxxx encrypted privilege 15

username person2 password xxxxxxxxx encrypted

username person3 password xxxxxxxxxx encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool VPNPool

default-group-policy defaultgroup

tunnel-group DefaultRAGroup ipsec-attributes

trust-point CA1

tunnel-group OurCompany type remote-access

tunnel-group OurCompany general-attributes

address-pool VPNPool

tunnel-group OurCompany webvpn-attributes

group-alias OurCompany enable

group-url https://x.x.x.x/OurCompany enable

tunnel-group OurIPSEC type remote-access

tunnel-group OurIPSEC general-attributes

address-pool VPNPool

default-group-policy defaultgroup

tunnel-group OurIPSEC ipsec-attributes

pre-shared-key *

trust-point CA1

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect sip sip-map

parameters

  max-forwards-validation action drop log

  state-checking action drop log

  rtp-conformance

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect icmp

  inspect pptp

  inspect sip sip-map

!            

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxxxxxxxxxxxxxxxx

: end

I've checked all the debug logs I could think of and tried various troubleshooting steps. Any ideas?

Regards

Lionel

7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

Lionel

I have looked through the config that you posted and do not see any obvious explanation in the config for the symptoms that you describe. It seems to me that the likely issue is that something connected in the inside LAN is not routing correctly for your new VPN pool. What was the previous pool? Can you check in the LAN for any remaining references to the old pool?

HTH

Rick

HTH

Rick

Hi

The previous VPN pool was 10.1.2.1-10.1.2.254. The LAN subnet mask was 255.255.255.0 and is now 255.0.0.0. More IP address were required on the LAN side.

The Cisco ASA is directly connected to the LAN, no routers in between. The devices on the LAN that need to be accessed use the Cisco ASA as their default gateway. There are other devices that use a different router, but these have static routes for 172.17.1.0/24 to 10.1.1.2. Both configurations don't work with the VPN.

The WAN side of the Cisco ASA connects via PPPoE (as per the configuration) to a DSL modem. The tunnel group being used is the one label OurIPSEC.

During checking the debug logs, I've noticed that it says both the ASA and the client device is behind NAT, but neither of them are, although NAT traversal is enabled and we would like to support NAT.

Regards

Lionel

Lionel

Thanks for the additional information. I am a bit surprised that a network that outgrew a /24 and needed more addresses is running on an ASA5505, but if it is running ok then that is good.

As far as the indication of being behind NAT is concerned what IP address is being assigned to your ASA outside interface to the DSL modem? I wonder if it is using a private address and then doing translation in the DSL modem?

HTH

Rick

HTH

Rick

Hi

The bulk of the devices are not even routing through the ASA, internal devices such as IP phones, printers, etc. There is also large wastage of IP addresses which needs to be sorted out at some stage.

Outside IP address is 196.215.40.160. The DSL modem is configured as an LLC bridge.

Here are the debug logs when connecting if this helps at all. Nothing is logged when a connection is attempted though.

Regards

Lionel

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 765

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing SA payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ke payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ISA_KE payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing nonce payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing ID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Fragmentation VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal RFC VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 03 VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received NAT-Traversal ver 02 VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received xauth V6 VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received Cisco Unity client VID

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, processing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: IP = 197.79.9.227, Received DPD VID

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, Connection landed on tunnel_group OurIPSEC

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing IKE SA payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ISAKMP SA payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ke payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing nonce payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Generating keys for Responder...

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing ID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing hash payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMP

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Cisco Unity VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing xauth V6 VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing dpd vid payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Traversal VID ver 02 payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing NAT-Discovery payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing Fragmentation VID + extended capabilities payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing VID payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (130) + NAT-D (130) + NOTIFY (11) + NONE (0) total length : 128

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing hash payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Computing hash for ISAKMP

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing NAT-Discovery payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, computing NAT Discovery hash

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, processing notify payload

Oct 15 17:08:51 [IKEv1]: Group = OurIPSEC, IP = 197.79.9.227, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing blank hash payload

Oct 15 17:08:51 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, constructing qm hash payload

Oct 15 17:08:51 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72

Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=b8b02705) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 88

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, process_attr(): Enter!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, IP = 197.79.9.227, Processing MODE_CFG Reply attributes.

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary DNS = 10.1.1.138

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary DNS = 10.1.1.54

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: primary WINS = cleared

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: secondary WINS = cleared

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: split tunneling list = split-tunnel

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: default domain = our-domain.com

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: IP Compression = disabled

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Split Tunneling Policy = Split Network

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Setting = no-modify

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKEGetUserAttributes: Browser Proxy Bypass Local = disable

Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, User (person2) authenticated.

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload

Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=a2171c19) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg ACK attributes

Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 164

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, process_attr(): Enter!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Processing cfg Request attributes

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 address!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for IPV4 net mask!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for DNS server address!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for WINS server address!

Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received unsupported transaction mode attribute: 5

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Application Version!

Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Client Type: iPhone OS  Client Application Version: 7.0.2

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Banner!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Default Domain Name!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split DNS!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Split Tunnel List!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Local LAN Include!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for PFS setting!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Save PW setting!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for FWTYPE!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for backup ip-sec peer list!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, MODE_CFG: Received request for Client Browser Proxy Setting!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth enabled)

Oct 15 17:09:02 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Assigned private IP address 172.17.1.1 to remote user

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, construct_cfg_set: default domain = our-domain.com

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Send Client Browser Proxy Attributes!

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply

Oct 15 17:09:02 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload

Oct 15 17:09:02 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=3257625f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 210

Oct 15 17:09:03 [IKEv1 DECODE]: IP = 197.79.9.227, IKE Responder starting QM: msg id = c9359d2e

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 1 COMPLETED

Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, Keep-alive type for this connection: DPD

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P1 rekey timer: 3420 seconds.

Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 284

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing SA payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing nonce payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payload

Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR ID received

172.17.1.1

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received remote Proxy Host data in ID Payload:  Address 172.17.1.1, Protocol 0, Port 0

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing ID payload

Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Received local IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.0.0.0, Protocol 0, Port 0

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, QM IsRekeyed old sa not found by addr

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Remote Peer configured for crypto map: dyn1

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing IPSec SA payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IPSec SA Proposal # 1, Transform # 6 acceptable  Matches global IPSec SA entry # 1

Oct 15 17:09:03 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE: requesting SPI!

IPSEC: New embryonic SA created @ 0xCB809F40,

    SCB: 0xC9613DB0,

    Direction: inbound

    SPI      : 0x96A6C295

    Session ID: 0x0001D000

    VPIF num  : 0x00000002

    Tunnel type: ra

    Protocol   : esp

    Lifetime   : 240 seconds

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got SPI from key engine: SPI = 0x96a6c295

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, oakley constucting quick mode

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing blank hash payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec SA payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing IPSec nonce payload

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing proxy ID

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Transmitting Proxy Id:

  Remote host: 172.17.1.1  Protocol 0  Port 0

  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0

Oct 15 17:09:03 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, constructing qm hash payload

Oct 15 17:09:03 [IKEv1 DECODE]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE Responder sending 2nd QM pkt: msg id = c9359d2e

Oct 15 17:09:03 [IKEv1]: IP = 197.79.9.227, IKE_DECODE SENDING Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 152

Oct 15 17:09:06 [IKEv1]: IP = 197.79.9.227, IKE_DECODE RECEIVED Message (msgid=c9359d2e) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, processing hash payload

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, loading all IPSEC SAs

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Generating Quick Mode Key!

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, NP encrypt rule look up for crypto map dyn1 1 matching ACL Unknown: returned cs_id=c9f22e78; rule=00000000

Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Security negotiation complete for User (person2)  Responder, Inbound SPI = 0x96a6c295, Outbound SPI = 0x09e97594

IPSEC: New embryonic SA created @ 0xCB8F7418,

    SCB: 0xC9F6DD30,

    Direction: outbound

    SPI      : 0x09E97594

    Session ID: 0x0001D000

    VPIF num  : 0x00000002

    Tunnel type: ra

    Protocol   : esp

    Lifetime   : 240 seconds

IPSEC: Completed host OBSA update, SPI 0x09E97594

IPSEC: Creating outbound VPN context, SPI 0x09E97594

    Flags: 0x00000025

    SA   : 0xCB8F7418

    SPI  : 0x09E97594

    MTU  : 1492 bytes

    VCID : 0x00000000

    Peer : 0x00000000

    SCB  : 0x99890723

    Channel: 0xC6691360

IPSEC: Completed outbound VPN context, SPI 0x09E97594

    VPN handle: 0x001E7FCC

IPSEC: New outbound encrypt rule, SPI 0x09E97594

    Src addr: 10.0.0.0

    Src mask: 255.0.0.0

    Dst addr: 172.17.1.1

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed outbound encrypt rule, SPI 0x09E97594

    Rule ID: 0xCB5483E8

IPSEC: New outbound permit rule, SPI 0x09E97594

    Src addr: 196.215.40.160

    Src mask: 255.255.255.255

    Dst addr: 197.79.9.227

    Dst mask: 255.255.255.255

    Src ports

      Upper: 4500

      Lower: 4500

      Op   : equal

    Dst ports

      Upper: 41593

      Lower: 41593

      Op   : equal

    Protocol: 17

    Use protocol: true

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed outbound permit rule, SPI 0x09E97594

    Rule ID: 0xC9242228

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, IKE got a KEY_ADD msg for SA: SPI = 0x09e97594

IPSEC: Completed host IBSA update, SPI 0x96A6C295

IPSEC: Creating inbound VPN context, SPI 0x96A6C295

    Flags: 0x00000026

    SA   : 0xCB809F40

    SPI  : 0x96A6C295

    MTU  : 0 bytes

    VCID : 0x00000000

    Peer : 0x001E7FCC

    SCB  : 0x985C5DA5

    Channel: 0xC6691360

IPSEC: Completed inbound VPN context, SPI 0x96A6C295

    VPN handle: 0x0020190C

IPSEC: Updating outbound VPN context 0x001E7FCC, SPI 0x09E97594

    Flags: 0x00000025

    SA   : 0xCB8F7418

    SPI  : 0x09E97594

    MTU  : 1492 bytes

    VCID : 0x00000000

    Peer : 0x0020190C

    SCB  : 0x99890723

    Channel: 0xC6691360

IPSEC: Completed outbound VPN context, SPI 0x09E97594

    VPN handle: 0x001E7FCC

IPSEC: Completed outbound inner rule, SPI 0x09E97594

    Rule ID: 0xCB5483E8

IPSEC: Completed outbound outer SPD rule, SPI 0x09E97594

    Rule ID: 0xC9242228

IPSEC: New inbound tunnel flow rule, SPI 0x96A6C295

    Src addr: 172.17.1.1

    Src mask: 255.255.255.255

    Dst addr: 10.0.0.0

    Dst mask: 255.0.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound tunnel flow rule, SPI 0x96A6C295

    Rule ID: 0xCB7CFCC8

IPSEC: New inbound decrypt rule, SPI 0x96A6C295

    Src addr: 197.79.9.227

    Src mask: 255.255.255.255

    Dst addr: 196.215.40.160

    Dst mask: 255.255.255.255

    Src ports

      Upper: 41593

      Lower: 41593

      Op   : equal

    Dst ports

      Upper: 4500

      Lower: 4500

      Op   : equal

    Protocol: 17

    Use protocol: true

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound decrypt rule, SPI 0x96A6C295

    Rule ID: 0xCB9BF828

IPSEC: New inbound permit rule, SPI 0x96A6C295

    Src addr: 197.79.9.227

    Src mask: 255.255.255.255

    Dst addr: 196.215.40.160

    Dst mask: 255.255.255.255

    Src ports

      Upper: 41593

      Lower: 41593

      Op   : equal

    Dst ports

      Upper: 4500

      Lower: 4500

      Op   : equal

    Protocol: 17

    Use protocol: true

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound permit rule, SPI 0x96A6C295

    Rule ID: 0xCBA7C740

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Pitcher: received KEY_UPDATE, spi 0x96a6c295

Oct 15 17:09:06 [IKEv1 DEBUG]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Starting P2 rekey timer: 3417 seconds.

Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, Adding static route for client address: 172.17.1.1

Oct 15 17:09:06 [IKEv1]: Group = OurIPSEC, Username = person2, IP = 197.79.9.227, PHASE 2 COMPLETED (msgid=c9359d2e)

Also can't seem to access the internal IP of the ASA over the VPN, which I believe is a step closer than the rest of the LAN.

Hi

I have made some progress. I connected the client device behind a NAT router via DSL and I could access a single device on the LAN (the other one I tested didn't work, but that might be routing related). I could also access the internet via the split tunnel.

But if I switch back to a 3G connection (direct, not behind NAT), I have the original problem.

Neither of these methods can access the internal interface of the ASA, but that is not a requirement.

I should be able to resolve the suspected routing issue myself for the other device, but need to somehow figure out how to get it working without NAT on the client side (it needs to work both with or without NAT).

Regards

Lionel

Lionel

I am glad that you are making progress. Put this command into your config and see if it helps with the issue of accessing the ASA inside address from the VPN session

management-access inside

It is a very interesting insight that the problem may be related to address translation.

HTH

Rick

HTH

Rick