ASA5505 VPN Issue

15 years 2 months ago #30864 by lt_tweak
ASA5505 VPN Issue was created by lt_tweak
I am having issues with my VPN clients connecting. It was previously working, so I am thinking it's something simple. Can anyone take a look at this config and see what's missing for remote VPN connection, using Cisco client 5.0?

Thanks

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name mydomain
enable password KiCCVGOXkJE3nyKk encrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4P21McLAKffWjWkr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 208.67.222.222
name-server 151.203.0.85
name-server 4.2.2.1
domain-name sewingmachine.com
access-list inside_nat0_outbound extended permit ip any 172.31.16.0 255.255.255.240
access-list remote_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host *.*.*.151 interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Pool1 172.31.16.1-172.31.16.10 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy remote internal
group-policy remote attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_splitTunnelAcl
username remote password FQPyOFkYZZbOGZiR encrypted
username remote attributes
vpn-group-policy remote
vpn-tunnel-protocol IPSec l2tp-ipsec
group-lock value remote
username cisco password kwT7MeGuMDvPg8/9 encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http *.*.*.156 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool Pool1
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
chain
tunnel-group-map default-group remote
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh *.*.*.156 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd dns 4.2.2.1 4.2.2.2
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 4.2.2.1 208.67.222.222 interface inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect dns
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0621b5e9b7a4e636a4c6f85aee1556e1
: end
15 years 2 months ago #30994 by chidimaar
Replied by chidimaar on topic Re: ASA5505 VPN Issue
I believe you have your pre-shared key right. Also try to find out at which point the connection breaks between client and ASA by attempting the connection with the ASA. Turn on logging on the VPN client when you attempt to establish the connection.
Maybe it will give you a good idea of at which point the negotiations are failing.
15 years 2 months ago #31076 by lt_tweak
Replied by lt_tweak on topic Client Logging Info
Reason 401: An unrecognized error occurred while establishing the VPN connection.

Yeah, it really doesn't provide that much information for debugging.

I appreciate the help!
15 years 2 months ago #31092 by lt_tweak
Replied by lt_tweak on topic the LOG window
The log window actually provides a bit more info! :P

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
33 10:03:02.016 07/21/09 Sev=Info/4 CM/0x63100002
Begin connection process
34 10:03:02.032 07/21/09 Sev=Info/4 CM/0x63100004
Establish secure connection
35 10:03:02.032 07/21/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "*.*.*.43"
36 10:03:02.032 07/21/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with *.*.*.43.
37 10:03:02.048 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.*.*.43
38 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *.*.*.43
39 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.*.*.43
40 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
41 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
42 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
43 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
44 10:03:02.079 07/21/09 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
45 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
46 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
47 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to *.*.*.43
48 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to *.*.*.43
49 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
50 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CBBE66A7F33EEB39 R_Cookie=A7ED847216EF834A) reason = DEL_REASON_IKE_NEG_FAILED
51 10:03:02.094 07/21/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
52 10:03:02.094 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
53 10:03:02.594 07/21/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CBBE66A7F33EEB39 R_Cookie=A7ED847216EF834A) reason = DEL_REASON_IKE_NEG_FAILED
54 10:03:02.594 07/21/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "*.*.*.43" because of "DEL_REASON_IKE_NEG_FAILED"
55 10:03:02.594 07/21/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
56 10:03:02.594 07/21/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
57 10:03:02.594 07/21/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
58 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
59 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
60 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
61 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Again, thanks for the help!
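To make a client log like the one above quicker to triage, here is a small parser and classifier added to this thread (not Cisco's tooling and not from any poster). It assumes the two-line Cisco VPN Client 5.x log format shown in the post and reduces the Phase 1 outcome to one verdict; in particular, the "Hash verification failed" warning after an aggressive-mode reply maps to a mismatch between the client's group password and the ASA tunnel-group pre-shared-key.

```python
import re

# Header line of a Cisco VPN Client 5.x log entry; the message text is on the next line.
# Example header: "44 10:03:02.079 07/21/09 Sev=Warning/3 IKE/0xE3000057"
HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=(\w+)/\d\s+(\w+)/0x([0-9A-Fa-f]+)$")

def parse_log(text):
    """Return a list of dicts, pairing each header line with the message that follows it."""
    entries, hdr = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            hdr = m
        elif hdr is not None:
            seq, sev, mod, code = hdr.groups()
            entries.append({"seq": int(seq), "sev": sev, "mod": mod, "code": code.upper(), "msg": line})
            hdr = None
    return entries

# Evaluated in order; the first marker found in any message decides the verdict.
CHECKS = [
    ("Hash verification failed", "psk_mismatch",
     "AG2 arrived but its HASH did not verify: client group password != tunnel-group pre-shared-key."),
    ("RECEIVING <<< ISAKMP OAK AG", "phase1_continues",
     "AG2 verified, so Phase 1 proceeds; look further down the log (XAUTH, mode-config)."),
    ("SENDING >>> ISAKMP OAK AG", "no_response",
     "AG1 sent but nothing came back: check reachability and 'crypto isakmp enable outside'."),
]

def diagnose(entries):
    for marker, verdict, advice in CHECKS:
        if any(marker in e["msg"] for e in entries):
            return verdict, advice
    return "unknown", "No IKE exchange recorded; confirm the client actually attempted to connect."

# Constructed excerpt in the format of the client log posted above.
SAMPLE_LOG = """
37 10:03:02.048 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to *.*.*.43
39 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity)) from *.*.*.43
45 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
"""
```

Running `diagnose(parse_log(SAMPLE_LOG))` on the excerpt returns the `psk_mismatch` verdict; cutting the log before the hash warning yields `phase1_continues`, and a log with only the AG1 send yields `no_response`.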
15 years 1 month ago #31202 by skepticals
Replied by skepticals on topic Re: ASA5505 VPN Issue
Hash verification failed... may be configured with invalid group password.

Is the user's pre-shared key correct, as well as the username and password?