ASA5505 VPN Issue
15 years 5 months ago #30864
by lt_tweak
ASA5505 VPN Issue was created by lt_tweak
I am having issues with my VPN clients connecting. It was previously working, so I am thinking it's something simple. Can anyone take a look at this config and see what's missing for a remote VPN connection, using Cisco client 5.0?
Thanks
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name mydomain
enable password KiCCVGOXkJE3nyKk encrypted
multicast-routing
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4P21McLAKffWjWkr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 208.67.222.222
name-server 151.203.0.85
name-server 4.2.2.1
domain-name sewingmachine.com
access-list inside_nat0_outbound extended permit ip any 172.31.16.0 255.255.255.240
access-list remote_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host *.*.*.151 interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Pool1 172.31.16.1-172.31.16.10 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy remote internal
group-policy remote attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_splitTunnelAcl
username remote password FQPyOFkYZZbOGZiR encrypted
username remote attributes
vpn-group-policy remote
vpn-tunnel-protocol IPSec l2tp-ipsec
group-lock value remote
username cisco password kwT7MeGuMDvPg8/9 encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http *.*.*.156 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool Pool1
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
chain
tunnel-group-map default-group remote
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh *.*.*.156 255.255.255.255 outside
ssh timeout 60
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd dns 4.2.2.1 4.2.2.2
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 4.2.2.1 208.67.222.222 interface inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect dns
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0621b5e9b7a4e636a4c6f85aee1556e1
: end
15 years 5 months ago #30994
by chidimaar
Replied by chidimaar on topic Re: ASA5505 VPN Issue
I believe you have your pre-shared key right. Also try to find out at which point the connection breaks between the client and the ASA by attempting the connection with the ASA. Turn on logging on the VPN client when you attempt to establish the connection.
Maybe it will give you a good idea of at which point the negotiations are failing.
15 years 5 months ago #31076
by lt_tweak
Replied by lt_tweak on topic Client Logging Info
Reason 401: An unrecognized error occurred while establishing the VPN connection.
Yeah, it really doesn't provide that much information for debugging.
I appreciate the help!
15 years 5 months ago #31092
by lt_tweak
Replied by lt_tweak on topic the LOG window
The log window actually provides a bit more info!
Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
33 10:03:02.016 07/21/09 Sev=Info/4 CM/0x63100002
Begin connection process
34 10:03:02.032 07/21/09 Sev=Info/4 CM/0x63100004
Establish secure connection
35 10:03:02.032 07/21/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "*.*.*.43"
36 10:03:02.032 07/21/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with *.*.*.43.
37 10:03:02.048 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.*.*.43
38 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = *.*.*.43
39 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.*.*.43
40 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
41 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
42 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
43 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
44 10:03:02.079 07/21/09 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
45 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
46 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
47 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to *.*.*.43
48 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to *.*.*.43
49 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
50 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CBBE66A7F33EEB39 R_Cookie=A7ED847216EF834A) reason = DEL_REASON_IKE_NEG_FAILED
51 10:03:02.094 07/21/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
52 10:03:02.094 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
53 10:03:02.594 07/21/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CBBE66A7F33EEB39 R_Cookie=A7ED847216EF834A) reason = DEL_REASON_IKE_NEG_FAILED
54 10:03:02.594 07/21/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "*.*.*.43" because of "DEL_REASON_IKE_NEG_FAILED"
55 10:03:02.594 07/21/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
56 10:03:02.594 07/21/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
57 10:03:02.594 07/21/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
58 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
59 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
60 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
61 10:03:02.610 07/21/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Again, thanks for the help!
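The client log above already narrows the fault to IKE phase 1: the ASA answered the aggressive-mode proposal (so it is reachable and ISAKMP is enabled on the outside interface), but the client could not verify the HASH payload and sent AUTH_FAILED. The following is an added example, not code from the thread or from Cisco, that parses Cisco VPN Client 5.x log lines in this format and classifies where phase 1 stopped; the sample lines are constructed from the log above, and the peer address 198.51.100.43 is a placeholder.

```python
import re

# A Cisco VPN Client 5.x log entry is a header "<seq> <time> <date> Sev=<Level>/<n> <Comp>/<0xCode>" plus a message line.
HEADER_RE = re.compile(r"^(?P<seq>\d+)\s+\S+\s+\S+\s+Sev=(?P<level>\w+)/\d\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")

def parse_client_log(text):
    """Pair every header line with the message line that follows it."""
    entries, hdr = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER_RE.match(line)
        if m:
            hdr = m
        elif hdr is not None:
            entries.append({"seq": int(hdr["seq"]), "level": hdr["level"],
                            "comp": hdr["comp"], "code": hdr["code"], "msg": line})
            hdr = None
    return entries

def diagnose(entries):
    """Report where IKE phase 1 stopped and what the client itself attributes the failure to."""
    msgs = [e["msg"] for e in entries]
    caps = sorted(m[len("Peer supports "):] for m in msgs if m.startswith("Peer supports "))
    answered = any(m.startswith("RECEIVING <<< ISAKMP OAK AG") for m in msgs)
    hash_fail = any("Hash verification failed" in m for m in msgs)
    auth_fail = any("NOTIFY:AUTH_FAILED" in m for m in msgs)
    if not answered:
        stage, cause = "no_reply", "peer did not answer the aggressive-mode proposal"
    elif hash_fail and auth_fail:
        # Peer replied, so it is reachable and IKE is enabled there; its HASH_R did not verify (PSK mismatch).
        stage, cause = "phase1_auth_failed", "group pre-shared key mismatch"
    elif any("Unable to establish Phase 1 SA" in m for m in msgs):
        stage, cause = "phase1_failed", "see IKE warnings"
    else:
        stage, cause = "phase1_ok", ""
    warnings = sum(1 for e in entries if e["level"] == "Warning")
    return {"stage": stage, "cause": cause, "peer_caps": caps, "warnings": warnings}

# Constructed sample modelled on the thread's log; 198.51.100.43 is a documentation address.
SAMPLE = """
37 10:03:02.048 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(Nat-T), VID(Unity)) to 198.51.100.43
39 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), NAT-D, NAT-D) from 198.51.100.43
41 10:03:02.079 07/21/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
45 10:03:02.079 07/21/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
48 10:03:02.079 07/21/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 198.51.100.43
"""
```

Run `diagnose(parse_client_log(SAMPLE))` on a saved client log; a `no_reply` result points at reachability or ISAKMP not being enabled on the interface, while `phase1_auth_failed` points at the group pre-shared key rather than the user credentials, which are only checked later by XAUTH.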
15 years 5 months ago #31202
by skepticals
Replied by skepticals on topic Re: ASA5505 VPN Issue
Hash verification failed... may be configured with invalid group password.
Is the user's pre-shared key correct, as well as the username and password?