
Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

nitass, Level 1

Hello there,

I have a bit strange problem regarding Cisco VPN client (IPSec) with Cisco ASA. The Cisco ASA is running software version 5.2(2). The Cisco VPN client version is 3.5.1.

The problem is that the Cisco VPN client could successfully authenticate with the Cisco ASA but couldn't PING any LAN network behind the Cisco ASA. Anyway, the problem was gone when we used the Cisco VPN client version 4.6 or 4.8. All the settings are exactly the same. What has happened? What is the cause of this issue? How can I troubleshoot this problem?

Please advise.

Thanks,

Nitass


16 Replies

acomiskey, Level 10

FYI, 5.2 is the ASDM version on the ASA. The ASA version would be 7.x. Make sure the client is set for IPSec over UDP.

Thanks for reply. You are right.

The Cisco ASA is running software 7.2(2) and ASDM 5.2(2). NAT-T has already been enabled. And as I mentioned above, both Cisco VPN client 4.6 and 4.8 worked fine. The problem was only with Cisco VPN client 3.5.1. All configurations were exactly the same.

Please advise.

Thanks,

Nitass

I understood your problem; I never used 3.5.1, so I thought maybe NAT-T wasn't enabled by default like in 4.x.

Hi,

I just noticed that the transparent tunneling status was inactive and the tunnel port was also 0. Anyway, I already enabled NAT-T on the Cisco VPN client 3.5.1.

What should I do? Please advise.

Thanks,

Nitass

Btw, I have tried to configure IPSec over TCP but it still didn't work. I could telnet to port 10000 from the client machine, but the VPN client software couldn't establish the VPN tunnel.

Please advise.

Thanks,

Nitass

ggilbert, Cisco Employee

Nitass,

I read through the information posted on the website; it seems like you see the Transparent Tunneling as Inactive. Can you make sure that IPSec over UDP is checked on the client?

Can you send the output of "sh run | in isakmp"?

Thanks

Gilbert

Thanks for reply.

ciscoasa# sh run | inc isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20

Additionally, the following was the output of show crypto ipsec sa. It seems that the SA didn't detect a NAT device along the way.

ciscoasa# sh crypto ipsec sa
(snip)
inbound esp sas:
  spi: 0x7B9777AF (2073524143)
    transform: esp-3des esp-md5-hmac none
    in use settings ={RA, Tunnel, }
    slot: 0, conn_id: 82, crypto-map: outside_dyn_map
    sa timing: remaining key lifetime (sec): 28747

I also attached the transparent tunneling setting to this message.

Please advise.

Thanks a lot,

Nitass

After the VPN client is connected, can you send the output of "sh vpn-sessiondb remote" from the ASA?

Can you please let me know what the NATing device is through which the client passes?

Thanks

gilbert

Hi gilbert,

You are right. The problem is from the NAT. When I removed the NATing device along the way, the connection was fine. The NATing device is just a NetScreen firewall. Anyway, it worked fine with VPN client 4.6 and 4.8. I am wondering why NAT-T, IPSec over UDP or IPSec over TCP did not work in this case. What could I do? Could you please advise?

Below is the output of the show vpn-sessiondb remote command that you asked for.

ciscoasa# sh vpn-sessiondb remote

Session Type: Remote

Username: sawayama
Index: 1
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Hashing: MD5
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Group Policy: remote
Tunnel Group: remote
Login Time: 12:37:16 ICT Fri Jun 22 2007
Duration: 0h:00m:10s
Filter Name: vpnacl
NAC Result: N/A
Posture Token:

Thanks,

Nitass

Nitass,

From the output of "sh vpn-sessiondb" it seems that your VPN client is just trying to use IPSec and not IPSec over UDP or IPSec over TCP:

Protocol: IPSec

If the client is going through a NAT device then the ASA will detect the NAT device and try to use UDP 4500 (NAT-T) for negotiation.

In this case, it seems like that is not happening. We need to look deep into the ASA debugs and the client-side debugs to see what is happening.

Since the client is connecting with just IPSec, and I do not see any kind of packets received on the ASA in the output that was sent, I believe the NAT device might be blocking ESP packets.

You need to do some more extensive troubleshooting to figure out precisely where the problem is happening.

It may be that the Netgear device is not doing the PAT properly, or it has a one-to-one NAT for your VPN client.

Rate this post if it helps.

Cheers,

Gilbert

Hi Gilbert,

Thank you very much. I appreciate your kindness.

For this issue, I did it in the lab. All device configurations were the same. The only change was the VPN client software version.

As I checked, I understood that the VPN client 3.5.1 could not support NAT-T. It was supported from version 3.6.1. Anyway, I think the TCP over UDP or TCP should work in this situation.

What do you think? Could you please advise?

Thanks,

Nitass

IPSec over UDP is NAT-T, like I said in my first post.

Nitass,

With the VPN client version, if you used IPSec over UDP, it will use UDP port 10000.

Since you are coming through a NAT device, I am sure the ASA is detecting UDP 4500 (which is NAT-T) and then trying to use that.

But, you can use IPSec over TCP. If that's the case then make sure you have IPSec over TCP configured on the ASA. According to your previous output of

sh run | in isakmp --> you did not have that configured on the ASA.

This is the command.

"isakmp ipsec-over-tcp port 10000"

Let me know if this helps.

Thanks

Gilbert
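An added example, not code from this thread or from Cisco: a small Python checker that applies the two checks made above in one place. It reads the Protocol and Bytes Rx fields of "show vpn-sessiondb remote" (Gilbert's reading of the session output: "Protocol: IPSec" with nothing received means native ESP, which a PAT device generally cannot forward) and scans the "show run | inc isakmp" lines for nat-traversal and ipsec-over-tcp (the missing command in the accepted answer). The sample outputs are constructed from the ones posted in this thread; the Protocol values IPSecOverNatT/IPSecOverUDP/IPSecOverTCP and the default TCP port of 10000 are assumptions about the ASA's output and defaults, and the parser also accepts the column-padded "Key : value" layout that newer ASA releases print.

```python
import re

# Constructed sample inputs, modelled on the outputs posted in this thread.
ISAKMP_CONFIG = """\
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
"""

# The same config with the accepted fix applied (constructed).
ISAKMP_CONFIG_FIXED = ISAKMP_CONFIG + "crypto isakmp ipsec-over-tcp port 10000\n"

SESSION_OUTPUT = """\
Session Type: Remote

Username: sawayama
Index: 1
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Hashing: MD5
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Group Policy: remote
Tunnel Group: remote
Login Time: 12:37:16 ICT Fri Jun 22 2007
Duration: 0h:00m:10s
Filter Name: vpnacl
NAC Result: N/A
Posture Token:
"""

# Protocol values that mean the ASA negotiated some NAT encapsulation
# (assumed names; check them against your own ASA's output).
ENCAPSULATED = {"IPSecOverNatT", "IPSecOverUDP", "IPSecOverTCP"}

# One "Key: value" pair per line, optionally followed by a second pair.
# Values may themselves contain colons (Login Time, Duration).
_PAIR_LINE = re.compile(
    r"^([A-Za-z][\w /]*?)\s*:\s*(.*?)"
    r"(?:\s+([A-Za-z][\w /]*?)\s*:\s*(.*))?$"
)
# Both the 7.0 ("isakmp ...") and 7.2 ("crypto isakmp ...") spellings.
_NAT_T = re.compile(r"^(?:crypto )?isakmp nat-traversal(?:\s+(\d+))?\s*$", re.M)
_OVER_TCP = re.compile(
    r"^(?:crypto )?isakmp ipsec-over-tcp(?:\s+port((?:\s+\d+)+))?\s*$", re.M
)


def parse_session(text):
    """Flatten one 'show vpn-sessiondb remote' session into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _PAIR_LINE.match(line.strip())
        if not m:
            continue
        key1, val1, key2, val2 = m.groups()
        fields[key1.strip()] = val1.strip()
        if key2:
            fields[key2.strip()] = val2.strip()
    return fields


def parse_isakmp_config(text):
    """Report which NAT encapsulations 'show run | inc isakmp' has enabled."""
    nat = _NAT_T.search(text)
    tcp = _OVER_TCP.search(text)
    ports = []
    if tcp:
        # Assumed: the ASA listens on TCP 10000 when no port list is given.
        ports = [int(p) for p in tcp.group(1).split()] if tcp.group(1) else [10000]
    return {
        "nat_traversal": nat is not None,
        "nat_keepalive": int(nat.group(1)) if nat and nat.group(1) else None,
        "ipsec_over_tcp": tcp is not None,
        "ipsec_over_tcp_ports": ports,
    }


def diagnose(session, config):
    """Findings for a client that authenticates but passes no traffic."""
    findings = []
    proto = session.get("Protocol", "")
    if proto == "IPSec":
        findings.append("no NAT encapsulation negotiated: ESP is sent natively, "
                        "which a PAT device generally cannot forward")
    elif proto in ENCAPSULATED:
        findings.append(f"encapsulation in use: {proto}")
    if session.get("Bytes Rx") == "0":
        findings.append("Bytes Rx is 0: the ASA has received no data from the client")
    if not config["nat_traversal"]:
        findings.append("NAT-T not enabled on the ASA (crypto isakmp nat-traversal)")
    if not config["ipsec_over_tcp"]:
        findings.append("IPsec over TCP not configured on the ASA "
                        "(crypto isakmp ipsec-over-tcp port 10000)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_session(SESSION_OUTPUT),
                         parse_isakmp_config(ISAKMP_CONFIG)):
        print("-", line)
```

Run it against output captured from the ASA while the client is connected. For the session in this thread it reports native IPSec, zero bytes received and no ipsec-over-tcp line; after adding the accepted command and reconnecting, a Protocol of IPSecOverTCP (or IPSecOverNatT on a client that supports NAT-T) with a non-zero Bytes Rx is what a working tunnel through PAT looks like.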

Sorry, please wait a moment.
