sysopt connection permit-ipsec

Unanswered Question
Feb 7th, 2008
User Badges:

I recently installed an ASA to replace an ailing PIX, and everything seems to be working well. Now we are looking at migrating remote VPN and eventually LAN-to-LAN traffic over to the ASA, due to the looming EOL on our VPN Concentrator.

I used the ASDM wizard to configure remote access VPN on the ASA, authenticating to Windows IAS. When attempting to connect with the Cisco VPN Client (version 4.0) I can see the authentication is successful on the IAS server, but the client says authentication failed. In reviewing my config from CLI, I noticed that I'm missing the line "sysopt connection permit-ipsec" I suspect this is causing my failed authentication, as the ASA is rejecting IPSEC traffic.

I attempted to add the line in CLI, and it doesn't give me any errors, but it still does not appear when I do a "show run"

The ASA is running version 7.0(6), and I was unable to find any reference to this in the release notes for any of the later versions.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 02/07/2008 - 08:16
User Badges:
  • Green, 3000 points or more

Try a "show run sysopt", it should display there.


Also, the command changed in version 7.2 and later to "sysopt connection permit-vpn".

andrew.burns Thu, 02/07/2008 - 09:30
User Badges:
  • Gold, 750 points or more

Hi,


It doesn't appear because it's the default, i.e. ESP and IKE traffic are allowed without having to specify them in the interface access-list so this is very unlikely to be the problem.


That doesn't help you though - so if you are sure the config is all OK then it might be time to try some debugs. (If you post the config that might also help)


I also seem to remember that the Cisco VPN client has an ability to provide extra logging so if you can enable that and have a look that might also give you some more clues.


HTH

Andrew.




srue Thu, 02/07/2008 - 09:46
User Badges:
  • Blue, 1500 points or more

"sysopt connection permit-vpn" or "sysopt connection permit-ipsec" have nothing to do with actually connecting a remote or site2site vpn. This command doesn't matter until the tunnel is established. without this command, you need acl entries on your inbound ACL to allow access to the internal network over a vpn tunnel. with this command, vpn connections are *not* subject to ACL checks.

Post your config though and we can troubleshoot further. Also, you might want to upgrade your vpn client from 4.0.

jeff.velten Thu, 02/07/2008 - 10:12
User Badges:

Thanks for the replies. Here's the relevant config from the ASA. I'll re-test with the VPN client and post a debug from there as well, if needed.


route outside 0.0.0.0 0.0.0.0 172.16.0.1 tunneled

!

group-policy DelcoNST internal

group-policy DelcoNST attributes

wins-server value 172.16.0.42 172.16.0.41

dns-server value 172.16.0.42 172.16.0.41

vpn-access-hours none

vpn-simultaneous-logins 5

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec

group-lock value DelcoNST

ipsec-udp enable

default-domain value co.delaware.ny.us

!

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 40 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp enable inside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group DelcoNST type ipsec-ra

tunnel-group DelcoNST general-attributes

!

authentication-server-group DELCO-RADIUS LOCAL

default-group-policy DelcoNST

dhcp-server 172.16.0.44

tunnel-group DelcoNST ipsec-attributes

pre-shared-key *

peer-id-validate cert

no vpn-addr-assign aaa

no vpn-addr-assign local


jeff.velten Fri, 02/08/2008 - 07:44
User Badges:

OK, the log on the VPN client isn't much help. I'm getting:

PEER_DELETE-IKE_DELETE_UNSPECIFIED


But on the ASA, I'm getting this:

4|Feb 08 2008 10:09:37|713903: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Error: Unable to remove PeerTblEntry

3|Feb 08 2008 10:09:37|713902: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Removing peer from peer table failed, no match!

3|Feb 08 2008 10:09:37|713132: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Cannot obtain an IP address for remote peer

6|Feb 08 2008 10:09:37|713184: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Client Type: WinNT Client Application Version: 4.0.4 (D)

5|Feb 08 2008 10:09:37|713130: Group = DelcoNST, Username = jeff.velten, IP = 204.14.57.75, Received unsupported transaction mode attribute: 5

6|Feb 08 2008 10:09:26|713172: Group = DelcoNST, IP = 204.14.57.75, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device


From poking around here a bit, the last few messages seem to indicate that the client is not getting an IP address.

srue Fri, 02/08/2008 - 08:24
User Badges:
  • Blue, 1500 points or more

This could be an IAS issue. I've seen this where there are lots of IAS policies...i usually have to move the one I'm having trouble with up to the top in the remote access policies.

Actions

This Discussion