Site-to-Site VPN picking up DfltGrpPolicy instead of Tunnel-Group

Answered Question
Jan 24th, 2009
User Badges:

Hi there,


Our ASA was configured by a consultant some time ago to enable SSLVPN connectivity to RSA backend. I am now trying to get a Site-to-Site VPN working but seem to be getting into loads of dificulties. I am getting a load of debugging messages relating to the l2l VPN which i beleive is setup correctly. The following is what i beleive is of interest


"Jan 24 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x"


The user shows the IP Address of the remote Cisco Router that we are trying to get the VPN setup to.


I must admit that i have not done much with the SSLVPN side of things so this part of the config is out of my depth which is why i am posting here.


If anyone can help it would be really appreciated.


Below is the relevent details (i can post more if there isn't enough). My question is, how do i get the l2l using the tunnel-group and not the default group policy ?


thanks in advance for any help.




dynamic-access-policy-record

DfltAccessPolicy

webvpn

url-list none

svc ask none default svc

aaa-server VPNAUTH protocol radius

aaa-server VPNAUTH host *.*.*.*

retry-interval 5

timeout 3

key ****

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

group-policy DfltGrpPolicy attributes

dns-server value !.!.!.!

vpn-idle-timeout none

vpn-tunnel-protocol webvpn

ip-comp enable

ipsec-udp enable

default-domain value mydomain.com

address-pools value vpnpool

webvpn

http-proxy enable

svc keep-installer none

svc keepalive 60

svc rekey method ssl

svc ask none default svc

activex-relay disable

file-entry disable

file-browsing disable

url-entry disable

tunnel-group DefaultRAGroup webvpn-attributes

radius-reject-message

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool vpnpool

authentication-server-group VPNAUTH

tunnel-group DefaultWEBVPNGroup webvpn-attributes

radius-reject-message

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

Correct Answer by ggilbert about 8 years 5 months ago

Wayne


Do "sh run all tunnel-group" you should see the group-policy associated with it.


eg:

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 general-attributes

no accounting-server-group

default-group-policy DfltGrpPolicy

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 10 retry 2


Let me know if this helps.


Cheers,

Gilbert

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
ggilbert Sat, 01/24/2009 - 06:58
User Badges:
  • Cisco Employee,

Hello,

I can help you with this one.


Are you trying to build a static lan to lan tunnel of dynamic lan to lan tunnel.


If you are trying to build a static lan to lan tunnel then if issue the following command given below, you will see the group policy that is being used.


sh run all tunnel-group x.x.x.x


If you want to use a different group-policy for that tunnel group, then you can create a different group-policy and use that for the lan to lan tunnel.


Thanks

Gilbert


murphyw Sun, 01/25/2009 - 03:37
User Badges:

Hi Gilbert,


Thanks very much for you prompt reply.


Can you please explain how my static lan to lan is picking up the group policy as i am struggling to see in the code where it is picking up the default one ?


I would much appreciate your help on this as i am struggling to see where this is happening and i have been unable to find many good resources for version 8.


Thanks in advance


Wayne

Correct Answer
ggilbert Mon, 01/26/2009 - 05:04
User Badges:
  • Cisco Employee,

Wayne


Do "sh run all tunnel-group" you should see the group-policy associated with it.


eg:

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 general-attributes

no accounting-server-group

default-group-policy DfltGrpPolicy

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 10 retry 2


Let me know if this helps.


Cheers,

Gilbert

murphyw Mon, 01/26/2009 - 13:19
User Badges:

Hi Gilbert,


Thanks again for the prompt post. I will have a go at this on Wednesday. To be honest i didn't realise that tunnel-groups used group policies, i have never had any dealings with Group Policies as all my experience has been from version 6 and migrated to version 7 on our Pix Firewalls (not really done anything with the ASA).


Dont suppose you can provide a link to a resource that explains its usage a little do you ? I have read the Command Reference but it doesn't really say why/context of use. The code on the ASA doesn't actually specify a group policy for the tunnel which is why i am guessing its using the default, which is configured to use AAA for authentication which i dont want to be doing.


Thanks again and if you know of a link to something that would be fantastic.

ggilbert Tue, 01/27/2009 - 05:50
User Badges:
  • Cisco Employee,

If you are using ASDM and when you configure the site to site tunnel, its should under the advanced section -- tunnel group where the group policy can be chosen.


With regard to the group-policy, you can look at the link given below. (I am sure you might have already gone through this, if not...its here)


http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html


Group-policies are used for tweaking the tunnel access settings.

For eg: vpn-filter --access for specific IP's/ports


tunneling protocols specification.


Normally, its left at default even if you configure a new one for a Lan to Lan tunnel.

murphyw Wed, 01/28/2009 - 03:30
User Badges:

Hi Gilbert,


Thanks once again for your help on this. I now understand whats going on with the groups. I have reconfigured it and seem to be getting a new issue which i have googled and cannot seem to work out whats going on. If you could please point me in the right direction i would much appreciate it. Here is the debug I am now receiving;


Jan 28 2009 11:20:09: %ASA-6-113009: AAA retrieved default group policy (sitea_29_1) for user = 1.1.1.1

Jan 28 2009 11:20:09: %ASA-3-713206: Group = 1.1.1.1, IP = 1.1.1.1, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

Jan 28 2009 11:20:09: %ASA-7-715065: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0xb0388270) , : MM_DONE,



I am trying to get this working without Split Tunneling as i want all traffic to traverse the tunnel. To expand my knowledge, i am trying to get this done through the CLI.


I have tried two different access-lists as i read that to disable split tunnelling you need to use standard access lists but in the crypto map it wont let me, i also read that in the extended, set the IP as the source if disabling split tunneling which is what i have tried. I have also tried using the standard access-list in the group policy as there is an option there for split tunneling.


The attached configpost.txt is the relevant sections of the config


Also, the attached shrunalltunnelgroups.txt is the tunnel group settings


Kindest Regards


Wayne





ggilbert Wed, 01/28/2009 - 05:52
User Badges:
  • Cisco Employee,

Wayne,

Ok - I read your note and here are somethings to clarify with the terminology.


What you are trying to do is Lan to Lan tunnel configuration.


With regard to split-tunneling, its a terminology used for Remote Access VPN clients. Like IPSec VPN clients or Cisco Anyconnect VPN Clients.


Having said that, what is your end goal.

Please clarify.


Send me the output of "sh run all group-policy" as well.


Thanks

Gilbert

Rate this post, if it helped.

murphyw Wed, 01/28/2009 - 06:09
User Badges:

Hi Gilbert,


Thanks for the reply. I have worked it out and got the tunnel up and running (although its dropping the odd ping request).


I had to set the protocols to only IPSec in the group-policy i created to get it working.


Now i just need to take a look at whats causing the request time outs :)


Regards


Wayne

murphyw Wed, 01/28/2009 - 06:16
User Badges:

Hmm, seems like my split-tunnelling isn't working.


I have a remote site and i want to force all traffic from the local subnet 172.29.1.0/24 through the VPN out of the main site.


This works fine through the VPN Concentrator but i cannot seem to get this working through the ASA.


Any suggestions ? I have noticed a setting in the Policy about split tunnelling but does this only work with remote access policies and not site-to-site ?


Anyhow, going to have a play around until you get chance to reply


Thank you for your help so far


Wayne

murphyw Wed, 01/28/2009 - 06:08
User Badges:

Sorted that error out, now i am getting an error that there is no crypto map entry (guessing this is now an issue trying to disable the split tunnelling). If you can think of anything that can help with the configuration provided then that would be fantastic.


I will continue to debug this in the mean time and post if i spot it.


Wayne

murphyw Wed, 01/28/2009 - 06:38
User Badges:

Hmm, i am having issues with forcing all the ipsec traffic down the tunnel and onto our internal network.


What i think is happening here is as follows;


1. Traffic is flowing down the tunnel fine (all traffic that is)

2. As it hits the ASA, the routing table of the ASA tells it to route traffic out to the Internet (which you would expect)


The problem i have which seems to work ok on the VPN Concentrator is that i want all traffic once it comes out of the VPN to then route through a seperate internet link (so it gets our filtering applied) and not to go directly out of the ASA.


Is there a way to resolve this issue ?


Regards


Wayne

murphyw Wed, 01/28/2009 - 07:01
User Badges:

Ooo, there is a tunneled parameter on the end of the route command.


Thanks very much this is all working now.


Wayne

Actions

This Discussion