01-26-2009 12:27 PM - last edited on 03-25-2019 05:41 PM by ciscomoderator
Hey Guys,
So I've tried everything to get this to work with no joy. I'm hoping someone out here can help me.
Essentially we have inside clients running XP and Vista using the PPTP client to connect to a VPN server outside. The connections always fail (but are successful from other networks).
The log entries are:
4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed
5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]
4 Jan 26 2009 11:39:24 713903 IP = 216.13.201.234, Error: Unable to remove PeerTblEntry
3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!
4 Jan 26 2009 11:38:52 713903 IP = 216.13.201.234, Information Exchange processing failed
Please see the attached running config.
Thanks guys!
01-26-2009 12:47 PM
By other networks, you mean other networks behind the ASA or other networks outside the ASA? Go ahead and increase the log on your ASA since it does not show that there is something wrong on the specific log.
01-26-2009 12:48 PM
By other networks I mean other networks not behind the ASA.
And that log output is showing all log messages up to level 7. Are you sure those messages on the log output aren't problematic?
01-26-2009 12:51 PM
The only log that shows reference to a PPTP connection is the following:
3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]
The rest of the lines are related to a vpn connection not being established.
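The split described in the post above, as an added example that is not part of the original thread: ASA message 106100 is the access-list log entry and the 713xxx IDs are IKE/IPsec messages, so the script separates the PPTP control connection (TCP/1723) from the IKE noise per peer and reports timestamps where both appear. The function names and category labels are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the log output quoted in the thread
# (layout: severity, date and time, message ID, message text).
SAMPLE_LOG = """\
4 Jan 26 2009 11:41:40 713903 IP = 216.13.201.234, Information Exchange processing failed
5 Jan 26 2009 11:41:40 713904 IP = 216.13.201.234, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
3 Jan 26 2009 11:41:40 106100 192.168.111.66 216.13.201.234 access-list Inside_access_in permitted tcp Inside/192.168.111.66(1375) -> Outside/216.13.201.234(1723) hit-cnt 1 first hit [0x7001adbb, 0xeac55bde]
3 Jan 26 2009 11:39:24 713902 IP = 216.13.201.234, Removing peer from peer table failed, no match!
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<id>\d{6}) (?P<text>.*)$")
ACL_RE = re.compile(
    r"(?:permitted|denied) (?P<proto>\w+) \S+/[\d.]+\(\d+\) -> "
    r"\S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
IKE_PEER_RE = re.compile(r"IP = ([\d.]+)")

def classify(line):
    """Return (category, peer_ip, timestamp), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg_id, text, ts = m["id"], m["text"], m["ts"]
    if msg_id == "106100":                      # access-list hit
        acl = ACL_RE.search(text)
        if acl and acl["proto"] == "tcp" and acl["dport"] == "1723":
            return ("pptp-control", acl["dst"], ts)
        return ("acl-other", acl["dst"] if acl else None, ts)
    if msg_id.startswith("713"):                # IKE/IPsec message class
        peer = IKE_PEER_RE.search(text)
        return ("ike", peer[1] if peer else None, ts)
    return ("other", None, ts)

def summarize(log):
    """Count categories per peer and list (peer, ts) where IKE and PPTP coincide."""
    per_peer, seen = defaultdict(Counter), defaultdict(set)
    for line in log.splitlines():
        hit = classify(line)
        if hit and hit[1]:
            per_peer[hit[1]][hit[0]] += 1
            seen[(hit[1], hit[2])].add(hit[0])
    overlap = sorted(k for k, cats in seen.items() if {"ike", "pptp-control"} <= cats)
    return per_peer, overlap

if __name__ == "__main__":
    counts, overlap = summarize(SAMPLE_LOG)
    print(dict(counts), overlap)
```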
01-26-2009 12:54 PM
Those messages all appear with the connection attempt, though. They aren't a separate issue. Every time the client tries to connect, those 5 messages appear in the log.
Should I try turning off PPTP inspection maybe?
01-26-2009 01:00 PM
I don't think you should do that. Do you recognize this IP address, 216.13.201.234? Is that the server's IP address?
01-26-2009 01:07 PM
Yes, that's the server IP.
01-26-2009 01:13 PM
Odd... Does this happen to all the clients that try this connection behind this ASA? It seems as if the ASA was intercepting this connection and using it for itself. Can you try this connection again, and while doing this go ahead and get the "show conn
Client ip is the workstation ip address you are trying from.
If possible go ahead and remove the Crypto map from outside interface while trying this too.
01-26-2009 01:14 PM
What I think is happening is you have the following config for Nat cntrl
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 access-list Inside_nat_outbound
nat (management) 101 0.0.0.0 0.0.0.0
and with this statement
access-list Outside_access_in extended permit tcp any host 216.13.201.234 eq pptp
basically permits any outside (src) traffic
static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255
is using the interface as outside address to 192.168.111.224, and the problem is that the interface IP address is not in the same subnet as your destination address
Interface address = 216.13.219.142 255.255.255.248 while your acl dst is 216.13.201.234. HTH
01-26-2009 02:04 PM
Thanks for this info. Wouldn't
static (Inside,Outside) tcp interface pptp 192.168.111.224 pptp netmask 255.255.255.255
be used for incoming PPTP connections to .224?
We are concerned with outgoing connections here to external PPTP servers. I removed that static NAT with no change.
Any other suggestions?
Thank you!!
01-26-2009 07:30 PM
My apologies, I misread the post and thought this issue was with incoming connections to .224