C1841 /w 3G HWIC Easy VPN HW Client (NEM) to ASA 5520 - connection issue

Unanswered Question
May 12th, 2009

Hi,


I'm not sure if I picked the right area of the VPN forums, but here goes.


I'm currently trying to set up and test a scenario where I have a Cisco 1841 router with an HWIC-3G-GSM card and am trying to establish an Easy VPN Hardware Client (Network Extension Mode) connection to a lab ASA 5520 with a VPN client profile configured.


For testing purposes I'm manually bringing up the HW VPN connection and giving the username/password. For some reason, though, the connection won't come up.


At the ASA 5520 I get the following log messages after the attempt to connect to the ASA (the C1841 only gives a connection termination message but nothing else; before this it was complaining about the authentication method):


May 12 2009 13:50:17 LAB-ASA5520 : %ASA-6-713172: Group = CLIENT3G, IP = 87.93.61.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113012: AAA user authentication Successful : local database : user = clientuser3g

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113003: AAA group policy for user clientuser3g is being set to CLIENT3G

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113011: AAA retrieved user specific group policy (CLIENT3G) for user = clientuser3g

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113009: AAA retrieved default group policy (CLIENT3G) for user = clientuser3g

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113008: AAA transaction status ACCEPT : user = clientuser3g

May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-734001: DAP: User clientuser3g, Addr 87.93.61.xxx, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713131: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Received unknown transaction mode attribute: 28692

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713131: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Received unknown transaction mode attribute: 28693

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-6-713184: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Client Type: IOS Client Application Version: 12.4(24)T

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713131: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Received unknown transaction mode attribute: 28695

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-3-713149: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Hardware client security attribute SECURE UNIT was enabled but not requested.

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-3-713902: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Removing peer from peer table failed, no match!

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-4-713903: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.180, Error: Unable to remove PeerTblEntry

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:14s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713904: IP = 87.93.61.xxx, Received encrypted packet with no matching SA, dropping

May 12 2009 13:50:32 LAB-ASA5520 : %ASA-5-713904: IP = 87.93.61.xxx, Received encrypted packet with no matching SA, dropping





Any help with this would be appreciated!


/JF
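The ASA log excerpt above is easier to reason about once each line is split into its parts: timestamp, device, severity, message ID, the leading "Group = / Username = / IP =" fields and the free text. The following Python is an added example, not part of the original post and not a Cisco tool: it parses lines in exactly that syslog format, counts events per severity, and pulls out the error/warning messages (severity 3 and 4) logged between the AAA ACCEPT (113008) and the session disconnect (113019), which is where a defender would look first for why a successfully authenticated peer was torn down. The sample lines are copied from the excerpt above with the peer address masked as the poster masked it; the function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the ASA syslog lines quoted in the post,
# with the public peer address masked exactly as the poster masked it.
SAMPLE_LOG = """\
May 12 2009 13:50:17 LAB-ASA5520 : %ASA-6-713172: Group = CLIENT3G, IP = 87.93.61.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113012: AAA user authentication Successful : local database : user = clientuser3g
May 12 2009 13:50:30 LAB-ASA5520 : %ASA-6-113008: AAA transaction status ACCEPT : user = clientuser3g
May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713131: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Received unknown transaction mode attribute: 28692
May 12 2009 13:50:31 LAB-ASA5520 : %ASA-3-713149: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Hardware client security attribute SECURE UNIT was enabled but not requested.
May 12 2009 13:50:31 LAB-ASA5520 : %ASA-3-713902: Group = CLIENT3G, Username = clientuser3g, IP = 87.93.61.xxx, Removing peer from peer table failed, no match!
May 12 2009 13:50:31 LAB-ASA5520 : %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:14s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
May 12 2009 13:50:31 LAB-ASA5520 : %ASA-5-713904: IP = 87.93.61.xxx, Received encrypted packet with no matching SA, dropping
"""

# "<Mon> <d> <yyyy> <hh:mm:ss> <host> : %ASA-<sev>-<6-digit id>: <body>"
ASA_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Leading "Key = value, " pairs; the value may be empty (e.g. "Group = , ").
FIELD_RE = re.compile(r"([A-Za-z]+) = ([^,]*), ")


@dataclass
class AsaEvent:
    timestamp: str
    host: str
    severity: int
    msgid: str
    fields: Dict[str, str]   # Group / Username / IP when present
    text: str                # free text after the key=value prefix


def split_fields(body: str):
    """Peel off the leading 'Key = value, ' pairs; return (fields, rest)."""
    fields: Dict[str, str] = {}
    pos = 0
    while True:
        m = FIELD_RE.match(body, pos)
        if not m:
            break
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return fields, body[pos:]


def parse_asa_log(text: str) -> List[AsaEvent]:
    """Parse every line that matches the ASA syslog format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = ASA_LINE_RE.match(line.strip())
        if not m:
            continue
        fields, rest = split_fields(m.group("body"))
        events.append(AsaEvent(m.group("ts"), m.group("host"),
                               int(m.group("sev")), m.group("msgid"),
                               fields, rest))
    return events


def severity_histogram(events: List[AsaEvent]) -> Counter:
    return Counter(e.severity for e in events)


def failure_candidates(events: List[AsaEvent]) -> List[str]:
    """Message IDs of severity<=4 events logged after AAA ACCEPT (113008)
    and before the session disconnect (113019): the window in which an
    authenticated peer was rejected, so these are the lines to read first."""
    started, out = False, []
    for e in events:
        if e.msgid == "113008" and "ACCEPT" in e.text:
            started = True
            continue
        if e.msgid == "113019":
            break
        if started and e.severity <= 4:
            out.append(e.msgid)
    return out


def summarize_session(events: List[AsaEvent]) -> Dict[str, Optional[object]]:
    """One-line triage view of a single connection attempt."""
    disconnect = next((e for e in events if e.msgid == "113019"), None)
    summary: Dict[str, Optional[object]] = {
        "auth_accepted": any(e.msgid == "113008" and "ACCEPT" in e.text for e in events),
        "disconnect_reason": None,
        "duration": None,
        "failure_candidates": failure_candidates(events),
    }
    if disconnect:
        m = re.search(r"Reason: (.*)$", disconnect.text)
        summary["disconnect_reason"] = m.group(1).strip() if m else None
        m = re.search(r"Duration: (\S+?),", disconnect.text)
        summary["duration"] = m.group(1) if m else None
    return summary


if __name__ == "__main__":
    evs = parse_asa_log(SAMPLE_LOG)
    print("events by severity:", dict(sorted(severity_histogram(evs).items())))
    print("session summary:", summarize_session(evs))
```

Running it on the sample prints a severity count of {3: 2, 4: 1, 5: 2, 6: 3} and a summary showing authentication accepted, a disconnect after 0h:00m:14s with reason "Unknown", and 713149 and 713902 as the messages between accept and teardown to read first.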


Jouni Forss Thu, 05/14/2009 - 23:03

Hi again,


Managed to get the actual VPN connection up, but I'm still facing some problems.


So the scenario was that I have a Cisco 1841 router with an HWIC-3G-GSM that is to be used for forming a Hardware VPN Client connection (Network Extension Mode) to an ASA.


At the moment I'm able to ping from behind the router to a computer behind the ASA, but when I ping from behind the ASA to the computer behind the router I get no reply.


From looking at ACLs and sh crypto ipsec sa it seems that the packets are forwarded to the tunnel at the ASA and they also get decapsulated at the router, but after that it's a mystery to me. I can ping the computer behind the router from the router, so that isn't the problem at least. The biggest problem here, I guess, is that I haven't configured that many VPNs with IOS.


Some of the routerside configurations are in the attached file.


Can anyone comment on the configuration, if there are any problems there, as to why the ICMP won't work from ASA(host)-->Router(host)-->ASA(host)?


/JF





Jouni Forss Sun, 05/17/2009 - 23:16

Hi,


Even though there have been no replies so far, I thought I'd post an update on the situation.


For some odd reason I have gotten at least something working. After the weekend, when I brought the VPN connection up again, I managed to ping from behind the ASA to the inside interface private IP at the router.


But still, for some reason, the ping won't either go through or return a reply from the host. The host does reply to the router's ping but not to the hosts that are behind the ASA (behind the VPN tunnel).

Jouni Forss Mon, 05/18/2009 - 23:37

Well, this turned out to be a lone discussion, but as a public service to anyone possibly reading this I'll post the results here.


I solved the problem of not being able to ping the host behind the 3G (Hardware Client VPN peer) connection from behind the ASA (other VPN peer). This turned out, funnily enough, to be a Windows setting. What makes it weird is the fact that I have used this computer for setting up networking equipment for a long time and it hasn't given me such problems. And as I mentioned, I was able to ping the host from other locations (such as the router interface).


The solution ended up being to give the following command at the command prompt in Windows:


netsh firewall set icmpsetting 8 enable
