ASA 5510 VPN issue

Unanswered Question
Jun 8th, 2009

Dear all,

I have configured remote access VPN on a Cisco ASA 5510. It was running Cisco IOS 7.2 version and then I upgraded it to Cisco IOS 8.0, but the Cisco VPN clients still cannot connect to the VPN. Following is the log on the Cisco VPN client:

Cisco Systems VPN Client Version 5.0.02.0090

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6002 Service Pack 2

49 16:53:59.236 06/08/09 Sev=Info/4 CM/0x63100002

Begin connection process

50 16:53:59.249 06/08/09 Sev=Info/4 CM/0x63100004

Establish secure connection

51 16:53:59.250 06/08/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "ajmdubai.dyndns.org"

52 16:53:59.269 06/08/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 217.165.146.206

53 16:53:59.468 06/08/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

54 16:53:59.468 06/08/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

55 16:54:04.538 06/08/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

56 16:54:04.539 06/08/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 217.165.146.206

57 16:54:09.609 06/08/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

58 16:54:09.609 06/08/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 217.165.146.206

59 16:54:14.679 06/08/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

60 16:54:14.679 06/08/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 217.165.146.206

61 16:54:19.749 06/08/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=99EAAB2E98CFE782 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

62 16:54:20.262 06/08/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=99EAAB2E98CFE782 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

63 16:54:20.263 06/08/09 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "ajmdubai.dyndns.org" because of "DEL_REASON_PEER_NOT_RESPONDING"

64 16:54:20.263 06/08/09 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

65 16:54:20.268 06/08/09 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

66 16:54:20.271 06/08/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

67 16:54:20.762 06/08/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

68 16:54:20.763 06/08/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

69 16:54:20.763 06/08/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

70 16:54:20.763 06/08/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Following is the error captured on the Cisco ASA 5510:

group=ajmremote ip=x.x.x.x removing peer from peer table failed no match

error unable to remove peer tblentry

recieved invalid cookie message for non-existent SA

I am attaching the config done on the Cisco ASA 5510. Please go through it and please advise ASAP, as I am facing a deadline to fix it: from Wednesday the users are about to work from home and I need this remote access VPN to be working.

Please see the config done on the Cisco ASA 5510 for remote access VPN; it is in the attachment.

kstiver Tue, 06/09/2009 - 20:51

The VPN Client is not getting a response from the ASA, as indicated by DEL_REASON_PEER_NOT_RESPONDING. I see that the client debug indicates a destination address of 217.165.146.206, but your config has an outside address of 10.0.0.2...
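
The reading of the client log described above, as an added example that is not part of the original thread: a Python triage of a Cisco VPN Client log that counts IKE sends and retransmissions and flags an all-zero R_Cookie, which means no reply from the peer was ever processed. The sample log is constructed, and the `RECEIVING <<<` inbound marker is an assumption not shown in the post.

```python
import re

# Entry header, e.g. "52 16:53:59.269 06/08/09 Sev=Info/4 IKE/0x63000013"
HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+\S+\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+$")
COOKIES = re.compile(r"R_Cookie=([0-9A-F]{16})\) reason = (\w+)")

# Constructed sample in the layout of the log in the post
# (203.0.113.10 is a documentation address, not the poster's peer).
SAMPLE_LOG = """\
1 10:00:00.000 01/01/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to 203.0.113.10
2 10:00:05.000 01/01/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
3 10:00:05.001 01/01/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 203.0.113.10
4 10:00:10.000 01/01/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0123456789ABCDEF R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_entries(text):
    """Return [(seq, module, message)]; blank lines between entries are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        header = HEADER.match(line)
        if header:
            entries.append([int(header.group(1)), header.group(2), ""])
        elif line and entries:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [tuple(e) for e in entries]

def triage_phase1(text):
    """Summarise the IKE exchange and flag 'peer never answered'."""
    result = {"sent": 0, "retransmits": 0, "received": 0,
              "peer": None, "r_cookie": None, "reason": None}
    for _, module, msg in parse_entries(text):
        if module != "IKE":
            continue
        if msg.startswith("SENDING >>>"):
            result["sent"] += 1
            result["retransmits"] += "(Retransmission)" in msg
            result["peer"] = msg.rsplit(" to ", 1)[-1]
        elif msg.startswith("RECEIVING <<<"):  # assumed inbound marker, not shown in the post
            result["received"] += 1
        found = COOKIES.search(msg)
        if found:
            result["r_cookie"], result["reason"] = found.groups()
    # The responder fills in R_Cookie in its first IKE message, so an
    # all-zero value at teardown means no reply was ever processed.
    result["no_reply"] = (result["received"] == 0 and result["r_cookie"] is not None
                          and set(result["r_cookie"]) == {"0"})
    return result
```

A `no_reply` result points the investigation at the path to the peer (the address the client resolved, UDP 500/4500 forwarding, the outside access list) rather than at Phase 1 proposals or credentials.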

slmansfield Wed, 06/10/2009 - 06:04

In addition to the issue raised by kstiver, I'm wondering whether your outside-entry access list is too restrictive.

mirzaakberali Thu, 06/11/2009 - 00:45

Yes, the outside address is 10.0.0.2. It is working behind an ADSL router and I have done port forwarding for ports 4500 and 500 UDP on the ADSL router to the firewall.

One more interesting thing I have noticed is that no one can initiate a VPN client connection from that office. I believe that the ASA 5510 is blocking outgoing client VPN connections.

Waiting eagerly for the response.
