ASA 5510 Remote Access VPN and Site to site VPN trouble

Unanswered Question
Apr 21st, 2010

Hello, all. We are having a Cisco ASA 5510 with a configured Remote Access VPN with RADIUS auth on it. Now we need to add a site-to-site VPN to a device with a dynamic IP address. I added such a tunnel, but after this, traffic in the remote access VPN does not flow. People have a connection but resources are unreachable. There is a message in syslog: IKE Initiator unable to find policy.

Here is the config:

: Saved
: Written by enable_15 at 21:46:05.021 YEKDT Tue Apr 20 2010
!
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name test.ru
enable password ***** encrypted
passwd ***** encrypted
names
name 192.168.101.0 VPN-network
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address aa.aa.aa.aa 255.255.255.224
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone YEKST 5
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.100.2
domain-name test.ru
object-group service DM_INLINE_SERVICE_1
service-object tcp eq 5355
service-object tcp eq aol
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object udp eq isakmp
service-object udp eq 4500
service-object tcp eq 3112
service-object tcp eq 10001
service-object tcp eq 27780
service-object tcp eq 2106
service-object tcp eq 17453
service-object tcp eq 7777
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object 87
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip host 192.168.100.2 any
access-list Inside_access_in_1 extended permit icmp any any
access-list Inside_access_in_1 extended permit ip host 192.168.100.2 any
access-list Inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 192.168.100.0 255.255.255.0 any
access-list Inside_access_in_1 extended permit udp host 192.168.100.3 any eq ntp
access-list Outside_access_in_1 extended permit icmp any any
access-list Outside_access_in_1 extended permit tcp any host aa.aa.aa.aa eq https
access-list Outside_access_in_1 extended permit tcp any host aa.aa.aa.aa eq smtp
access-list Outside_access_in_1 extended permit tcp any host aa.aa.aa.a eq 9001
access-list Inside_nat0_outbound extended permit ip host 192.168.100.4 VPN-network 255.255.255.128
access-list Inside_nat0_outbound extended permit ip host 192.168.100.2 VPN-network 255.255.255.128
access-list Inside_nat0_outbound extended permit ip host 192.168.100.55 VPN-network 255.255.255.128
access-list Inside_nat0_outbound extended permit ip host 192.168.100.52 VPN-network 255.255.255.128
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap debugging
logging history debugging
logging asdm informational
logging host Inside 192.168.100.19
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_Pool-1 192.168.101.11-192.168.101.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location VPN-network 255.255.255.0 Inside
asdm location 192.168.100.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
global (Outside) 2 aa.aa.aa.aa netmask 255.255.255.224
nat (Inside) 0 access-list Outside_cryptomap
nat (Inside) 2 192.168.100.2 255.255.255.255
nat (Inside) 1 192.168.100.0 255.255.255.0
static (Inside,Outside) tcp aa.aa.aa.aa https 192.168.100.2 https netmask 255.255.255.255
static (Inside,Outside) tcp aa.aa.aa.aa smtp 192.168.100.2 smtp netmask 255.255.255.255
static (Inside,Outside) tcp aa.aa.aa.aa 9001 192.168.100.2 3389 netmask 255.255.255.255
access-group Outside_access_in_1 in interface Outside
access-group Inside_access_in_1 in interface Inside
route Outside 0.0.0.0 0.0.0.0 aa.aa.aa.aa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TEST_RADIUS protocol radius
aaa-server TEST_RADIUS (Inside) host 192.168.100.2
key *********
radius-common-pw ***********
acl-netmask-convert auto-detect
http server enable
http VPN-network 255.255.255.0 Inside
http 192.168.100.3 255.255.255.255 Inside
http 192.168.100.2 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map Dlink1 60000 match address Outside_cryptomap
crypto dynamic-map Dlink1 60000 set transform-set ESP-3DES-SHA
crypto map Outside_map 60 ipsec-isakmp dynamic Dlink1
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca server
shutdown
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 300
telnet 192.168.100.2 255.255.255.255 Inside
telnet 192.168.100.3 255.255.255.255 Inside
telnet VPN-network 255.255.255.0 Inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 10
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 83.229.137.50
ntp server 207.46.232.182
webvpn
enable Outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value test.ru
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value test_resorces
username user password 8aW37OK9TyEGFcvUBrjp8A== nt-encrypted privilege 0
username user attributes
vpn-group-policy DefaultRAGroup
vpn-group-policy WebVPNPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key ********
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool-1
authentication-server-group TEST_RADIUS LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key ***************
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group TEST_RADIUS
default-group-policy WebVPNPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
smtp-server 192.168.100.2
prompt hostname context
Cryptochecksum:8234cbc5e419665ac16df19bb973991c
: end

Federico Coto F... Thu, 04/22/2010 - 08:27

Hi,

On this new dynamic-to-static VPN tunnel, the tunnel gets established but can't access resources?

Do you have the remote site LAN defined in the ACL Outside_cryptomap?

Can you confirm the tunnel phase 1 is up with the command sh cry isa sa?

Can you check then if packets are flowing through the tunnel with the command sh cry ip sa?

Federico.

realnakrul Thu, 04/22/2010 - 20:27

Hi,

No, the new dynamic-to-static VPN tunnel works fine. The old remote access VPN does not work. The connection is established, I can see it in ASDM, but resources are unreachable. I think the problem is in NAT or in the access-lists...

Federico Coto F... Thu, 04/22/2010 - 22:32

Old VPN remote access tunnels should work.

The VPN clients should get an IP from the pool 192.168.101.x and be able to reach devices on the 192.168.100.x

When you attempt to connect with a VPN client, can you PING 192.168.100.1 (inside IP of the ASA)?

The local LAN of the remote dynamic-to-static sites is 192.168.102.x?

Sometimes the problem is that the traffic for the VPN clients is sent through a dynamic-to-static tunnel instead of back to the clients.

Federico.
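
As an added example (not from the thread or from Cisco), a small Python lint over the kind of config posted above that flags the overlap Federico describes: a remote-access pool whose addresses fall inside the destination of an ACL bound to a crypto map, plus a NAT 0 exemption that reuses the crypto-map ACL. The config excerpt, the corrected variant and the finding names are constructed here for illustration.

```python
"""Lint an ASA 8.x config for a remote-access pool that is covered by a
crypto-map ACL (return traffic to VPN clients then hits the L2L dynamic map,
which is the "IKE Initiator unable to find policy" symptom) and for a NAT 0
exemption that reuses the crypto-map ACL. Added example, not Cisco code."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in this thread.
CONFIG = """
name 192.168.101.0 VPN-network
access-list Inside_nat0_outbound extended permit ip host 192.168.100.4 VPN-network 255.255.255.128
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128
ip local pool VPN_Pool-1 192.168.101.11-192.168.101.99 mask 255.255.255.0
nat (Inside) 0 access-list Outside_cryptomap
crypto dynamic-map Dlink1 60000 match address Outside_cryptomap
crypto map Outside_map 60 ipsec-isakmp dynamic Dlink1
"""

# Constructed corrected excerpt (assumed remediation, not from the thread):
# the crypto ACL names only the remote site; NAT exemption gets its own ACL.
FIXED_CONFIG = """
name 192.168.101.0 VPN-network
access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128
access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
ip local pool VPN_Pool-1 192.168.101.11-192.168.101.99 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto dynamic-map Dlink1 60000 match address Outside_cryptomap
"""

CRYPTO_ACL_RE = r"^crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)"
NAT0_ACL_RE = r"^nat \(\S+\) 0 access-list (\S+)"


def parse_names(lines):
    """'name <ip> <label>' -> {label: ip}, so ACLs can use object names."""
    names = {}
    for line in lines:
        m = re.match(r"^name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _take_addr(tokens, i, names):
    """Consume one ACL address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(lines, names):
    """'access-list NAME extended permit ip SRC DST' -> {NAME: [(src, dst)]}.
    Only plain 'ip' entries are parsed; that is all a crypto-map ACL needs."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _take_addr(t, 5, names)
        dst, _ = _take_addr(t, i, names)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_pools(lines):
    """'ip local pool NAME START-END ...' -> {NAME: (start, end)}."""
    pools = {}
    for line in lines:
        m = re.match(r"^ip local pool (\S+) (\S+)-(\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def acls_used_by(lines, pattern):
    """Set of ACL names captured by group 1 of pattern across all lines."""
    found = set()
    for line in lines:
        m = re.match(pattern, line)
        if m:
            found.add(m.group(1))
    return found


def overlaps(net, start, end):
    """True if any address of the pool range start..end lies inside net."""
    return net.network_address <= end and net.broadcast_address >= start


def lint(config_text):
    """Return a list of findings (dicts); an empty list means no overlap."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    names = parse_names(lines)
    acls = parse_acls(lines, names)
    pools = parse_pools(lines)
    nat0_acls = acls_used_by(lines, NAT0_ACL_RE)
    findings = []
    for acl in sorted(acls_used_by(lines, CRYPTO_ACL_RE)):
        for _src, dst in acls.get(acl, []):
            for pool, (start, end) in pools.items():
                if overlaps(dst, start, end):   # pool traffic would be tunnelled as L2L
                    findings.append({"issue": "pool-in-crypto-acl", "acl": acl,
                                     "pool": pool, "dst": str(dst)})
        if acl in nat0_acls:   # one list serving both exemption and tunnel selection
            findings.append({"issue": "nat0-shares-crypto-acl", "acl": acl})
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print(finding)
    print("corrected excerpt:", lint(FIXED_CONFIG))
```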

realnakrul Thu, 04/22/2010 - 22:47

You are absolutely right.

VPN clients are getting an IP address from the pool 192.168.101.x but they cannot reach devices on the 192.168.100.x. They cannot ping 192.168.100.1.

The local LAN of the remote dynamic-to-static sites is 192.168.102.x? - Yes.

When I am pinging I receive a message in syslog:

IKE Initiator unable to find policy: Outide, 192.168.101.11, 192.168.100.1

Federico Coto F... Fri, 04/23/2010 - 07:12

Configuration seems fine.

Please gather the output of the following two commands when attempting a connection with a non-working VPN client connection.

debug cry isa 127

debug cry ipsec 127

Those will show us what the problem is.

Federico.

realnakrul Mon, 04/26/2010 - 00:06

Hi all, hope you have a good weekend.

Here is the log. I don't have a lot of devices to test two types of VPN together. The first time I connected as Site to Site VPN and typed on the ASA

sh crypto isakmp sa

sh crypto ipsec sa

Then I disconnected as Site to Site and connected as a remote VPN and typed those commands.

In the first case I received:

ciscoasa(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 188.18.95.223
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
ciscoasa(config)# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Dlink1, seq num: 60000, local addr: aa.aa.aa.aa

      access-list Outside_cryptomap permit ip 192.168.100.0 255.255.255.0 192.16
8.102.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      current_peer: 188.18.95.223

      #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
      #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: aa.aa.aa.aa, remote crypto endpt.: 188.18.95.223

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0200289D

    inbound esp sas:
      spi: 0x68C61AC3 (1757813443)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: Dlink1
         sa timing: remaining key lifetime (sec): 27229
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0001FFFF
    outbound esp sas:
      spi: 0x0200289D (33564829)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: Dlink1
         sa timing: remaining key lifetime (sec): 27229
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

then I received:

ciscoasa(config)# Apr 26 12:36:16 [IKEv1]: IP = 188.18.95.223, IKE_DECODE RECEIV
ED Message (msgid=c3b780f) with payloads : HDR + HASH (8) + DELETE (12) + NONE (
0) total length : 64
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, proc
essing hash payload
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, proc
essing delete
Apr 26 12:36:16 [IKEv1]: Group = DefaultL2LGroup, IP = 188.18.95.223, Connection
terminated for peer DefaultL2LGroup.  Reason: Peer Terminate  Remote Proxy 192.
168.102.0, Local Proxy 192.168.100.0
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, Acti
ve unit receives a delete event for remote peer 188.18.95.223.

Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, IKE
Deleting SA: Remote Proxy 192.168.102.0, Local Proxy 192.168.100.0
Apr 26 12:36:16 [IKEv1]: Group = DefaultL2LGroup, IP = 188.18.95.223, Deleting s
tatic route for L2L peer that came in on a dynamic map. address: 192.168.102.0,
mask: 255.255.255.0
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, IKE
SA MM:107469d3 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tun
cnt 0
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, IKE
SA MM:107469d3 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, send
ing delete/delete with reason message
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, cons
tructing blank hash payload
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, cons
tructing IKE delete payload
Apr 26 12:36:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 188.18.95.223, cons
tructing qm hash payload
Apr 26 12:36:16 [IKEv1]: IP = 188.18.95.223, IKE_DECODE SENDING Message (msgid=2
e137aed) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length :
76
Apr 26 12:36:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x68c61ac3
Apr 26 12:36:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x68c61ac3
Apr 26 12:36:16 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x200289d
Apr 26 12:36:16 [IKEv1]: Ignoring msg to mark SA with dsID 69632 dead because SA
deleted
Apr 26 12:36:16 [IKEv1]: IP = 188.18.95.223, Received encrypted packet with no m
atching SA, dropping
Apr 26 12:36:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:36:40 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src:
192.168.100.55, Dst: 192.168.102.1
Apr 26 12:36:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:36:45 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src:
192.168.100.55, Dst: 192.168.102.1
Apr 26 12:36:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:36:50 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src:
192.168.100.55, Dst: 192.168.102.1
Apr 26 12:36:56 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:36:56 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src:
192.168.100.55, Dst: 192.168.102.1
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE RECEIVED Message (msgid=
0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VEND
OR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 344
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing SA payload
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Oakley proposal is acceptable

Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Received NAT-Traversal RFC VI
D
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Received NAT-Traversal ver 02
VID
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Received Fragmentation VID
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing IKE SA payload
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class
Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, IKE SA Proposal # 1, Transfor
m # 4 acceptable  Matches global IKE entry # 3
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing ISAKMP SA payloa
d
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing NAT-Traversal VI
D ver 02 payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing Fragmentation VI
D + extended capabilities payload
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total leng
th : 124
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE RECEIVED Message (msgid=
0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE
(0) total length : 260
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing ke payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing ISA_KE payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing nonce payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing NAT-Discovery payl
oad
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, computing NAT Discovery hash
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, processing NAT-Discovery payl
oad
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, computing NAT Discovery hash
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing ke payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing nonce payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing Cisco Unity VID
payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing xauth V6 VID pay
load
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Send IOS VID
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Constructing ASA spoofing IOS
Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing VID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, Send Altiga/Cisco VPN3000/Cis
co ASA GW VID
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing NAT-Discovery pa
yload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, computing NAT Discovery hash
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, constructing NAT-Discovery pa
yload
Apr 26 12:50:38 [IKEv1 DEBUG]: IP = 188.17.69.131, computing NAT Discovery hash
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, Connection landed on tunnel_group D
efaultRAGroup
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Gener
ating keys for Responder...
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE RECEIVED Message (msgid=
0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing ID payload
Apr 26 12:50:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 188.17.69.131, ID_I
PV4_ADDR ID received
192.168.102.2
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing hash payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Compu
ting hash for ISAKMP
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, Automatic N
AT Detection Status:     Remote end   IS   behind a NAT device     This   end is
NOT behind a NAT device
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, Connection landed on tunnel_group D
efaultRAGroup
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing ID payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing hash payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Compu
ting hash for ISAKMP
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, PHASE 1 COM
PLETED
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, Keep-alive type for this connection
: None
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Start
ing P1 rekey timer: 21600 seconds.
Apr 26 12:50:38 [IKEv1 DECODE]: IP = 188.17.69.131, IKE Responder starting QM: m
sg id = 00000001
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE RECEIVED Message (msgid=
1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-
OA (131) + NONE (0) total length : 260
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing hash payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing SA payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing nonce payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing ID payload
Apr 26 12:50:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 188.17.69.131, ID_I
PV4_ADDR ID received
192.168.102.2
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, Received re
mote Proxy Host data in ID Payload:  Address 192.168.102.2, Protocol 17, Port 17
01
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing ID payload
Apr 26 12:50:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 188.17.69.131, ID_I
PV4_ADDR ID received
aa.aa.aa.aa
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, Received lo
cal Proxy Host data in ID Payload:  Address aa.aa.aa.aa, Protocol 17, Port 17
01
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, L2TP/IPSec
session detected.
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing NAT-Original-Address payload
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, QM IsRekeye
d old sa not found by addr
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Selec
ting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined
by NAT-Traversal
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, IKE Remote
Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing IPSec SA payload
Apr 26 12:50:38 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class
Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Apr 26 12:50:38 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class
Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Apr 26 12:50:38 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class
Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Apr 26 12:50:38 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class
Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, IPSec
SA Proposal # 2, Transform # 1 acceptable  Matches global IPSec SA entry # 6553
5
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, IKE: reques
ting SPI!
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, IKE g
ot SPI from key engine: SPI = 0xb1747a61
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, oakle
y constucting quick mode
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing blank hash payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing IPSec SA payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing IPSec nonce payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing proxy ID
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Trans
mitting Proxy Id:
  Remote host: 188.17.69.131  Protocol 17  Port 0
  Local host:  aa.aa.aa.aa  Protocol 17  Port 1701
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing NAT-Original-Address payload
Apr 26 12:50:38 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, NAT-Travers
al sending NAT-Original-Address payload
Apr 26 12:50:38 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, const
ructing qm hash payload
Apr 26 12:50:38 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = 188.17.69.131, IKE
Responder sending 2nd QM pkt: msg id = 00000001
Apr 26 12:50:38 [IKEv1]: IP = 188.17.69.131, IKE_DECODE SENDING Message (msgid=1
) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-O
A (131) + NONE (0) total length : 172
Apr 26 12:50:39 [IKEv1]: IP = 188.17.69.131, IKE_DECODE RECEIVED Message (msgid=
1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, proce
ssing hash payload
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, loading all IPSEC SAs
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Generating Quick Mode Key!
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=ab847a10; rule=00000000
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Generating Quick Mode Key!
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, NP encrypt rule look up for crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 matching ACL Unknown: returned cs_id=ab847a10; rule=00000000
Apr 26 12:50:39 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, Security negotiation complete for User ()  Responder, Inbound SPI = 0xb1747a61, Outbound SPI = 0x24233197
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, IKE got a KEY_ADD msg for SA: SPI = 0x24233197
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Pitcher: received KEY_UPDATE, spi 0xb1747a61
Apr 26 12:50:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 188.17.69.131, Starting P2 rekey timer: 3059 seconds.
Apr 26 12:50:39 [IKEv1]: Group = DefaultRAGroup, IP = 188.17.69.131, PHASE 2 COMPLETED (msgid=00000001)
Apr 26 12:50:39 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <188.17.69.131> mask <0xFFFFFFFF> port <57283>
Apr 26 12:50:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:45 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:51 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:51 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:53 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:54 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:55 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:56 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:56 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:57 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:50:57 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:50:58 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
Apr 26 12:51:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:01 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:01 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:03 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:06 [IKEv1]: IKE Initiator unable to find policy: Intf Inside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:08 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:09 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:15 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:51:18 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
Apr 26 12:51:38 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
Apr 26 12:51:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:51:39 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
ciscoasa(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 188.17.69.131
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE
Apr 26 12:51:58 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
ciscoasa(config)# sh crypto ipsec sa
interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: aa.aa.aa.aa

      local ident (addr/mask/prot/port): (aa.aa.aa.aa/255.255.255.255/17/1701)
      remote ident (addr/mask/prot/port): (188.17.69.131/255.255.255.255/17/0)
      current_peer: 188.17.69.131, username: test\admin
      dynamic allocated peer ip: 192.168.101.11

      #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
      #pkts decaps: 185, #pkts decrypt: 185, #pkts verify: 185
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: aa.aa.aa.aa/4500, remote crypto endpt.: 188.17.69.131/57283
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 24233197

    inbound esp sas:
      spi: 0xB1747A61 (2977200737)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport,  NAT-T-Encaps, }
         slot: 0, conn_id: 73728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914775/25369)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x921932FB (2451124987)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Transport,  NAT-T-Encaps, }
         slot: 0, conn_id: 73728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914996/25365)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Apr 26 12:52:18 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
Apr 26 12:52:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:52:27 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:52:38 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283
Apr 26 12:52:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:52:48 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:52:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:52:49 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:52:59 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283

Federico Coto F... Mon, 04/26/2010 - 12:39

There are some things that I don't understand...


For example, according to the ASA configuration, the pool of VPN addresses is 192.168.101.0/25
But, according to the logs/debugs, you're getting a VPN connection from the internal LAN
192.168.100.0/24 to 192.168.102.0/24
There's no Site-to-Site VPN configured.

In other words, the VPN clients should be getting an IP from the VPN pool (not from 192.168.102.x)

If you have changed your configuration, please post it again.

Federico.

realnakrul Mon, 04/26/2010 - 20:08

Hi

No, I didn't change the configuration. At the beginning of the log you can see the site-to-site VPN connection:

      Crypto map tag: Dlink1, seq num: 60000, local addr: aa.aa.aa.aa

      access-list Outside_cryptomap permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      current_peer: 188.18.95.223

Then (at the end of the log) you can see the remote access VPN:

      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: aa.aa.aa.aa

      local ident (addr/mask/prot/port): (aa.aa.aa.aa/255.255.255.255/17/1701)
      remote ident (addr/mask/prot/port): (188.17.69.131/255.255.255.255/17/0)
      current_peer: 188.17.69.131, username: test\admin
      dynamic allocated peer ip: 192.168.101.11

And a lot of continuous errors:

Apr 26 12:52:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 26 12:52:27 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11
Apr 26 12:52:38 [IKEv1]: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 188.17.69.131:57283

Federico Coto F... Mon, 04/26/2010 - 20:22

1. Please check that the VPN client is configured for NAT-T (UDP not TCP)
2. Check that the VPN client is configured for an MTU of 1300 on its virtual network adapter
3. Could you try to establish a VPN client connection from a different location?

Federico.

realnakrul Mon, 04/26/2010 - 20:49

Sorry, what VPN client? I establish the VPN connection using the standard Windows VPN client (remote access connection). I don't remember any NAT-T or MTU settings there...

And as you can see, there are some differences between the site-to-site and remote access connection logs:

      Crypto map tag: Dlink1, seq num: 60000, local addr: aa.aa.aa.aa

      access-list Outside_cryptomap permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      current_peer: 188.18.95.223

      Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: aa.aa.aa.aa

      local ident (addr/mask/prot/port): (aa.aa.aa.aa/255.255.255.255/17/1701)
      remote ident (addr/mask/prot/port): (188.17.69.131/255.255.255.255/17/0)
      current_peer: 188.17.69.131, username: test\admin
      dynamic allocated peer ip: 192.168.101.11

But in the config there is:

access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128

Federico Coto F... Mon, 04/26/2010 - 21:58

I'm sorry.

I thought you were using the Cisco IPsec VPN client.

I now see that you're connecting using L2TP/IPsec.

This is using the windows native VPN connection protected with IPsec.

So, the client connection establishes phase 1.

Also, as we saw on the ''sh cry ips sa'' for the VPN client connection, we see packets encrypted/decrypted.

Do you get increments on those packets every time you attempt to send traffic from the VPN client?

Federico.

realnakrul Mon, 04/26/2010 - 23:20

Every time I try to ping 192.168.100.2 I receive:

Apr 27 12:19:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 27 12:19:40 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11

realnakrul Mon, 04/26/2010 - 23:51

Interesting thing: I deleted

access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.0

and now I can ping 192.168.100.1 (ASA inside interface)

but other resources are unavailable

realnakrul Tue, 04/27/2010 - 01:15

Solved. The problem was in NAT.

The correct line is:

nat (Inside) 0 access-list Inside_nat0_outbound
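The thread ends up exposing two separate misconfigurations: the site-to-site crypto ACL pointed at the remote-access pool (VPN-network /25) instead of the remote LAN, so the ASA tried to find a site-to-site policy for traffic from 192.168.100.2 to the L2TP client at 192.168.101.11 and logged "IKE Initiator unable to find policy"; and LAN-to-pool traffic was not exempted from NAT until the nat 0 line was added. The following Python script is an added example written for this page (not code from the thread or from Cisco) that parses ASA 8.2-style ACEs with the standard library and checks for both conditions, and also flags "unable to find policy" messages whose destination is a pool address. Assumptions: the name VPN-network resolves to 192.168.101.0 as in the posted config, the pool is 192.168.101.0/25, and the content of the Inside_nat0_outbound ACL is assumed, since the thread names the ACL but never shows its ACE; all config and log lines in the block are constructed.

```python
"""Config and log checks for the two faults in this thread: a site-to-site
crypto ACL overlapping the remote-access pool, and a missing NAT exemption
(nat 0) for LAN <-> pool traffic. Added example; every config and log line
below is constructed, modelled on the values posted in the thread."""
import ipaddress
import re

# The posted config maps the object name VPN-network to 192.168.101.0.
NAMES = {"VPN-network": "192.168.101.0"}

LAN = ipaddress.ip_network("192.168.100.0/24")      # Inside LAN from the thread
RA_POOL = ipaddress.ip_network("192.168.101.0/25")  # RA pool (VPN-network /25)

# Constructed "before" config: crypto ACL points at the RA pool, no nat 0 ACE.
BROKEN_CONFIG = [
    "access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128",
]
# Constructed "after" config: crypto ACL points at the remote LAN, and the
# nat 0 ACL (Inside_nat0_outbound; its ACE is assumed) exempts LAN -> pool.
FIXED_CONFIG = [
    "access-list Outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0",
    "access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 VPN-network 255.255.255.128",
    "nat (Inside) 0 access-list Inside_nat0_outbound",
]
# Constructed log lines in the format seen in the thread.
SAMPLE_LOG = [
    "Apr 27 12:19:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0",
    "Apr 27 12:19:40 [IKEv1]: IKE Initiator unable to find policy: Intf Outside, Src: 192.168.100.2, Dst: 192.168.101.11",
]

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended permit ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
)
NO_POLICY_RE = re.compile(
    r"IKE Initiator unable to find policy: Intf (?P<intf>\S+), "
    r"Src: (?P<src>[\d.]+), Dst: (?P<dst>[\d.]+)"
)


def to_network(addr, mask):
    """Resolve an ASA object name or literal address plus dotted netmask."""
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)


def parse_aces(config_lines):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    aces = {}
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if m:
            aces.setdefault(m["acl"], []).append(
                (to_network(m["src"], m["smask"]), to_network(m["dst"], m["dmask"]))
            )
    return aces


def crypto_acl_overlaps_pool(aces, crypto_acl, pool):
    """True when a site-to-site crypto ACE also matches traffic to RA clients;
    the ASA then looks for a site-to-site policy for that traffic and logs
    'IKE Initiator unable to find policy'."""
    return any(dst.overlaps(pool) for _, dst in aces.get(crypto_acl, []))


def nat0_covers_pool(aces, nat0_acl, lan, pool):
    """True when some ACE of the NAT-exemption ACL covers LAN -> pool."""
    return any(lan.subnet_of(src) and pool.subnet_of(dst)
               for src, dst in aces.get(nat0_acl, []))


def policy_failures_to_pool(log_lines, pool):
    """(src, dst) pairs of 'unable to find policy' messages whose destination
    is an RA-pool address, i.e. LAN hosts replying to VPN clients."""
    hits = []
    for line in log_lines:
        m = NO_POLICY_RE.search(line)
        if m and ipaddress.ip_address(m["dst"]) in pool:
            hits.append((m["src"], m["dst"]))
    return hits


def audit(config_lines, log_lines):
    """Run all three checks and return a findings dict."""
    aces = parse_aces(config_lines)
    return {
        "crypto_acl_overlaps_pool": crypto_acl_overlaps_pool(aces, "Outside_cryptomap", RA_POOL),
        "nat0_exempts_lan_to_pool": nat0_covers_pool(aces, "Inside_nat0_outbound", LAN, RA_POOL),
        "policy_failures_to_pool": policy_failures_to_pool(log_lines, RA_POOL),
    }


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit(cfg, SAMPLE_LOG))
```

Against the "before" config the audit reports the crypto-ACL overlap, no NAT exemption, and one policy failure towards 192.168.101.11; against the "after" config both configuration findings clear. The log check is the quickest triage step: a stream of "unable to find policy" messages whose Dst is a pool address means the ASA is trying to build a LAN-to-LAN SA towards a remote-access client, which points straight at the crypto ACL rather than at the client.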
