cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2191
Views
10
Helpful
6
Replies

vpn client issue with avaya vpn phone

zeuscyril
Level 4
Level 4

hi all,

i configured asa 5505 with remote vpn client

and i used these vpn client to connect avaya vpn hard phones and i connected 4 phones using same username and password

if i connect 5th phone it is not connecting and if i try to connect cisco vpn client also not connecting with same username and password.

i am attaching the config file!

plz check the config and give me the solution


hostname ciscoasa
domain-name default.domain.invalid
enable password ZYx9xaV1.cM.IUcY encrypted
passwd M5Z8qN9wxh2rt.Wo encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 80.227.2.2
name-server 80.27.2.3
domain-name default.domain.invalid
access-list iclgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.25
5.0
access-list test extended permit icmp any any time-exceeded
access-list test extended permit icmp any any unreachable
access-list test extended permit icmp any any echo
access-list test extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool poolvpn 192.168.100.10-192.168.100.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.20-192.168.10.51 inside
dhcpd enable inside
!

group-policy iclgroup internal
group-policy iclgroup attributes
dns-server value 80.227.2.2 80.227.2.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value iclgroup_splitTunnelAcl
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username iclvpn password LJ.MQHluNRiNWHbt encrypted privilege 0
username iclvpn attributes
vpn-group-policy iclgroup
tunnel-group iclgroup type ipsec-ra
tunnel-group iclgroup general-attributes
address-pool poolvpn
default-group-policy iclgroup
tunnel-group iclgroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9435774fe4af39f

6 Replies 6

Hi,

Check how many VPN tunnels are currently active on the ASA.

You can check this with the command:  sh cry isa sa

The ASA 5505 (without a Security Plus license) can only support up to 10 IPsec tunnels (site-to-site or remote access).

Make sure if you have the license (sh ver) or if you're reaching the max. amount of tunnels permitted.

Federico.

hi Federico,

if i connect 4 phones it will take only 4 tunnels

am i correct ? i am using 3des encryption

thanks

cyril

Yes, I would think that if you connect only four phones, it will be like connecting 4 VPN clients. To make sure you can check the active

tunnels ''sh cry isa sa''

If the ASA has only 4 tunnels active, and it won't let you connect more than that, definitely we're not looking at the license issue. Please verify because the ASA might have Site-to-Site tunnels established or more remote access.

Federico.

ok

i ll check it

thanks

hi,

i checked the sh crypto isakmp sa

only shows 4 sa

but i created addtionally new username and paswor for vpn then it works

thanks

cyril

Ok, so it's working fine now?

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: