IPSec VPN to ASA 5510

Answered Question
Sep 28th, 2010

Hi all

For a couple of days now, I have been trying to resolve the following

issue. I am not really experienced in ASAs or VPN, so any help will be appreciated.


I'm trying to set up a remote-access VPN to an ASA, but


I get the following error:


firewall# Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP = xxxxxxxxxxxx
, QM FSM error (P2 struct &0xac69d548, mess id 0x14921bd8)!
Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP =xxxxxxxxxxxxxxxxxxxxx
, Removing peer from correlator table failed, no match!


I have attached my running config


If anyone has an idea, please let me know.


Kind regards


Bert

Jennifer Halim Tue, 09/28/2010 - 05:42
Cisco Employee

The following configuration should be removed as it is not required:


no access-list inside_nat0_outbound_1 extended permit ip 192.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list inside_nat0_outbound_1 extended permit ip any 192.0.0.128 255.255.255.224

no nat (inside) 0 access-list inside_nat0_outbound_2 outside

no access-list inside_nat0_outbound_2 extended permit ip object-group VPNSites 172.16.0.0 255.255.255.0


After the above changes, please run the following debugs on ASA:

debug cry isa

debug cry ipsec


Please also turn on logs on VPN Client.


Collect the debug output from ASA and logs from VPN Client after trying to connect via vpn client.

Bert Kelchtermans Wed, 09/29/2010 - 00:16

Thanks for the help


But are you sure that I should remove those access-lists? We also have some site-to-site VPN connections.



Here is the output I got from


debug cry ipsec

debug cry isa


Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP
= XXXXXXXXXXXXXXX, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXX

, Removing peer from correlator table failed, no match!



This is the log from my ipsec client.


Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\


1      09:10:17.483  09/29/10  Sev=Info/4    CM/0x63100002
Begin connection process


2      09:10:17.498  09/29/10  Sev=Info/4    CM/0x63100004
Establish secure connection


3      09:10:17.498  09/29/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "94.107.244.10"


4      09:10:17.514  09/29/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 94.107.244.10.


5      09:10:17.530  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 94.107.244.10


6      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10


7      09:10:17.530  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 94.107.244.10


8      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer


9      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH


10     09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD


11     09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads


12     09:10:17.545  09/29/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful


13     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 94.107.244.10


14     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x066D, Remote Port = 0x01F4


15     09:10:17.545  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


16     09:10:17.545  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX


17     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

18     09:10:17.545  09/29/10  Sev=Info/4    CM/0x63100015
Launch xAuth application


19     09:10:17.623  09/29/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started


20     09:10:17.623  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


21     09:10:23.030  09/29/10  Sev=Info/4    CM/0x63100017
xAuth application returned


22     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 94.107.244.10


23     09:10:23.030  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX


24     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX


25     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX


26     09:10:23.030  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system


27     09:10:23.623  09/29/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator


28     09:10:23.623  09/29/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).


29     09:10:23.639  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX


30     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10


31     09:10:23.639  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX


32     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.0.0.141


33     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0


34     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.0.0.29


35     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.0.0.30


36     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000


37     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = XXXXXXXXXXXXXXXXXXXXXXXXX


38     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000


39     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(1) built by builders on Tue 05-May-09 22:45


40     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001


41     09:10:23.639  09/29/10  Sev=Info/4    CM/0x63100019
Mode Config data received


42     09:10:23.655  09/29/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 192.0.0.141, GW IP = XXXXXXXXXXXXXXXXXXXXXXXXX, Remote IP = 0.0.0.0


43     09:10:23.655  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10


44     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX


45     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 94.107.244.10


46     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds


47     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now


48     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX


49     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10


50     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 94.107.244.10


51     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96


52     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED


53     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer =XXXXXXXXXXXXXXXXXXXXXXXXX


54     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA


55     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 94.107.244.10


56     09:10:24.623  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


57     09:10:27.123  09/29/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED


58     09:10:27.123  09/29/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


59     09:10:27.123  09/29/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv


60     09:10:27.139  09/29/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.


61     09:10:27.139  09/29/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection


62     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


63     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


64     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys


65     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped



Thanks in advance


Bert

Jennifer Halim Wed, 09/29/2010 - 05:28
Cisco Employee

Yes, you should remove that because it is already covered under the following NAT:


nat (inside) 0 access-list inside_nat0_outbound_1


You currently have 2 NAT exemption statements on inside interface, and the one with "outside" keyword should be removed.


And also add the following, as from the debugs the IPSec proposal does not match:


crypto dynamic-map remote-dyn-map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map remote-dyn-map 50 set transform-set ESP-3DES-SHA
crypto map outside_map 65000 ipsec-isakmp dynamic remote-dyn-map
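The reply above reads the failure off the debugs: phase 1, XAUTH and mode-config all complete on the client side, the client then sends its quick-mode proposal and the ASA answers with NOTIFY:NO_PROPOSAL_CHOSEN, which is the same event the ASA logs as "QM FSM error ... mess id 0xea4f7e96". The script below is an added example (not code from this thread or from Cisco) that automates that reading: it parses the Cisco VPN Client log layout seen above (a header line "<n> <time> <date> Sev=<level>/<n> <module>/<code>" followed by the message on the next line), decides which phase failed, and ties the client's quick-mode MsgID to the ASA's "mess id" so the two captures can be matched. The sample log lines are copied from the posts above (the wrapped ASA line is joined back onto one line); the parsing rules and the phase labels are assumptions based on that log.

```python
"""Classify a failed Cisco VPN Client (IKEv1 / Unity) connection from its log
and correlate it with an ASA 'debug crypto isakmp' capture.

Added example, not code from the thread or from Cisco. The log layout and the
ASA 'QM FSM error' line are taken from the posts above; everything else is
an assumption for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the client log posted in the thread.
SAMPLE_CLIENT_LOG = """\
5      09:10:17.530  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 94.107.244.10
15     09:10:17.545  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
21     09:10:23.030  09/29/10  Sev=Info/4    CM/0x63100017
xAuth application returned
26     09:10:23.030  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
41     09:10:23.639  09/29/10  Sev=Info/4    CM/0x63100019
Mode Config data received
43     09:10:23.655  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10
49     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10
51     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96
58     09:10:27.123  09/29/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Constructed sample: the ASA debug lines posted in the thread, unwrapped.
SAMPLE_ASA_DEBUG = """\
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXXXXXXX, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXX, Removing peer from correlator table failed, no match!
"""

# Header line: "<seq> <time> <date> Sev=<level>/<n> <module>/<hexcode>"
HEADER = re.compile(
    r"^\s*(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$"
)
# ASA quick-mode failure line; the message ID is what the client calls MsgID.
ASA_QM_ERROR = re.compile(
    r"Group = ([^,]+), Username = ([^,]+), IP = ?[^,]+, QM FSM error \(P2 struct [^,]+, mess id 0x([0-9a-fA-F]+)\)"
)


@dataclass
class Entry:
    seq: int
    module: str      # IKE, CM or IPSEC
    code: str
    message: str


def parse_client_log(text: str) -> List[Entry]:
    """Pair every header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append(Entry(int(m.group(1)), m.group(6), m.group(7), lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return entries


@dataclass
class Verdict:
    phase1: bool = False                 # ISAKMP SA established
    xauth: bool = False                  # user authenticated
    modecfg: bool = False                # address / DNS pushed to client
    qm_sent: bool = False                # client proposed an IPsec SA (quick mode)
    error_notify: Optional[str] = None   # first non-STATUS notify from the gateway
    qm_msgid: Optional[str] = None       # quick-mode message ID, lower-case hex
    failing_phase: str = "none"


def classify(entries: List[Entry]) -> Verdict:
    """Walk the log in order and record how far the exchange got."""
    v = Verdict()
    for e in entries:
        msg = e.message
        if msg.startswith("Established Phase 1 SA"):
            v.phase1 = True
            if "1 User Authenticated IKE SA" in msg:
                v.xauth = True
        elif msg.startswith("Mode Config data received"):
            v.modecfg = True
        elif msg.startswith("SENDING") and "ISAKMP OAK QM" in msg:
            v.qm_sent = True
        elif msg.startswith("RECEIVING") and "NOTIFY:" in msg:
            n = re.search(r"NOTIFY:([A-Z_]+)", msg)
            # STATUS_* notifies (RESP_LIFETIME, INITIAL_CONTACT) are informational.
            if n and not n.group(1).startswith("STATUS_") and v.error_notify is None:
                v.error_notify = n.group(1)
        m = re.search(r"MsgID=([0-9A-Fa-f]+)", msg)
        if m:
            v.qm_msgid = m.group(1).lower()
    if not v.phase1:
        v.failing_phase = "phase1"
    elif not v.xauth:
        v.failing_phase = "xauth"
    elif not v.modecfg:
        v.failing_phase = "modecfg"
    elif v.qm_sent and v.error_notify:
        v.failing_phase = "phase2"
    return v


def asa_qm_failures(text: str) -> Dict[str, Tuple[str, str]]:
    """Map ASA quick-mode message IDs to (tunnel group, username)."""
    out: Dict[str, Tuple[str, str]] = {}
    for ln in text.splitlines():
        m = ASA_QM_ERROR.search(ln)
        if m:
            out[m.group(3).lower()] = (m.group(1), m.group(2))
    return out


def correlate(v: Verdict, asa_debug: str) -> Optional[Tuple[str, str]]:
    """Find the ASA 'QM FSM error' that belongs to the client's failed quick mode."""
    if v.qm_msgid is None:
        return None
    return asa_qm_failures(asa_debug).get(v.qm_msgid)


if __name__ == "__main__":
    verdict = classify(parse_client_log(SAMPLE_CLIENT_LOG))
    print(verdict.failing_phase, verdict.error_notify, correlate(verdict, SAMPLE_ASA_DEBUG))
```

A "phase2" verdict with NO_PROPOSAL_CHOSEN means the ISAKMP SA, XAUTH and mode-config are fine and only the IPsec proposal (transform set, mode, or proxy identities) is rejected, which is why the reply above goes to the dynamic crypto map rather than to the tunnel-group or pre-shared key.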

Bert Kelchtermans Thu, 09/30/2010 - 00:13

Hi Jennifer


Thank you for all the help. I've added the commands you gave me, but

I am still getting the same error messages from the debugs.


When I use my VPN client to connect, I have to log in with my username and password,

and then I get "securing communications channel" followed by "not connected".


I've attached them.


Thank you


Bert

Correct Answer
Jennifer Halim Thu, 09/30/2010 - 00:41
Cisco Employee

Assuming that you are not using L2TP, please kindly remove the following line:


crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp

Bert Kelchtermans Thu, 09/30/2010 - 03:00

Hi


That solved my problem, thank you very much.


I have one more question.


My network looks like this



ASA5510 ---------------------------Router (don't know the type, not managed by me)-----------------------Internal network



Will the people who connect to the vpn have local lan access?



I can't test this until Saturday; I was just wondering because they told me that that was an issue with previous installations.


Again, thank you very much

Jennifer Halim Thu, 09/30/2010 - 03:56
Cisco Employee

Based on your configuration, your ip local pool for the VPN is in the same subnet as your internal network. You should change the pool to a different, unique subnet.


Then you would need to add the "inside_nat0_outbound" with the newly created ip pool subnet:


access-list inside_nat0_outbound extended permit ip any


Assuming that the router that is not managed by you has default gateway pointing towards the ASA inside interface, you should have access to your internal network. That is the purpose of IPSec VPN client, ie: to get access to your internal network.

Bert Kelchtermans Thu, 09/30/2010 - 04:20

So if I understand correctly, I should change the following:


ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip any <192.0.1.0> <255.255.255.0>


What about the DNS server setting? It is now 192.0.0.29; does this have to change?


I have adjusted my topology; the previous one was not correct. The internal network is directly connected to the ASA.


ASA5510(192.0.0.40) ---------------------------(192.0.0.187)Router (don't know the type, not managed by me)

                                |----------------------Internal network (192.0.0.0)



thank you

Jennifer Halim Thu, 09/30/2010 - 04:33
Cisco Employee

Yes, absolutely correct.

DNS can stay the same if that is the correct internal DNS server IP address.
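The two posts above agree on the fix: move the VPN pool out of the inside subnet (192.0.0.0/24) and add a NAT-exemption ACL entry for the new pool subnet. The check below is an added example (not code from this thread or from Cisco) that does that on a config fragment: it parses the "ip local pool" line, compares the actual address range (not just the enclosing network) against the inside subnet, and emits the nat 0 ACL line in the ASA 8.2 syntax used here. The ACL name inside_nat0_outbound and the addresses come from the thread; the "tight" option, which scopes the source to the inside subnet instead of "any", is my own addition and not something the thread asks for.

```python
"""Check a remote-access VPN address pool against the inside subnet and build
the NAT-exemption (nat 0) ACL line for it.

Added example, not code from the thread or from Cisco. Assumes the ASA 8.2
syntax used in the posts: 'ip local pool NAME FIRST-LAST mask MASK' and
'access-list NAME extended permit ip SRC DST-NET DST-MASK'.
"""
import ipaddress
import re
from typing import Dict, Tuple

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def parse_pool(line: str) -> Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, ipaddress.IPv4Network]:
    """Return (name, first, last, enclosing network) for an 'ip local pool' line."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 'ip local pool' line: {line!r}")
    name, first, last, mask = m.groups()
    first_ip = ipaddress.IPv4Address(first)
    last_ip = ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError("pool range is reversed")
    # The mask on the pool statement is the subnet the clients are told they are in.
    net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
    if last_ip not in net:
        raise ValueError(f"pool end {last} lies outside {net} implied by mask {mask}")
    return name, first_ip, last_ip, net


def check_pool(pool_line: str, inside_cidr: str,
               acl_name: str = "inside_nat0_outbound", tight: bool = False) -> Dict[str, object]:
    """Flag a pool that overlaps the inside subnet and produce the nat 0 lines.

    tight=True limits the ACL source to the inside subnet instead of 'any'
    (an assumption of this example, not what the thread configures).
    """
    inside = ipaddress.IPv4Network(inside_cidr)
    name, first, last, net = parse_pool(pool_line)
    # Compare the real address range: a pool can sit inside a bigger subnet
    # even when its own /24 network looks distinct.
    blocks = list(ipaddress.summarize_address_range(first, last))
    overlaps = any(b.overlaps(inside) for b in blocks)
    src = f"{inside.network_address} {inside.netmask}" if tight else "any"
    acl = f"access-list {acl_name} extended permit ip {src} {net.network_address} {net.netmask}"
    return {
        "pool": name,
        "pool_network": str(net),
        "overlaps_inside": overlaps,
        "nat0_acl": acl,
        "nat0_stmt": f"nat (inside) 0 access-list {acl_name}",
        "advice": "move the pool to a subnet that does not overlap the inside network"
                  if overlaps else "ok",
    }


if __name__ == "__main__":
    for line in ("ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0",
                 "ip local pool VPN-Clients 192.0.0.129-192.0.0.150 mask 255.255.255.0"):
        r = check_pool(line, "192.0.0.0/24")
        print(r["pool_network"], r["overlaps_inside"], r["advice"])
        print(r["nat0_acl"])
```

Running it against the second line (a pool carved out of 192.0.0.0/24, the situation the reply above describes) reports the overlap; the first line, the pool Bert proposes, is clean and yields the ACL entry he wrote out.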

Bert Kelchtermans Thu, 09/30/2010 - 04:55

Ok, thank you very much


EDIT: I have configured my ASA like you suggested, but I still don't seem to have local LAN access.


These are the settings I get from my DHCP pool:



Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2



One last question: I have to forward a couple of ports to the router.


Is this correct?




access-list outside-access-in extended permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.0.0.187 3389 netmask 255.255.255.255


thank you

Jennifer Halim Thu, 09/30/2010 - 05:35
Cisco Employee

No, you don't have to forward anything on the ASA.

Once you VPN in, you should be able to access 192.0.0.187 if it's allowed for RDP. Please kindly make sure that personal firewall on that PC is turned off as it will not allow inbound connection from a different subnet.

Bert Kelchtermans Thu, 09/30/2010 - 05:44

Hello


Ok, but when I connect I still cannot ping other clients in the network or the inside interface of the ASA.



And when connected, the default gateway points to my client's IP address:


Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2




Thank you
