09-28-2010 04:14 AM
Hi all
For a couple of days now, I have been trying to resolve the following
issue. I am not really experienced with ASAs or VPN, so any help will be appreciated.
I'm trying to set up a remote access VPN to an ASA, but
I get the following error:
firewall# Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP = xxxxxxxxxxxx, QM FSM error (P2 struct &0xac69d548, mess id 0x14921bd8)!
Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP = xxxxxxxxxxxxxxxxxxxxx, Removing peer from correlator table failed, no match!
I have attached my running config
If anyone has an idea, please let me know.
Kind regards
Bert
09-28-2010 05:42 AM
The following configuration should be removed as it is not required:
no access-list inside_nat0_outbound_1 extended permit ip 192.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list inside_nat0_outbound_1 extended permit ip any 192.0.0.128 255.255.255.224
no nat (inside) 0 access-list inside_nat0_outbound_2 outside
no access-list inside_nat0_outbound_2 extended permit ip object-group VPNSites 172.16.0.0 255.255.255.0
After the above changes, please run the following debugs on ASA:
debug cry isa
debug cry ipsec
Please also turn on logging on the VPN Client.
Collect the debug output from ASA and logs from VPN Client after trying to connect via vpn client.
09-29-2010 12:16 AM
Thanks for the help
But are you sure that I should remove those access-lists? We also have some site-to-site VPN connections.
Here is the output I got from
debug cry ipsec
debug cry isa
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXXXXXXX, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXX, Removing peer from correlator table failed, no match!
This is the log from my ipsec client.
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 09:10:17.483 09/29/10 Sev=Info/4 CM/0x63100002
Begin connection process
2 09:10:17.498 09/29/10 Sev=Info/4 CM/0x63100004
Establish secure connection
3 09:10:17.498 09/29/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "94.107.244.10"
4 09:10:17.514 09/29/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 94.107.244.10.
5 09:10:17.530 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 94.107.244.10
6 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10
7 09:10:17.530 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 94.107.244.10
8 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
9 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
10 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD
11 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
12 09:10:17.545 09/29/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
13 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 94.107.244.10
14 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x066D, Remote Port = 0x01F4
15 09:10:17.545 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
16 09:10:17.545 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX
17 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX
18 09:10:17.545 09/29/10 Sev=Info/4 CM/0x63100015
Launch xAuth application
19 09:10:17.623 09/29/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
20 09:10:17.623 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
21 09:10:23.030 09/29/10 Sev=Info/4 CM/0x63100017
xAuth application returned
22 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 94.107.244.10
23 09:10:23.030 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX
24 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX
25 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX
26 09:10:23.030 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
27 09:10:23.623 09/29/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
28 09:10:23.623 09/29/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
29 09:10:23.639 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX
30 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10
31 09:10:23.639 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX
32 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.0.0.141
33 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
34 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.0.0.29
35 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.0.0.30
36 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
37 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = XXXXXXXXXXXXXXXXXXXXXXXXX
38 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
39 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(1) built by builders on Tue 05-May-09 22:45
40 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
41 09:10:23.639 09/29/10 Sev=Info/4 CM/0x63100019
Mode Config data received
42 09:10:23.655 09/29/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.0.0.141, GW IP = XXXXXXXXXXXXXXXXXXXXXXXXX, Remote IP = 0.0.0.0
43 09:10:23.655 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10
44 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX
45 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 94.107.244.10
46 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
47 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
48 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX
49 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10
50 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 94.107.244.10
51 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96
52 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED
53 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer =XXXXXXXXXXXXXXXXXXXXXXXXX
54 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA
55 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 94.107.244.10
56 09:10:24.623 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
57 09:10:27.123 09/29/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED
58 09:10:27.123 09/29/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
59 09:10:27.123 09/29/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
60 09:10:27.139 09/29/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
61 09:10:27.139 09/29/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
62 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
64 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
65 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Thanks in advance
Bert
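Added example, not part of the thread and not Cisco code: a small Python script that parses a Cisco VPN Client log in the format shown above together with the ASA's IKEv1 debug lines, works out how far the exchange got (Phase 1, XAUTH, mode-config, Quick Mode), and matches the client's "Discarding IPsec SA negotiation, MsgID=..." against the ASA's "mess id" so that both sides' records of the same failed Quick Mode can be tied together. The embedded samples are constructed from the log excerpt above; the peer IP in the ASA lines was masked in the post, so the documentation address 203.0.113.5 is assumed there, and the message strings matched are the ones this client version (5.0.03) printed, which other versions may word differently.

```python
import re
from dataclasses import dataclass

# Constructed sample: events copied from the client log in this thread, trimmed
# to the ones the diagnosis looks at (event numbers kept as posted).
SAMPLE_CLIENT_LOG = """\
15 09:10:17.545 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
26 09:10:23.030 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
41 09:10:23.639 09/29/10 Sev=Info/4 CM/0x63100019
Mode Config data received
43 09:10:23.655 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10
45 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 94.107.244.10
49 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10
51 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96
58 09:10:27.123 09/29/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Constructed sample of the ASA debug lines from the thread; the peer IP was
# masked in the post, so a documentation address (203.0.113.5) is assumed.
SAMPLE_ASA_DEBUG = """\
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = 203.0.113.5, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = 203.0.113.5, Removing peer from correlator table failed, no match!
"""

CLIENT_HDR = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
ASA_LINE = re.compile(r"\[IKEv1\]: Group = (\S+), Username = (\S+), IP = (\S+), (.*)$")
CLIENT_MSGID = re.compile(r"MsgID=([0-9A-Fa-f]+)")
ASA_MSGID = re.compile(r"mess id 0x([0-9A-Fa-f]+)")
NOTIFY = re.compile(r"NOTIFY:(\w+)")


@dataclass
class ClientEvent:
    seq: int
    time: str
    module: str   # IKE, CM or IPSEC
    code: str     # e.g. 0x63000013
    message: str


def parse_client_log(text):
    """Pair each 'N time date Sev=.. MOD/0x..' header with the message on the next line."""
    lines = [ln.strip() for ln in text.splitlines()]
    events, i = [], 0
    while i < len(lines):
        m = CLIENT_HDR.match(lines[i])
        if m and i + 1 < len(lines):
            events.append(ClientEvent(int(m.group(1)), m.group(2), m.group(6), m.group(7), lines[i + 1]))
            i += 2
        else:
            i += 1
    return events


def parse_asa_debug(text):
    """Extract group, user, peer IP, message and the Phase 2 message id from IKEv1 debug lines."""
    entries = []
    for line in text.splitlines():
        m = ASA_LINE.search(line)
        if not m:
            continue
        group, user, ip, msg = m.groups()
        mid = ASA_MSGID.search(msg)
        entries.append({"group": group, "username": user, "ip": ip, "message": msg,
                        "mess_id": mid.group(1).lower() if mid else None})
    return entries


def diagnose(client_events, asa_entries):
    """Record how far the exchange got and tie the client's discarded Quick Mode
    MsgID to the ASA's 'mess id' for the same negotiation."""
    stage, notify, client_msgid = "start", None, None
    for ev in client_events:
        msg = ev.message
        if msg.startswith("Established Phase 1 SA"):
            stage = "xauth" if "1 User Authenticated IKE SA" in msg else "phase1"
        elif msg.startswith("Mode Config data received"):
            stage = "modecfg"
        elif "SENDING >>> ISAKMP OAK QM" in msg:
            stage = "qm_sent"
        elif stage == "qm_sent" and msg.startswith("RECEIVING") and (n := NOTIFY.search(msg)):
            if n.group(1) != "STATUS_RESP_LIFETIME":   # lifetime notify is informational
                notify = n.group(1)
        elif (m := CLIENT_MSGID.search(msg)):
            client_msgid = m.group(1).lower()
    asa_ids = {e["mess_id"] for e in asa_entries if e["mess_id"]}
    correlated = client_msgid is not None and client_msgid in asa_ids
    if stage == "qm_sent" and notify == "NO_PROPOSAL_CHOSEN":
        verdict = ("Phase 1, XAUTH and mode-config completed; the ASA rejected the Phase 2 "
                   "(IPsec SA) proposal. Compare the transform sets on the dynamic crypto map "
                   "with what the client offers.")
    elif stage == "qm_sent":
        verdict = f"Phase 2 did not complete (notify: {notify})."
    elif stage in ("phase1", "xauth", "modecfg"):
        verdict = f"Exchange stopped after stage '{stage}', before Quick Mode was sent."
    else:
        verdict = "No Phase 1 SA was established."
    return {"stage": stage, "notify": notify, "client_msgid": client_msgid,
            "asa_msgids": sorted(asa_ids), "correlated": correlated, "verdict": verdict}


if __name__ == "__main__":
    for k, v in diagnose(parse_client_log(SAMPLE_CLIENT_LOG), parse_asa_debug(SAMPLE_ASA_DEBUG)).items():
        print(f"{k}: {v}")
```

With the excerpt from this thread it reports stage qm_sent, notify NO_PROPOSAL_CHOSEN and a correlated message id ea4f7e96 on both sides: Phase 1 and XAUTH are fine and only the IPsec proposal is being refused, which is what the accepted answer addresses.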
09-29-2010 05:28 AM
Yes, you should remove that because it is already covered under the following NAT:
nat (inside) 0 access-list inside_nat0_outbound_1
You currently have 2 NAT exemption statements on inside interface, and the one with "outside" keyword should be removed.
And also add the following, as the debugs show that the IPsec proposal does not match:
crypto dynamic-map remote-dyn-map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map remote-dyn-map 50 set transform-set ESP-3DES-SHA
crypto map outside_map 65000 ipsec-isakmp dynamic remote-dyn-map
09-30-2010 12:13 AM
Hi Jennifer
Thank you for all the help. I've added the commands you gave me, but
I am still getting the same error messages from the debugs.
When I use my VPN client to connect, I have to log in with my username and password,
and then I get "securing communications channel" followed by "not connected".
I've attached them.
Thank you
Bert
09-30-2010 12:41 AM
Assuming that you are not using L2TP, please kindly remove the following line:
crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp
09-30-2010 03:00 AM
Hi
That solved my problem, thank you very much.
I have one more question.
My network looks like this
ASA5510 ---------------------------Router (don't know the type, not managed by me)-----------------------Internal network
Will the people who connect to the VPN have local LAN access?
I can't test this until Saturday; I was just wondering, because they told me that this was an issue with previous installations.
Again, thank you very much
09-30-2010 03:56 AM
Based on your configuration, your IP local pool for the VPN is in the same subnet as your internal network. You should change the pool to a different, unique subnet.
Then you would need to add the "inside_nat0_outbound" entry with the newly created IP pool subnet:
access-list inside_nat0_outbound extended permit ip any
Assuming that the router that is not managed by you has its default gateway pointing towards the ASA inside interface, you should have access to your internal network. That is the purpose of the IPsec VPN client, i.e. to get access to your internal network.
09-30-2010 04:20 AM
So if I understand correctly, I should change the following:
ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any <192.0.1.0> <255.255.255.0>
What about the DNS server setting? It is now 192.0.0.29; does this have to change?
I have adjusted my topology; the previous one was not correct. The internal network is directly connected to the ASA.
ASA5510(192.0.0.40) ---------------------------(192.0.0.187)Router (don't know the type, not managed by me)
|----------------------Internal network (192.0.0.0)
thank you
09-30-2010 04:33 AM
Yes, absolutely correct.
DNS can stay the same if that is the correct internal dns server ip address.
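Added example, not the poster's or Cisco's code: a Python check for the two things the pool change above has to satisfy, namely that the VPN pool does not sit inside the inside subnet, and that the ACL bound with "nat (inside) 0 access-list" exempts inside-to-pool traffic from NAT. The two config snippets are constructed from the lines quoted in this thread; the original pool range 192.0.0.141-192.0.0.150 is an assumption (the thread only shows the client receiving 192.0.0.141/24 before the change), and the 172.16.0.0/24 entry stands in for the existing site-to-site exemption. It uses only the standard library.

```python
import ipaddress
import re

# Constructed ASA 8.2-style snippets modelled on the thread. The pool range in
# CONFIG_BEFORE is assumed; the thread only shows a client getting 192.0.0.141/24.
CONFIG_BEFORE = """\
ip local pool VPN-Clients 192.0.0.141-192.0.0.150 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

CONFIG_AFTER = """\
ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.0.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _net(token):
    """Turn an ACL address token ('any' or 'addr mask') into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect local pools, the ACEs of each extended ACL, and the ACLs bound to nat 0."""
    pools, acls, nat0 = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(2))
    return pools, acls, nat0


def check_pool(text, inside_cidr, pool_name="VPN-Clients"):
    """Report whether the pool overlaps the inside subnet and whether every
    address in the pool is covered by a NAT-exemption ACE from the inside subnet."""
    inside = ipaddress.ip_network(inside_cidr)
    pools, acls, nat0 = parse_config(text)
    first, last = pools[pool_name]
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    overlaps = any(n.overlaps(inside) for n in pool_nets)
    exempt_aces = [ace for name in nat0 for ace in acls.get(name, [])]
    nat_exempt = all(
        any(inside.subnet_of(src) and pn.subnet_of(dst) for src, dst in exempt_aces)
        for pn in pool_nets
    )
    return {"pool": f"{first}-{last}", "overlaps_inside": overlaps, "nat_exempt": nat_exempt}


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_pool(cfg, "192.0.0.0/24"))
```

Run against the "before" snippet it flags both problems (pool inside 192.0.0.0/24, no exemption covering it); against the "after" snippet, which is the configuration agreed on above, both checks pass. If the pool moves again, the ACE destination must move with it, which is the check this script makes explicit.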
09-30-2010 04:55 AM
Ok, thank you very much
EDIT: I have configured my ASA as you suggested, but I still don't seem to have local LAN access.
These are the settings I get from my DHCP pool:
Connection-specific DNS Suffix . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2
One last question: I have to forward a couple of ports to the router.
Is this correct?
access-list outside-access-in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.0.0.187 3389 netmask 255.255.255.255
thank you
09-30-2010 05:35 AM
No, you don't have to forward anything on the ASA.
Once you VPN in, you should be able to access 192.0.0.187 if RDP is allowed on it. Please make sure that the personal firewall on that PC is turned off, as it will not allow inbound connections from a different subnet.
09-30-2010 05:44 AM
Hello
OK, but when I connect I still cannot ping other clients in the network or the inside interface of the ASA.
And when connected, the default gateway points to my client's IP address:
Connection-specific DNS Suffix . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2
Thank you