Federico Coto F... Thu, 04/29/2010 - 12:26

Hi,


When you connect your VPN client, does the tunnel get established?

Can you confirm that "sh cry isa sa" shows QM_IDLE or Active?


If the tunnel establishes, but no traffic is passing through, let's do the following:

1. Check what IP is given to the VPN client.

2. Include the following commands on the ASA:

     management-access inside

     crypto isakmp nat-t

     sysopt connection permit-vpn

3. Try to PING the inside IP of the PIX from the VPN client.


If it still does not work, please post the output of:

sh cry ips sa


Federico.

Federico Coto F... Thu, 04/29/2010 - 12:37

So, we need to go back a little....


The tunnel is not establishing yet.

Please post the output of the "debug cry isa 127" from your ASA, when attempting to connect.


Also,

Do you get an error on the client side?


Federico.

Federico Coto F... Thu, 04/29/2010 - 13:57

Stephen,


Please let me know if this information is correct...


The IP where the VPN client is coming from is 66.201.46.82
The IP assigned to the VPN client is 10.10.220.236
The group/user is BeneAdmin/slewis


I see the phase 1 getting established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 1 COMPLETED
And landing on the default SYSTEM_DEFAULT_CRYPTO_MAP


Then, phase 2 also gets established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 2 COMPLETED (msgid=ca124a13)

So, at this point the tunnel is up.


It also adds a static route back to the client:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Adding static route for client address: 10.10.220.236


But then, the ASA receives an error from the client:
Apr 29 20:27:18 [IKEv1 DEBUG]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Active unit receives a delete event for remote peer 66.201.46.82
Apr 29 20:27:18 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Session is being torn down. Reason: User Requested


Let's do the following:

The crypto map should only be applied to

no crypto map inside_map interface inside
no crypto isakmp enable inside


Also, I don't know why the VPN client is getting .236 IP, because the pool you have is:
ip local pool Admin 10.10.220.237-10.10.220.238 mask 255.255.255.0


Are you losing Internet connectivity from the client side?
Can you attempt to connect via the VPN client from another location?

What exactly is the local LAN behind the ASA that you want to access and the pool for the VPN clients?


Federico.
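
The log walk-through in the post above can be automated. This is an added example, not part of the thread and not a Cisco tool: it parses the IKEv1 debug lines quoted in that post, reports how long the tunnel stayed up and why it was torn down, and checks the assigned client address against the configured pool range. The function name `summarize`, its parameters and the `year` default are assumptions made for this example.

```python
import ipaddress
import re
from datetime import datetime

# Log lines quoted in the post above (the "Adding static route" entry joined onto one line).
SAMPLE_LOG = """\
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 1 COMPLETED
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 2 COMPLETED (msgid=ca124a13)
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Adding static route for client address: 10.10.220.236
Apr 29 20:27:18 [IKEv1 DEBUG]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Active unit receives a delete event for remote peer 66.201.46.82
Apr 29 20:27:18 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Session is being torn down. Reason: User Requested
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<peer>[^,]+), (?P<msg>.*)$"
)

def summarize(log_text, pool_first, pool_last, year=2010):
    """Summarize each (group, user, peer) session; year is assumed, the log stamps carry none."""
    lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a per-session IKEv1 line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault((m["group"], m["user"], m["peer"]), {
            "phase1": None, "phase2": None, "client_ip": None,
            "in_pool": None, "teardown_reason": None, "up_seconds": None})
        msg = m["msg"]
        if msg.startswith("PHASE 1 COMPLETED"):
            s["phase1"] = ts
        elif msg.startswith("PHASE 2 COMPLETED"):
            s["phase2"] = ts
        elif msg.startswith("Adding static route for client address:"):
            s["client_ip"] = msg.rsplit(":", 1)[1].strip()
            # Flag an address outside the configured "ip local pool" range.
            s["in_pool"] = lo <= ipaddress.ip_address(s["client_ip"]) <= hi
        elif "Session is being torn down. Reason:" in msg:
            s["teardown_reason"] = msg.split("Reason:", 1)[1].strip()
            if s["phase2"]:  # seconds between phase 2 completing and teardown
                s["up_seconds"] = int((ts - s["phase2"]).total_seconds())
    return sessions

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG, "10.10.220.237", "10.10.220.238").items():
        print(key, s)
```

A short `up_seconds` together with an `in_pool` value of `False` points at the same two things the post raises: the teardown request arriving right after phase 2, and the assigned address not matching the pool.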

stephilewis Thu, 04/29/2010 - 14:38

Also, thank you Sir for your time helping with this issue.

stephilewis Thu, 04/29/2010 - 14:21

no
