cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2685
Views
0
Helpful
8
Replies

ASA 5505 IPSEC VPN Cisco Client

stephilewis
Level 1
Level 1

e

8 Replies 8

Hi,

When you connect your VPN client, the tunnel get established?

Can you confirm that ''sh cry isa sa'' shows QM_IDLE or Active?

If the tunnel establishes, but no traffic is passing through, let's do the following:

1. Check what is the IP given to the VPN client.

2. Include the following commands on the ASA:

     management-access inside

     crypto isakmp nat-t

     sysopt connection permit-vpn

3. Try to PING the inside IP of the PIX from the VPN client.

If still does not work, please post the output of:

sh cry ips sa

Federico.

''sh cry isa sa'' shows "There are no isakmp sas"

So, we need to go back a little....

The tunnel is not establishing yet.

Please post the output of the ''debug cry isa 127'' from your ASA, when attempting to connect.

Also,

Do you get an error on the client side?

Federico.

4te

Stephen,

Please let me know if this information is correct...

The IP where the VPN client is coming from is 66.201.46.82
The IP assigned to the VPN client is 10.10.220.236
The group/user is BeneAdmin/slewis

I see the phase 1 getting established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 1 COMPLETED
And landing on the default SYSTEM_DEFAULT_CRYPTO_MAP

Then, phase 2 also gets established:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, PHASE 2 COMPLETED (msgid=ca124a13)

So, at this point the tunnel is up.


It also adds a static route back to the client:
Apr 29 20:27:01 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82,
Adding static route for client address: 10.10.220.236

But then, the ASA receives an error from the client:
Apr 29 20:27:18 [IKEv1 DEBUG]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Active unit receives a delete event for remote peer 66.201.46.82
Apr 29 20:27:18 [IKEv1]: Group = BeneAdmin, Username = slewis, IP = 66.201.46.82, Session is being torn down. Reason: User Requested

Let's do the following:

The crypto map should only be applied to

no crypto map inside_map interface inside
no crypto isakmp enable inside

Also, I don't know why the VPN client is getting .236 IP, because the pool you have is:
ip local pool Admin 10.10.220.237-10.10.220.238 mask 255.255.255.0

Are you losing Internet connectivity from the client side?
Can you attempt to connect via the VPN client from another location?

What exactly is the local LAN behind the ASA that you want to access and the pool for the VPN clients?

Federico.

no

Also, thank you Sir for your time helping with this issue.

Stephen,

If you could, then try to start from scratch.

Here's the information for VPN:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/vpn_wiz.html

Then please post your configuration if you have any problem.

Otherwise, we can continue troubleshooting the issue as it is.

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: