Remote access VPN not connecting

Oct 28th, 2013

I have this weird issue, for which I have googled and found the same answer repeated: "check the group name & pre-shared key".

I have given the same group name "cisco" and pre-shared key "cisco". Even in the dynamic crypto map I have enabled all the combinations. I am unable to trace the issue, please help.

Please find the ASA config below, and below that I have pasted the log from the client.

interface Vlan1
nameif inside
security-level 100
ip address A.B.C.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list DfltGrpPlcy_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.C50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.150.0 255.255.255.192
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 any
access-list inside_access_in extended permit ip host A.B.C.52 any
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_access_in extended permit ip host A.B.C.253 any
access-list inside_access_in extended permit ip host A.B.C.2 any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 433
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9675
access-list outside_access_in extended permit tcp any interface outside eq 8181
access-list outside_access_in extended permit tcp any interface outside eq 555
access-list outside_access_in extended permit tcp any interface outside eq 556
access-list outside_access_in extended permit tcp any interface outside eq 557
access-list outside_access_in extended permit tcp any interface outside eq 558
access-list outside_access_in extended permit tcp any interface outside eq 559
access-list outside_access_in extended permit tcp any interface outside eq 4433
access-list foreshore_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl_1 standard permit A.B.C.0 255.255.255.0
access-list plswork_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool A.B.C50.1-A.B.C50.254 mask 255.255.255.0
ip local pool VPN A.B.150.1-A.B.150.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 A.B.C.52 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https A.B.C.52 https netmask 255.255.255.255
static (inside,outside) tcp interface 9675 A.B.C.52 9675 netmask 255.255.255.255
static (inside,outside) tcp interface 8181 A.B.C.253 8181 netmask 255.255.255.255
static (inside,outside) tcp interface 555 A.B.C.253 555 netmask 255.255.255.255
static (inside,outside) tcp interface 556 A.B.C.253 556 netmask 255.255.255.255
static (inside,outside) tcp interface 557 A.B.C.253 557 netmask 255.255.255.255
static (inside,outside) tcp interface 558 A.B.C.253 558 netmask 255.255.255.255
static (inside,outside) tcp interface 559 A.B.C.253 559 netmask 255.255.255.255
static (inside,outside) tcp interface 4433 A.B.C.2 4433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http A.B.C.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet A.B.C.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy cisco internal
group-policy cisco attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username nash password BH5w693cwLDQ92T7 encrypted privilege 0
username nash attributes
vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool VPN
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4a35e5d3de5970472fb336aa253e1c30
: end


**************************************************
Cisco VPN client log
**************************************************

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      23:15:13.622  10/28/13  Sev=Info/6          GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

2      23:15:20.330  10/28/13  Sev=Info/4          CM/0x63100002
Begin connection process

3      23:15:20.345  10/28/13  Sev=Info/4          CM/0x63100004
Establish secure connection

4      23:15:20.345  10/28/13  Sev=Info/4          CM/0x63100024
Attempt connection with server "Dyndns host name"

5      23:15:20.626  10/28/13  Sev=Info/6          IKE/0x6300003B
Attempting to establish a connection with XXX.XXX.XXX.XXX (public ip address).

6      23:15:20.642  10/28/13  Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation

7      23:15:20.688  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to XXX.XXX.XXX.XXX (public ip address)

8      23:15:20.704  10/28/13  Sev=Info/4          IPSEC/0x63700008
IPSec driver successfully started

9      23:15:20.704  10/28/13  Sev=Info/4          IPSEC/0x63700014
Deleted all keys

10     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = XXX.XXX.XXX.XXX (public ip address)

11     23:15:20.704  10/28/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from XXX.XXX.XXX.XXX (public ip address)

12     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports XAUTH

14     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports DPD

15     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports NAT-T

16     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports IKE fragmentation payloads

17     23:15:20.720  10/28/13  Sev=Warning/3          IKE/0xE3000057
The received HASH payload cannot be verified

18     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

19     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

20     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to XXX.XXX.XXX.XXX (public ip address)

21     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to XXX.XXX.XXX.XXX (public ip address)

22     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

23     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED

24     23:15:21.390  10/28/13  Sev=Info/4          IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED

25     23:15:21.390  10/28/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "Dyndns host name" because of "DEL_REASON_IKE_NEG_FAILED"

26     23:15:21.390  10/28/13  Sev=Info/5          CM/0x63100025
Initializing CVPNDrv

27     23:15:21.422  10/28/13  Sev=Info/6          CM/0x63100046
Set tunnel established flag in registry to 0.

28     23:15:21.422  10/28/13  Sev=Info/4          IKE/0x63000001
IKE received signal to terminate VPN connection

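The client log above stops at the IKE Phase 1 HASH check. As an added example (not part of the original post and not a Cisco tool), the following Python script groups Cisco VPN Client log entries, tells a missing reply (the packet never reached an IKE responder, so ASA-side isakmp debugs stay empty) apart from a reply whose HASH_R fails to verify (group name or pre-shared key mismatch on whichever device actually answered), and lists the vendor IDs the responder advertised, which is the fingerprint to compare when asking whether the right box replied. The two sample logs are constructed excerpts modelled on the log above, with the public IP replaced by a documentation address and the DynDNS name by a placeholder.

```python
"""Triage a Cisco VPN Client (IKEv1 aggressive mode) log: added example, not
part of the original post and not a Cisco tool."""
import re
from dataclasses import dataclass

# Entry header, e.g. "18     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300007E"
HEADER_RE = re.compile(r"^(\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\w+/\d\s+(\w+)/(0x[0-9A-Fa-f]+)$")

# Codes copied from the log above; the meaning is what the client prints beside them.
HASH_FAIL_CODES = {"0XE3000057", "0XE300007E"}   # received HASH payload cannot be verified
PEER_AUTH_FAIL = "0XE300009B"                     # failed to authenticate peer


@dataclass
class Entry:
    seq: int
    comp: str      # GUI, CM, IKE, IPSEC ...
    code: str
    msg: str = ""


def parse_log(text):
    """Group each header line with its (possibly wrapped) message text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3).upper()))
        elif entries:
            entries[-1].msg = (entries[-1].msg + " " + line).strip()
    return entries


def peer_capabilities(entries):
    """Vendor IDs the responder advertised: a fingerprint of which box answered."""
    caps = set()
    for e in entries:
        if e.comp == "IKE" and e.msg.startswith("Peer supports "):
            caps.add(e.msg[len("Peer supports "):])
        elif e.comp == "IKE" and "Cisco-Unity compliant" in e.msg:
            caps.add("Unity")
    return caps


def diagnose(entries):
    """Return (verdict, explanation) for one connection attempt."""
    ike = [e for e in entries if e.comp == "IKE"]
    sent = any("SENDING >>> ISAKMP OAK AG" in e.msg for e in ike)
    got = any("RECEIVING <<< ISAKMP OAK AG" in e.msg for e in ike)
    codes = {e.code for e in ike}
    if not sent:
        return "no-phase1", "client never sent an aggressive-mode SA proposal"
    if not got:
        # Nothing answered on UDP/500: wrong DNS name, missing port forward in
        # front of the ASA, or filtering. ASA-side isakmp debugs stay empty.
        return "no-reply", "no ISAKMP reply: packet never reached an IKE responder"
    if codes & HASH_FAIL_CODES or PEER_AUTH_FAIL in codes:
        # A responder replied, but HASH_R did not verify: the group name or
        # pre-shared key differ on the device that actually answered.
        return "psk-mismatch", "HASH_R did not verify: group name/PSK mismatch on responder"
    if any("Unable to establish Phase 1 SA" in e.msg for e in entries):
        return "phase1-failed", "Phase 1 failed for another reason; check debug crypto isakmp"
    return "phase1-ok", "aggressive-mode exchange completed"


# Constructed excerpt modelled on the log above; public IP and DynDNS name
# replaced by placeholders.
SAMPLE_PSK_FAIL = """
7      23:15:20.688  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 203.0.113.10

11     23:15:20.704  10/28/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from
203.0.113.10

12     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer

15     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports NAT-T

18     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
"""

# Constructed: same client, but nothing answers on UDP/500.
SAMPLE_NO_REPLY = """
7      23:16:02.100  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 203.0.113.10

8      23:16:22.100  10/28/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "vpn.example.invalid" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

if __name__ == "__main__":
    for name, text in (("psk-fail", SAMPLE_PSK_FAIL), ("no-reply", SAMPLE_NO_REPLY)):
        entries = parse_log(text)
        print(name, diagnose(entries), sorted(peer_capabilities(entries)))
```

The "psk-mismatch" verdict only says that the device which answered disagrees with the client about the group name or key; it does not say that device is this ASA. A "no-reply" verdict on the client side paired with silent isakmp debugs on the ASA is the combination that points at DNS, the port forward in front of the ASA, or a different host answering.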
harshisi_2 Mon, 10/28/2013 - 14:19

Hi Naresh,


The logs do point out an issue with the pre-shared key. Could you please upload the debugs from the ASA at the time of connection:


debug cry isa 200


Could you try other keys like cisco123 etc. and test? Please ensure there is no leading space, as that is a very common mistake in such cases.



Regards,


~Harry

Naresh Kumar Tue, 10/29/2013 - 04:49

Hello Harry


I tried all the steps mentioned above, still no luck.


I have tried debug cry isa 200, but there were no logs.


Regards

Naresh

Richard Burts Tue, 10/29/2013 - 07:01
Naresh


It is interesting that there was no debug output and I have been thinking about that. I see from the client logs that it looks like you are using dynamic DNS. But I do not see anything in the ASA config about that. I wonder if the client is really connecting to the right ASA?


HTH


Rick

harshisi_2 Tue, 10/29/2013 - 08:14

Hi Richard,


This is a scrubbed config from Naresh and hence it won't have the public IP addresses (he has hidden them), as he has given us the group name and pre-shared key, so that no one tries to connect to it.


Regards,


~Harry

harshisi_2 Tue, 10/29/2013 - 08:19

Hi Naresh,


There must be a conditional debug on the ASA which may cause these debugs not to show up.


Try entering debug cry condition reset and then enter

debug cry isa 200.


Alternatively, try finding the public IP of the client you are connecting from, then go to ASDM -> Monitoring -> Logging -> Real Time Logs, put that public IP in the filter at the top and gather logs while connecting.


Please ensure that the logging level for ASDM is set to debugging by going to ASDM > Configuration > Device Management > Logging Filters and setting the logging level for ASDM to debugging.


Regards,


~Harry
