10-28-2013 12:53 PM - edited 02-21-2020 07:16 PM
I have this weird issue, for which I have googled and found the same answer repeated: "check the group name & pre-shared key".
I have given the same group name "cisco" and the pre-shared key is also "cisco". Even in the dynamic crypto map I have enabled all the combinations. I am unable to trace the issue; please help.
Please find the ASA config below, and below that I have pasted the log from the client.
interface Vlan1
nameif inside
security-level 100
ip address A.B.C.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list DfltGrpPlcy_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.C50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.150.0 255.255.255.192
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 any
access-list inside_access_in extended permit ip host A.B.C.52 any
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_access_in extended permit ip host A.B.C.253 any
access-list inside_access_in extended permit ip host A.B.C.2 any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 433
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9675
access-list outside_access_in extended permit tcp any interface outside eq 8181
access-list outside_access_in extended permit tcp any interface outside eq 555
access-list outside_access_in extended permit tcp any interface outside eq 556
access-list outside_access_in extended permit tcp any interface outside eq 557
access-list outside_access_in extended permit tcp any interface outside eq 558
access-list outside_access_in extended permit tcp any interface outside eq 559
access-list outside_access_in extended permit tcp any interface outside eq 4433
access-list foreshore_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl_1 standard permit A.B.C.0 255.255.255.0
access-list plswork_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool A.B.C50.1-A.B.C50.254 mask 255.255.255.0
ip local pool VPN A.B.150.1-A.B.150.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 A.B.C.52 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https A.B.C.52 https netmask 255.255.255.255
static (inside,outside) tcp interface 9675 A.B.C.52 9675 netmask 255.255.255.255
static (inside,outside) tcp interface 8181 A.B.C.253 8181 netmask 255.255.255.255
static (inside,outside) tcp interface 555 A.B.C.253 555 netmask 255.255.255.255
static (inside,outside) tcp interface 556 A.B.C.253 556 netmask 255.255.255.255
static (inside,outside) tcp interface 557 A.B.C.253 557 netmask 255.255.255.255
static (inside,outside) tcp interface 558 A.B.C.253 558 netmask 255.255.255.255
static (inside,outside) tcp interface 559 A.B.C.253 559 netmask 255.255.255.255
static (inside,outside) tcp interface 4433 A.B.C.2 4433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http A.B.C.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet A.B.C.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy cisco internal
group-policy cisco attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username nash password BH5w693cwLDQ92T7 encrypted privilege 0
username nash attributes
vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool VPN
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4a35e5d3de5970472fb336aa253e1c30
: end
----------------------------------------
Cisco VPN client log
----------------------------------------
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 23:15:13.622 10/28/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 23:15:20.330 10/28/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 23:15:20.345 10/28/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 23:15:20.345 10/28/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "Dyndns host name"
5 23:15:20.626 10/28/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with XXX.XXX.XXX.XXX (public ip address)
.
6 23:15:20.642 10/28/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 23:15:20.688 10/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to XXX.XXX.XXX.XXX ( public ip address)
8 23:15:20.704 10/28/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 23:15:20.704 10/28/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXX.XXX.XXX.XXX (public ip address)
11 23:15:20.704 10/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from
XXX.XXX.XXX.XXX (public ip address)
12 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
13 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
14 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 23:15:20.704 10/28/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
17 23:15:20.720 10/28/13 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
18 23:15:20.720 10/28/13 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
19 23:15:20.720 10/28/13 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)
20 23:15:20.720 10/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to XXX.XXX.XXX.XXX ( public ip address)
21 23:15:20.720 10/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to XXX.XXX.XXX.XXX (public ip address)
22 23:15:20.720 10/28/13 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
23 23:15:20.720 10/28/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED
24 23:15:21.390 10/28/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED
25 23:15:21.390 10/28/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "Dyndns host name" because of "DEL_REASON_IKE_NEG_FAILED"
26 23:15:21.390 10/28/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
27 23:15:21.422 10/28/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
28 23:15:21.422 10/28/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
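As an added example (not part of Naresh's post and not Cisco tooling), here is a small Python parser for the VPN Client 5.x log format above. It joins the wrapped message lines into one entry, then reports where the IKEv1 aggressive-mode attempt stopped: whether the client sent its AG message, whether the peer answered with an AG message containing a HASH, and which IKE warning codes followed. The embedded log is an excerpt of the entries posted above; the mapping from warning code to likely cause is my own reading of the message text, not a Cisco reference table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header line of each Cisco VPN Client 5.x log entry, e.g.
#   17 23:15:20.720 10/28/13 Sev=Warning/3 IKE/0xE3000057
# The message follows on the next line(s) until the next header.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<module>[A-Za-z]+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)


@dataclass
class Entry:
    seq: int
    time: str
    severity: str
    level: int
    module: str
    code: str
    message: str


def parse_client_log(text: str) -> List[Entry]:
    """Group each header line with its continuation lines (wrapped messages are joined)."""
    entries: List[Entry] = []
    header: Optional[dict] = None
    parts: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                entries.append(Entry(**header, message=" ".join(parts)))
            header = dict(seq=int(m["seq"]), time=m["time"], severity=m["sev"],
                          level=int(m["level"]), module=m["module"], code=m["code"])
            parts = []
        elif header is not None and line:
            parts.append(line)
    if header is not None:
        entries.append(Entry(**header, message=" ".join(parts)))
    return entries


# IKE warning codes seen in the posted log, most specific first (my reading of the messages).
KNOWN_CODES = [
    ("0xE300007E", "responder HASH could not be verified: group name or pre-shared key "
                   "differs from what the peer's tunnel-group uses"),
    ("0xE3000057", "received HASH payload cannot be verified"),
    ("0xE300009B", "peer authentication failed"),
]


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Summarise how far IKE phase 1 got and the most likely reason it stopped."""
    sent_ag = any(e.module == "IKE" and e.message.startswith("SENDING >>> ISAKMP OAK AG") for e in entries)
    got_ag = any(e.module == "IKE" and e.message.startswith("RECEIVING <<< ISAKMP OAK AG") for e in entries)
    phase1_failed = any(e.module == "CM" and "Unable to establish Phase 1 SA" in e.message for e in entries)
    warnings = [(e.seq, e.code, e.message) for e in entries if e.severity == "Warning"]
    seen = {code for _, code, _ in warnings}
    likely = next((desc for code, desc in KNOWN_CODES if code in seen), None)
    if likely is None and sent_ag and not got_ag:
        # The peer never answered: address, UDP/500 reachability or ISAKMP not enabled on that interface.
        likely = "no ISAKMP reply from the peer (address, UDP/500 reachability, or isakmp not enabled)"
    return {"sent_ag": sent_ag, "peer_responded": got_ag, "phase1_failed": phase1_failed,
            "warnings": warnings, "likely_cause": likely}


# Excerpt of the client log posted in the thread (entries 4, 5, 7, 11, 17, 18, 19, 25).
SAMPLE_LOG = """
4 23:15:20.345 10/28/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "Dyndns host name"
5 23:15:20.626 10/28/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with XXX.XXX.XXX.XXX (public ip address)
.
7 23:15:20.688 10/28/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to XXX.XXX.XXX.XXX ( public ip address)
11 23:15:20.704 10/28/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from
XXX.XXX.XXX.XXX (public ip address)
17 23:15:20.720 10/28/13 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
18 23:15:20.720 10/28/13 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
19 23:15:20.720 10/28/13 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)
25 23:15:21.390 10/28/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "Dyndns host name" because of "DEL_REASON_IKE_NEG_FAILED"
"""

if __name__ == "__main__":
    summary = triage(parse_client_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The useful signal is the combination: the peer did answer the aggressive-mode message with an SA and a HASH, so UDP/500 reachability and the ISAKMP policy are fine, and the failure is the client being unable to verify that HASH, which is derived from the pre-shared key. That narrows it to the key material (including a stray leading space) or to a different device than expected answering behind the DynDNS name.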
10-28-2013 02:19 PM
Hi Naresh,
The logs do point to an issue with the pre-shared key. Could you please upload the debugs from the ASA at the time of connection?
debug cry isa 200
Could you try other keys like cisco123 etc. and test? Please ensure there is no leading space, as that is a very common mistake in such cases.
Regards,
~Harry
10-29-2013 04:49 AM
Hello Harry
I tried all the steps mentioned above. Still no luck.
I have tried debug cry isa 200, but there were no logs.
Regards
Naresh
10-29-2013 07:01 AM
Naresh
It is interesting that there was no debug output and I have been thinking about that. I see from the client logs that it looks like you are using dynamic dns. But I do not see anything in the ASA config about that. I wonder if the client is really connecting to the right ASA?
HTH
Rick
10-29-2013 08:14 AM
Hi Richard,
This is a scrubbed config from Naresh, and hence it won't have the public IP addresses (he has hidden them), as he has given us the group name and pre-shared key, so that no one tries to connect to it.
Regards,
~Harry
10-29-2013 08:19 AM
Hi Naresh,
There must be a conditional debug on the ASA which may cause these debugs not to show up.
Try entering debug cry condition reset and then enter
debug cry isa 200.
Alternatively, try finding the public IP of the client you are connecting from, then go to ASDM -> Monitoring -> Logging -> Real Time Logs, put that public IP in the filter at the top and gather logs while connecting.
Please ensure that the logging level for ASDM is set to debugging by going to ASDM > Configuration > Device Management > Logging Filters > and setting the logging level for ASDM to debugging.
Regards,
~Harry