Remote access VPN not connecting

Naresh Kumar
Level 1

I have this weird issue for which I have googled and found answers repeating "check the group name & pre-shared key".

I have given the same group "cisco", and the pre-shared key is also "cisco". Even in the dynamic crypto map I have enabled all the combinations. I am unable to trace the issue, please help.

Please find the ASA config below, and below that I have pasted the log from the client.

interface Vlan1
 nameif inside
 security-level 100
 ip address A.B.C.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list DfltGrpPlcy_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.C50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip A.B.C.0 255.255.255.0 A.B.150.0 255.255.255.192
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 any
access-list inside_access_in extended permit ip host A.B.C.52 any
access-list inside_access_in extended permit ip A.B.C.0 255.255.255.0 A.B.1.0 255.255.255.0
access-list inside_access_in extended permit ip host A.B.C.253 any
access-list inside_access_in extended permit ip host A.B.C.2 any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 433
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9675
access-list outside_access_in extended permit tcp any interface outside eq 8181
access-list outside_access_in extended permit tcp any interface outside eq 555
access-list outside_access_in extended permit tcp any interface outside eq 556
access-list outside_access_in extended permit tcp any interface outside eq 557
access-list outside_access_in extended permit tcp any interface outside eq 558
access-list outside_access_in extended permit tcp any interface outside eq 559
access-list outside_access_in extended permit tcp any interface outside eq 4433
access-list foreshore_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl_1 standard permit A.B.C.0 255.255.255.0
access-list plswork_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit A.B.C.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool A.B.C50.1-A.B.C50.254 mask 255.255.255.0
ip local pool VPN A.B.150.1-A.B.150.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 A.B.C.52 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https A.B.C.52 https netmask 255.255.255.255
static (inside,outside) tcp interface 9675 A.B.C.52 9675 netmask 255.255.255.255
static (inside,outside) tcp interface 8181 A.B.C.253 8181 netmask 255.255.255.255
static (inside,outside) tcp interface 555 A.B.C.253 555 netmask 255.255.255.255
static (inside,outside) tcp interface 556 A.B.C.253 556 netmask 255.255.255.255
static (inside,outside) tcp interface 557 A.B.C.253 557 netmask 255.255.255.255
static (inside,outside) tcp interface 558 A.B.C.253 558 netmask 255.255.255.255
static (inside,outside) tcp interface 559 A.B.C.253 559 netmask 255.255.255.255
static (inside,outside) tcp interface 4433 A.B.C.2 4433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http A.B.C.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet A.B.C.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy cisco internal
group-policy cisco attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username nash password BH5w693cwLDQ92T7 encrypted privilege 0
username nash attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool VPN
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4a35e5d3de5970472fb336aa253e1c30
: end

****************************************
Cisco VPN client log
****************************************

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1      23:15:13.622  10/28/13  Sev=Info/6          GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

2      23:15:20.330  10/28/13  Sev=Info/4          CM/0x63100002
Begin connection process

3      23:15:20.345  10/28/13  Sev=Info/4          CM/0x63100004
Establish secure connection

4      23:15:20.345  10/28/13  Sev=Info/4          CM/0x63100024
Attempt connection with server "Dyndns host name"

5      23:15:20.626  10/28/13  Sev=Info/6          IKE/0x6300003B
Attempting to establish a connection with XXX.XXX.XXX.XXX (public ip address).

6      23:15:20.642  10/28/13  Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation

7      23:15:20.688  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to XXX.XXX.XXX.XXX (public ip address)

8      23:15:20.704  10/28/13  Sev=Info/4          IPSEC/0x63700008
IPSec driver successfully started

9      23:15:20.704  10/28/13  Sev=Info/4          IPSEC/0x63700014
Deleted all keys

10     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = XXX.XXX.XXX.XXX (public ip address)

11     23:15:20.704  10/28/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from XXX.XXX.XXX.XXX (public ip address)

12     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports XAUTH

14     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports DPD

15     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports NAT-T

16     23:15:20.704  10/28/13  Sev=Info/5          IKE/0x63000001
Peer supports IKE fragmentation payloads

17     23:15:20.720  10/28/13  Sev=Warning/3          IKE/0xE3000057
The received HASH payload cannot be verified

18     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

19     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

20     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to XXX.XXX.XXX.XXX (public ip address)

21     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to XXX.XXX.XXX.XXX (public ip address)

22     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

23     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED

24     23:15:21.390  10/28/13  Sev=Info/4          IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=500F4A9D4B38543A R_Cookie=D996BF1E938A51CF) reason = DEL_REASON_IKE_NEG_FAILED

25     23:15:21.390  10/28/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "Dyndns host name" because of "DEL_REASON_IKE_NEG_FAILED"

26     23:15:21.390  10/28/13  Sev=Info/5          CM/0x63100025
Initializing CVPNDrv

27     23:15:21.422  10/28/13  Sev=Info/6          CM/0x63100046
Set tunnel established flag in registry to 0.

28     23:15:21.422  10/28/13  Sev=Info/4          IKE/0x63000001
IKE received signal to terminate VPN connection
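As an added example, not code from the original post, Cisco, or anyone in this thread: a small Python triage script that parses the Cisco VPN Client log format shown above (a numbered header line followed by one or more message lines) and classifies the IKE phase 1 outcome. It separates two cases that look similar to an end user but point at different causes: the peer never answered the aggressive-mode proposal at all (wrong host, no reachability, or ISAKMP not enabled on that interface), versus the peer answered and the HASH payload failed verification, which the client itself attributes to a group password mismatch. The first log excerpt is taken from the post; the second, no-response sample, the verdict labels and the event codes checked beyond 0xE3000057 and 0xE300007E are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Excerpt of the Cisco VPN Client log posted above (entry header line, then its
# message). Only the entries relevant to the phase 1 verdict are kept; entry 11
# keeps its original line wrap so the multi-line message path is exercised.
PSK_MISMATCH_LOG = """\
6      23:15:20.642  10/28/13  Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      23:15:20.688  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to XXX.XXX.XXX.XXX
11     23:15:20.704  10/28/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from
XXX.XXX.XXX.XXX
17     23:15:20.720  10/28/13  Sev=Warning/3          IKE/0xE3000057
The received HASH payload cannot be verified
18     23:15:20.720  10/28/13  Sev=Warning/2          IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
21     23:15:20.720  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to XXX.XXX.XXX.XXX
25     23:15:21.390  10/28/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "Dyndns host name" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Constructed counter-example (not from the post): the proposal goes out but the
# peer never replies, so no HASH payload is ever received to verify.
NO_RESPONSE_LOG = """\
1      23:40:00.000  10/28/13  Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation
2      23:40:00.010  10/28/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.0.2.10
3      23:40:30.010  10/28/13  Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0000000000000000 R_Cookie=0000000000000000) reason = CONSTRUCTED_PEER_NEVER_ANSWERED
"""

# Header line: sequence, time, date, Sev=<name>/<level>, <module>/<hex code>.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})\s*$"
)

# Event codes the client emitted for the failed HASH check in the posted log.
HASH_FAILURE_CODES = {"0xE3000057", "0xE300007E"}


@dataclass
class Event:
    seq: int
    time: str
    sev: str
    level: int
    module: str
    code: str
    lines: List[str] = field(default_factory=list)

    @property
    def message(self) -> str:
        # Re-join wrapped message lines into one string for matching.
        return " ".join(part.strip() for part in self.lines if part.strip())


def parse_log(text: str) -> List[Event]:
    """Turn raw client log text into Event records; non-header lines attach to the latest event."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            events.append(Event(int(m["seq"]), m["time"], m["sev"], int(m["level"]), m["module"], m["code"]))
        elif events and raw.strip():
            events[-1].lines.append(raw)
    return events


@dataclass
class Diagnosis:
    peer_responded: bool
    hash_verification_failed: bool
    verdict: str


def diagnose(events: List[Event]) -> Diagnosis:
    """Classify the phase 1 outcome from the IKE events (verdict labels are this example's own)."""
    ike = [e for e in events if e.module == "IKE"]
    sent_ag = any(e.message.startswith("SENDING >>> ISAKMP OAK AG") for e in ike)
    got_ag = any(e.message.startswith("RECEIVING <<< ISAKMP OAK AG") for e in ike)
    hash_failed = any(e.code in HASH_FAILURE_CODES for e in ike)
    neg_failed = any("DEL_REASON_IKE_NEG_FAILED" in e.message for e in events)
    if sent_ag and not got_ag:
        verdict = "no-peer-response"        # check host/IP, reachability, isakmp enabled on that interface
    elif hash_failed:
        verdict = "phase1-auth-failed"      # peer answered; group name / pre-shared key mismatch is the usual cause
    elif neg_failed:
        verdict = "phase1-failed-other"     # negotiation failed for a reason other than the HASH check
    else:
        verdict = "no-phase1-failure-seen"
    return Diagnosis(got_ag, hash_failed, verdict)


if __name__ == "__main__":
    for name, text in (("posted log", PSK_MISMATCH_LOG), ("constructed no-response log", NO_RESPONSE_LOG)):
        print(name, "->", diagnose(parse_log(text)))
```

Running it against the posted excerpt yields `phase1-auth-failed` with `peer_responded=True`, which is the same conclusion the replies below draw from the log by eye: the ASA did answer, so host and reachability are fine, and the failure is in authenticating the group.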

5 Replies

harshisi_2
Level 1

Hi Naresh,

The logs do point out the issue with the pre-shared key; could you please upload the debugs from the ASA at the time of connection:

debug cry isa 200

Could you try other keys like cisco123 etc. and test? Please ensure there is no leading space, as that is a very common mistake in such cases.

Regards,

~Harry

Hello Harry

I tried all the steps mentioned above, still no luck.

I have tried debug cry isa 200, but there were no logs.

Regards

Naresh

Naresh

It is interesting that there was no debug output and I have been thinking about that. I see from the client logs that it looks like you are using dynamic dns. But I do not see anything in the ASA config about that. I wonder if the client is really connecting to the right ASA?

HTH

Rick


Hi Richard,

This is a scrubbed config from Naresh, and hence it won't have the public IP addresses (he has hidden them), as he has given us the group name and pre-shared key, so that no one tries to connect to it.

Regards,

~Harry

Hi Naresh,

There must be a conditional debug on the ASA which may cause these debugs not to show up.

Try entering debug cry condition reset and then enter

debug cry isa 200.

Alternatively, try finding the public IP of the client you are connecting from and then go to ASDM -> Monitoring -> Logging -> Real Time Logs, put that public IP in the filter at the top, and gather logs while connecting.

Please ensure that the logging level for ASDM is set to debugging by going to ASDM > Configuration > Device Management > Logging Filters > select logging level for ASDM to debugging.

Regards,

~Harry
