Problem setting up remote access VPN alongside Site-to-Site VPNs

Unanswered Question
Nov 11th, 2013

Hi,


I'm having issues setting up a remote access VPN alongside four site-to-site VPNs. All site-to-site tunnels work perfectly, and only phase 1 of the remote access tunnel is able to complete successfully.


I have tried setting up the remote access VPN using both the CLI and the ASDM wizard. I'm thinking the site-to-site tunnels are interfering with the remote access VPN.


Here is the "debug crypto isakmp 7" log:


Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing SA payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Oakley proposal is acceptable

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Received Fragmentation VID

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Received NAT-Traversal ver 02 VID

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing IKE SA payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, IKE SA Proposal # 1, Transform # 2 acceptable  Matches global IKE entry # 4

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing ISAKMP SA payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Traversal VID ver 02 payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing Fragmentation VID + extended capabilities payload

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 232

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing ke payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing ISA_KE payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing nonce payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing NAT-Discovery payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing NAT-Discovery payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing ke payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing nonce payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing Cisco Unity VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing xauth V6 VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Send IOS VID

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing VID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Discovery payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Discovery payload

Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Connection landed on tunnel_group DefaultRAGroup

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Generating keys for Responder...

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing hash payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Computing hash for ISAKMP

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Connection landed on tunnel_group DefaultRAGroup

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing ID payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing hash payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Computing hash for ISAKMP

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing dpd vid payload

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, PHASE 1 COMPLETED

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Keep-alive type for this connection: None

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Keep-alives configured on but peer does not support keep-alives (type = None)

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Starting P1 rekey timer: 21600 seconds.

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=95fd42c0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 299

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing hash payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing SA payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing nonce payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Received remote Proxy Host FQDN in ID Payload:  Host Name: test-vm  Address 0.0.0.0, Protocol 17, Port 1701

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Received local Proxy Host data in ID Payload:  Address 70.38.31.202, Protocol 17, Port 1701

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, L2TP/IPSec session detected.

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing NAT-Original-Address payload

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, QM IsRekeyed old sa not found by addr

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 1...

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 2...

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 3...

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 4...

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 on interface outside

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending notify message

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing blank hash payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing qm hash payload

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=4c11ba7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 352

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, QM FSM error (P2 struct &0xca511100, mess id 0x95fd42c0)!

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE QM Responder FSM error history (struct &0xca511100)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending delete/delete with reason message

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Removing peer from correlator table failed, no match!

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE SA MM:17d9a7b1 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE SA MM:17d9a7b1 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending delete/delete with reason message

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing blank hash payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing IKE delete payload

Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing qm hash payload

Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=b1206c64) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Session is being torn down. Reason: crypto map policy not found

Nov 11 15:01:38 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping

Nov 11 15:01:40 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping

Nov 11 15:01:44 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping


show running-configuration


cl-t129-05ih# sh run

: Saved

:

ASA Version 8.3(1)

!

hostname cl-t129-05ih

domain-name privatedns.com

enable password y1Bc0g0AYjBIerBD encrypted

passwd y1Bc0g0AYjBIerBD encrypted

no names

!

interface Vlan1

nameif outside

security-level 0

ip address 70.38.31.202 255.255.255.224

!

interface Vlan2

nameif inside

security-level 100

ip address 10.2.28.1 255.255.255.0

!

interface Vlan999

nameif dmz

security-level 50

ip address 70.38.15.249 255.255.255.248

!

interface Ethernet0/0

speed 100

duplex full

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

switchport access vlan 999

!

interface Ethernet0/4

switchport access vlan 2

!

interface Ethernet0/5

switchport access vlan 2

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

switchport access vlan 2

!            

boot system disk0:/asa831-k8.bin

ftp mode passive

clock timezone AST -4

clock summer-time ADT recurring

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 209.172.41.202

name-server 209.172.41.200

domain-name privatedns.com

object network obj-10.2.28.0

subnet 10.2.28.0 255.255.255.0

object network obj-192.168.111.0

subnet 192.168.111.0 255.255.255.0

object network obj-192.168.1.76

host 192.168.1.76

object network obj-10.2.28.10

host 10.2.28.10

object network RosenSC1

subnet 172.16.0.0 255.240.0.0

object network obj-10.2.28.11

host 10.2.28.11

object network obj-10.2.28.12

host 10.2.28.12

object network obj-10.2.28.13

host 10.2.28.13

object network obj-10.2.28.14

host 10.2.28.14

object network obj-10.2.28.15

host 10.2.28.15

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.2.28.0_24

subnet 10.2.28.0 255.255.255.0

object network NETWORK_OBJ_192.168.111.0_24

subnet 192.168.111.0 255.255.255.0

object network NETWORK_OBJ_172.16.0.0_12

subnet 172.16.0.0 255.240.0.0

object network obj-10.2.28.20

host 10.2.28.20

object network obj-10.2.28.21

host 10.2.28.21

object network obj-10.2.28.22

host 10.2.28.22

object network obj-10.2.28.23

host 10.2.28.23

object network obj-10.2.28.30

host 10.2.28.30

object network obj-10.2.28.31

host 10.2.28.31

object network obj-10.2.28.32

host 10.2.28.32

object network obj-10.2.28.33

host 10.2.28.33

object network dmz-subnet

subnet 192.168.2.0 255.255.255.0

object network db-dmz-wan

host 70.38.15.248

object network webserver

host 192.168.2.30

object network webserver-static-nat

host 192.168.2.30

object network WashingtonSq

host 192.168.1.14

object network obj-10.2.28.24

host 10.2.28.24

object network obj-10.2.28.25

host 10.2.28.25

object network NETWORK_OBJ_70.38.15.248_29

subnet 70.38.15.248 255.255.255.248

object network NETWORK_OBJ_71.13.156.64_27

subnet 71.13.156.64 255.255.255.224

object network NETWORK_OBJ_10.10.10.0_24

subnet 10.10.10.0 255.255.255.0

object network NETWORK_OBJ_10.2.28.128_25

subnet 10.2.28.128 255.255.255.128

object network NETWORK_OBJ_10.2.28.224_27

subnet 10.2.28.224 255.255.255.224

object network NETWORK_OBJ_10.2.29.0_24

subnet 10.2.29.0 255.255.255.0

object-group service www_srv tcp

description ssl

port-object eq ftp

port-object eq ssh

port-object eq www

port-object eq https

port-object eq 3389

port-object eq smtp

port-object eq pop3

port-object eq 8443

object-group network www_servers_1

network-object host 10.2.28.10

network-object host 10.2.28.11

network-object host 10.2.28.12

network-object host 10.2.28.13

network-object host 10.2.28.14

network-object host 10.2.28.15

network-object host 10.2.28.20

network-object host 10.2.28.21

network-object host 10.2.28.22

network-object host 10.2.28.23

network-object host 10.2.28.30

network-object host 10.2.28.31

network-object host 10.2.28.32

network-object host 10.2.28.33

network-object host 10.2.28.24

network-object host 10.2.28.25

access-list outside_1_cryptomap extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.2.28.0 255.255.255.0 172.16.0.0 255.240.0.0

access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 object RosenSC1

access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 host 192.168.2.76

access-list inside_nat0_outbound extended permit ip host 10.2.28.10 host 192.168.2.76

access-list outside_in extended permit ip 108.163.152.0 255.255.254.0 any

access-list outside_in extended permit ip host 209.172.41.160 any

access-list outside_in remark From RT #6150450 : continuously tries to log into port 3389 (rdp).

access-list outside_in extended deny ip host 112.216.31.116 any

access-list outside_in extended deny ip host 72.46.134.18 any

access-list outside_in extended permit tcp any object-group www_servers_1 object-group www_srv

access-list outside_in extended permit icmp host 209.172.32.36 any

access-list outside_in extended permit tcp host 173.252.62.122 any eq 1433

access-list outside_in remark From RT #6150450 : continuously tries to log into port 3389 (rdp).

access-list outside_in extended permit ip 10.2.28.0 255.255.255.0 any

access-list outside_3_cryptomap extended permit ip 10.2.28.0 255.255.255.0 object WashingtonSq

access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool vpn-pool2 10.2.29.100-10.2.29.200 mask 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 209.172.41.160 echo outside

icmp permit host 209.172.32.36 echo outside

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static NETWORK_OBJ_192.168.111.0_24 NETWORK_OBJ_192.168.111.0_24

nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static NETWORK_OBJ_172.16.0.0_12 NETWORK_OBJ_172.16.0.0_12

nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static WashingtonSq WashingtonSq

nat (dmz,outside) source static NETWORK_OBJ_70.38.15.248_29 NETWORK_OBJ_70.38.15.248_29 destination static NETWORK_OBJ_71.13.156.64_27 NETWORK_OBJ_71.13.156.64_27

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.2.29.0_24 NETWORK_OBJ_10.2.29.0_24

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-10.2.28.20

nat (inside,outside) static 70.38.40.177

object network obj-10.2.28.21

nat (inside,outside) static 70.38.40.178

object network obj-10.2.28.22

nat (inside,outside) static 70.38.40.179

object network obj-10.2.28.23

nat (inside,outside) static 70.38.40.180

object network obj-10.2.28.30

nat (inside,outside) static 174.142.209.104

object network obj-10.2.28.31

nat (inside,outside) static 174.142.209.105

object network obj-10.2.28.32

nat (inside,outside) static 174.142.209.106

object network obj-10.2.28.33

nat (inside,outside) static 174.142.209.107

object network obj-10.2.28.24

nat (inside,outside) static 70.38.40.181

object network obj-10.2.28.25

nat (inside,outside) static 70.38.40.182

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.38.31.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp outside

sysopt noproxyarp inside

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 173.252.62.122

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer 216.246.172.4

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer 206.71.243.34

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set peer 71.13.156.125

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 10

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0



threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 209.172.41.202 source outside prefer

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 209.172.41.202 209.172.41.200

vpn-tunnel-protocol l2tp-ipsec

default-domain value privatedns.com

username someuser1 password some-encrypted-password nt-encrypted privilege 0

username someuser1 attributes

vpn-group-policy DefaultRAGroup

username someuser2 password some-encrypted-password nt-encrypted privilege 0

username someuser2 attributes

vpn-group-policy DefaultRAGroup

username someuser3 password OIfCCniUgohBqJyX encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 20 retry 2

tunnel-group DefaultRAGroup general-attributes

address-pool vpn-pool2

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group 173.252.62.122 type ipsec-l2l

tunnel-group 173.252.62.122 ipsec-attributes

pre-shared-key *****

tunnel-group 216.246.172.4 type ipsec-l2l

tunnel-group 216.246.172.4 ipsec-attributes

pre-shared-key *****

tunnel-group 206.71.243.34 type ipsec-l2l

tunnel-group 206.71.243.34 ipsec-attributes

pre-shared-key *****

tunnel-group 71.13.156.125 type ipsec-l2l

tunnel-group 71.13.156.125 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect netbios

  inspect sunrpc

  inspect sip 

  inspect xdmcp

  inspect dns

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8bd5d82c383dcd8a248eb6e60061852e

: end


show version


cl-t129-05ih# sh vers

Cisco Adaptive Security Appliance Software Version 8.3(1)

Device Manager Version 7.1(1)52


This platform has an ASA 5505 Security Plus license.


I have been banging my head on the wall for a few days trying to figure this out.


Thanks in advance for any idea you may have.

davrojas Tue, 11/12/2013 - 19:56

Hello iweb_tech,


I see the debug states:


Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202


And based on your show run:


access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224


So if it is :


Wildcard Mask: 0.0.0.7

First Address: 70.38.15.248

Last Address: 70.38.15.255



Or


Wildcard Mask: 255.255.255.248, same as saying any.any.any.[248-255]



It seems that, either way, this address 70.38.31.202 does not fit; can you confirm?



-daVid
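As an added example (not code from the thread or from Cisco), the Python below reproduces the "Static Crypto Map check" that the debug log walks through: it parses the proxy IDs out of the "Rejecting IPSec tunnel" line and the four outside_N_cryptomap ACEs from the show run, then applies an assumed matching rule (local proxy inside the ACE source, remote proxy inside the ACE destination, ACE protocol covering the proxy protocol) to show why seq 1 through 4 all fail, which extends daVid's arithmetic on seq 4 to every static entry. The dynamic entry (seq 65535) carries no match address, so this check does not apply to it; the posted log never reaches it.

```python
"""Reproduce the ASA "Static Crypto Map check" from the posted debug log (added example)."""
import ipaddress
import re
from typing import Dict, NamedTuple, Tuple

# Debug line copied from the thread: the ASA's summary of the Phase 2 proxy IDs.
REJECT_LINE = (
    "Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 "
    "on interface outside"
)
# Network objects referenced by the crypto ACLs (from the posted show run).
OBJECTS = {"WashingtonSq": "192.168.1.14/32"}
# The four static crypto-map ACEs from the posted config, keyed by map sequence number.
CRYPTO_ACLS = {
    1: "access-list outside_1_cryptomap extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0",
    2: "access-list outside_2_cryptomap extended permit ip 10.2.28.0 255.255.255.0 172.16.0.0 255.240.0.0",
    3: "access-list outside_3_cryptomap extended permit ip 10.2.28.0 255.255.255.0 object WashingtonSq",
    4: "access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224",
}
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}  # 0 = any protocol
PROXY_RE = re.compile(r"remote proxy ([^/\s]+)/([^/\s]+)/(\d+)/(\d+) "
                      r"local proxy ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")


class Proxy(NamedTuple):
    net: ipaddress.IPv4Network
    proto: int  # 0 = any
    port: int   # 0 = any


class Ace(NamedTuple):
    proto: int  # 0 = 'ip', i.e. any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _proxy(addr: str, mask: str, proto: str, port: str) -> Proxy:
    return Proxy(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), int(proto), int(port))


def parse_reject_line(line: str) -> Tuple[Proxy, Proxy]:
    """Return (local, remote) proxy IDs from a 'Rejecting IPSec tunnel' debug line."""
    m = PROXY_RE.search(line)
    if m is None:
        raise ValueError("no proxy IDs found in debug line")
    return _proxy(*m.group(5, 6, 7, 8)), _proxy(*m.group(1, 2, 3, 4))


def _take_net(tokens, i):
    """Consume one ASA address spec: any | host X | object NAME | ADDR MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "object":
        return ipaddress.IPv4Network(OBJECTS[tokens[i + 1]]), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse a 'permit PROTO SRC DST' crypto ACE into protocol number and networks."""
    tokens = line.split()
    i = tokens.index("permit") + 1
    src, j = _take_net(tokens, i + 1)
    dst, _ = _take_net(tokens, j)
    return Ace(PROTO_NUM[tokens[i]], src, dst)


def ace_matches(ace: Ace, local: Proxy, remote: Proxy) -> bool:
    """Assumed rule: crypto ACLs are written local -> remote, so the local proxy must sit
    inside the ACE source, the remote proxy inside the ACE destination, protocol covered."""
    proto_ok = ace.proto in (0, local.proto)
    return proto_ok and local.net.subnet_of(ace.src) and remote.net.subnet_of(ace.dst)


def check_crypto_map(reject_line: str = REJECT_LINE, acls: Dict[int, str] = CRYPTO_ACLS):
    """Walk the static entries in sequence order, as the debug log shows the ASA doing."""
    local, remote = parse_reject_line(reject_line)
    report = {}
    for seq in sorted(acls):
        ace = parse_ace(acls[seq])
        report[seq] = {"local_in_src": local.net.subnet_of(ace.src),
                       "remote_in_dst": remote.net.subnet_of(ace.dst),
                       "match": ace_matches(ace, local, remote)}
    return report


if __name__ == "__main__":
    for seq, r in check_crypto_map().items():
        print(f"outside_map seq {seq}: local in ACE src={r['local_in_src']}, remote in ACE dst={r['remote_in_dst']} -> match={r['match']}")
```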

iweb_tech Thu, 11/14/2013 - 05:49

This 70.38.31.202 IP and the outside_4_cryptomap ACL are used for one of the site-to-site VPNs. This IP is the peer IP and 70.38.15.248/29 is the "local subnet". We are doing the site-to-site using publicly routable IP addresses, so this is why it looks a bit uncommon.


Basically, this site-to-site should not interfere with the remote access vpn but it seems like it is...


Does anyone have any other ideas?


Thanks!

Jouni Forss Thu, 11/14/2013 - 07:40

Hi,


The configuration itself seems fine, though the thing that causes problems for me personally is the fact that this seems to be supposed to use L2TP/IPsec, which I have never used.


The configuration guide seems to suggest that your configuration is pretty much done by the book so I don't really know what the problem is.


It does say it doesn't match anything configured on your firewall:


Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 on interface outside


Have you considered using the Cisco VPN Client software (or some 3rd party IPsec VPN Client software) to connect to the ASA?



- Jouni
