cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3155
Views
6
Helpful
14
Replies

Problem in Cisco Remote access VPN

meet_mkhan
Level 1
Level 1

Hi Experts,

Kindly help in solving the problem in remote access vpn.

I configured Remote access VPN on cosco asa 5510 evrything is working fine i can able to connect internet

on that machine but user cannot able to connect using easy vpn client 5.0 to its server.

Kindly check below config

Note e0/0 ip add 192.168.10.10 is natted with public ip 213.42.204.135 on main(core ) firewall

scenario :

ISP-------MAINFIREWALL(ASA 5510)--------------SWITCH----------USEREND FIREWALL(CISCO ASA5510 WITH REMOTE ACCESS VPN CONFIGIRED)

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu OUTSIDE 1500
ip local pool mpool 192.168.14.2-192.168.14.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy mediaphone internal
group-policy mediaphone attributes
 dns-server value 213.42.20.20 195.241.229.222
 vpn-tunnel-protocol IPSec
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khan password Af47yOOFe80n.V9z encrypted privilege 0
username khan attributes
 vpn-group-policy mediaphone
tunnel-group mediaphone type remote-access
tunnel-group mediaphone general-attributes
 address-pool mpool
 default-group-policy mediaphone
tunnel-group mediaphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

14 Replies 14

ajiddima
Level 1
Level 1

hi,

Configuration looks correct, Please get the debugs below to identify the cause:

 

- deb cry isa 127

- deb cry ips 127

 

Thanks.,

 

Hi,

Thanks for the reply.I am really sorry for the delay response

i enabled debugging but nothing is displayed

ciscoasa# debug crypto ipsec
ciscoasa# debug crypto isa
ciscoasa# debug crypto isakmp
ciscoasa# debug crypto eas
ciscoasa# debug crypto easy
ciscoasa# debug crypto ?

  ca         Set PKI debug levels
  condition  Set IPSec/ISAKMP debug filters
  engine     Set crypto engine debug levels
  ipsec      Set IPSec debug levels
  isakmp     Set ISAKMP debug levels
  vpnclient  Set EasyVPN client debug levels
ciscoasa# debug crypto von
ciscoasa# debug crypto vpncli
ciscoasa# debug crypto vpnclient
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#

Hi,

 

Could you make sure "terminal mon" is enabled to see the debugs(incase you are not using the console connection).

 

You may try :

Logging buffered debug and see the "show log" output.

You may also also try "logging monitor debug" and see whether you are seeing the live logs on the monitor.

And from the client PC: please get the wireshark capture to see the IKE traffic. Whether it is able to get a reply from the server.

 

-Altaf

Hi,

Pls check here under details and also check attached screen shot of client pc.

 

ciscoasa# debug crypto ipsec
ciscoasa# sh lo
ciscoasa# sh log
ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: level debugging, 260 messages logged
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 788 messages logged
ciscoasa#  sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: level debugging, 442 messages logged
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 805 messages logged
ciscoasa# ter
ciscoasa# terminal moni
ciscoasa# terminal monitor
Monitor option not supported for the console.
ciscoasa#
ciscoasa#  sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: level debugging, 575 messages logged
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 823 messages logged
ciscoasa#
ciscoasa#  sh cr
ciscoasa#  sh cry
ciscoasa#  sh crypto is
ciscoasa#  sh crypto isakmp sa
ciscoasa#  sh crypto isakmp sa

There are no isakmp sas

Hi,

 

I see you are using a console connection where the logs should show us. Looking at the captures  taken on the client we see there is no response from the ASA so the client retry it several times. Since we are not getting any logs on the ASA and client is not getting any reply back from the ASA ,it looks IKE is blocked on the client side.  To confirm you can take a capture on the ASA end as well to see if clients request are reaching till the ASA. If not then it is IKE traffic getting blocked on the client side.

 

-Altaf

 

 

Hi,

My scenario is like

ISP-------MAINFIREWALL(ASA 5510)--------------SWITCH----------USEREND FIREWALL(CISCO ASA5510 WITH REMOTE ACCESS VPN CONFIGIRED)

so ike traffic is permitted on main firewall do i have to permit in Userend firewall also.

Hi,

 

Yes, Please permit UDP 500 and ESP to the ASA outside on the user end firewall. Also take the capture on the VPN firewall to confirm you are recieving the IKE traffic.

Thanks,

Altaf

 

 

 

:Hi,

Pls check here under runn config of userend asa i am getting same error at uesrend when connecting to server same wireshark output after allowing 

esp and 4500,500 ports

 

========================
ciscoasa# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.14.12 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 213.42.20.20
 name-server 195.241.229.222
access-list mphone_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 1
92.168.14.4 255.255.255.252
access-list inside_nat0_outbound extended permit tcp any any eq 500
access-list inside_nat0_outbound extended permit tcp any any eq 4500
access-list inside_nat0_outbound extended permit esp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool mypool 192.168.14.4-192.168.14.7 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mphone_splitTunnelAcl
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khan password Af47yOOFe80n.V9z encrypted privilege 0
username khan attributes
 vpn-group-policy mphone
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
 address-pool mypool
 default-group-policy mphone
tunnel-group mphone ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:96bbf7ab1981c6a540c7c6f51f3e5ff0
: end
ciscoasa#

Hi,

check below debugging of userendasa

 

ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 1010 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3126 messages logged
55/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.6/137 to outside:192.168.10
.255/137
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per se
cond, max configured rate is 10; Current average rate is 10 per second, max conf
igured rate is 5; Cumulative total count is 6001
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.9/137 to outside:192.168.10
.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
% 192.168.10.51/137 to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
.10.221/445 (192.168.10.221/445) to inside:192.168.14.238/1901 (192.168.10.10/15
05)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.14.238/1902 to
outside:192.168.10.10/1506
%ASA-6-302013: Built outbound TCP connection 778 for outside:192.168.10.221/139
(192.168.10.221/139) to inside:192.168.14.238/1902 (192.168.10.10/1506)
%ASA-6-302014: Teardown TCP connection 778 for outside:192.168.10.221/139 to ins
ide:192.168.14.238/1902 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.14.238/138 to inside:192.168.1
4.255/138
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
% to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
ciscoasa#      UDP request discarded from 192.168.10.51/137 to o

Hi,

 

so there is no udp packets recieved correct ? as we dont see udp 500 from the above.

 

Did you get a packet capture from source IP (client public IP) to ASA out ip on the vpn firewall? This is confirm and avoid any syslog that we may have lost from the last output.

-Altaf

 

 

-Altaf

Hi,

I can see only udp req discard on ip add 192.168.14.238 which is conn to userend asa.but client ip from where i am connecting vpn is not here in this config

 

ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 1010 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3126 messages logged
55/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.6/137 to outside:192.168.10
.255/137
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per se
cond, max configured rate is 10; Current average rate is 10 per second, max conf
igured rate is 5; Cumulative total count is 6001
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.9/137 to outside:192.168.10
.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
% 192.168.10.51/137 to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
.10.221/445 (192.168.10.221/445) to inside:192.168.14.238/1901 (192.168.10.10/15
05)
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.14.238/1902 to
outside:192.168.10.10/1506
%ASA-6-302013: Built outbound TCP connection 778 for outside:192.168.10.221/139
(192.168.10.221/139) to inside:192.168.14.238/1902 (192.168.10.10/1506)
%ASA-6-302014: Teardown TCP connection 778 for outside:192.168.10.221/139 to ins
ide:192.168.14.238/1902 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.14.238/138 to inside:192.168.1
4.255/138
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
% to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
ciscoasa#      UDP request discarded from 192.168.10.51/137 to o
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# cle
ciscoasa# clear logg
ciscoasa# clear logging
ERROR: % Incomplete command
ciscoasa# clear logging bu
ciscoasa# clear logging buffer
ciscoasa# clear logging as
ciscoasa# clear logging asdm
ciscoasa#
ciscoasa#
ciscoasa# clear logging
ERROR: % Incomplete command
ciscoasa# clear logging buffer
ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 4864 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3921 messages logged
%ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 4986 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3934 messages logged
ded from 192.168.10.100/137 to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.57/137 to outside:192.168.1
0.255/137
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.14.238/2044 to
outside:192.168.10.10/1638
%ASA-6-302013: Built outbound TCP connection 994 for outside:192.168.10.221/80 (
192.168.10.221/80) to inside:192.168.14.238/2044 (192.168.10.10/1638)
%ASA-6-302014: Teardown TCP connection 992 for outside:192.168.10.221/445 to ins
ide:192.168.14.238/2041 duration 0:00:10 bytes 1807 TCP FINs
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per se
cond, max configured rate is 10; Current average rate is 9 per second, max confi
gured rate is 5; Cumulative total count is 5889
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.57/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.57/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.6/137 to outside:192.168.10
.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.100/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.6/137 to outside:192.168.10
.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.6/137 to outside:192.168.10
.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.88/137 to outside:192.168.1
0.255/137
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 5124 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 3951 messages logged
37 to outside:192.168.10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.51/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.163/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.85/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.163/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.85/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.163/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.85/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-6-302014: Teardown TCP connection 995 for outside:192.168.10.221/445 to ins
ide:192.168.14.238/2045 duration 0:00:10 bytes 1807 TCP FINs
%ASA-7-609002: Teardown local-host outside:192.168.10.221 duration 0:00:46
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.65/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.65/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.66/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/6
7
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/
67
%ASA-7-710005: UDP request discarded from 192.168.11.1/67 to inside:255.255.255.
255/68
%ASA-7-710005: UDP request discarded from 192.168.11.1/67 to outside:255.255.255
.255/68
%ASA-7-710005: UDP request discarded from 192.168.1.1/67 to inside:255.255.255.2
55/68
%ASA-7-710005: UDP request discarded from 192.168.1.1/67 to outside:255.255.255.
255/68
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.221/137 to outside:192.168.
10.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.65/137 to outside:192.168.1
0.255/137
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%02015: Built outbound UDP connection 1007 for outside:157.55.130.146/40002 (157
.55.130.146/40002) to inside:192.168.14.238/13942 (192.168.10.10/1174)
%ASA-7-609001: Built local-host outside:65.55.223.24
%ASA-6-302015: Built outbound UDP connection 1008 for outside:65.55.223.24/40009
 (65.55.223.24/40009) to inside:192.168.14.238/13942 (192.168.10.10/1174)
%ASA-7-710005: UDP request discarded from 192.168.10.11/137 to outside:192.168.1
0.255/137
%ASA-7-609001: Built local-host outside:157.55.235.157
%ASA-6-302015: Built outbound UDP connection 1009 for outside:157.55.235.157/400
21 (157.55.235.157/40021) to inside:192.168.14.238/13942 (192.168.10.10/1174)
%ASA-7-609001: Built local-host outside:111.221.74.41
%ASA-6-302015: Built outbound UDP connection 1010 for outside:111.221.74.41/4001
0 (111.221.74.41/40010) to inside:192.168.14.238/13942 (192.168.10.10/1174)

Those udp request as you see is for port 137. IKE uses udp port 500 so IKE coming looks like.

 

as suggested in earlier post, packet capture would help.

-Altaf

 

 

 

 

Hi,

Thankx for your support .the Problem is 

%ASA-4-106023: Deny udp src OUTSIDE:49.206.238.201/50875 dst INSIDE:213.42.x.x/500 by access-group "104" [0x0, 0x0]

MAINFIREWALL(ASA 5510) blocking udp 500 when i allowed udp 500

vpn client  connected without any issue..

Thanks Meet, I was suspecting a packet block.

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: