
Non Cisco IKEv1 Remote Access VPN fail after upgrade

ra maintenance
Level 1

Hello everyone,

We upgraded our ASA from 7.2(5) to 9.1(7) and non-Cisco IKEv1 Remote Access VPNs now fail.

Phase 1 is OK, AAA user auth is successful, but we have the following errors in ASDM:
Group = XXX, Username = XXXX, IP = 80.12.X.Y, QM FSM error (P2 struct &0x7659d900, mess id 0x60ecf534)!
Group = XXX, Username = XXXX, IP = 80.12.X.Y, Aborting Connection: IKEv1 RA client which did not request an assigned IP is attempting to establish a phase 2 SA for 10.59.Z.Z.

The IP of the client at the other end of the tunnel (10.59.Z.Z) is static; there is NO client address assignment policy:
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local

We can't change this behavior/configuration on remote devices.

In the Bug Search Tool I found bug CSCuo45321, "ASA allows IKEv1 clients to bypass address assignment, causing conflict", which is "fixed" in my version.
I can't find a way to bypass address assignment now.
Could you help us, please?
Thanks!


Philippe
