Solved: IPSec vpn to asa 5510

Bert Kelchtermans · ‎09-28-2010

Hi all

For a couple off days now, I am trying to resolve the fol lowong

issue, I am not really expierenced in ASA's or vpn, so any help will be appreciated.

I'm trying so set up an remote access vpn to an asa. but

I get he following error:

firewall# Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP = xxxxxxxxxxxx
, QM FSM error (P2 struct &0xac69d548, mess id 0x14921bd8)!
Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP =xxxxxxxxxxxxxxxxxxxxx
, Removing peer from correlator table failed, no match!

I have attached my running config

If anyone has an idea, pleasen let me know.

Kind regards

Bert

Jennifer Halim · ‎09-30-2010

Assuming that you are not using L2TP, please kindly remove the following line:

crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp

View solution in original post

Jennifer Halim · ‎09-28-2010

The following configuration should be removed as it is not required:

no access-list inside_nat0_outbound_1 extended permit ip 192.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list inside_nat0_outbound_1 extended permit ip any 192.0.0.128 255.255.255.224

no nat (inside) 0 access-list inside_nat0_outbound_2 outside

no access-list inside_nat0_outbound_2 extended permit ip object-group VPNSites 172.16.0.0 255.255.255.0

After the above changes, please run the following debugs on ASA:

debug cry isa

debug cry ipsec

Please also turn on logs on VPN Client.

Collect the debug output from ASA and logs from VPN Client after trying to connect via vpn client.

Bert Kelchtermans · ‎09-29-2010

Thanks for the help

But are you sure that I should remove those access-lists, because we also have some site-to-site-vpn connections.

Here is the output I got from

debug cry ipsec

debug cry isa

Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP
= XXXXXXXXXXXXXXX, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXX

, Removing peer from correlator table failed, no match!

This is the log from my ipsec client.

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 09:10:17.483 09/29/10 Sev=Info/4 CM/0x63100002
Begin connection process

2 09:10:17.498 09/29/10 Sev=Info/4 CM/0x63100004
Establish secure connection

3 09:10:17.498 09/29/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "94.107.244.10"

4 09:10:17.514 09/29/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 94.107.244.10.

5 09:10:17.530 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 94.107.244.10

6 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10

7 09:10:17.530 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 94.107.244.10

8 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

9 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

10 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD

11 09:10:17.530 09/29/10 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

12 09:10:17.545 09/29/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

13 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 94.107.244.10

14 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x066D, Remote Port = 0x01F4

15 09:10:17.545 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

16 09:10:17.545 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

17 09:10:17.545 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

18 09:10:17.545 09/29/10 Sev=Info/4 CM/0x63100015
Launch xAuth application

19 09:10:17.623 09/29/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

20 09:10:17.623 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

21 09:10:23.030 09/29/10 Sev=Info/4 CM/0x63100017
xAuth application returned

22 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 94.107.244.10

23 09:10:23.030 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

24 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

25 09:10:23.030 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX

26 09:10:23.030 09/29/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

27 09:10:23.623 09/29/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

28 09:10:23.623 09/29/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

29 09:10:23.639 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX

30 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10

31 09:10:23.639 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

32 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.0.0.141

33 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

34 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.0.0.29

35 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.0.0.30

36 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

37 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = XXXXXXXXXXXXXXXXXXXXXXXXX

38 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

39 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(1) built by builders on Tue 05-May-09 22:45

40 09:10:23.639 09/29/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

41 09:10:23.639 09/29/10 Sev=Info/4 CM/0x63100019
Mode Config data received

42 09:10:23.655 09/29/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.0.0.141, GW IP = XXXXXXXXXXXXXXXXXXXXXXXXX, Remote IP = 0.0.0.0

43 09:10:23.655 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10

44 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

45 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 94.107.244.10

46 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

47 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now

48 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

49 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10

50 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 94.107.244.10

51 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96

52 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED

53 09:10:23.670 09/29/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer =XXXXXXXXXXXXXXXXXXXXXXXXX

54 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA

55 09:10:23.670 09/29/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 94.107.244.10

56 09:10:24.623 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

57 09:10:27.123 09/29/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED

58 09:10:27.123 09/29/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

59 09:10:27.123 09/29/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

60 09:10:27.139 09/29/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

61 09:10:27.139 09/29/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

62 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

63 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

64 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

65 09:10:27.139 09/29/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Thanks in advance

Bert

Jennifer Halim · ‎09-29-2010

Yes, you should remove that because it is already covered under the following NAT:

nat (inside) 0 access-list inside_nat0_outbound_1

You currently have 2 NAT exemption statements on inside interface, and the one with "outside" keyword should be removed.

And also add the following as from the debugs IPSec proposal does not match:

crypto dynamic-map remote-dyn-map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map remote-dyn-map 50 set transform-set ESP-3DES-SHA
crypto map outside_map 65000 ipsec-isakmp dynamic remote-dyn-map

Bert Kelchtermans · ‎09-30-2010

Hi Jennifer

Thank you for all the help, I've added the commands you gave me but

I am still getting the same error messagesfrom the debugs,

When I use my vpn client to connect, i have to login with my usernme and password

and the i get "securing communications channel" followed by "not connected"

I've attachted them.

Thank you

Bert

Jennifer Halim · ‎09-30-2010

Assuming that you are not using L2TP, please kindly remove the following line:

crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp

Bert Kelchtermans · ‎09-30-2010

Hi

That solved my problem, thank very much.

I have one more question.

My network looks like this

ASA5510 ---------------------------Router (don't know the type, not managed by me)-----------------------Internal network

Will the people who connect to the vpn have local lan access?

I can't test this until saturday, I was just wondering because they told me that that was an issue with previous installations.

Again, thank very much

Jennifer Halim · ‎09-30-2010

Base on your configuration, your ip local pool for the vpn is in the same subnet as your internal network. You should change the pool to a different unique subnet.

Then you would need to add the "inside_nat0_outbound" with the newly created ip pool subnet:

access-list inside_nat0_outbound extended permit ip any

Assuming that the router that is not managed by you has default gateway pointing towards the ASA inside interface, you should have access to your internal network. That is the purpose of IPSec VPN client, ie: to get access to your internal network.

Bert Kelchtermans · ‎09-30-2010

So if i understand correctly, i should change the following:

ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip any <192.0.1.0> <255.255.255.0>

What about the dns server setting, it is now on 192.0.0.29, does this have to change.

I have adjusted my topology, the previous one, was not correct. The internal network is directly connected to the asa.

ASA5510(192.0.0.40) ---------------------------(192.0.0.187)Router (don't know the type, not managed by me)

|----------------------Internal network (192.0.0.0)

thank you

Jennifer Halim · ‎09-30-2010

Yes, absolutely correct.

DNS can stay the same if that is the correct internal dns server ip address.

Bert Kelchtermans · ‎09-30-2010

Ok, thank you very much

EDIT: I have configured my asa like you suggested, but i still don't seem to have Local Lan Access.

These are the settings i get from my dhcp pool

Connection-specific DNS Suffix . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

One last question, i have to forward a couple of ports to the router

Is this the correct?

access-list outside-access-in extended permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.0.0.187 3389 netmask 255.255.255.255

thank you

Jennifer Halim · ‎09-30-2010

No, you don't have to forward anything on the ASA.

Once you VPN in, you should be able to access 192.0.0.187 if it's allowed for RDP. Please kindly make sure that personal firewall on that PC is turned off as it will not allow inbound connection from a different subnet.

Bert Kelchtermans · ‎09-30-2010

Hello

Ok, but when i connect i still cannot ping other clients in the network or the inside interface of the asa.

And when connected, the default gateway points to my clients IP adres

Connection-specific DNS Suffix . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

Thank you