ASA 5505: Unable to establish an IPSec VPN connection

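In the environment below, I am unable to establish an IPSec VPN connection from Cisco VPN Client.

If you know the cause, I would appreciate your guidance.

[Connection environment]

■ Client PC

OS: Windows XP Professional

Cisco VPN Client: version 4.6.03.0021

Internet: B FLET'S line, PPPoE connection

111.216.xxx.xxx/32

■ Cisco VPN Client settings

Host: 210.xxx.xxx.xxx

→ WAN-side IP address of the ASA 5505; this side is also a PPPoE connection over a B FLET'S line

Authentication: group authentication (Group = ITS-MNG_xxxxx)
Transport: "Enable Transparent Tunneling" is unchecked

■ Symptom

Group authentication (ITS-MNG_xxxxx) and user authentication (mngxx) both succeed, but the connection does not proceed beyond that point, and the message area at the bottom left of the VPN Client window shows "Not connected."

■ ASA 5505
The relevant parts of the configuration are as follows.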

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN
ip address pppoe setroute

interface Vlan461
nameif inside_461
security-level 100
ip address 10.244.61.254 255.255.255.0
!
interface Vlan481
no forward interface Vlan461
nameif inside_481
security-level 100
ip address 10.244.81.254 255.

access-list acl_nat2 extended permit ip 10.244.61.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.244.81.0 255.255.255.0 10.244.81.224 255.255.255.240

access-list acl_nat0 extended permit ip 10.244.81.0 255.255.255.0 any
access-list inside_nat2_outbound extended permit ip 10.244.61.0 255.255.255.0 192.168.100.0 255.255.255.0

ip local pool IPsec01-User1 10.244.81.225-10.244.81.230 mask 255.255.255.0 

global (outside) 2 interface
nat (inside_461) 0 access-list inside_nat2_outbound
nat (inside_461) 2 access-list acl_nat2
nat (inside_481) 2 access-list acl_nat0
access-group acl_out in interface outside

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

group-policy grppolicy internal
group-policy grppolicy attributes
vpn-tunnel-protocol svc
group-policy IPsec01 internal
group-policy IPsec01 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value toDC_splitTunnelAcl

username mngxx password gGRri9RDSitdFNAI encrypted
username mngxx attributes
vpn-group-policy IPsec01

tunnel-group ITS-MNG_xxxxx type remote-access
tunnel-group ITS-MNG_xxxxx general-attributes
address-pool IPsec01-User1
default-group-policy IPsec01
tunnel-group ITS-MNG_xxxxx ipsec-attributes
pre-shared-key *

■ Logs

- From show log on the ASA 5505

[Analysis]
Phases 1 and 2 both reach COMPLETED, but I assume the connection fails somewhere after that.

Mar 08 2012 09:42:21: %ASA-5-713130: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Received unsupported transaction mode attribute: 5
Mar 08 2012 09:42:21: %ASA-5-713119: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, PHASE 1 COMPLETED
Mar 08 2012 09:42:21: %ASA-5-713075: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Mar 08 2012 09:42:21: %ASA-5-713049: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Security negotiation complete for User (mngxx)  Responder, Inbound SPI = 0xa2a1c5f7, Outbound SPI = 0x35567485
Mar 08 2012 09:42:21: %ASA-5-713120: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, PHASE 2 COMPLETED (msgid=7370cf62)
Mar 08 2012 09:42:21: %ASA-5-713050: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Connection terminated for peer mngxx.  Reason: Peer Terminate  Remote Proxy 10.244.81.225, Local Proxy 0.0.0.0
Mar 08 2012 09:42:21: %ASA-4-113019: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Session disconnected. Session Type: IPsec, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Mar 08 2012 09:42:21: %ASA-5-713130: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.114.111, Received unsupported transaction mode attribute: 5
Mar 08 2012 09:42:21: %ASA-5-713119: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, PHASE 1 COMPLETED
Mar 08 2012 09:42:21: %ASA-5-713075: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Mar 08 2012 09:42:21: %ASA-5-713049: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Security negotiation complete for User (mngxx)  Responder, Inbound SPI = 0xa2a1c5f7, Outbound SPI = 0x35567485
Mar 08 2012 09:42:21: %ASA-5-713120: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, PHASE 2 COMPLETED (msgid=7370cf62)
Mar 08 2012 09:42:21: %ASA-5-713050: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Connection terminated for peer mngxx.  Reason: Peer Terminate  Remote Proxy 10.244.81.225, Local Proxy 0.0.0.0
Mar 08 2012 09:42:21: %ASA-4-113019: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Session disconnected. Session Type: IPsec, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

- From the VPN Client log

Cisco Systems VPN Client Version 4.6.03.0021
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

262    11:06:31.039  03/08/12  Sev=Info/4       CM/0x63100002
Begin connection process

263    11:06:31.055  03/08/12  Sev=Info/4       CM/0x63100004
Establish secure connection using Ethernet

264    11:06:31.055  03/08/12  Sev=Info/4       CM/0x63100024
Attempt connection with server "210.xxx.xxx.xxx"

265    11:06:31.071  03/08/12  Sev=Info/6       IKE/0x6300003B
Attempting to establish a connection with 210.xxx.xxx.xxx.

266    11:06:31.086  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to 210.xxx.xxx.xxx

267    11:06:31.102  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

268    11:06:31.102  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 210.xxx.xxx.xxx

269    11:06:31.102  03/08/12  Sev=Info/5       IKE/0x63000001
Peer is a Cisco-Unity compliant peer

270    11:06:31.102  03/08/12  Sev=Info/5       IKE/0x63000001
Peer supports XAUTH

271    11:06:31.102  03/08/12  Sev=Info/5       IKE/0x63000001
Peer supports DPD

272    11:06:31.118  03/08/12  Sev=Info/6       IKE/0x63000001
IOS Vendor ID Contruction successful

273    11:06:31.118  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 210.xxx.xxx.xxx

274    11:06:31.133  03/08/12  Sev=Info/4       IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

275    11:06:31.133  03/08/12  Sev=Info/4       CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

276    11:06:31.133  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

277    11:06:31.149  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.xxx.xxx.xxx

278    11:06:31.149  03/08/12  Sev=Info/4       CM/0x63100015
Launch xAuth application

279    11:06:31.211  03/08/12  Sev=Info/4       IPSEC/0x63700008
IPSec driver successfully started

280    11:06:31.211  03/08/12  Sev=Info/4       IPSEC/0x63700014
Deleted all keys

281    11:06:31.211  03/08/12  Sev=Info/6       IPSEC/0x6370002B
PPPoE Protocol has been detected.

282    11:06:33.352  03/08/12  Sev=Info/4       CM/0x63100017
xAuth application returned

283    11:06:33.352  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.xxx.xxx.xxx

284    11:06:33.368  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

285    11:06:33.368  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.xxx.xxx.xxx

286    11:06:33.368  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.xxx.xxx.xxx

287    11:06:33.368  03/08/12  Sev=Info/4       CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

288    11:06:33.430  03/08/12  Sev=Info/5       IKE/0x6300005E
Client sending a firewall request to concentrator

289    11:06:33.430  03/08/12  Sev=Info/5       IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

290    11:06:33.430  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.xxx.xxx.xxx

291    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

292    11:06:33.461  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.xxx.xxx.xxx

293    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.244.81.225

294    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

295    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

296    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000002

297    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000F
SPLIT_NET #1
       subnet = 10.244.81.0
       mask = 255.255.255.0
       protocol = 0
       src port = 0
       dest port=0

298    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000F
SPLIT_NET #2
       subnet = 10.244.61.0
       mask = 255.255.255.0
       protocol = 0
       src port = 0
       dest port=0

299    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

300    11:06:33.461  03/08/12  Sev=Info/5       IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(1) built by builders on Tue 05-May-09 22:45

301    11:06:33.461  03/08/12  Sev=Info/4       CM/0x63100019
Mode Config data received

302    11:06:33.493  03/08/12  Sev=Info/4       IKE/0x63000056
Received a key request from Driver: Local IP = 10.244.81.225, GW IP = 210.xxx.xxx.xxx, Remote IP = 0.0.0.0

303    11:06:33.493  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.xxx.xxx.xxx

304    11:06:33.508  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

305    11:06:33.508  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 210.xxx.xxx.xxx

306    11:06:33.508  03/08/12  Sev=Info/5       IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

307    11:06:33.508  03/08/12  Sev=Info/5       IKE/0x63000047
This SA has already been alive for 2 seconds, setting expiry to 86398 seconds from now

308    11:06:33.508  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

309    11:06:33.524  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 210.xxx.xxx.xxx

310    11:06:33.524  03/08/12  Sev=Info/5       IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

311    11:06:33.524  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 210.xxx.xxx.xxx

312    11:06:33.524  03/08/12  Sev=Info/5       IKE/0x63000059
Loading IPsec SA (MsgID=2E8C8617 OUTBOUND SPI = 0xA6892F13 INBOUND SPI = 0x02C79F18)

313    11:06:33.524  03/08/12  Sev=Info/5       IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0xA6892F13

314    11:06:33.524  03/08/12  Sev=Info/5       IKE/0x63000026
Loaded INBOUND ESP SPI: 0x02C79F18

315    11:06:33.524  03/08/12  Sev=Warning/2    CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)

316    11:06:33.524  03/08/12  Sev=Warning/3    CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.

317    11:06:33.539  03/08/12  Sev=Info/5       CVPND/0x63400013
   Destination           Netmask           Gateway         Interface   Metric
       0.0.0.0           0.0.0.0    115.162.91.135    115.162.91.135        1
110.66.250.202   255.255.255.255    115.162.91.135    115.162.91.135        1
115.162.91.135   255.255.255.255         127.0.0.1         127.0.0.1       50
115.255.255.255   255.255.255.255    115.162.91.135    115.162.91.135       50
     127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
   169.254.0.0       255.255.0.0    169.254.221.11    169.254.221.11       20
169.254.221.11   255.255.255.255         127.0.0.1         127.0.0.1       20
169.254.255.255   255.255.255.255    169.254.221.11    169.254.221.11       20
     224.0.0.0         240.0.0.0    169.254.221.11    169.254.221.11       20
     224.0.0.0         240.0.0.0    115.162.91.135    115.162.91.135        1
255.255.255.255   255.255.255.255    115.162.91.135    115.162.91.135        1
255.255.255.255   255.255.255.255    169.254.221.11    169.254.221.11        1


318    11:06:33.539  03/08/12  Sev=Info/6       CM/0x6310003A
Unable to restore route changes from file.

319    11:06:33.539  03/08/12  Sev=Info/6       CM/0x63100037
The routing table was returned to original state prior to Virtual Adapter

320    11:06:33.539  03/08/12  Sev=Warning/2    CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)

321    11:06:33.539  03/08/12  Sev=Warning/3    CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.

322    11:06:33.539  03/08/12  Sev=Warning/2    IKE/0xE3000099
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)

323    11:06:33.539  03/08/12  Sev=Warning/2    IKE/0xE30000A5
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2202)

324    11:06:33.539  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 210.xxx.xxx.xxx

325    11:06:33.539  03/08/12  Sev=Info/5       IKE/0x63000018
Deleting IPsec SA: (OUTBOUND SPI = A6892F13 INBOUND SPI = 2C79F18)

326    11:06:33.539  03/08/12  Sev=Info/4       IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=2E8C8617

327    11:06:33.555  03/08/12  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 210.xxx.xxx.xxx

328    11:06:33.555  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 210.xxx.xxx.xxx

329    11:06:33.555  03/08/12  Sev=Info/5       IKE/0x6300003C
Received a DELETE payload for IKE SA with Cookies:  I_Cookie=6AD1BD604CD5EAB1 R_Cookie=C9768016B817E57D

330    11:06:33.555  03/08/12  Sev=Info/4       IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6AD1BD604CD5EAB1 R_Cookie=C9768016B817E57D) reason = Unknown

331    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x63700014
Deleted all keys

332    11:06:33.680  03/08/12  Sev=Info/6       IPSEC/0x6370002B
PPPoE Protocol has been detected.

333    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x63700010
Created a new key structure

334    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x6370000F
Added key with SPI=0x132f89a6 into key list

335    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x63700010
Created a new key structure

336    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x6370000F
Added key with SPI=0x189fc702 into key list

337    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x63700013
Delete internal key with SPI=0x189fc702

338    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x6370000C
Key deleted by SPI 0x189fc702

339    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x63700013
Delete internal key with SPI=0x132f89a6

340    11:06:33.680  03/08/12  Sev=Info/4       IPSEC/0x6370000C
Key deleted by SPI 0x132f89a6

341    11:06:34.180  03/08/12  Sev=Info/4       IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6AD1BD604CD5EAB1 R_Cookie=C9768016B817E57D) reason = Unknown

342    11:06:34.180  03/08/12  Sev=Info/4       CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "Unknown".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

343    11:06:34.180  03/08/12  Sev=Info/5       CM/0x63100025
Initializing CVPNDrv

344    11:06:34.180  03/08/12  Sev=Info/4       IKE/0x63000001
IKE received signal to terminate VPN connection

345    11:06:34.196  03/08/12  Sev=Info/4       IPSEC/0x63700014
Deleted all keys

346    11:06:34.196  03/08/12  Sev=Info/4       IPSEC/0x63700014
Deleted all keys

347    11:06:34.196  03/08/12  Sev=Info/4       IPSEC/0x63700014
Deleted all keys

348    11:06:34.196  03/08/12  Sev=Info/4       IPSEC/0x6370000A
IPSec driver successfully stopped

■ Cisco ASA 5505 version
opfw001# sh version

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

opfw001 up 61 days 15 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0    : address is 8843.e111.de35, irq 11
1: Ext: Ethernet0/0         : address is 8843.e111.de2d, irq 255
2: Ext: Ethernet0/1         : address is 8843.e111.de2e, irq 255
3: Ext: Ethernet0/2         : address is 8843.e111.de2f, irq 255
4: Ext: Ethernet0/3         : address is 8843.e111.de30, irq 255
5: Ext: Ethernet0/4         : address is 8843.e111.de31, irq 255
6: Ext: Ethernet0/5         : address is 8843.e111.de32, irq 255
7: Ext: Ethernet0/6         : address is 8843.e111.de33, irq 255
8: Ext: Ethernet0/7         : address is 8843.e111.de34, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 50
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 10
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

If you notice anything, I would appreciate your advice.

1 reply

ASA 5505: Unable to establish an IPSec VPN connection

Good evening. My name is Kato.

The VPN client side shows the following log entries.

--------------------------------------------------------

315    11:06:33.524  03/08/12  Sev=Warning/2    CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)

316    11:06:33.524  03/08/12  Sev=Warning/3    CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.

--------------------------------------------------------

This looks close to the case in the FAQ below, so how about trying an uninstall and reinstall of the VPN Client?

============================

Cisco VPN Client FAQ

http://www.cisco.com/cisco/web/support/JP/102/1020/1020616_vpnclientfaq-j.html#error

Q. During connection, messages like the following were output to the VPN Client log.

208    15:09:08.619  01/17/08  Sev=Debug/7     CVPND/0x63400015
Value for ini parameter VAEnableAlt is 1.

209    15:09:08.619  01/17/08  Sev=Warning/2    CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)

210    15:09:08.619  01/17/08  Sev=Warning/3    CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.

============================

Also, the VPN Client version seems quite old, so once you have isolated the problem, it may be worth trying a newer version.

I hope this helps. Best regards.
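The triage applied in this thread, as an added example that is not part of either post: it parses the two-line record format of the VPN Client log to find the earliest non-Info record and which side sent the first ISAKMP DELETE, then checks the ASA syslog for Phase 2 completion, the termination reason and the byte counters. The function names are hypothetical; the sample lines are excerpts of the logs posted above.

```python
import re

# Excerpts copied from the logs posted in this thread (addresses as masked there).
CLIENT_LOG = """\
315    11:06:33.524  03/08/12  Sev=Warning/2    CVPND/0xE3400003
Function RegOpenKey failed with an error code of 0x00000002(WindowsVirtualAdapter:558)

316    11:06:33.524  03/08/12  Sev=Warning/3    CVPND/0xE340000C
The Client was unable to enable the Virtual Adapter because it could not open the device.

324    11:06:33.539  03/08/12  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 210.xxx.xxx.xxx

328    11:06:33.555  03/08/12  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, DEL) from 210.xxx.xxx.xxx
"""
ASA_LOG = """\
Mar 08 2012 09:42:21: %ASA-5-713120: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, PHASE 2 COMPLETED (msgid=7370cf62)
Mar 08 2012 09:42:21: %ASA-5-713050: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Connection terminated for peer mngxx.  Reason: Peer Terminate  Remote Proxy 10.244.81.225, Local Proxy 0.0.0.0
Mar 08 2012 09:42:21: %ASA-4-113019: Group = ITS-MNG_xxxxx, Username = mngxx, IP = 111.216.xxx.xxx, Session disconnected. Session Type: IPsec, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
"""

HEADER = re.compile(r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
                    r"Sev=(?P<sev>\w+)/(?P<num>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")

def parse_client_log(text):
    """Group each header line with the message line(s) that follow it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append(dict(m.groupdict(), seq=int(m["seq"]), msg=""))
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def diagnose_client(records):
    """Earliest non-Info record, and which side sent the first ISAKMP DELETE."""
    first_bad = next((r for r in records if r["sev"] not in ("Info", "Debug")), None)
    first_del = next((r for r in records
                      if re.search(r"ISAKMP OAK INFO .*\bDEL\b", r["msg"])), None)
    side = None
    if first_del:
        side = "client" if first_del["msg"].startswith("SENDING") else "gateway"
    return first_bad, side

def diagnose_asa(text):
    """Did the headend finish Phase 2, why did it close, and did any data flow?"""
    out = {"phase2": False, "reason": None, "bytes": None}
    for msg_id, body in re.findall(r"%ASA-\d-(\d{6}): (.*)", text):
        if msg_id == "713120":
            out["phase2"] = "PHASE 2 COMPLETED" in body
        elif msg_id == "713050":
            hit = re.search(r"Reason: (.+?)\s+Remote Proxy", body)
            out["reason"] = hit.group(1) if hit else None
        elif msg_id == "113019":
            out["bytes"] = tuple(int(n) for n in re.findall(r"Bytes \w+: (\d+)", body))
    return out

if __name__ == "__main__":
    bad, side = diagnose_client(parse_client_log(CLIENT_LOG))
    print(f"first failure #{bad['seq']} {bad['comp']}/{bad['code']}; first DELETE from {side}")
    print(diagnose_asa(ASA_LOG))
```

On these excerpts the headend reports Phase 2 complete, a peer-initiated termination and zero bytes in either direction, while the client's first warning is the Virtual Adapter failure followed by its own DELETE, which places the fault on the client rather than in the ASA configuration.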
