Cisco Support Community
New Member

Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Hello there,

I have a slightly strange problem regarding the Cisco VPN client (IPSec) with a Cisco ASA. The Cisco ASA is running software version 5.2(2). The Cisco VPN client version is 3.5.1.

The problem is that the Cisco VPN client can authenticate successfully with the Cisco ASA but cannot PING any LAN network behind the Cisco ASA. However, the problem went away when we used Cisco VPN client version 4.6 or 4.8. All the settings are exactly the same. What has happened? What is the cause of this issue? How can I troubleshoot this problem?

Please advise.

Thanks,

Nitass


16 REPLIES
Green

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

FYI, 5.2 is the ASDM version on the ASA. The ASA version would be 7.x. Make sure the client is set for IPsec over UDP.

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Thanks for reply. You are right.

The Cisco ASA is running software 7.2(2) and ASDM 5.2(2). NAT-T has already been enabled. And as I mentioned above, both Cisco VPN client 4.6 and 4.8 worked fine. The problem is only with Cisco VPN client 3.5.1. All configurations were exactly the same.

Please advise.

Thanks,

Nitass

Green

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

I understood your problem. I have never used 3.5.1, so I thought maybe NAT-T wasn't enabled by default like in 4.x.

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Hi,

I just noticed that the transparent tunneling status was inactive and the tunnel port was also 0. Anyway, I have already enabled NAT-T on Cisco VPN client 3.5.1.

What should I do? Please advise.

Thanks,

Nitass

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

By the way, I have tried configuring IPSec over TCP, but it still didn't work. I could telnet to port 10000 from the client machine, but the VPN client software couldn't establish the VPN tunnel.

Please advise.

Thanks,

Nitass

Cisco Employee

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Nitass,

I read through the information posted on the website; it seems that you see Transparent Tunneling as Inactive. Can you make sure that IPSec over UDP is checked on the client?

Can you send the output of "sh run | in isakmp"

Thanks

Gilbert

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Thanks for reply.

ciscoasa# sh run | inc isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20

Additionally, the following is the output of show crypto ipsec sa. It seems that the SA didn't detect a NAT device along the way.

ciscoasa# sh crypto ipsec sa
(snip)
inbound esp sas:
spi: 0x7B9777AF (2073524143)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 82, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28747

I also attached the transparent tunneling setting to this message.

Please advise.

Thanks a lot,

Nitass

Cisco Employee

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

After the VPN client is connected, can you send the output of "sh vpn-session remote" from the ASA.

Can you please let me know what the NATting device is that the client passes through?

Thanks

gilbert

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Hi gilbert,

You are right. The problem comes from the NAT. When I removed the NATing device along the way, the connection was fine. The NATing device is just a NetScreen firewall. Anyway, it worked fine with VPN client 4.6 and 4.8. I wonder why NAT-T, IPSec over UDP or IPSec over TCP did not work in this case. What could I do? Could you please advise?

Below is the output of the show vpn-sessiondb remote command that you asked for.

ciscoasa# sh vpn-sessiondb remote
Session Type: Remote
Username: sawayama
Index: 1
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Hashing: MD5
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Group Policy: remote
Tunnel Group: remote
Login Time: 12:37:16 ICT Fri Jun 22 2007
Duration: 0h:00m:10s
Filter Name: vpnacl
NAC Result: N/A
Posture Token:

Thanks,

Nitass

Cisco Employee

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Nitass,

From the output of "sh vpn-sessiondb" it seems that your VPN client is just using IPSec and not IPSec over UDP or IPSec over TCP:

Protocol: IPSec

If the client is going through a NAT device, then the ASA will detect the NAT device and try to use UDP 4500 (NAT-T) for negotiation.

In this case, it seems that is not happening. We need to look deeper into the ASA debugs and the client-side debugs to see what is happening.

Since the client is connecting with plain IPSec, and I do not see any packets received on the ASA in the output that was sent, I believe the NAT device might be blocking ESP packets.

You need to do some more extensive troubleshooting to figure out precisely where the problem is happening.

It may be that the Netgear device is not doing the PAT properly, or it has a one-to-one NAT for your VPN client.

Rate this post if it helps.

Cheers,

Gilbert

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Hi Gilbert,

Thank you very much. I appreciate your kindness.

For this issue, I did it in the lab. All device configurations were the same. The only change was the VPN client software version.

As I checked, I understood that VPN client 3.5.1 could not support NAT-T. It was supported from version 3.6.1. Anyway, I think the TCP over UDP or TCP should work in this situation.

What do you think? Could you please advise?

Thanks,

Nitass

Green

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

IPsec over UDP is NAT-T, like I said in my first post.

Cisco Employee

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Nitass,

With that VPN client version, if you use IPSec over UDP, it will use UDP port 10000.

Since you are coming through a NAT device, I am sure the ASA is detecting UDP 4500 (which is NAT-T) and then trying to use that.

But you can use IPSec over TCP. If that's the case, then make sure you have IPSec over TCP configured on the ASA. According to your previous output of

sh run | in isakmp --> you did not have that configured on the ASA.

This is the command:

"isakmp ipsec-over-tcp port 10000"

Let me know if this helps.

Thanks

Gilbert

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

Sorry, please wait a moment.

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

I tried to use IPSec over TCP 10000, but it still did not work. The VPN client displayed "failed to establish a TCP connection". Anyway, I could telnet to port 10000 of the ASA.

The ASA configuration is listed below.

ciscoasa# sh run | inc isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp ipsec-over-tcp port 10000

I have a question. You mentioned above, "since you are coming through a NAT device, I am sure ASA is detecting UDP 4500 (which is NAT-T) and then trying to use that". Why did you think the ASA would detect UDP 4500? I think it is because VPN client 3.5.1 does not support NAT-T (UDP 4500), so the ASA could detect UDP 10000 instead of 4500. Please correct me if I misunderstood anything.

Thanks,

Nitass

New Member

Re: Cisco VPN client 3.5.1 and Cisco ASA 5.2(2)

It works now. Thank you very much both.

The cause of this problem was that IPSec over UDP was disabled in the default group policy. After I enabled it, everything was fine.

Thanks again,

Nitass
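The thread ends with the fix (IPSec over UDP had to be enabled in the client's group policy) but never shows a way to check the three encapsulation options side by side against what a connected client actually negotiated. The following is an added example, not code from this thread, from Cisco or from any of the posters. It parses "show run" and "show vpn-sessiondb remote" text and reports whether NAT-T, IPSec over UDP (per group policy) and IPSec over TCP are available, and flags a session that negotiated plain ESP with zero bytes received, which is the symptom seen above. The sample texts are constructed from the posts; the group-policy lines ("ipsec-udp enable", "ipsec-udp-port", "vpn-filter") are an assumption about what the configuration looked like, since the thread only shows the isakmp lines, and treating the exact string "Protocol: IPSec" as plain ESP is an assumption about the 7.2(2) output format.

```python
"""Added example, not code from the thread or from Cisco: a small checker
that reads ASA 'show run' and 'show vpn-sessiondb remote' text and reports
which encapsulations the box offers versus what the client negotiated.
All sample text below is constructed from the thread; the group-policy
lines are an assumption about the final working config."""
import re

# Constructed: config as posted mid-thread (NAT-T on, no IPSec over TCP),
# plus an assumed 'remote' group policy that never enables ipsec-udp.
RUN_BEFORE = """\
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
group-policy remote internal
group-policy remote attributes
 vpn-filter value vpnacl
tunnel-group remote general-attributes
 default-group-policy remote
"""

# Constructed: the same config after the fixes discussed in the thread
# ('ipsec-udp enable' under the group policy is the one that resolved it).
RUN_AFTER = """\
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
group-policy remote internal
group-policy remote attributes
 vpn-filter value vpnacl
 ipsec-udp enable
 ipsec-udp-port 10000
tunnel-group remote general-attributes
 default-group-policy remote
"""

# Constructed from the session output posted in the thread.
SESSION = """\
Session Type: Remote
Username: sawayama
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Hashing: MD5
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Group Policy: remote
Tunnel Group: remote
"""


def parse_run(run_text):
    """Pull NAT-T, IPSec-over-TCP and per-group-policy ipsec-udp settings."""
    info = {"nat_t": False, "tcp_ports": [], "group_policies": {}}
    gp = None  # group policy whose indented attribute block we are inside
    for line in run_text.splitlines():
        if line.startswith("crypto isakmp nat-traversal"):
            info["nat_t"] = True
        m = re.match(r"crypto isakmp ipsec-over-tcp port (.+)", line)
        if m:
            info["tcp_ports"] = [int(p) for p in m.group(1).split()]
        m = re.match(r"group-policy (\S+) attributes", line)
        if m:
            # ASA default for ipsec-udp-port is 10000
            gp = info["group_policies"].setdefault(
                m.group(1), {"ipsec_udp": False, "ipsec_udp_port": 10000})
            continue
        if line.startswith(" ") and gp is not None:
            attr = line.strip()
            if attr == "ipsec-udp enable":
                gp["ipsec_udp"] = True
            elif attr == "ipsec-udp disable":
                gp["ipsec_udp"] = False
            elif attr.startswith("ipsec-udp-port "):
                gp["ipsec_udp_port"] = int(attr.split()[1])
        elif not line.startswith(" "):
            gp = None  # left the attribute block
    return info


def parse_session(session_text):
    """Split 'Key: value Key: value' lines of vpn-sessiondb output into a dict."""
    fields = {}
    for line in session_text.splitlines():
        for m in re.finditer(r"([A-Za-z ]+?):\s*(.*?)(?=\s+[A-Za-z ]+?:|$)", line):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def diagnose(run_info, session):
    """Compare what the client negotiated with what the ASA offers."""
    findings = []
    proto = session.get("Protocol", "")
    gp_name = session.get("Group Policy", "")
    gp = run_info["group_policies"].get(
        gp_name, {"ipsec_udp": False, "ipsec_udp_port": 10000})
    if proto == "IPSec":  # assumption: bare 'IPSec' means ESP with no encapsulation
        findings.append("Client negotiated plain ESP (IP protocol 50), no UDP/TCP encapsulation.")
        if session.get("Bytes Rx") == "0":
            findings.append("Bytes Rx is 0: ESP from the client is not arriving; "
                            "a NAT/PAT device in the path is the usual cause.")
    if not run_info["nat_t"]:
        findings.append("NAT-T (UDP 4500) not enabled: add 'crypto isakmp nat-traversal 20'.")
    if not gp["ipsec_udp"]:
        findings.append(f"Group policy '{gp_name}' does not allow IPSec over UDP: "
                        f"add 'ipsec-udp enable' under 'group-policy {gp_name} attributes'.")
    else:
        findings.append(f"IPSec over UDP allowed on UDP/{gp['ipsec_udp_port']} for '{gp_name}'.")
    if run_info["tcp_ports"]:
        findings.append("IPSec over TCP available on TCP/"
                        + ",".join(map(str, run_info["tcp_ports"])) + ".")
    else:
        findings.append("IPSec over TCP not configured ('crypto isakmp ipsec-over-tcp port 10000').")
    return findings


if __name__ == "__main__":
    sess = parse_session(SESSION)
    for label, cfg in (("before", RUN_BEFORE), ("after", RUN_AFTER)):
        print(f"== {label} ==")
        for f in diagnose(parse_run(cfg), sess):
            print(" -", f)
```

Run against the "before" config the checker reports plain ESP with nothing received and a group policy that does not permit IPSec over UDP; against the "after" config the group-policy finding disappears and TCP/10000 is listed as an alternative. A client that cannot do NAT-T, as posted above for 3.5.1, still needs one of the two 10000 options to be both permitted in its group policy (UDP) or enabled globally (TCP).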
