2304 Views, 13 Helpful, 16 Replies

Wacky ASA VPN Access Problem

nomanbari (Level 1)

Hi Folks,

I am currently facing a situation and I am in real need of advice....

The situation is that though the ASA is allowing my remote branches to access my inside network and is allowing inside folks to visit the Internet, it is not allowing VPN access from the remote VPN client.... We are using Cisco's VPN client ver. 4.6....

Please see a basic network layout that illustrates our network and the ASA's configuration....

Any advice to resolve this will be greatly appreciated....

Regards,

Noman Bari

16 Replies

nomanbari (Level 1)

Hi,

I added sysopt connection permit-ipsec, but still no result...

Any help in resolving this will be greatly appreciated....

bye

Enable logging on the client and post a log capture.

Hi,

Please see the attached configuration and the Cisco VPN client log file... I have also attached the ASA's syslog output.

What's happening is that I have now connected the ASA's outside interface directly to my test system, which I am assuming to be coming from the Internet, e.g., 1.0.0.1 has been assigned to the ASA's outside and 1.0.0.2 to the PC.

Now when there is no VPN config on the ASA side and I try to connect, the VPN client obviously gives me an error message that the peer isn't available... The thing is, once I do the ASA's remote access VPN config via the VPN wizard in ASDM, the VPN client gives me error messages like "failed to authenticate peer" etc. (you can view them in the attached log file)... The VPN client gives the following error notification:

Initializing the connection...

Contacting the security gateway at 1.0.0.1...

Secure VPN Connection terminated locally by the Client.

Reason 401: An unrecognized error occurred while establishing the VPN connection.

Not connected.

What I am getting confused about is that though on the ASA's side I am defining encryption parameters, on the VPN client side there are no encryption options available, so that both the ASA and the VPN client use the same authentication and/or encryption methods.

In simple words, the VPN client is not getting authenticated and I can't seem to identify what I am missing in my configuration.

Your help will be greatly appreciated.

Bye

Fernando_Meza (Level 7)

Are you able to authenticate using the VPN at all?

If you are able to authenticate OK but can't access anything inside, then you probably need to enable NAT traversal, as your clients might be behind a device doing NAT.

isakmp nat-traversal 20

You also need to make sure your internal network knows how to route back to the IP pool allocated to the remote VPN clients.

I hope it helps... please rate it if it does!!

Hi Fernando,

Thank you so much for your response and helping out.

Please see the attached configuration and the Cisco VPN client log file... I have also attached the ASA's syslog output.

What's happening is that I have now connected the ASA's outside interface directly to my test system, which I am assuming to be coming from the Internet, e.g., 1.0.0.1 has been assigned to the ASA's outside and 1.0.0.2 to the PC.

Now when there is no VPN config on the ASA side and I try to connect, the VPN client obviously gives me an error message that the peer isn't available... The thing is, once I do the ASA's remote access VPN config via the VPN wizard in ASDM, the VPN client gives me error messages like "failed to authenticate peer" etc. (you can view them in the attached log file)... The VPN client gives the following error notification:

Initializing the connection...

Contacting the security gateway at 1.0.0.1...

Secure VPN Connection terminated locally by the Client.

Reason 401: An unrecognized error occurred while establishing the VPN connection.

Not connected.

What I am getting confused about is that though on the ASA's side I am defining encryption parameters, on the VPN client side there are no encryption options available, so that both the ASA and the VPN client use the same authentication and/or encryption methods.

In simple words, the VPN client is not getting authenticated and I can't seem to identify what I am missing in my configuration.

Your help will be greatly appreciated.

Bye

Hmmm... The VPN logs show that the password for the VPN group on your client might not match the one you configured on your ASA. Have you confirmed this? I suggest this:

1. From the ASA, create a new group from the beginning. Just follow the wizard's defaults.

2. On the ASA, enable debug to the monitor so that you can see the output on your telnet session... then type in debug crypto isakmp and debug crypto ipsec from the command line... please log this, as I need you to send me the results.

3. Configure the VPN client with the new group and password... and try to connect.

4. Please post the output of point 2.

Hi Fernando,

Thank you again for your enormous help and support.

This time what I have done is reset the ASA to its factory defaults, and the current scenario now is:

A. On the outside interface of the ASA, a machine with a Cisco VPN client is directly connected. One piece of information: this machine with the VPN client is running the W2K3 OS without any firewall.

B. On the inside interface of the ASA is the protected network.

C. There is no other configuration related to remote branches.

After this connectivity was set up as per your suggestions, I created the new Remote Access VPN via ASDM with default parameters. On the client I created the associated connection with the new user account information.

Please see the attachments. If you need any more information, please let me know.

One thing is a bit strange though: when I give debug crypto isakmp and debug crypto ipsec, nothing appears on the console when the VPN client connects.

Thank you again for helping out.

Regards,

Noman Bari

Hi, that was actually a huge piece of information... the VPN client version installed does not support 2003. You need to install either 4.7.00.0533 or 4.8.00.0440. That should resolve your problem. One thing I noticed on your config is that you are using the Management0/0 interface as your inside network. You need to remove the 'management-only' command, otherwise packets will not traverse the interface. 'Management-only' allows incoming connections to the interface only and, as its name says, it is for management purposes only.

I hope it helps... Please rate it if it does!!!
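The pieces Fernando has asked for across his replies (sysopt connection permit-ipsec, isakmp nat-traversal, removing management-only from the inside interface, a return route to the client pool, and the debug/show commands for step 2 of his checklist) collected into one configuration. This is an added example written for this page, not the attachment posted in the thread and not the poster's actual config. It assumes ASA 7.x command syntax, Management0/0 as the inside interface with 10.1.1.1/24, the outside address 1.0.0.1/24 from the thread, a client pool 192.168.100.0/24, and an inside router at 10.1.1.2; the NAT exemption is a standard remote-access requirement on 7.x that the thread does not mention, included here as an assumption.

```cisco
! Added example, not the thread's attachment. ASA 7.x syntax; values are assumed.
!
! Inside network on the management port: drop 'management-only' so transit traffic
! (decrypted VPN packets to inside hosts) is allowed through it.
interface Management0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no management-only
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.0.0.1 255.255.255.0
!
! Address pool handed to remote clients (assumed range).
ip local pool ravpn-pool 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! Decrypted IPsec traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec
!
! IKE on the outside interface; NAT-T with 20 s keepalives for clients behind NAT.
isakmp enable outside
isakmp nat-traversal 20
!
! Assumed (not in the thread): exempt inside <-> pool traffic from NAT so inside
! hosts see the real pool addresses and replies are routed back into the tunnel.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Step 2 of the checklist: send debug output to the telnet/SSH session.
!   logging monitor debugging
!   terminal monitor
!   debug crypto isakmp
!   debug crypto ipsec
! Nothing appearing here while the client is connecting means the ASA never
! received/processed IKE from that peer (no proposal, no auth, nothing to debug).
!
! Checks once a client says it is connected:
!   show crypto isakmp sa   -> one entry for the client's IP in an active state
!   show crypto ipsec sa    -> #pkts encaps / #pkts decaps increasing for the peer
!   show route              -> the pool address should appear as a connected/route
!                              entry pointing at the outside interface
!
! On the inside router (assumed 10.1.1.2), the return route Fernando refers to:
!   ip route 192.168.100.0 255.255.255.0 10.1.1.1
```

The order of the checks mirrors the order in which a client connection fails: no ISAKMP SA means phase 1 never completed (wrong group password, unsupported client, or IKE never reached the ASA), an ISAKMP SA without IPsec counters means phase 2 or the ACL/NAT exemption is the problem, and growing counters with no reachability from inside means the inside network lacks the route back to the pool.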

Dear Fernando,

Thank you for your advice. I tried this out. Now on the outside of the ASA there is a WinXP machine running Cisco VPN Client ver. 4.6.00.0049, and inside a machine. The outcome is still the same. I again restored the ASA to factory defaults and again went through the VPN wizard with default parameters.

The mgmt interface thing I corrected; yesterday when I restored to factory defaults, I somehow forgot to uncheck it... normally I do... but thanks for pointing this out.

I really can't understand one thing: in the wizard it says the config on both sides must match exactly, but the problem is that on the VPN client there is no option available to configure parameters such as encryption etc.... this is what is bugging me.... Do you know any answer on this?

I will be impatiently waiting for the response because now I am totally baffled by this situation.

Thank you again for your thoughtful responses. If you need any more information, then please let me know.

Bye

I see what you are doing... please see my attachment...

Please rate if it helps!!!

Hi,

If I was a judge on American Idol then I would say to you, Dude... You Rock...!!! :)

It worked... How I missed this I don't know, but you resolved the issue and the credit goes to you.

Thank you for your enormous support....

There is one question though... since the VPN wasn't working the last few days, I started to explore the IPS feature of my ASA... the thing is, from the console I am able to connect to the IPS sensor but from ASDM I can't... ASDM gives me a message to use the mgmt. IP address 10.1.9.201 (by default), but no security certificate for the IPS subsystem appears (as the dialog box says when you click on the IPS icon in ASDM)... Your advice here will be greatly helpful.

Hope to hear from you....

Bye

Hi... I am glad I was able to help you out a bit... in regards to your question... I believe you have the IPS module on the ASA, right? Well, I am sure you need to configure the sensor from the command line first by running the setup command. This setup will take you through a series of interactive questions, and at the end you should be able to access it from ASDM.

I hope it helps... check this link for some help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804596f0.html

Hi,

It's your greatness that you are understating the way you have provided the help, but I really do appreciate and greatly admire your efforts and the amount of your precious time that you have spent on this problem resolution.

And yes, the IPS is in the ASA machine... Thank you so much for your advice... I will go over the steps again... And I really do hope that you won't mind if I bug you again with my stupid queries :) in the future...

Bye

Hi... no problem... I am more than happy to help if I can...

Cheers,