ASA 5510 Remote Access iOS devices issue

Sam Byers
Level 1

I'm having a weird issue that just cropped up in the last week or so. Previously, iPads and iPhones were working fine on our IPSec VPN, but now they don't work at all.

The iOS device throws one of two errors:

1. "Negotiation with the VPN server failed." (asks for user and pass first, then gives this error after about 30 seconds)

2. "The VPN server did not respond." (might just be intermittent 3G network I'm testing over)

If the error is #1, the ASA says this:

TACACS+ and AAA debug:

user: testuser
Tacacs packet sent
Sending TACACS Start message. Session id: 11763, seq no:1
Received TACACS packet. Session id:1263956303  seq no:2
tacp_procpkt_authen: GETPASS
mk_pkt - type: 0x1, session_id: 11763
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 11763, seq no:3
Received TACACS packet. Session id:1263956303  seq no:4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 11763, seq no: 3

crypto isakmp debug (Negotiation with the VPN server failed.):

Jun 11 15:09:57 [IKEv1]: IP = 174.232.18.200, IKE_DECODE RECEIVED Message (msgid=ad46fa43) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing hash payload
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing delete
Jun 11 15:09:57 [IKEv1]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, Connection terminated for peer testuser.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, IKE SA AM:b19cbbe4 terminating:  flags 0x0941c801, refcnt 0, tuncnt 0

Same error with a different debugging level and another tunnel group:

Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, User (testuser) authenticated.
Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Assigned private IP address 10.1.50.175 to remote user
Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Forcing iPhone to host mask. <-- is this forcing the mask to 255.255.255.255 because the iPhone requires that?

If the error is #2, the ASA says this:

Jun 11 15:13:18 [IKEv1]: IP = 174.232.18.200, Connection landed on tunnel_group MobileDevices

I've changed a lot of settings, but I haven't gotten anywhere. I've tried different tunnel groups and connection profiles. This setup works fine on a Windows computer with the Cisco VPN Client (5.0.07). ASA is running 8.2(5), split tunnel, no PFS, group name and PSK, tried with and without peer ID validation, NAT-T (UDP 500, 4500).

Any ideas? Thanks in advance.
