06-12-2012 11:41 AM - edited 02-21-2020 06:07 PM
I'm having a weird issue that just cropped up in the last week or so. Previously, iPads and iPhones were working fine on our IPSec VPN, but now they don't work at all.
The iOS device throws one of two errors:
1. "Negotiation with the VPN server failed." (asks for user and pass first, then gives this error after about 30 seconds)
2. "The VPN server did not respond." (might just be the intermittent 3G network I'm testing over)
If the error is #1, the ASA says this:
tacacs+ and aaa debug:
user: testuser
Tacacs packet sent
Sending TACACS Start message. Session id: 11763, seq no:1
Received TACACS packet. Session id:1263956303 seq no:2
tacp_procpkt_authen: GETPASS
mk_pkt - type: 0x1, session_id: 11763
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 11763, seq no:3
Received TACACS packet. Session id:1263956303 seq no:4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 11763, seq no: 3
crypto isakmp debug (Negotiation with the VPN server failed.):
Jun 11 15:09:57 [IKEv1]: IP = 174.232.18.200, IKE_DECODE RECEIVED Message (msgid=ad46fa43) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing hash payload
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, processing delete
Jun 11 15:09:57 [IKEv1]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, Connection terminated for peer testuser. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Jun 11 15:09:57 [IKEv1 DEBUG]: Group = MobileDevices, Username = testuser, IP = 174.232.18.200, IKE SA AM:b19cbbe4 terminating: flags 0x0941c801, refcnt 0, tuncnt 0
Same error with a different debugging level and another tunnel group:
Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, User (testuser) authenticated.
Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Assigned private IP address 10.1.50.175 to remote user
Jun 12 10:16:50 [IKEv1]: Group = Test_Tunnel_Group, Username = testuser, IP = 174.252.107.180, Forcing iPhone to host mask. <-- Is this forcing the mask to 255.255.255.255 because the iPhone requires that?
If the error is #2, the ASA says this:
Jun 11 15:13:18 [IKEv1]: IP = 174.232.18.200, Connection landed on tunnel_group MobileDevices
I've changed a lot of settings, but I haven't gotten anywhere. I've tried different tunnel groups and connection profiles. This setup works fine on a Windows computer with the Cisco VPN Client (5.0.07). The ASA is running 8.2(5), split tunnel, no PFS, group name and PSK, tried with and without peer ID validation, NAT-T (UDP 500, 4500).
Any ideas? Thanks in advance.