Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec vpn to asa 5510

Hi all

For a couple off days now, I am trying to resolve the fol lowong

issue, I am not really expierenced in ASA's or vpn, so any help will be appreciated.

I'm trying so set up an remote access vpn to an asa. but


I get he following error:

firewall# Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP = xxxxxxxxxxxx
, QM FSM error (P2 struct &0xac69d548, mess id 0x14921bd8)!
Sep 28 04:04:40 [IKEv1]: Group = RECOR, Username = pptpusr01, IP =xxxxxxxxxxxxxxxxxxxxx
, Removing peer from correlator table failed, no match!

I have attached my running config

If anyone has an idea, pleasen let me know.

Kind regards

Bert

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IPSec vpn to asa 5510

Assuming that you are not using L2TP, please kindly remove the following line:

crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp

12 REPLIES
Cisco Employee

Re: IPSec vpn to asa 5510

The following configuration should be removed as it is not required:

no access-list inside_nat0_outbound_1 extended permit ip 192.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
no access-list inside_nat0_outbound_1 extended permit ip any 192.0.0.128 255.255.255.224

no nat (inside) 0 access-list inside_nat0_outbound_2 outside

no access-list inside_nat0_outbound_2 extended permit ip object-group VPNSites 172.16.0.0 255.255.255.0

After the above changes, please run the following debugs on ASA:

debug cry isa

debug cry ipsec

Please also turn on logs on VPN Client.

Collect the debug output from ASA and logs from VPN Client after trying to connect via vpn client.

New Member

Re: IPSec vpn to asa 5510

Thanks for the help

But are you sure that I should remove those access-lists, because we also have some site-to-site-vpn connections.

Here is the output I got from

debug cry ipsec

debug cry isa

Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP
= XXXXXXXXXXXXXXX, QM FSM error (P2 struct &0xae63f758, mess id 0xea4f7e96)!
Sep 29 00:01:37 [IKEv1]: Group = TUNNELRECOR, Username = pptpusr01, IP = XXXXXXXXXX

, Removing peer from correlator table failed, no match!

This is the log from my ipsec client.

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      09:10:17.483  09/29/10  Sev=Info/4    CM/0x63100002
Begin connection process

2      09:10:17.498  09/29/10  Sev=Info/4    CM/0x63100004
Establish secure connection

3      09:10:17.498  09/29/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "94.107.244.10"

4      09:10:17.514  09/29/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 94.107.244.10.

5      09:10:17.530  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 94.107.244.10

6      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10

7      09:10:17.530  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 94.107.244.10

8      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

9      09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

10     09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD

11     09:10:17.530  09/29/10  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads

12     09:10:17.545  09/29/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

13     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 94.107.244.10

14     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x066D, Remote Port = 0x01F4

15     09:10:17.545  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

16     09:10:17.545  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

17     09:10:17.545  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

18     09:10:17.545  09/29/10  Sev=Info/4    CM/0x63100015
Launch xAuth application

19     09:10:17.623  09/29/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

20     09:10:17.623  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

21     09:10:23.030  09/29/10  Sev=Info/4    CM/0x63100017
xAuth application returned

22     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 94.107.244.10

23     09:10:23.030  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

24     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

25     09:10:23.030  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX

26     09:10:23.030  09/29/10  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

27     09:10:23.623  09/29/10  Sev=Info/5    IKE/0x6300005E
Client sending a firewall request to concentrator

28     09:10:23.623  09/29/10  Sev=Info/5    IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

29     09:10:23.639  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to XXXXXXXXXXXXXXXXXXXXXXXXX

30     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 94.107.244.10

31     09:10:23.639  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from XXXXXXXXXXXXXXXXXXXXXXXXX

32     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.0.0.141

33     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

34     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.0.0.29

35     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 192.0.0.30

36     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

37     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = XXXXXXXXXXXXXXXXXXXXXXXXX

38     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

39     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(1) built by builders on Tue 05-May-09 22:45

40     09:10:23.639  09/29/10  Sev=Info/5    IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

41     09:10:23.639  09/29/10  Sev=Info/4    CM/0x63100019
Mode Config data received

42     09:10:23.655  09/29/10  Sev=Info/4    IKE/0x63000056
Received a key request from Driver: Local IP = 192.0.0.141, GW IP = XXXXXXXXXXXXXXXXXXXXXXXXX, Remote IP = 0.0.0.0

43     09:10:23.655  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 94.107.244.10

44     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

45     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 94.107.244.10

46     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

47     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now

48     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = XXXXXXXXXXXXXXXXXXXXXXXXX

49     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 94.107.244.10

50     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 94.107.244.10

51     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=EA4F7E96

52     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED

53     09:10:23.670  09/29/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer =XXXXXXXXXXXXXXXXXXXXXXXXX

54     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA

55     09:10:23.670  09/29/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 94.107.244.10

56     09:10:24.623  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

57     09:10:27.123  09/29/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9D3BF51BDE44D6A5 R_Cookie=4FC9E37E218D5CEA) reason = DEL_REASON_IKE_NEG_FAILED

58     09:10:27.123  09/29/10  Sev=Info/4    CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

59     09:10:27.123  09/29/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

60     09:10:27.139  09/29/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

61     09:10:27.139  09/29/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

62     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

63     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

64     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

65     09:10:27.139  09/29/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped

Thanks in advance

Bert

Cisco Employee

Re: IPSec vpn to asa 5510

Yes, you should remove that because it is already covered under the following NAT:


nat (inside) 0 access-list inside_nat0_outbound_1

You currently have 2 NAT exemption statements on inside interface, and the one with "outside" keyword should be removed.

And also add the following as from the debugs IPSec proposal does not match:

crypto dynamic-map remote-dyn-map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map remote-dyn-map 50 set transform-set ESP-3DES-SHA
crypto map outside_map 65000 ipsec-isakmp dynamic remote-dyn-map

New Member

Re: IPSec vpn to asa 5510

Hi Jennifer

Thank you for all the help, I've added the commands you gave me but

I am still getting the same error messagesfrom the debugs,

When I use my vpn client to connect, i have to login with my usernme and password

and the i get "securing communications channel"  followed by "not connected"

I've attachted them.

Thank you

Bert

Cisco Employee

Re: IPSec vpn to asa 5510

Assuming that you are not using L2TP, please kindly remove the following line:

crypto dynamic-map outside_dyn_map 20 set transform-set recor_l2tp

New Member

Re: IPSec vpn to asa 5510

Hi

That solved my problem, thank very much.

I have one more question.

My network looks like this

ASA5510 ---------------------------Router (don't know the type, not managed by me)-----------------------Internal network

Will the people who connect to the vpn have local lan access?

I can't test this until saturday, I was just wondering because they told me that that was an issue with previous installations.

Again, thank very much

Cisco Employee

Re: IPSec vpn to asa 5510

Base on your configuration, your ip local pool for the vpn is in the same subnet as your internal network. You should change the pool to a different unique subnet.

Then you would need to add the "inside_nat0_outbound" with the newly created ip pool subnet:


access-list inside_nat0_outbound extended permit ip any

Assuming that the router that is not managed by you has default gateway pointing towards the ASA inside interface, you should have access to your internal network. That is the purpose of IPSec VPN client, ie: to get access to your internal network.

New Member

Re: IPSec vpn to asa 5510

So if i understand correctly, i should change the following:

ip local pool VPN-Clients 192.0.1.2-192.0.1.150 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip any <192.0.1.0> <255.255.255.0>

What about the dns server setting,  it is now on 192.0.0.29, does this have to change.

I have adjusted my topology, the previous one, was not correct. The internal network is directly connected to the asa.

ASA5510(192.0.0.40) ---------------------------(192.0.0.187)Router (don't know the type, not managed by me)

                                |----------------------Internal network (192.0.0.0)

thank you

Cisco Employee

Re: IPSec vpn to asa 5510

Yes, absolutely correct.

DNS can stay the same if that is the correct internal dns server ip address.

New Member

Re: IPSec vpn to asa 5510

Ok, thank you very much

EDIT: I have configured my asa like you suggested, but i still don't seem to have Local Lan Access.

These are the settings i get from my dhcp pool

Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

One last question, i have to forward a couple of ports to the router

Is this the correct?


access-list outside-access-in extended permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.0.0.187 3389 netmask 255.255.255.255

thank you

Cisco Employee

Re: IPSec vpn to asa 5510

No, you don't have to forward anything on the ASA.

Once you VPN in, you should be able to access 192.0.0.187 if it's allowed for RDP. Please kindly make sure that personal firewall on that PC is turned off as it will not allow inbound connection from a different subnet.

New Member

Re: IPSec vpn to asa 5510

Hello

Ok, but when i connect i still cannot ping other clients in the network or the inside interface of the asa.


And when connected, the default gateway points to my clients IP adres

Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

Thank you

3068
Views
0
Helpful
12
Replies