I support a Dr. office with 5 locations. Each has a Cisco ASA5500 with a public static IP and a VPN tunnel set up to each other location as well as back to the data center at Dell. I recently put a Cisco VoIP system in one location with its own SIP trunk static IP and want to tunnel to the same ASA devices. I bought a Cisco RV042 VPN router, configured the VPN tunnels on it, and then tried one ASA device. If I initiate a connection from the ASA, the ASA sees nothing and the RV042 looks like it fails at phase one. If I initiate it from the RV042, the ASA still sees nothing.
I want to say upfront that the ISP is not blocking port 500. I know this because we already have tunnels set up that work. Also, all settings have been double checked on each device to make sure they match.
I was receiving the errors below until I did a firmware update. After that, it now just fails but does not report anything in the logs.
Here are the errors:
packet from : initial Main Mode message received on but no connection has been authorized with policy=PSK
ERROR: asynchronous network error report on eth1 for message to port 500, complainant: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
About the ISP blocking port 500 that you stated: the ISP may still be blocking the port. Having another tunnel to a specific device does not necessarily mean your provider is allowing it through. There are several providers that your provider most likely connects to, and since an IPsec tunnel connection goes directly from one peer to another, the paths taken by each tunnel are most likely completely different. So the path for this particular tunnel may have UDP port 500 packets blocked while the other tunnels' paths are fine.
With that said, based on your description of the issue there is a very high chance the packets from the router to the ASA are not reaching the ASA. We find this out by doing the following:
1. Apply a capture on the outside interface by doing the following commands:
ASA (config)# capture CAP interface <outside interface name> trace detail match ip host <peer IP> host <local outside IP>
The first capture will capture all IP traffic between the 2 peers, so make sure there are no pings or other traffic so we don't get much noise in the capture. The second capture is for ESP packets once the tunnel is up, in case you have issues with this being blocked on the internet as well.
2. Run debugs on the ASA:
debug crypto condition peer <peer IP>
debug crypto isakmp 250
debug crypto ipsec 250
3. Attempt to establish the tunnel from the router to the ASA first. Retrieve the captures, as well as the show crypto isakmp sa and show cry ipsec sa peer <Peer IP> and debug outputs. Then clear the capture contents and attempt another connection from the ASA; be sure to retrieve the new information once again. Use show capture <capture name> to see the capture content and clear capture <capture name> to clear it.
Please post the outputs so we can understand the behavior; a copy of the config can also help.
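To make the triage in the steps above concrete, here is an added Python helper (not from the original thread or from Cisco) that reads tcpdump-style lines in the shape of ASA "show capture" output and classifies the phase-1 symptom: no IKE packets from the peer at all (look upstream at the ISP path), peer packets arriving with no reply from the ASA (look at the ASA-side policy and the isakmp debugs), or a two-way exchange. The capture lines and IP addresses are constructed for the example.

```python
import re

# Constructed sample in the shape of ASA "show capture CAP" output (not a real capture).
# 203.0.113.10 plays the RV042 peer, 198.51.100.5 the ASA outside interface.
SAMPLE_CAPTURE = """\
   1: 10:02:11.135472       203.0.113.10.500 > 198.51.100.5.500:  udp 296
   2: 10:02:11.136002       198.51.100.5.500 > 203.0.113.10.500:  udp 176
   3: 10:02:13.402113       203.0.113.10.500 > 198.51.100.5.500:  udp 296
"""

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T


def parse_capture(text):
    """Return one dict per packet line: src, sport, dst, dport, proto."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def triage_ike(text, peer_ip, local_ip):
    """Classify the phase-1 symptom seen on the ASA outside interface.

    'no-ike-from-peer': nothing on UDP/500 or 4500 from the peer reached the ASA,
                        so check the ISP path before the ASA configuration.
    'ike-no-reply'    : the peer's IKE packets arrived but the ASA answered nothing,
                        so check the ASA peer/policy settings and debug crypto isakmp.
    'ike-exchange'    : packets flow both ways; phase 1 is at least being negotiated.
    """
    pkts = [p for p in parse_capture(text) if p["proto"] == "udp" and p["dport"] in IKE_PORTS]
    from_peer = [p for p in pkts if p["src"] == peer_ip and p["dst"] == local_ip]
    to_peer = [p for p in pkts if p["src"] == local_ip and p["dst"] == peer_ip]
    if not from_peer:
        return "no-ike-from-peer"
    if not to_peer:
        return "ike-no-reply"
    return "ike-exchange"
```

Paste the real "show capture" text in place of the constructed sample; a result of "no-ike-from-peer" for a connection initiated from the RV042 is the strongest sign that the path, not the ASA, is dropping the traffic.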