Re: ASA 5505 VPN Problem

sonitadmin · ‎01-08-2010

Client has an ASA5505 that was in place but being used for different division of company. They no longer needed it in that area and removed it. They decided to take it back to factory defaults and start over with it in a different office. They want to use it for VPN from public official vehicles and allow access to terminal server on internal network.

I setup the interfaces and routes to allow Internet access from inside. I then went through and set up remote access vpn. I cannot connect with the laptops connected via wireless air cards in the field. I get message that the remote peer did not respond or timed out, something to that effect, don't have the error in front of me right now.

I have attached the config. If someone could take a look at it and see if I have missed something or if I have something configured incorrectly I would really appreciate it.

Federico Coto Fajardo · ‎01-08-2010

Just by looking at the configuration, I see no problems.

Just make sure that you're setting up your VPN client to connect to the public IP on the ASA, and using the group Sheriff with the password defined in the pre-shared-key under the tunnel-group.

If the connection is not succesful, take a look at the output of the following two commands:

ASA(config)# sh cry isa sa

ASA(config)# sh cry ips sa

So, we can see where is the error.

The VPN client itself has some logs that you can enable as well.

Let me know.

Federico.

sonitadmin · ‎01-08-2010

Thanks for the reply. I've turned logging on the ASA device and when I try to connect via the VPN

client all I see is Deny inbound UDP from xx.xx.xx.xx/51786 to xx.xx.xx.xx/500 on interface outside. When I run the commands you sent me, I get the following: There are no isakmp sas and there are no ipsec sas.

Also on VPN client I get Reason 412: The remote peer is no longer responding.

Not sure what I'm missing!

Federico Coto Fajardo · ‎01-08-2010

The error is denying the VPN connection to the ASA, since the IPsec connections establishes on port UDP 500.

I don't see an ACL on the outside interface, but that should not matter to establish the VPN.

Have you tried connecting from any other machines?

You can use the packet tracer command to simulate what's going on and see what's failing:

packet-tracer input outside udp x.x.x.x isakmp y.y.y.y 1024

Where x.x.x.x is the public IP address where you're VPN client is coming from and y.y.y.y is the public IP address of the ASA... check the results....

Federico.

sonitadmin · ‎01-08-2010

Have tried from several different machines, all with same issue. Here is the result of the command:

Result of the command: "packet-tracer input outside udp xx.xx.xx.xx isakmp yy.yy.yy.yy1024"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in yy.yy.yy.yy 255.255.255.255 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I am not familiar with this command so I'm not sure what I'm looking at here.

Federico Coto Fajardo · ‎01-08-2010

It is showing you the flow of the packet, and it is being ''dropped'' by an ACL on the outside interface.

mmmm..... there's no ACL on the outside interface....

For testing purposes, do the following, create an ACL:

access-list VPN permit udp any host x.x.x.x eq 500

access-list VPN permit esp any any

(x.x.x.x is the outside IP of the ASA)

And apply the access-list to the outside interface:

access-group VPN in interface outside control-plane

Try that and then run the packet tracer again, to see if you get the same result.

sonitadmin · ‎01-11-2010

Again, thanks for the reply. I was out of the office until now so I am just testing your suggestions. I entered the ACL, and ran

the command again. Below are the results:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in y.y.y.y 255.255.255.255 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

sonitadmin · ‎01-11-2010

Repost of config with changes.