10-08-2010 07:45 AM
I have to overwrite a pre-shared key (for the VPN client) once a week because the ASA clears this password. I don't know what the cause is. Maybe a bug in the software.
10-08-2010 08:29 AM
Tomasz,
Start by saying which version and what you see in the logs (at informational level) around the time when the keys get corrupted.
Did you already check fsck?
Marci
10-08-2010 05:22 PM
Hi,
Please provide the version of the VPN Client and the ASA image as well. What I understand is that the pre-shared-key configured under the tunnel-group ipsec-attributes for the remote access VPN is being deleted from the config on the ASA. Please correct me if I am wrong.
Thanks,
Namit
10-11-2010 02:10 AM
I have got 3 VPN groups; only one of them has got this problem.
About 30 minutes ago I again overwrote the pre-shared key ("asa1(config-tunnel-ipsec)# pre-shared-key X*******") and the VPN is connected.
I am working with VPN Client 5.0.04.0300 and 5.0.02.0090.
The ASA software has got:
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
asa1 up 192 days 13 hours
failover cluster up 1 year 18 days
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
....
....
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5550 VPN Premium license.
#######################################asa1# sh vpn-sessiondb summa
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
IPsec Remote Access : 5 : 1248 : 7
Totals : 5 : 1248
License Information:
IPsec : 5000 Configured : 5000 Active : 6 Load : 0%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 6 : 10744 : 8
Totals : 6 : 10744
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
asa1#
#######################################logs:
asa1# sh logging | b 8:00
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 850
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing SA payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ke payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing nonce payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing ID payload
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received xauth V6 VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received DPD VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received Fragmentation VID
Oct 11 2010 08:38:00: %ASA-7-715064: IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Oct 11 2010 08:38:00: %ASA-7-715047: IP = x.x.x.x, processing VID payload
Oct 11 2010 08:38:00: %ASA-7-715049: IP = x.x.x.x, Received Cisco Unity client VID
Oct 11 2010 08:38:00: %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group Medsar
Oct 11 2010 08:38:00: %ASA-7-715047: Group = Medsar, IP = x.x.x.x, processing IKE SA payload
Oct 11 2010 08:38:00: %ASA-7-715028: Group = Medsar, IP = x.x.x.x, IKE SA Proposal # 1, Transform # 6 acceptable Matches global IKE entry # 1
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ISAKMP SA payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ke payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing nonce payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, Generating keys for Responder...
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing ID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing hash payload
Oct 11 2010 08:38:00: %ASA-7-715076: Group = Medsar, IP = x.x.x.x, Computing hash for ISAKMP
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing Cisco Unity VID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing xauth V6 VID payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing dpd vid payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Discovery payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, computing NAT Discovery hash
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing NAT-Discovery payload
Oct 11 2010 08:38:00: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, computing NAT Discovery hash
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Oct 11 2010 08:38:00: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing VID payload
Oct 11 2010 08:38:00: %ASA-7-715048: Group = Medsar, IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 432
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Information Exchange processing failed
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted AUTH_FAILED notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Information Exchange processing failed
Oct 11 2010 08:38:02: %ASA-7-715065: Group = Medsar, IP = x.x.x.x, IKE AM Responder FSM error history (struct &0x2645a0a0)
Oct 11 2010 08:38:02: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, IKE SA AM:6442e280 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Oct 11 2010 08:38:02: %ASA-7-713906: Group = Medsar, IP = x.x.x.x, sending delete/delete with reason message
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing blank hash payload
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing IKE delete payload
Oct 11 2010 08:38:02: %ASA-7-715046: Group = Medsar, IP = x.x.x.x, constructing qm hash payload
Oct 11 2010 08:38:02: %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=b36ebb22) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 11 2010 08:38:02: %ASA-3-713902: Group = Medsar, IP = x.x.x.x, Removing peer from peer table failed, no match!
Oct 11 2010 08:38:02: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
I haven't got any concept of what the cause is.
10-11-2010 02:21 AM
Tomasz,
Well, I find it strange that it's triggered (if I understand what you're saying) so regularly, like there was something (script, CSM, etc.) accessing the device and overriding those keys.
Can you please run "fsck flash:" for me?
Do you have an external syslog? You could probably trace if there were any changes done on the appliance itself... maybe it's due to ASDM interaction?
I don't remember any bugs to explain this behavior - not to say that there are none.
Marcin
10-11-2010 03:28 AM
Thanks.
I have got syslog, but the ASA is logging only VPN messages.
I configure the ASA only by CLI. I don't run ASDM.
I ran fsck:
asa1# fsck disk0:
fsck of disk0: complete
asa1#
10-11-2010 05:03 AM
Tomasz,
It was worth a shot :-)
What you could do is make sure that either of the two syslogs is being logged by default to syslog regardless of level:
%ASA-5-111008:
%ASA-5-111010:
Those two should inform you of any actions done by a user.
Marcin
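As an added example (not from the thread or from Cisco), a small Python correlator that reads ASA syslog lines like the ones Tomasz posted, flags the 713903/713904 pre-shared-key-mismatch symptoms per tunnel group, and looks back through the 111008/111010 command audit trail Marcin suggests for the last operator command entered under that tunnel group's ipsec-attributes. The sample log is constructed; the 111008 line format used for it is an assumption.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: 713903/713904 lines copy the thread's wording; the 111008
# lines assume the "User 'x' executed the 'cmd' command." format.
SAMPLE_LOG = """\
Oct 11 2010 08:15:32: %ASA-5-111008: User 'admin' executed the 'tunnel-group Medsar ipsec-attributes' command.
Oct 11 2010 08:15:40: %ASA-5-111008: User 'admin' executed the 'pre-shared-key *****' command.
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
Oct 11 2010 08:38:00: %ASA-4-713903: Group = Medsar, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
Oct 11 2010 08:38:00: %ASA-5-713904: Group = Medsar, IP = x.x.x.x, Received an un-encrypted AUTH_FAILED notify message, dropping
Oct 11 2010 09:02:11: %ASA-4-713903: Group = Sales, IP = y.y.y.y, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
GROUP_RE = re.compile(r"Group = (?P<group>[^,]+)")
CHANGE_RE = re.compile(r"User '(?P<user>[^']+)'.*executed (?:the )?'(?P<cmd>[^']+)'")
TG_RE = re.compile(r"^tunnel-group (?P<group>\S+) ipsec-attributes$")
MISMATCH_MARKERS = ("pre-shared key mismatch", "INVALID_HASH_INFO", "AUTH_FAILED")

def parse(text):
    """Yield (timestamp, message id, body) for each well-formed ASA syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msgid"], m["body"]

def correlate(text, window=timedelta(hours=24)):
    """Map each tunnel group showing PSK-mismatch symptoms to the latest command
    entered under its ipsec-attributes within `window` before the first symptom."""
    changes, first_symptom, context = [], {}, None
    for ts, msgid, body in parse(text):
        if msgid in ("111008", "111010"):          # audit trail of operator commands
            m = CHANGE_RE.search(body)
            if not m:
                continue
            tg = TG_RE.match(m["cmd"])
            if tg:                                  # entering a tunnel-group context
                context = tg["group"]
            elif context:
                changes.append((ts, context, m["user"], m["cmd"]))
        elif msgid in ("713903", "713904") and any(k in body for k in MISMATCH_MARKERS):
            g = GROUP_RE.search(body)
            if g:
                first_symptom.setdefault(g["group"], ts)
    report = {}
    for group, when in first_symptom.items():
        prior = [c for c in changes if c[1] == group and when - window <= c[0] <= when]
        report[group] = prior[-1] if prior else None   # None: nobody touched it
    return report
```

A group that reports None while still failing IKE authentication points away from an operator or script rewriting the key and toward the client side or the appliance itself.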
10-12-2010 03:22 AM
asa1(config)# logging message 111008
asa1(config)# logging message 111010
syslog 111010 not found
Is message 111010 correct?
I applied the option 'ForceKeepAlives=1'.
I don't know if it helps anything.
10-12-2010 06:29 AM
Tomasz,
The forcekeepalives option can only impact operational IKE tunnels.
The two syslogs were taken from my ASA 8.3.
Marcin