Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Cisco Employee

ASA disconnects client due to XAUTH failure even though XAUTH disabled

Dear friends,

I am trying to create an IPsec tunnel between a ZyXEL ZyWALL P1 hardware firewall and an ASA 5510, OS version 8.0(2). Both parties should authenticate themselves using only PKI X.509 certificates without any XAUTH authentication.


The current configuration of the ASA permits software Cisco VPN Clients to connect without any problems. However, when I try to connect the ZyWALL, the ASA complains about the "peer is not authenticated by xauth - drop connection" and it indeed drops the connection. This puzzles me, as both the hardware ZyWALL and software clients are handled by the same tunnel group in which the XAUTH is deactivated using the command "isakmp ikev1-user-authentication none". My goal, obviously, is to configure the ASA in such a way that it will be possible to create an IPsec tunnel between the ZyWALL and the ASA authenticated using the certificates only, without the XAUTH.

The ZyWALL does not seem to support the MODE configuration. I do not know if this is a noteworthy fact but I am including it for the sake of completeness.

I am enclosing the relevant snippets of the configuration and the output of the debug crypto isakmp 127 command. A short explanation of the various addresses seen in the debug output:

  • 158.193.139.0/24 is the public segment in the lab where the ZyWALL appliance is being tested
  • 192.168.167.0/24 is the private segment behind the ZyWALL appliance (its "LAN" interface)
  • 172.27.137.0/24 is the private segment behind ASA to which clients gain access via IPsec

I am most grateful for all guidance you can give me!

Best regards,

Peter

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Well I needed to re-read a big part of your email.

I understand that you essentially want your zyxel firewall to act as a ezvpn clinet (note that it DOES NOT send unity tag in MM1) and not a l2l tunnel.

Group = TG-RAIS, Username = Peter Paluch VPN, IP = 158.193.139.173, processing hash payload

Is that username configured anywhere on the zyxel firewall?

Marcin

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Re routing stuff:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2189584

Cna you give it a try?


Marcin

Edit.

P.S.

8.0.2 is ANCIENT consider 8.0.5 if above does not work.

15 REPLIES
Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Trying to find group via cert rules...
Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Connection landed on tunnel_group TG-RAIS
Jun 21 13:46:11 [IKEv1]: Group = TG-RAIS, IP = 158.193.139.173, No valid authentication type found for the tunnel group

Would you kindly add crypto map entry with:

- set peer (if known and not dynamic)

- trustpoint

- match of of access-lists

and retry - with ASA being the initiator.

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Hello Marcin,

Thank you very much for your reply. I will try to modify the ASAs config and get back to you.

In the meantime, the debug snippet you have quoted appears also when the software Cisco VPN Client is connecting. It's kind of logical because I have deactivated all authentication options for the tunnel group (the only one remaining is the RSA signature during the IKE Phase 1).

What also bugs me is that basically, the IKE Phase 1 is actually reported as completed by the ASA. It is the transition through the Phase 1.5 (the XAUTH) which should not be there at all when the ASA reports a problem.

Thank you very much for replying!

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

It appears to be the zyxel box:

Jun 21 13:46:11 [IKEv1 DECODE]: IP = 158.193.139.173, ID_FQDN ID received, len 17
0000: 7A797831 2E76706E 2E656365 72742E73     zyx1.vpn.ecert.s
0010: 6B                                      k

Marcin

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Marcin,

Thank you very much for your answer. Can you please elaborate in more detail why do you believe this is a problem? I have noticed that the ZyWALL is sending its ID as the FQDN, as opposed to Cisco VPN Client that sends the client's ID as the DER_ASN1_DN (Distinguished Name).

Thank you!

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

I believe at the base of the problem lies the fact that you're falling under dynamic crypto and not statically assigned, thus you're not able to specify which trustpoint you will use to send for authentication.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2239653

If in doubt debug isakmp at 100 + debug crypt ca ... debugs.

Marcin

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Hello Marcin,

I believe at the base of the problem lies the fact that you're falling under dynamic crypto and not statically assigned, thus you're not able to specify which trustpoint you will use to send for authentication.

This statement is true but I am afraid that it does not apply here. In the deployment I am troubleshooting, the ASA is and always will be a responder, never an initiator of an IPsec tunnel. The URL that you have referenced about the crypto map set trustpoint command states specifically:

This crypto map command is valid only for initiating a connection. For information on the responder side, see the tunnel-group commands.

Thus, for my ASA in the responder role, this command does not apply. The configuration file I have attached in my first reply contains the following stanza:

tunnel-group TG-RAIS ipsec-attributes
trust-point CA-ECert
isakmp ikev1-user-authentication none

So the trustpoint for this connection can be obviously determined clearly. Actually, the IKE Phase 1 is shown in the debug to be completed successfully which would not be the case if the actual trustpoint and the related certificate exchange was not successful in the first place. I have also to stress that the same configuration using a Cisco VPN client works just fine. I am attaching the output of the debug crypto isakmp 127 using the Cisco VPN Client software to compare the results.

There is something fishy going on... something is different and I cannot find out what it is.

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

OK this was the information I missed.

To avoid further back and forth, please attach.

Full debug from ASA  when zyxel is connecting (where peer is the IP address of zyxel device at time of testing)

-------

deb crypto cond peer ....

deb cry isa 100

deb crypto ipsec 100

deb cry ca mess 100

deb cry ca trans 100

--------

and following sections from config;
---------

show run crypto

show run tunnel-group

show run group-policy

---------

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Hello Marcin,

Please find attached the information you have requested. Also please check the attachments in my original post - they also contain selected snippets of the relevant configuration.

Thank you for your ongoing support!

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Marcin,

Perhaps there can be an issue with the certificate data itself. I am enclosing the certificate information in the attachment. Please note that the Subject Name identifies me as a person while the Subject Alternative Name refers to the DNS FQDN of the ZyWALL appliance. Do you believe that these two fields should correspond to each other? Also, the name "zyx1.vpn.ecert.sk" is not currently present in DNS. Is that perhaps required?

Thank you!

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Well I needed to re-read a big part of your email.

I understand that you essentially want your zyxel firewall to act as a ezvpn clinet (note that it DOES NOT send unity tag in MM1) and not a l2l tunnel.

Group = TG-RAIS, Username = Peter Paluch VPN, IP = 158.193.139.173, processing hash payload

Is that username configured anywhere on the zyxel firewall?

Marcin

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Marcin,

Thank you for asking me about the EzVPN and/or L2L tunnels. Actually I wanted to create a L2L tunnel but I was trying to terminate it on a remote access tunnel group and that was the problem! Man, am I stupid...

Nevertheless, thank you! After creating a separate tunnel group with the type ipsec-l2l and mapping the ZyWALL into it, I am now able to successfully establish the IPsec connection.

I still do have a problem, though. It seems to be related to routing. The ZyWALL now nicely creates an IPsec tunnel and the ASA accepts it. It also recognizes the network behind the ZyWALL, according to the debug output. However, no route is added to the ASA's routing table pointing towards the network behind the ZyWALL. The traffic sourced on the internal network behind the ASA destined for the network behind the ZyWALL leaves the ASA unencrypted via the default route and never reaches the ZyWALL. What am I missing here?

The relevant portions of the configuration now look as follows:

group-policy GP-RAIS-PeterP-ZyX internal
group-policy GP-RAIS-PeterP-ZyX attributes
vpn-tunnel-protocol IPSec

tunnel-group TG-PeterP-ZyX type ipsec-l2l
tunnel-group TG-PeterP-ZyX general-attributes
default-group-policy GP-RAIS-PeterP-ZyX
tunnel-group TG-PeterP-ZyX ipsec-attributes
trust-point CA-ECert

After the IPsec connection is closed, the debug contains the following line:

Jun 22 13:11:03 [IKEv1]: Group = TG-PeterP-ZyX, IP = 158.193.139.173,

Deleting static route for L2L peer that came in on a dynamic map.

address: 192.168.167.0, mask: 255.255.255.0

However, there was no such "static" route present in the routing table at all during the entire duration of the IPsec connection.

Thank you so much with your patience with me, Marcin!

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Re routing stuff:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2189584

Cna you give it a try?


Marcin

Edit.

P.S.

8.0.2 is ANCIENT consider 8.0.5 if above does not work.

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Hello Marcin,

That command did it. Thank you!

I would like to thank you very much for all your patience and help. You have been a great support and I appreciate it very much. I owe you one should you ever travel to Slovakia

Best regards,

Peter

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Peter,

Have a Zlaty Bazant for me ;-)

Marcin

Cisco Employee

Re: ASA disconnects client due to XAUTH failure even though XAUT

Marcin,

LOL Okay, I surely will (and what about Saris? )

Best regards,

Peter

2894
Views
18
Helpful
15
Replies
CreatePlease to create content