
New Member

ASA5540 and VPN3002 client problem

I am unable to get my 3002 HW client to connect to my ASA Appliance. ASA debugging indicated a Dynamic Crypto Map mismatch (the HW client's DHCP-derived IP address is what's being looked for).

3002 HW Client SW version 4.1.7H

Mode = Client

PAT enabled

IPSec over TCP

ASA5540 SW version 7.0(4)

NAT-T Enabled, IPSec over TCP Enabled.

Encryption Domain setting:

0.0.0.0/0.0.0.0 (protected inside)

172.26.16.0/255.255.240.0 (protected outside - VPN Client IP Pool)

This configuration works fine for all my SW Clients.

As a test, I changed the Dynamic crypto map to an implicit 0.0.0.0/0.0.0.0 (inside) / 0.0.0.0/0.0.0.0 (outside) (basically any/any) and the HW client successfully connects. This is not an acceptable solution as this prevents my configuration of LtoL tunnels.

The HW client can successfully connect to my old VPN3K Concentrators.

I also tried using IPSec over UDP, 3DES instead of AES256 encryption.

I cannot find anything in any release notes or Bug Tracker like this.

Any comments or suggestions are appreciated.

3 REPLIES
New Member

Re: ASA5540 and VPN3002 client problem

Upgraded 3002 HW client to 4.7.2D without success.

ovt Bronze

Re: ASA5540 and VPN3002 client problem

Contrary to both the Software client 4.x and the IOS Easy VPN client, the VPN3002 suggests establishing *two* pairs of SAs to an Easy VPN server: Outside3002IP/32<->OutsideServerIP/32 and AddressFromPool/32<->CentralSiteLAN/xx. You can probably verify this in the debug output of your PIX -- look at "Proxy identities" or something like this (I haven't worked with PIX OS 7 yet). The first SA may be the source of your problem, as the Server policy should allow establishing such an SA. I think that, if the VPN 3002 IP is assigned dynamically, the only way to work around this problem is to use any<->any Proxy IDs on the PIX for Remote-access users (you've never seen a configuration of the IOS EasyVPN server with a Crypto ACL applied to the Dynamic crypto map, right?). The real question here is why this approach should break Site-to-Site tunnels on the PIX if it works on IOS routers???
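The proxy-identity mismatch this reply describes, modeled as an added Python example (not code from the thread or from Cisco): each SA pair the client proposes is checked against the ASA's crypto ACL entries, using the encryption domain from the original post. The outside addresses are constructed samples, and the shape of the software client's proposal is an assumption.

```python
from ipaddress import ip_network

# Crypto ACL entries as (ASA-side network, client-side network) pairs, taken from
# the thread's encryption domain: protected inside <-> VPN client IP pool.
RESTRICTED_ACL = [(ip_network("0.0.0.0/0"), ip_network("172.26.16.0/20"))]
# The implicit any/any dynamic map the poster fell back to.
ANY_ANY_ACL = [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]


def acl_permits(acl, local, remote):
    """Return True if some ACL entry covers both proxy identities of one SA."""
    return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in acl)


def check_proposals(acl, proposals):
    """Map each proposed SA pair (name -> (local, remote) prefixes) to accept/reject."""
    return {name: acl_permits(acl, ip_network(loc), ip_network(rem))
            for name, (loc, rem) in proposals.items()}


# Constructed sample addresses (RFC 5737 ranges): the ASA outside interface and
# the 3002's DHCP-assigned outside address. Tunnel-all, so the central LAN is any.
ASA_OUTSIDE = "203.0.113.1/32"
HWCLIENT_OUTSIDE = "198.51.100.7/32"
CENTRAL_LAN = "0.0.0.0/0"

# The two SA pairs the reply says a VPN 3002 proposes.
VPN3002_PROPOSALS = {
    "outside-to-outside": (ASA_OUTSIDE, HWCLIENT_OUTSIDE),
    "lan-to-pool": (CENTRAL_LAN, "172.26.16.5/32"),  # pool address given to the 3002
}
# Assumed single proposal of the software client: its pool address against the
# protected inside (assumption, not stated in the thread).
SW_CLIENT_PROPOSALS = {"lan-to-pool": (CENTRAL_LAN, "172.26.16.9/32")}

if __name__ == "__main__":
    for label, acl in (("restricted", RESTRICTED_ACL), ("any/any", ANY_ANY_ACL)):
        print(label, "3002:", check_proposals(acl, VPN3002_PROPOSALS))
        print(label, "SW client:", check_proposals(acl, SW_CLIENT_PROPOSALS))
```

Only the 3002's outside-to-outside pair fails the restricted ACL, because the client's DHCP-assigned outside address falls outside the pool range the ACL permits.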

New Member

Re: ASA5540 and VPN3002 client problem

Thanks for your reply....

Maintenance release 7.0.4.5 was posted last night. I downloaded it and gave it a try even though the release notes gave no indication of addressing an issue like this. I'm currently using an implicit any/any dynamic crypto map until I can figure out why this issue is only being seen with the 3002 HW client. I took another look at the ASA debug and it does complain about not knowing about the proxy identity in the crypto map (why would this only be an issue with the 3002?).
