06-21-2007 09:41 AM - edited 02-21-2020 03:07 PM
Hello there,
I have a bit of a strange problem regarding the Cisco VPN client (IPSec) with a Cisco ASA. The Cisco ASA is running software version 5.2(2). The Cisco VPN client version is 3.5.1.
The problem is that the Cisco VPN client can successfully authenticate with the Cisco ASA but can't PING any LAN network behind the Cisco ASA. Anyway, the problem went away when we used Cisco VPN client version 4.6 or 4.8. All the settings are exactly the same. What has happened? What is the cause of this issue? How can I troubleshoot this problem?
Please advise.
Thanks,
Nitass
06-21-2007 09:53 AM
FYI, 5.2 is the ASDM version on the ASA. The ASA version would be 7.x. Make sure the client is set for ipsec over udp.
06-21-2007 10:09 AM
Thanks for the reply. You are right.
The Cisco ASA is running software 7.2(2) and ASDM 5.2(2). NAT-T has already been enabled. And as I mentioned above, both Cisco VPN client 4.6 and 4.8 worked fine. The problem is only with Cisco VPN client 3.5.1. All configurations were exactly the same.
Please advise.
Thanks,
Nitass
06-21-2007 10:12 AM
I understood your problem. I never used 3.5.1, so I thought maybe NAT-T wasn't enabled by default like in 4.x.
06-21-2007 11:35 AM
Hi,
I just noticed that the transparent tunneling status was inactive and the tunnel port was also 0. Anyway, I have already enabled NAT-T on the Cisco VPN client 3.5.1.
What should I do? Please advise.
Thanks,
Nitass
06-21-2007 12:31 PM
By the way, I have tried configuring IPSec over TCP but it still didn't work. I could telnet to port 10000 from the client machine, but the VPN client software couldn't establish the VPN tunnel.
Please advise.
Thanks,
Nitass
06-21-2007 12:44 PM
Nitass,
I read through the information posted on the website; it seems like you see Transparent Tunneling as Inactive. Can you make sure that IPSec over UDP is checked on the client?
Can you send the output of "sh run | in isakmp"?
Thanks
Gilbert
06-21-2007 01:01 PM
Thanks for the reply.
ciscoasa# sh run | inc isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
Additionally, the following is the output of show crypto ipsec sa. It seems that the SA didn't detect a NAT device along the way.
ciscoasa# sh crypto ipsec sa
(snip)
inbound esp sas:
spi: 0x7B9777AF (2073524143)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 82, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28747
I have also attached the transparent tunneling setting to this message.
Please advise.
Thanks a lot,
Nitass
06-21-2007 01:23 PM
After the VPN client is connected, can you send the output of "sh vpn-session remote" from the ASA?
Can you please let me know what the NATting device is through which the client passes?
Thanks
gilbert
06-21-2007 09:49 PM
Hi gilbert,
You are right. The problem is from the NAT. When I removed the NATting device along the way, the connection was fine. The NATting device is just a NetScreen firewall. Anyway, it worked fine with VPN client 4.6 and 4.8. I am wondering why NAT-T, IPSec over UDP or IPSec over TCP did not work in this case. What could I do? Could you please advise?
Below is the output of the show vpn-sessiondb remote command that you asked for.
ciscoasa# sh vpn-sessiondb remote
Session Type: Remote
Username: sawayama
Index: 1
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Hashing: MD5
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Group Policy: remote
Tunnel Group: remote
Login Time: 12:37:16 ICT Fri Jun 22 2007
Duration: 0h:00m:10s
Filter Name: vpnacl
NAC Result: N/A
Posture Token:
Thanks,
Nitass
06-22-2007 05:26 AM
Nitass,
From the output of "sh vpn-sessiondb" it seems that your VPN client is just trying to use IPSec and not IPSec over UDP or IPSec over TCP.
Protocol: IPSec
If the client is going through a NAT device, then the ASA will detect the NAT device and try to use UDP 4500 (NAT-T) for negotiation.
In this case, it seems like that is not happening. We need to look deep into the ASA debugs and the client-side debugs to see what is happening.
Since the client is connecting with just IPSec, and I do not see any kind of packets received on the ASA in the output that was sent, I believe the NAT device might be blocking ESP packets.
You need to do some more extensive troubleshooting to figure out precisely where the problem is happening.
It may be that the Netgear device is not doing the PAT properly or it has a one-to-one NAT for your VPN client.
Rate this post if it helps.
Cheers,
Gilbert
06-22-2007 05:37 AM
Hi Gilbert,
Thank you very much. I appreciate your kindness.
For this issue, I did it in the lab. All device configurations were the same. The only change was the VPN client software version.
As I checked, I understood that VPN client 3.5.1 does not support NAT-T. It has been supported from version 3.6.1. Anyway, I think TCP over UDP or TCP should work in this situation.
What do you think? Could you please advise?
Thanks,
Nitass
06-22-2007 05:40 AM
IPSec over UDP is NAT-T, like I said in my first post.
06-22-2007 06:09 AM
Nitass,
With that VPN client version, if you use IPSec over UDP, it will use UDP port 10000.
Since you are coming through a NAT device, I am sure the ASA is detecting UDP 4500 (which is NAT-T) and then trying to use that.
But you can use IPSec over TCP. If that's the case, then make sure you have IPSec over TCP configured on the ASA. According to your previous output of
sh run | in isakmp --> you did not have that configured on the ASA.
This is the command:
"isakmp ipsec-over-tcp port 10000"
Let me know if this helps.
Thanks
Gilbert
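As an added check (example code, not from this thread or from Cisco), the script below parses the two outputs discussed above: it pulls the Protocol line and byte counters out of "sh vpn-sessiondb remote" to flag a session that came up as plain ESP and then moved no data (the 3.5.1 symptom), and reads "sh run | inc isakmp" to report whether NAT-T and IPSec over TCP are configured. The sample outputs are constructed from the thread, and the "IPSecOverNatT" protocol label for the second session is an assumption about how the ASA names a NAT-T session.

```python
import re
# Constructed sample modelled on the thread's "sh vpn-sessiondb remote" output: session 1
# is the 3.5.1 client; session 2 is a made-up NAT-T contrast (its label is an assumption).
SAMPLE_SESSIONS = """\
Session Type: Remote
Assigned IP: 10.192.35.130 Public IP: 1.1.1.1
Protocol: IPSec Encryption: 3DES
Bytes Tx: 0 Bytes Rx: 0
Client Type: N/A Client Ver: 3.5.1 (Rel)
Session Type: Remote
Assigned IP: 10.192.35.131 Public IP: 198.51.100.7
Protocol: IPSecOverNatT Encryption: 3DES
Bytes Tx: 4096 Bytes Rx: 3072
"""
# Constructed "sh run | inc isakmp" matching the thread: NAT-T on, no IPSec over TCP.
SAMPLE_ISAKMP = """\
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp nat-traversal 20
"""
# "Key: value" pairs; several pairs can share a line and values may contain spaces.
KEY = r"[A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*"
FIELD = re.compile(rf"({KEY}):\s*(.*?)(?=\s+{KEY}:|$)")

def parse_sessions(text):
    """Split the output into one dict per 'Session Type:' block."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("Session Type:"):
            sessions.append({})
        if sessions and line.strip():
            sessions[-1].update(FIELD.findall(line))
    return sessions

def diagnose(session):
    """Flag a session that negotiated plain ESP and then moved no data: the
    symptom in the thread when the client sits behind a NAT device."""
    findings = []
    tx, rx = int(session.get("Bytes Tx", 0)), int(session.get("Bytes Rx", 0))
    if session.get("Protocol") == "IPSec":
        findings.append("plain ESP: no NAT-T, IPSec over UDP or IPSec over TCP in use")
        if tx == 0 and rx == 0:
            findings.append("no bytes either way: ESP probably not passing the NAT device")
    return findings

def isakmp_encapsulation(run_output):
    """Which encapsulations the ASA offers, from 'sh run | inc isakmp'."""
    return {"nat_traversal": "isakmp nat-traversal" in run_output,
            "ipsec_over_tcp": "isakmp ipsec-over-tcp" in run_output}
```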
06-22-2007 06:21 AM
Sorry, please wait a moment.