08-06-2012 10:10 AM
Hi everyone...
I have a VPN working correctly on an ASA 8.0(5), but when I try to connect from an iPhone (iOS 5.1.1) it connects and right away gets a teardown.
Any thoughts?
Thank you!
08-07-2012 01:39 AM
Which type of VPN are you using to connect with the iPhone?
08-07-2012 04:10 PM
Hi Jennifer,
I'm using IPsec, with the client that comes with iOS.
08-08-2012 01:38 AM
Can you please share your ASA config, and advise which group-policy you are using for iPhone users?
08-08-2012 05:52 AM
Well Jennifer, this is really awkward and weird...
I've been dealing with this problem for about a week now. Today I tested it again, after several tests with my iPhone and another iPad (always the same result: connected, then disconnected 1 second after), and this morning I've been connected for more than 10 minutes, but I didn't make any changes to the config.
Anyway, let me know which part of the ASA config you want me to share, just in case...
These are images from the iPhone config and connection
Thank you!!!!
08-08-2012 08:48 AM
Indeed weird... if it's connected, then it is not an ASA configuration issue.
How are the iPhone and iPad connected? Via 3G or wireless?
When it disconnected within 1 second, was the wireless or 3G signal good?
08-08-2012 11:57 AM
I always tried connecting over WiFi, and always with a good signal.
I also tried the iPad from a different location and got the exact same error. Maybe a problem on the other side (I mean the FW side), but it happened on several occasions, so I don't know what else to think...
Tonight will test both again (iPhone and iPad).
08-08-2012 07:16 PM
Hi Jennifer...
Still having problems, and it's really weird: tonight AGAIN I get connectivity and, 1 second after that, disconnected.
Is there any mode other than IPsec with the native client to configure a VPN from an iPhone/iPad? :S
08-09-2012 05:31 AM
Yes, you can use the AnyConnect client; however, you would need to have at least version 8.x, and also have the AnyConnect Mobile license and either the AnyConnect Essentials or AnyConnect Premium license installed on the ASA.
08-10-2012 05:04 AM
I have 8.0(5), but I didn't know about the extra licences, good tip.
Now I have to see what's different between the connectivity from the wireless at work, from my connection at home, or even with 3G...
Nice troubleshooting ahead
09-01-2012 09:47 AM
Hi Jennifer...
I still have the problem, and I'm almost about to give up...
Can I paste the config here so you may help me to find if I did something wrong?
Thank you!!!
09-01-2012 12:28 PM
It seems that I have finally found what the problem is. It doesn't like the split-tunneling config.
If I just "tunnel all" subnets, it works fine.
09-01-2012 08:27 PM
Great findings, and good job solving the problem.
Please kindly mark your post as answered so others can learn from it. Thanks.
09-04-2012 02:56 PM
Hi Pablo, I have read the whole discussion, and I wonder if you could tell me what split-tunneling configuration you modified on the ASA?
What was the command that you issued?
Best Regards,
Juan Pablo Hidalgo
10-19-2012 05:53 PM
Hi everyone,
I came back to this matter because the split tunnel is needed, so I checked a debug, and this is the point at which it starts to go down:
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Security negotiation complete for User (Usuario10) Responder, Inbound SPI = 0xd7e29b06, Outbound SPI = 0x07713d8c
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE got a KEY_ADD msg for SA: SPI = 0x07713d8c
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Pitcher: received KEY_UPDATE, spi 0xd7e29b06
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Failed to update IPSec SA. Tearing down SA.
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, QM FSM error (P2 struct &0x6fa71fd0, mess id 0x21631287)!
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE QM Responder FSM error history (struct &0x6fa71fd0), : QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_IPSEC_FAIL-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_LOAD_IPSEC-->QM_WAIT_MSG3, EV_PROC_MSG-->QM_WAIT_MSG3, EV_HASH_OK-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_COMP_HASH
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, sending delete/delete with reason message
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing blank hash payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing IPSec delete payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing qm hash payload
Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=ad050387) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE Deleting SA: Remote Proxy 192.168.20.23, Local Proxy 192.168.0.0
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Removing peer from correlator table failed, no match!
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE SA AM:a6b75ef4 rcv'd Terminate: state AM_ACTIVE flags 0x0841c041, refcnt 1, tuncnt 0
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE SA AM:a6b75ef4 terminating: flags 0x0941c001, refcnt 0, tuncnt 0
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, sending delete/delete with reason message
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing blank hash payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing IKE delete payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing qm hash payload
Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=bb090f3d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Session is being torn down. Reason: Unknown
Oct 19 21:12:45 [IKEv1]: Ignoring msg to mark SA with dsID 643072 dead because SA deleted
And this is the VPN config:
crypto ipsec transform-set VPNRA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 match address remotevpn
crypto dynamic-map DYNMAP 65535 set transform-set VPNRA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface GC
crypto map VPNMAP interface TASA
crypto map TASA2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TASA2_map interface TASA2
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto isakmp enable TASA
crypto isakmp enable management
crypto isakmp enable TASA2
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy DfltGrpPolicy attributes
group-policy TESTVPNPolicy internal
group-policy TESTVPNPolicy attributes
dns-server value 100.0.3.13 100.0.3.14
vpn-simultaneous-logins 20
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-RA-TESTVPN
default-domain value TESTVPN.com.ar
address-pools value vpnpool
client-firewall none
tunnel-group DefaultRAGroup general-attributes
authentication-server-group CiscoVPN-SG
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
address-pool vpnpool
authentication-server-group CiscoVPN-SG LOCAL
default-group-policy TESTVPNPolicy
tunnel-group TESTVPN ipsec-attributes
pre-shared-key *
!
It's driving me crazy...
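As an added triage helper (not from the thread, nor Cisco's own tooling), this Python script walks ASA IKEv1 debug lines like the ones quoted above, groups them by peer IP, and reports whether the session died before or after "Security negotiation complete", which is the distinction that points at the negotiated proxy identities and the split-tunnel network list rather than at authentication or proposals. The sample lines are copied from the post; the verdict labels and field names are my own.

```python
import re

# Constructed sample: a subset of the ASA IKEv1 debug lines quoted in the post above.
SAMPLE_LOG = """\
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Security negotiation complete for User (Usuario10) Responder, Inbound SPI = 0xd7e29b06, Outbound SPI = 0x07713d8c
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Failed to update IPSec SA. Tearing down SA.
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, QM FSM error (P2 struct &0x6fa71fd0, mess id 0x21631287)!
Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=ad050387) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE Deleting SA: Remote Proxy 192.168.20.23, Local Proxy 192.168.0.0
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Session is being torn down. Reason: Unknown
"""

# One ASA IKEv1 line: timestamp, level, optional Group/Username, peer IP, free-text message.
# Lines without an "IP =" field (e.g. "Ignoring msg to mark SA ... dead") do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<level>[^\]]+)\]: "
    r"(?:Group = (?P<group>[^,]+), )?(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>[\d.]+), (?P<msg>.*)$")
PROXY_RE = re.compile(r"Remote Proxy (?P<remote>[\d./]+), Local Proxy (?P<local>[\d./]+)")
REASON_RE = re.compile(r"Session is being torn down\. Reason: (?P<reason>.+)$")
# Messages that mark the first point at which the Phase 2 (Quick Mode) exchange fails.
FAILURE_MARKERS = ("Failed to update IPSec SA", "QM FSM error", "EV_IPSEC_FAIL")

def triage(log):
    # Group debug lines by peer IP and record how far each session got before it died.
    sessions = {}
    for raw in log.splitlines():
        rec = LINE_RE.match(raw)
        if rec is None:
            continue
        s = sessions.setdefault(rec["ip"], {"group": None, "user": None, "phase2_complete": False,
                                            "first_failure": None, "proxies": None, "teardown_reason": None})
        if rec["group"]:                      # some lines (IKE_DECODE) carry only the IP
            s["group"], s["user"] = rec["group"], rec["user"]
        msg = rec["msg"]
        if msg.startswith("Security negotiation complete"):
            s["phase2_complete"] = True
        elif s["first_failure"] is None and any(k in msg for k in FAILURE_MARKERS):
            s["first_failure"] = msg          # keep only the earliest failure message
        if m := PROXY_RE.search(msg):
            s["proxies"] = (m["remote"], m["local"])
        if m := REASON_RE.search(msg):
            s["teardown_reason"] = m["reason"]
    return sessions

def verdict(s):
    """The thread's symptom: negotiation completes, then the IPsec SA cannot be installed."""
    if s["phase2_complete"] and s["first_failure"]:
        return "sa-install-failure-after-negotiation"   # check proxies / split-tunnel list, not auth
    if s["first_failure"]:
        return "phase2-negotiation-failure"             # proposal or identity mismatch
    return "no-failure-seen"
```

Run it over `debug crypto isakmp` output with several peers and compare the proxies reported for a failing session against the networks in the split-tunnel ACL.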