Cisco Support Community

New Member

iPhone-ASA VPN connects and gets teardown

Hi everyone...

I have a VPN working correctly on an ASA 8.0(5), but when I try to connect from an iPhone (iOS 5.1.1) it connects and right away gets torn down.

Any thoughts?

Thank you!

18 REPLIES
Cisco Employee

iPhone-ASA VPN connects and gets teardown

Which type of VPN are you using to connect with the iPhone?

New Member

iPhone-ASA VPN connects and gets teardown

Hi Jennifer,

I'm using IPsec, with the client that comes with iOS.

Cisco Employee

iPhone-ASA VPN connects and gets teardown

Can you please share your ASA config, and advise which group-policy you are using for iPhone users?

New Member

iPhone-ASA VPN connects and gets teardown

Well Jennifer, this is really awkward and weird...

I've been with this problem for about a week now. Today I tested it again, after several tests with my iPhone and an iPad (always the same result: connected, then disconnected 1 second later), and this morning I stayed connected for more than 10 minutes, though I didn't make any changes to the config.

Anyway, let me know which part of the ASA config you want me to share, just in case...

These are images from the iPhone config and connection

Thank you!!!!

Cisco Employee

iPhone-ASA VPN connects and gets teardown

Indeed weird... if it connects, then it is not an ASA configuration issue.

How are the iPhone and iPad connected? Via 3G or wireless?

When it disconnects within 1 sec, is the wireless or 3G signal good?

New Member

iPhone-ASA VPN connects and gets teardown

I always tried connecting by WiFi, and always with a good signal.

And I tried the iPad from a different location and had the exact same error. Maybe a problem on the other side (I mean the FW side), but on several occasions... I don't know what else to think...

Tonight I will test both again (iPhone and iPad).

New Member

iPhone-ASA VPN connects and gets teardown

Hi Jennifer...

Still with problems; it's really weird: tonight AGAIN I got connectivity and, 1 second after that, disconnected.

Is there any other mode than IPsec with the native client to configure a VPN from iPhone/iPad? :S

Cisco Employee

iPhone-ASA VPN connects and gets teardown

Yes, you can use the AnyConnect client; however, you would need at least version 8.x, and also have the AnyConnect Mobile license and either the AnyConnect Essentials or AnyConnect Premium license installed on the ASA.

New Member

iPhone-ASA VPN connects and gets teardown

I have 8.0(5), but I didn't know about the extra licenses, good tip.

Now I have to see what's different between the connectivity from the wireless at work, my connection at home, or even 3G...

Nice troubleshooting ahead

New Member

iPhone-ASA VPN connects and gets teardown

Hi Jennifer...

I still have the problem, and I'm almost about to give up...

Can I paste the config here so you can help me find out if I did something wrong?

Thank you!!!

New Member

iPhone-ASA VPN connects and gets teardown

It seems that I have finally found what the problem is: it doesn't like the split-tunneling config.

If I just "tunnel all" subnets, it works fine.

Cisco Employee

iPhone-ASA VPN connects and gets teardown

Great findings, and thanks for solving the problem.

Please kindly mark your post as answered so others can learn from it. Thanks.

iPhone-ASA VPN connects and gets teardown

Hi Pablo, I have read the whole discussion, and I wonder if you could tell me what split-tunneling configuration you modified on the ASA.

What was the command that you issued?

Best Regards,

Juan Pablo Hidalgo

New Member

Re: iPhone-ASA VPN connects and gets teardown

Hi everyone,

I came back to this matter because the split-tunnel is needed, so I checked a debug, and at this point it starts to go down:

Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Security negotiation complete for User (Usuario10)  Responder, Inbound SPI = 0xd7e29b06, Outbound SPI = 0x07713d8c
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE got a KEY_ADD msg for SA: SPI = 0x07713d8c
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Pitcher: received KEY_UPDATE, spi 0xd7e29b06
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Failed to update IPSec SA. Tearing down SA.
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, QM FSM error (P2 struct &0x6fa71fd0, mess id 0x21631287)!
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE QM Responder FSM error history (struct &0x6fa71fd0)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_IPSEC_FAIL-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_LOAD_IPSEC-->QM_WAIT_MSG3, EV_PROC_MSG-->QM_WAIT_MSG3, EV_HASH_OK-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_COMP_HASH
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, sending delete/delete with reason message
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing blank hash payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing IPSec delete payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing qm hash payload
Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=ad050387) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE Deleting SA: Remote Proxy 192.168.20.23, Local Proxy 192.168.0.0
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Removing peer from correlator table failed, no match!
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE SA AM:a6b75ef4 rcv'd Terminate: state AM_ACTIVE  flags 0x0841c041, refcnt 1, tuncnt 0
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE SA AM:a6b75ef4 terminating:  flags 0x0941c001, refcnt 0, tuncnt 0
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, sending delete/delete with reason message
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing blank hash payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing IKE delete payload
Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, constructing qm hash payload
Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=bb090f3d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Session is being torn down. Reason: Unknown
Oct 19 21:12:45 [IKEv1]: Ignoring msg to mark SA with dsID 643072 dead because SA deleted

And this is the VPN config:

crypto ipsec transform-set VPNRA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYNMAP 65535 match address remotevpn
crypto dynamic-map DYNMAP 65535 set transform-set VPNRA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface GC
crypto map VPNMAP interface TASA
crypto map TASA2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TASA2_map interface TASA2
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto isakmp enable TASA
crypto isakmp enable management
crypto isakmp enable TASA2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy DfltGrpPolicy attributes
group-policy TESTVPNPolicy internal
group-policy TESTVPNPolicy attributes
 dns-server value 100.0.3.13 100.0.3.14
 vpn-simultaneous-logins 20
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-RA-TESTVPN
 default-domain value TESTVPN.com.ar
 address-pools value vpnpool
 client-firewall none
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group CiscoVPN-SG
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
 address-pool vpnpool
 authentication-server-group CiscoVPN-SG LOCAL
 default-group-policy TESTVPNPolicy
tunnel-group TESTVPN ipsec-attributes
 pre-shared-key *
!


It's driving me crazy...
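The debug above already says where the tunnel dies: Phase 2 completes (both SPIs are assigned), the ASA then fails to update the IPsec SA, the quick-mode FSM records EV_LOAD_IPSEC followed by EV_IPSEC_FAIL, and the "IKE Deleting SA" line names the selector pair of the SA that was being installed, with Local Proxy 192.168.0.0 being the split-tunnel network under negotiation at that moment. The triage script below is an added example, not code from the post or from Cisco: it parses lines in the layout seen in this debug (the layout is assumed stable for this ASA release), groups them per session, and reports the verdict, SPIs, proxies and teardown reason. The Usuario10 lines are abbreviated from the debug in the post; the Usuario11 lines and the address 198.51.100.7 are constructed to show a session that stays up.

```python
"""Triage ASA IKEv1 debug output: which session died, at which step, on which selectors."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line layout assumed from the debug pasted in the post; Group/Username/IP may be absent.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<src>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:Username = (?P<user>[^,]+), )?"
    r"(?:IP = (?P<ip>[\d.]+), )?"
    r"(?P<msg>.*)$"
)
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)")
FSM_RE = re.compile(r"FSM error history \(struct &0x[0-9a-f]+\)\s*,\s*:\s*(.*)$")
PROXY_RE = re.compile(r"IKE Deleting SA: Remote Proxy ([\d.]+), Local Proxy ([\d.]+)")
REASON_RE = re.compile(r"Session is being torn down\. Reason: (.+)$")


@dataclass
class Session:
    group: str
    user: str
    ip: str
    spi_in: Optional[str] = None
    spi_out: Optional[str] = None
    failure: Optional[str] = None              # first "Tearing down SA" / "QM FSM error" message
    fsm_events: List[str] = field(default_factory=list)  # quick-mode FSM history, oldest first
    remote_proxy: Optional[str] = None         # selectors of the SA the ASA deleted
    local_proxy: Optional[str] = None
    teardown_reason: Optional[str] = None

    def failed_after_load(self) -> bool:
        """True when the FSM reached EV_LOAD_IPSEC before EV_IPSEC_FAIL: the SA was
        negotiated, and installing it is what failed (the case in the post)."""
        names = [e.split("-->")[0] for e in self.fsm_events]
        if "EV_LOAD_IPSEC" in names and "EV_IPSEC_FAIL" in names:
            return names.index("EV_LOAD_IPSEC") < names.index("EV_IPSEC_FAIL")
        return False

    def verdict(self) -> str:
        if self.failure and self.spi_in:
            return "phase2-negotiated-then-torn-down"
        if self.failure:
            return "phase2-failed"
        if self.teardown_reason:
            return "torn-down"
        return "ok"


def triage(lines: List[str]) -> List[Session]:
    sessions: Dict[Tuple[str, str, str], Session] = {}
    by_ip: Dict[str, Session] = {}
    current: Optional[Session] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["group"]:
            key = (m["group"], m["user"] or "", m["ip"] or "")
            current = sessions.setdefault(key, Session(*key))
            by_ip[key[2]] = current
        elif m["ip"] in by_ip:
            current = by_ip[m["ip"]]   # IKE_DECODE lines carry only the peer IP
        if current is None:
            continue                    # identity-less cleanup line before any session
        msg = m["msg"]
        if (s := SPI_RE.search(msg)):
            current.spi_in, current.spi_out = s.groups()
        elif (h := FSM_RE.search(msg)):
            # the ASA prints the history newest-first (terminal QM_DONE leads); keep oldest-first
            current.fsm_events = [e.strip() for e in h.group(1).split(",") if e.strip()][::-1]
        elif "Tearing down SA" in msg or "QM FSM error" in msg:
            current.failure = current.failure or msg
        elif (p := PROXY_RE.search(msg)):
            current.remote_proxy, current.local_proxy = p.groups()
        elif (r := REASON_RE.search(msg)):
            current.teardown_reason = r.group(1).strip()
    return list(sessions.values())


SAMPLE_LOG = [
    # Usuario10: abbreviated from the debug pasted in the post above
    "Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Security negotiation complete for User (Usuario10)  Responder, Inbound SPI = 0xd7e29b06, Outbound SPI = 0x07713d8c",
    "Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE got a KEY_ADD msg for SA: SPI = 0x07713d8c",
    "Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Failed to update IPSec SA. Tearing down SA.",
    "Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, QM FSM error (P2 struct &0x6fa71fd0, mess id 0x21631287)!",
    "Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE QM Responder FSM error history (struct &0x6fa71fd0)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_IPSEC_FAIL-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_LOAD_IPSEC-->QM_WAIT_MSG3, EV_PROC_MSG-->QM_WAIT_MSG3, EV_HASH_OK-->QM_WAIT_MSG3, NullEvent-->QM_WAIT_MSG3, EV_COMP_HASH",
    "Oct 19 21:12:45 [IKEv1]: IP = 190.48.243.117, IKE_DECODE SENDING Message (msgid=ad050387) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68",
    "Oct 19 21:12:45 [IKEv1 DEBUG]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, IKE Deleting SA: Remote Proxy 192.168.20.23, Local Proxy 192.168.0.0",
    "Oct 19 21:12:45 [IKEv1]: Group = VPN_IPHONE, Username = Usuario10, IP = 190.48.243.117, Session is being torn down. Reason: Unknown",
    "Oct 19 21:12:45 [IKEv1]: Ignoring msg to mark SA with dsID 643072 dead because SA deleted",
    # Usuario11 / 198.51.100.7: constructed, a session that stays up, for contrast
    "Oct 19 21:20:01 [IKEv1]: Group = VPN_IPHONE, Username = Usuario11, IP = 198.51.100.7, Security negotiation complete for User (Usuario11)  Responder, Inbound SPI = 0x0a0b0c0d, Outbound SPI = 0x01020304",
    "Oct 19 21:20:01 [IKEv1]: Group = VPN_IPHONE, Username = Usuario11, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=3f1a2b4c)",
]

if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"{s.user}@{s.ip}: {s.verdict()}  SPIs={s.spi_in}/{s.spi_out}  "
              f"local_proxy={s.local_proxy}  reason={s.teardown_reason}")
```

Feed it the output of the same debug that produced the paste (on 8.0 that is `debug crypto isakmp`), one line per list element. The value of the "IKE Deleting SA" proxies is that they narrow the search: whichever entry of the split-tunnel list covers the local proxy at the time of the failure is the one to look at first, instead of adding networks back one at a time.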

New Member

Re: iPhone-ASA VPN connects and gets teardown

Hello Pablo,

I see you have configured the tunnel-group for remote access as TESTVPN, and in your iPhone VPN picture I see the group name as MIRGOR.

Could you do one thing?

Could you reconfigure or create a new profile on your phone with the group name TESTVPN and the user name Usuario10, or whatever user name is present on your firewall?

Bejoy

bejoybkn.blogspot.in

New Member

iPhone-ASA VPN connects and gets teardown

Hi Bejoy, thank you for your response, and apologies for the misunderstanding: in the written config I changed the name on purpose, but the group config remains the same as in the picture I pasted above.

The VPN with that configuration is actually getting connected, and torn down 1 second after.

So I just deleted the split-tunnel list value and created it from scratch. So far no problems, but I have only added 3 subnets... I still wonder which was the conflicting subnet. If the customer requests adding more subnets to the tunneled ones, I will add them one at a time and test the VPN with the debug running until I find what the original problem was ¬¬

Thank you all guys
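Two posts in this thread point at the same object: the earlier one found that `split-tunnel-policy tunnelall` works while `tunnelspecified` with the VPN-RA-TESTVPN list does not, and the one above rebuilt that list and wonders which entry was the conflicting one. The checker below is an added example, not code from the thread or from Cisco; it takes the ASA syntax `access-list NAME standard permit {any | host A | NET MASK}` and `ip local pool NAME FIRST-LAST [mask M]` and flags the list problems worth ruling out before adding entries back one at a time: duplicates, an entry nested inside another, an entry that overlaps the client address pool, host bits set under the mask (a typo the CLI accepts), and `0.0.0.0/0` (which makes `tunnelspecified` behave like tunnel-all). The ACL and pool lines are constructed; the real VPN-RA-TESTVPN list and vpnpool range are never shown on the page.

```python
"""Sanity-check an ASA split-tunnel standard ACL against the client address pool."""
import ipaddress
import re
from typing import Iterator, List, Optional, Tuple

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) standard permit "
    r"(?:(?P<any>any)|host (?P<host>[\d.]+)|(?P<net>[\d.]+) (?P<mask>[\d.]+))$"
)
POOL_RE = re.compile(r"^ip local pool (?P<name>\S+) (?P<first>[\d.]+)-(?P<last>[\d.]+)")

Net = ipaddress.IPv4Network
Finding = Tuple[str, str]          # (kind, detail)


def parse_acl(config: List[str], acl_name: str) -> Iterator[Tuple[Net, Optional[str]]]:
    """Yield (network, parse_note) for every entry of the named standard ACL, in order."""
    for line in config:
        m = ACL_RE.match(line.strip())
        if not m or m["name"] != acl_name:
            continue
        if m["any"]:
            yield ipaddress.ip_network("0.0.0.0/0"), None
        elif m["host"]:
            yield ipaddress.ip_network(f"{m['host']}/32"), None
        else:
            try:
                yield ipaddress.ip_network(f"{m['net']}/{m['mask']}"), None
            except ValueError:
                # the ASA accepts host bits under the mask; it almost always means a typo
                net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
                yield net, f"{m['net']} {m['mask']} -> {net}"


def parse_pool(config: List[str], pool_name: str):
    for line in config:
        m = POOL_RE.match(line.strip())
        if m and m["name"] == pool_name:
            return ipaddress.ip_address(m["first"]), ipaddress.ip_address(m["last"])
    return None


def overlaps_range(net: Net, first, last) -> bool:
    return net.network_address <= last and net.broadcast_address >= first


def check_split_list(config: List[str], acl_name: str, pool_name: str):
    """Return (entries, findings); an empty findings list means the ACL is internally clean."""
    entries = list(parse_acl(config, acl_name))
    pool = parse_pool(config, pool_name)
    findings: List[Finding] = []
    seen: List[Net] = []
    for net, note in entries:
        if note:
            findings.append(("host-bits-set", note))
        if net in seen:
            findings.append(("duplicate", str(net)))
            seen.append(net)
            continue
        if net.prefixlen == 0:
            findings.append(("tunnel-all", str(net)))
        for other in seen:                     # each pair reported once, against earlier entries
            if net.subnet_of(other) or other.subnet_of(net):
                findings.append(("nested", f"{net} vs {other}"))
        if pool and overlaps_range(net, *pool):
            findings.append(("overlaps-pool", f"{net} vs {pool[0]}-{pool[1]}"))
        seen.append(net)
    return [n for n, _ in entries], findings


SAMPLE_CONFIG = [  # constructed; the thread never shows the real list or pool
    "ip local pool vpnpool 10.20.30.1-10.20.30.50 mask 255.255.255.0",
    "access-list VPN-RA-TESTVPN standard permit 192.168.0.0 255.255.0.0",
    "access-list VPN-RA-TESTVPN standard permit 192.168.20.0 255.255.255.0",  # inside the /16
    "access-list VPN-RA-TESTVPN standard permit host 100.0.3.13",             # the DNS server
    "access-list VPN-RA-TESTVPN standard permit 10.20.30.0 255.255.255.0",    # covers the pool
    "access-list VPN-RA-TESTVPN standard permit 192.168.0.0 255.255.0.0",     # duplicate
    "access-list VPN-RA-TESTVPN standard permit 172.16.5.9 255.255.255.0",    # host bits set
    "access-list OTHER standard permit 10.0.0.0 255.0.0.0",                   # other ACL, ignored
]

if __name__ == "__main__":
    nets, problems = check_split_list(SAMPLE_CONFIG, "VPN-RA-TESTVPN", "vpnpool")
    print("entries:", [str(n) for n in nets])
    for kind, detail in problems:
        print(f"{kind:14} {detail}")
```

Paste in the output of `show running-config access-list VPN-RA-TESTVPN` and `show running-config ip local pool`. The posted config also ties DYNMAP to `match address remotevpn`; that ACL is not shown either, but a dynamic-map ACL constrains the proxy IDs the ASA accepts in Phase 2, so it is worth running the same checks over its networks before concluding the split-tunnel list alone is at fault.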

iPhone-ASA VPN connects and gets teardown

Hello Pablo,

It does not make sense at all why a split-tunnel policy would tear down a connection for an iPhone or iPad user... Could be a bug...

If there is a way you could post the real configuration (no changes made on purpose) while the issue happens, I would analyze it to check for something weird.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com. I will fix your problem ASAP. Cheers, Julio Carvajal Segura, http://laguiadelnetworking.com

New Member

iPhone-ASA VPN connects and gets teardown

Right now I don't have the problematic config because I wiped out the original split-tunnel list and started from scratch.

So far no issues, but I have only added 3 subnets and I know that some more may be needed.

So, when they request to add new ones, if after adding them I start having these weird issues again, I promise I will post the real config.

Thank you!
