Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Issue with EZYVPN

we have just migrated from PIX to ASA (ASA Version 8.2(3) and have issue with ezyvpn.

Though telnet and ping is working http, https, dns lookup is failing. When we revert back to PIX, everything is fine.

We could not apply the sysopt connection permit-ipsec on the ASA while EZYVPN is enabled.

PIX

AUMAT-WFW0# show vpnclient detail

LOCAL CONFIGURATION

vpnclient server 203.28.106.200

vpnclient mode network-extension-mode

vpnclient vpngroup AUABB-EZYVPN password ********

vpnclient username aumat-wfw0.au.abb.com password ********

vpnclient enable

DOWNLOADED DYNAMIC POLICY

Current Server                     : 203.28.106.200

Primary DNS                        : 10.128.208.32

Secondary DNS                      : 10.128.208.30

Primary WINS                       : 10.128.208.60

Secondary WINS                     : 10.128.208.68

Default Domain                     : au.abb.com

PFS Enabled                        : No

Secure Unit Authentication Enabled : No

User Authentication Enabled        : No

Backup Servers                     : None

STORED POLICY

Secure Unit Authentication Enabled : No

Split Networks                     : None

Backup Servers                     : None

             

RELATED CONFIGURATION

sysopt connection permit-ipsec

global (outside) 1 interface

nat (inside) 0 access-list _vpnc_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list test permit ip any host 10.128.248.1

access-list _vpnc_acl permit ip AUMAT 255.255.255.0 any

access-list _vpnc_acl permit ip host 119.225.63.90 any

access-list _vpnc_acl permit ip host 119.225.63.90 host 203.28.106.200

aaa-server radius-authport 1812

aaa-server radius-acctport 1813

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 138.222.124.0 255.255.255.0 inside

http 203.8.5.0 255.255.255.0 inside

http 149.128.114.64 255.255.255.192 inside

http AUMAT 255.255.255.0 inside

crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac

crypto ipsec transform-set _vpnc_test_6 esp-aes esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac

crypto map _vpnc_cm 10 ipsec-isakmp

crypto map _vpnc_cm 10 match address _vpnc_acl

crypto map _vpnc_cm 10 set peer 203.28.106.200

crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_test_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11

crypto map _vpnc_cm interface outside

isakmp enable outside

isakmp key ******** address 203.28.106.200 netmask 255.255.255.255

isakmp keepalive 10 5

isakmp nat-traversal 20

isakmp policy 65001 authentication xauth-pre-share

isakmp policy 65001 encryption aes-256

isakmp policy 65001 hash sha

isakmp policy 65001 group 2

isakmp policy 65001 lifetime 86400

isakmp policy 65002 authentication xauth-pre-share

isakmp policy 65002 encryption aes-256

isakmp policy 65002 hash md5

isakmp policy 65002 group 2

isakmp policy 65002 lifetime 86400

isakmp policy 65003 authentication xauth-pre-share

isakmp policy 65003 encryption aes-192

isakmp policy 65003 hash sha

isakmp policy 65003 group 2

isakmp policy 65003 lifetime 86400

isakmp policy 65004 authentication xauth-pre-share

isakmp policy 65004 encryption aes-192

isakmp policy 65004 hash md5

isakmp policy 65004 group 2

isakmp policy 65004 lifetime 86400

isakmp policy 65005 authentication xauth-pre-share

isakmp policy 65005 encryption aes

isakmp policy 65005 hash sha

isakmp policy 65005 group 2

isakmp policy 65005 lifetime 86400

isakmp policy 65006 authentication xauth-pre-share

isakmp policy 65006 encryption aes

isakmp policy 65006 hash md5

isakmp policy 65006 group 2

isakmp policy 65006 lifetime 86400

isakmp policy 65007 authentication xauth-pre-share

isakmp policy 65007 encryption 3des

isakmp policy 65007 hash sha

isakmp policy 65007 group 2

isakmp policy 65007 lifetime 86400

isakmp policy 65008 authentication xauth-pre-share

isakmp policy 65008 encryption 3des

isakmp policy 65008 hash md5

isakmp policy 65008 group 2

isakmp policy 65008 lifetime 86400

isakmp policy 65009 authentication xauth-pre-share

isakmp policy 65009 encryption des

isakmp policy 65009 hash md5

isakmp policy 65009 group 2

isakmp policy 65009 lifetime 86400

isakmp policy 65010 authentication pre-share

isakmp policy 65010 encryption aes-256

isakmp policy 65010 hash sha

isakmp policy 65010 group 2

isakmp policy 65010 lifetime 86400

isakmp policy 65011 authentication pre-share

isakmp policy 65011 encryption aes-256

isakmp policy 65011 hash md5

isakmp policy 65011 group 2

isakmp policy 65011 lifetime 86400

isakmp policy 65012 authentication pre-share

isakmp policy 65012 encryption aes-192

isakmp policy 65012 hash sha

isakmp policy 65012 group 2

isakmp policy 65012 lifetime 86400

isakmp policy 65013 authentication pre-share

isakmp policy 65013 encryption aes-192

isakmp policy 65013 hash md5

isakmp policy 65013 group 2

isakmp policy 65013 lifetime 86400

isakmp policy 65014 authentication pre-share

isakmp policy 65014 encryption aes

isakmp policy 65014 hash sha

isakmp policy 65014 group 2

isakmp policy 65014 lifetime 86400

isakmp policy 65015 authentication pre-share

isakmp policy 65015 encryption aes

isakmp policy 65015 hash md5

isakmp policy 65015 group 2

isakmp policy 65015 lifetime 86400

isakmp policy 65016 authentication pre-share

isakmp policy 65016 encryption 3des

isakmp policy 65016 hash sha

isakmp policy 65016 group 2

isakmp policy 65016 lifetime 86400

isakmp policy 65017 authentication pre-share

isakmp policy 65017 encryption 3des

isakmp policy 65017 hash md5

isakmp policy 65017 group 2

isakmp policy 65017 lifetime 86400

isakmp policy 65018 authentication pre-share

isakmp policy 65018 encryption des

isakmp policy 65018 hash md5

isakmp policy 65018 group 2

isakmp policy 65018 lifetime 86400

ASA

AUMAT-WFW0# show vpnclient detail

LOCAL CONFIGURATION
vpnclient server 203.28.106.200
vpnclient mode network-extension-mode
vpnclient vpngroup AUABB-EZYVPN password *****
vpnclient username aumat-wfw0.au.abb.com password *****
vpnclient enable

DOWNLOADED DYNAMIC POLICY
Current Server : 203.28.106.200
Primary DNS : 10.128.208.32
Secondary DNS : 10.128.208.30
Primary WINS : 10.128.208.60
Secondary WINS : 10.128.208.68
Default Domain : au.abb.com
PFS Enabled : No
Secure Unit Authentication Enabled : No
User Authentication Enabled : No
Backup Servers : None

STORED POLICY
Secure Unit Authentication Enabled : No
Split Tunnel Networks : None
Backup Servers : None

RELATED CONFIGURATION
global (outside) 1 interface
global (outside) 65001 10.128.242.1
nat (inside) 0 access-list _vpnc_no_nat_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
access-list _vpnc_no_nat_acl extended permit ip any any
access-list _vpnc_acl extended permit ip host 119.225.63.90 host 203.28.106.200
access-list _vpnc_acl extended permit ip AUMAT 255.255.255.0 any
access-list _vpnc_acl extended deny udp host 119.225.63.90 eq bootpc any eq bootps
access-list _vpnc_acl extended permit ip host 119.225.63.90 any
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 203.28.106.200
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647
crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647
crypto map _vpnc_cm 10 set phase1-mode aggressive
crypto map _vpnc_cm interface outside
crypto isakmp enable outside
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65002
authentication xauth-pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65003
authentication xauth-pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65004
authentication xauth-pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65005
authentication xauth-pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65006
authentication xauth-pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65007
authentication xauth-pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65008
authentication xauth-pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65009
authentication xauth-pre-share
encryption des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65011
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65012
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65013
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65014
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65015
authentication pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65016
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65017
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65018
authentication pre-share
encryption des
hash md5
group 2
lifetime 2147483647
tunnel-group 203.28.106.200 type ipsec-ra
tunnel-group 203.28.106.200 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 90 retry 5

No issue with establishing the IPSec but traffic flow for http, https and nslookup seems to be failing.

AUMAT-WFW0(config)# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.28.106.200
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_ACTIVE
AUMAT-WFW0(config)# sh cry ipses sa
                               ^
ERROR: % Invalid input detected at '^' marker.
AUMAT-WFW0(config)# sh cry ipsec sa
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 119.225.63.90

      access-list _vpnc_acl extended permit ip 10.128.242.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (AUMAT/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.28.106.200, username: 203.28.106.200
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 45243, #pkts encrypt: 45245, #pkts digest: 45245
      #pkts decaps: 15549, #pkts decrypt: 15549, #pkts verify: 15549
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 45245, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 2, #pre-frag failures: 0, #fragments created: 4
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 102
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 119.225.63.90, remote crypto endpt.: 203.28.106.200

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 5452B791
      current inbound spi : C58AB035

    inbound esp sas:
      spi: 0xC58AB035 (3314200629)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 21756
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5452B791 (1414707089)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 21756
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 119.225.63.90

      access-list _vpnc_acl extended permit ip host 119.225.63.90 any
      local ident (addr/mask/prot/port): (119.225.63.90/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 203.28.106.200, username: 203.28.106.200
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 119.225.63.90, remote crypto endpt.: 203.28.106.200

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 39F7487C
      current inbound spi : C3E84E31

    inbound esp sas:
      spi: 0xC3E84E31 (3286781489)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27438
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x39F7487C (972507260)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: _vpnc_cm
         sa timing: remaining key lifetime (sec): 27438
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hope you experts can shed some light. Thanks

3 REPLIES
Cisco Employee

Issue with EZYVPN

Weird, so there is no problem with VPN establishment. Can you try to do a connection over the tunnel and check what the logs on the remote ASA show? Also check on the local ASA for syslogging.... if you see that they being created and then torn down, checkout the reason for the connection to be closed..

Theres gotta be something that we are missing.

Mike

Mike
New Member

Re: Issue with EZYVPN

The ezyvpn server firewall is not managed by us but I have ask if we could collect the debugs when we try installing the ASA again. Currently we have reverted to PIX and it works ok.

Kumar Ramalingam

Senior Network Engineer

Logicalis Australia Pty Ltd

t 1800 651 484

t +61 2 9805 9740 (International)

f +61 2 9805 9904

kramalingam@au.logicalis.com

www.au.logicalis.com<>

What are your organisation's greatest barriers to a more flexible workplace?

Let us introduce you to Tomorrow’s Workplace, http://www.au.logicalis.com/tomorrow

Get the latest news and offers:Twitter<>,LinkedIn<>,Facebook<>

Cisco Employee

Re: Issue with EZYVPN

Mmmmm, I understand.

Is the client configuration the same on both pix and ASA? Did you change something? Did you test any other tcp traffic besides telnet?

Mike

Mike
366
Views
0
Helpful
3
Replies
CreatePlease to create content