No UDP IPsec VPNs

Hi,

I have the problem that since yesterday the ASA5520 does not serve VPN connections (L2L and RAS) over UDP.

With the Cisco IPsec Client and transport over TCP/10000 it works. But with native OS VPN clients (Linux, Mac, iOS, ..), which do not support TCP transport, it does not work anymore. I receive an error message that the VPN server does not respond.

There haven't been any configuration changes.

I captured UDP traffic with:

capture test interface VPN-OUTSIDE match udp any any

but I don't see anything logged on connecting a client.

Below are the relevant parts of the config. Does something look wrong with it?

Thanks,

Chris

!
ASA Version 8.2(5)
!
hostname asa
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
access-list VPN-OUTSIDE_cryptomap extended permit ip 10.10.8.128 255.255.255.224 10.1.0.0 255.255.0.0
mtu VPN-OUTSIDE 1500
mtu management 1500
mtu VPN-INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
route VPN-OUTSIDE 0.0.0.0 0.0.0.0 XY 1
route management 0.0.0.0 0.0.0.0 10.10.43.88 254
route VPN-INSIDE 10.10.40.21 255.255.255.255 172.16.0.1 1
route VPN-INSIDE 10.10.40.22 255.255.255.255 172.16.0.1 1
route VPN-INSIDE 0.0.0.0 0.0.0.0 172.16.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tp ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map VPNOUTSIDE_map 1 match address VPN-OUTSIDE_cryptomap
crypto map VPNOUTSIDE_map 1 set pfs
crypto map VPNOUTSIDE_map 1 set peer XY
crypto map VPNOUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map VPNOUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map VPNOUTSIDE_map 1 set security-association lifetime kilobytes 4608000
crypto map VPNOUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNOUTSIDE_map interface VPN-OUTSIDE
crypto isakmp enable VPN-OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 7200
crypto isakmp ipsec-over-tcp port 10000
client-update enable
no vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 1
webvpn
group-policy DfltGrpPolicy attributes
 wins-server value 10.10.40.51 10.10.40.52
 dns-server value 10.10.40.21 10.10.40.22
 vpn-simultaneous-logins 100
 vpn-idle-timeout 120
 vpn-tunnel-protocol l2tp-ipsec svc
 group-lock value DefaultRAGroup
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value fhv-splittunnel
group-policy fhv-vpn-policy internal
group-policy fhv-vpn-policy attributes
 wins-server value 10.10.40.51 10.10.40.52
 dns-server value 10.10.40.21 10.10.40.22
 vpn-access-hours none
 vpn-simultaneous-logins 100
 vpn-idle-timeout 120
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 group-lock value fhv-vpn
 vlan none
 nac-settings none
 smartcard-removal-disconnect enable
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group vpn-auth
 dhcp-server 10.10.40.22
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key key
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group fhv-vpn type remote-access
tunnel-group fhv-vpn general-attributes
 authentication-server-group vpn-auth
 default-group-policy fhv-vpn-policy
 dhcp-server 10.10.40.22
tunnel-group fhv-vpn ipsec-attributes
 pre-shared-key key
tunnel-group fhv-vpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

1 REPLY

Hi Christian,

You say that the config was not changed and it worked a couple of days before, right? I assume both, meaning IPsec over UDP and also over TCP together, worked properly.

Also, you mentioned that you can't see any output in the capture file regarding the VPN connection.

My question is: is your ASA behind another box which could block specific UDP traffic? It looks like it is.

Best regards,

Jan
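As an added illustration of the reasoning in this thread (not code from either poster): the script below cross-checks, in a constructed excerpt of the posted config, that ISAKMP is enabled on the interface the crypto map is bound to and that IPsec-over-TCP is configured, then combines that with whether the interface capture showed any UDP at all. It only records whether a `crypto isakmp nat-traversal` line is present and makes no claim about the default on this ASA version; the `diagnose` function and its messages are the author's own construction.

```python
import re

# Constructed excerpt of the config posted in the thread.
ASA_CONFIG = """\
crypto map VPNOUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNOUTSIDE_map interface VPN-OUTSIDE
crypto isakmp enable VPN-OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 7200
crypto isakmp ipsec-over-tcp port 10000
"""

IKE_UDP_PORTS = (500, 4500)  # ISAKMP and NAT-T: what a UDP capture on the outside interface should show


def top_level_lines(text):
    """Top-level config lines only; drop blanks, '!' separators and indented sub-commands."""
    return [l.rstrip() for l in text.splitlines() if l.strip() and not l.startswith((" ", "!"))]


def check_ike_path(text):
    """Is ISAKMP enabled on the interface the crypto map is bound to, and which transports exist?"""
    r = {"crypto_map": None, "crypto_map_iface": None, "isakmp_ifaces": [],
         "isakmp_on_map_iface": False, "ipsec_over_tcp_port": None,
         "nat_traversal_line": None, "udp_ports_expected": list(IKE_UDP_PORTS)}
    for line in top_level_lines(text):
        if (m := re.match(r"crypto map (\S+) interface (\S+)$", line)):
            r["crypto_map"], r["crypto_map_iface"] = m.groups()
        elif (m := re.match(r"crypto isakmp enable (\S+)$", line)):
            r["isakmp_ifaces"].append(m.group(1))
        elif (m := re.match(r"crypto isakmp ipsec-over-tcp port (\d+)$", line)):
            r["ipsec_over_tcp_port"] = int(m.group(1))
        elif line.startswith("crypto isakmp nat-traversal"):  # presence only; default not asserted
            r["nat_traversal_line"] = line
    r["isakmp_on_map_iface"] = r["crypto_map_iface"] in r["isakmp_ifaces"]
    return r


def diagnose(text, udp_seen_in_capture):
    """Combine the config check with what 'capture ... match udp any any' showed."""
    r = check_ike_path(text)
    if not r["isakmp_on_map_iface"]:
        return "config: ISAKMP is not enabled on the crypto-map interface"
    if not udp_seen_in_capture:
        return "config ok: no UDP reached the interface, check upstream filtering of UDP/500 and UDP/4500"
    return "config ok: UDP arrives, debug IKE on the ASA itself"
```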
