11-11-2013 11:15 AM - edited 02-21-2020 07:18 PM
Hi,
I'm having issues setting up a remote access VPN alongside four site-to-site VPNs. All site-to-site tunnels work perfectly, and only phase 1 of the remote access tunnel is able to complete successfully.
I have tried setting up the remote access VPN using both the CLI and the ASDM wizard. I'm thinking the site-to-site tunnels are interfering with the remote access VPN.
Here is the "debug crypto isakmp 7" log:
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing SA payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Oakley proposal is acceptable
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Received Fragmentation VID
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Received NAT-Traversal ver 02 VID
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing IKE SA payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, IKE SA Proposal # 1, Transform # 2 acceptable Matches global IKE entry # 4
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing ISAKMP SA payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Traversal VID ver 02 payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing Fragmentation VID + extended capabilities payload
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 232
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing ke payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing ISA_KE payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing nonce payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing NAT-Discovery payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, processing NAT-Discovery payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing ke payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing nonce payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing Cisco Unity VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing xauth V6 VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Send IOS VID
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing VID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Discovery payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, constructing NAT-Discovery payload
Nov 11 15:01:37 [IKEv1 DEBUG]: IP = 108.163.152.8, computing NAT Discovery hash
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Connection landed on tunnel_group DefaultRAGroup
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Generating keys for Responder...
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing hash payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Computing hash for ISAKMP
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Connection landed on tunnel_group DefaultRAGroup
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing ID payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing hash payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Computing hash for ISAKMP
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing dpd vid payload
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, PHASE 1 COMPLETED
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Keep-alive type for this connection: None
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, Keep-alives configured on but peer does not support keep-alives (type = None)
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, Starting P1 rekey timer: 21600 seconds.
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE RECEIVED Message (msgid=95fd42c0) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 299
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing hash payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing SA payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing nonce payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Received remote Proxy Host FQDN in ID Payload: Host Name: test-vm Address 0.0.0.0, Protocol 17, Port 1701
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing ID payload
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Received local Proxy Host data in ID Payload: Address 70.38.31.202, Protocol 17, Port 1701
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, L2TP/IPSec session detected.
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, processing NAT-Original-Address payload
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, QM IsRekeyed old sa not found by addr
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 1...
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 2...
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 3...
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, checking map = outside_map, seq = 4...
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 on interface outside
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending notify message
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing blank hash payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing qm hash payload
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=4c11ba7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 352
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, QM FSM error (P2 struct &0xca511100, mess id 0x95fd42c0)!
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE QM Responder FSM error history (struct &0xca511100) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending delete/delete with reason message
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Removing peer from correlator table failed, no match!
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE SA MM:17d9a7b1 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, IKE SA MM:17d9a7b1 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, sending delete/delete with reason message
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing blank hash payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing IKE delete payload
Nov 11 15:01:37 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 108.163.152.8, constructing qm hash payload
Nov 11 15:01:37 [IKEv1]: IP = 108.163.152.8, IKE_DECODE SENDING Message (msgid=b1206c64) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Session is being torn down. Reason: crypto map policy not found
Nov 11 15:01:38 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping
Nov 11 15:01:40 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping
Nov 11 15:01:44 [IKEv1]: IP = 108.163.152.8, Received encrypted packet with no matching SA, dropping
show running-configuration
cl-t129-05ih# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname cl-t129-05ih
domain-name privatedns.com
enable password y1Bc0g0AYjBIerBD encrypted
passwd y1Bc0g0AYjBIerBD encrypted
no names
!
interface Vlan1
nameif outside
security-level 0
ip address 70.38.31.202 255.255.255.224
!
interface Vlan2
nameif inside
security-level 100
ip address 10.2.28.1 255.255.255.0
!
interface Vlan999
nameif dmz
security-level 50
ip address 70.38.15.249 255.255.255.248
!
interface Ethernet0/0
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 999
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 209.172.41.202
name-server 209.172.41.200
domain-name privatedns.com
object network obj-10.2.28.0
subnet 10.2.28.0 255.255.255.0
object network obj-192.168.111.0
subnet 192.168.111.0 255.255.255.0
object network obj-192.168.1.76
host 192.168.1.76
object network obj-10.2.28.10
host 10.2.28.10
object network RosenSC1
subnet 172.16.0.0 255.240.0.0
object network obj-10.2.28.11
host 10.2.28.11
object network obj-10.2.28.12
host 10.2.28.12
object network obj-10.2.28.13
host 10.2.28.13
object network obj-10.2.28.14
host 10.2.28.14
object network obj-10.2.28.15
host 10.2.28.15
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.2.28.0_24
subnet 10.2.28.0 255.255.255.0
object network NETWORK_OBJ_192.168.111.0_24
subnet 192.168.111.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_12
subnet 172.16.0.0 255.240.0.0
object network obj-10.2.28.20
host 10.2.28.20
object network obj-10.2.28.21
host 10.2.28.21
object network obj-10.2.28.22
host 10.2.28.22
object network obj-10.2.28.23
host 10.2.28.23
object network obj-10.2.28.30
host 10.2.28.30
object network obj-10.2.28.31
host 10.2.28.31
object network obj-10.2.28.32
host 10.2.28.32
object network obj-10.2.28.33
host 10.2.28.33
object network dmz-subnet
subnet 192.168.2.0 255.255.255.0
object network db-dmz-wan
host 70.38.15.248
object network webserver
host 192.168.2.30
object network webserver-static-nat
host 192.168.2.30
object network WashingtonSq
host 192.168.1.14
object network obj-10.2.28.24
host 10.2.28.24
object network obj-10.2.28.25
host 10.2.28.25
object network NETWORK_OBJ_70.38.15.248_29
subnet 70.38.15.248 255.255.255.248
object network NETWORK_OBJ_71.13.156.64_27
subnet 71.13.156.64 255.255.255.224
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
object network NETWORK_OBJ_10.2.28.128_25
subnet 10.2.28.128 255.255.255.128
object network NETWORK_OBJ_10.2.28.224_27
subnet 10.2.28.224 255.255.255.224
object network NETWORK_OBJ_10.2.29.0_24
subnet 10.2.29.0 255.255.255.0
object-group service www_srv tcp
description ssl
port-object eq ftp
port-object eq ssh
port-object eq www
port-object eq https
port-object eq 3389
port-object eq smtp
port-object eq pop3
port-object eq 8443
object-group network www_servers_1
network-object host 10.2.28.10
network-object host 10.2.28.11
network-object host 10.2.28.12
network-object host 10.2.28.13
network-object host 10.2.28.14
network-object host 10.2.28.15
network-object host 10.2.28.20
network-object host 10.2.28.21
network-object host 10.2.28.22
network-object host 10.2.28.23
network-object host 10.2.28.30
network-object host 10.2.28.31
network-object host 10.2.28.32
network-object host 10.2.28.33
network-object host 10.2.28.24
network-object host 10.2.28.25
access-list outside_1_cryptomap extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.2.28.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 object RosenSC1
access-list inside_nat0_outbound extended permit ip 10.2.28.0 255.255.255.0 host 192.168.2.76
access-list inside_nat0_outbound extended permit ip host 10.2.28.10 host 192.168.2.76
access-list outside_in extended permit ip 108.163.152.0 255.255.254.0 any
access-list outside_in extended permit ip host 209.172.41.160 any
access-list outside_in remark From RT #6150450 : continuously tries to log into port 3389 (rdp).
access-list outside_in extended deny ip host 112.216.31.116 any
access-list outside_in extended deny ip host 72.46.134.18 any
access-list outside_in extended permit tcp any object-group www_servers_1 object-group www_srv
access-list outside_in extended permit icmp host 209.172.32.36 any
access-list outside_in extended permit tcp host 173.252.62.122 any eq 1433
access-list outside_in remark From RT #6150450 : continuously tries to log into port 3389 (rdp).
access-list outside_in extended permit ip 10.2.28.0 255.255.255.0 any
access-list outside_3_cryptomap extended permit ip 10.2.28.0 255.255.255.0 object WashingtonSq
access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpn-pool2 10.2.29.100-10.2.29.200 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 209.172.41.160 echo outside
icmp permit host 209.172.32.36 echo outside
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static NETWORK_OBJ_192.168.111.0_24 NETWORK_OBJ_192.168.111.0_24
nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static NETWORK_OBJ_172.16.0.0_12 NETWORK_OBJ_172.16.0.0_12
nat (inside,outside) source static NETWORK_OBJ_10.2.28.0_24 NETWORK_OBJ_10.2.28.0_24 destination static WashingtonSq WashingtonSq
nat (dmz,outside) source static NETWORK_OBJ_70.38.15.248_29 NETWORK_OBJ_70.38.15.248_29 destination static NETWORK_OBJ_71.13.156.64_27 NETWORK_OBJ_71.13.156.64_27
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.2.29.0_24 NETWORK_OBJ_10.2.29.0_24
!
object network obj_any
nat (inside,outside) dynamic interface
object network obj-10.2.28.20
nat (inside,outside) static 70.38.40.177
object network obj-10.2.28.21
nat (inside,outside) static 70.38.40.178
object network obj-10.2.28.22
nat (inside,outside) static 70.38.40.179
object network obj-10.2.28.23
nat (inside,outside) static 70.38.40.180
object network obj-10.2.28.30
nat (inside,outside) static 174.142.209.104
object network obj-10.2.28.31
nat (inside,outside) static 174.142.209.105
object network obj-10.2.28.32
nat (inside,outside) static 174.142.209.106
object network obj-10.2.28.33
nat (inside,outside) static 174.142.209.107
object network obj-10.2.28.24
nat (inside,outside) static 70.38.40.181
object network obj-10.2.28.25
nat (inside,outside) static 70.38.40.182
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.38.31.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 173.252.62.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 216.246.172.4
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 206.71.243.34
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 71.13.156.125
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.172.41.202 source outside prefer
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 209.172.41.202 209.172.41.200
vpn-tunnel-protocol l2tp-ipsec
default-domain value privatedns.com
username someuser1 password some-encrypted-password nt-encrypted privilege 0
username someuser1 attributes
vpn-group-policy DefaultRAGroup
username someuser2 password some-encrypted-password nt-encrypted privilege 0
username someuser2 attributes
vpn-group-policy DefaultRAGroup
username someuser3 password OIfCCniUgohBqJyX encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool2
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 173.252.62.122 type ipsec-l2l
tunnel-group 173.252.62.122 ipsec-attributes
pre-shared-key *****
tunnel-group 216.246.172.4 type ipsec-l2l
tunnel-group 216.246.172.4 ipsec-attributes
pre-shared-key *****
tunnel-group 206.71.243.34 type ipsec-l2l
tunnel-group 206.71.243.34 ipsec-attributes
pre-shared-key *****
tunnel-group 71.13.156.125 type ipsec-l2l
tunnel-group 71.13.156.125 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect netbios
inspect sunrpc
inspect sip
inspect xdmcp
inspect dns
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8bd5d82c383dcd8a248eb6e60061852e
: end
show version
cl-t129-05ih# sh vers
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 7.1(1)52
This platform has an ASA 5505 Security Plus license.
I have been banging my head on the wall for a few days trying to figure this out.
Thanks in advance for any idea you may have.
11-12-2013 07:56 PM
Hello iweb_tech,
I see the debug states:
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:0.0.0.0 dst:70.38.31.202
And based on your show run:
access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224
So if it is :
Wildcard Mask: 0.0.0.7
First Address: 70.38.15.248
Last Address: 70.38.15.255
Or
Wildcard Mask: 255.255.255.248, same as saying any.any.any.[248-255]
It seems that neither way does the address 70.38.31.202 fit; can you confirm?
-daVid
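The debug in the first post shows the ASA walking the four static entries of outside_map, reporting "ACL does not match proxy IDs" for each, and then rejecting the Quick Mode with "no matching crypto map entry". As an added example (not part of the original thread), the script below replays the static-map half of that check offline in Python: it parses the four crypto-map ACLs and the WashingtonSq object from the posted sh run, parses the "Rejecting IPSec tunnel" line from the posted debug, and reports which outside_map sequence numbers could cover the proxy IDs. It also answers the question in the reply above about whether 70.38.31.202 falls in 70.38.15.248/29. The second rejection line is a constructed positive control (the proxies of site-to-site entry 1) and does not come from the debug. The source-is-local / destination-is-remote reading of a crypto ACL is the ASA convention; the dynamic entry SYSTEM_DEFAULT_CRYPTO_MAP is not modelled because the debug does not show how it was evaluated.

```python
"""Offline replay of the ASA's "Static Crypto Map check" for an IKEv1 Quick Mode.

Added example for the thread above. The ACL lines and REJECT_LINE are copied
from the posted configuration and debug; L2L_CONTROL_LINE is constructed.
"""
import ipaddress
import re

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

# Crypto-map ACLs as posted in "sh run".
ACL_LINES = """\
access-list outside_1_cryptomap extended permit ip 10.2.28.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.2.28.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list outside_3_cryptomap extended permit ip 10.2.28.0 255.255.255.0 object WashingtonSq
access-list outside_4_cryptomap extended permit ip 70.38.15.248 255.255.255.248 71.13.156.64 255.255.255.224
"""
# Named objects the ACLs reference, from the same config.
OBJECTS = {"WashingtonSq": "192.168.1.14/32"}
# Static entries of outside_map, seq -> ACL name (the dynamic entry at 65535 is not modelled).
CRYPTO_MAP = {1: "outside_1_cryptomap", 2: "outside_2_cryptomap",
              3: "outside_3_cryptomap", 4: "outside_4_cryptomap"}

# Rejection line from the posted "debug crypto isakmp 7".
REJECT_LINE = ("Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, "
               "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
               "0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 "
               "on interface outside")
# Constructed control line (NOT from the debug): the proxies of site-to-site entry 1.
L2L_CONTROL_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
                    "192.168.111.0/255.255.255.0/0/0 local proxy 10.2.28.0/255.255.255.0/0/0 "
                    "on interface outside")

REJECT_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+) "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)")


def parse_reject(line):
    """Extract the proxy IDs (addr/mask/proto/port) the ASA failed to match."""
    m = REJECT_RE.search(line)
    if not m:
        raise ValueError("not a 'no matching crypto map entry' line")
    g = m.groupdict()
    return {
        "remote": ipaddress.ip_network(f"{g['raddr']}/{g['rmask']}", strict=False),
        "local": ipaddress.ip_network(f"{g['laddr']}/{g['lmask']}", strict=False),
        "proto": int(g["lproto"]),
        "local_port": int(g["lport"]),
        "remote_port": int(g["rport"]),
    }


def _endpoint(tok, i, objects):
    """Parse one ASA ACL address spec (any | host A | object N | A MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object":
        return ipaddress.ip_network(objects[tok[i + 1]]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_crypto_acls(text, objects):
    """Return {acl_name: [(proto_num, src_net, dst_net), ...]} for permit entries."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:1] != ["access-list"] or tok[2:4] != ["extended", "permit"]:
            continue
        src, i = _endpoint(tok, 5, objects)
        dst, _ = _endpoint(tok, i, objects)
        acls.setdefault(tok[1], []).append((PROTO_NUM.get(tok[4], -1), src, dst))
    return acls


def acl_covers(entry, proxy):
    """A crypto ACE matches when its source covers the local proxy and its
    destination covers the remote proxy (ASA convention: source = protected
    local traffic, destination = the peer's network) and the protocol agrees."""
    proto, src, dst = entry
    proto_ok = proto == 0 or proto == proxy["proto"]
    return proto_ok and proxy["local"].subnet_of(src) and proxy["remote"].subnet_of(dst)


def static_map_check(reject_line, acl_text, objects, crypto_map):
    """Replay the per-sequence check: {seq: True if some ACE covers the proxy IDs}."""
    proxy = parse_reject(reject_line)
    acls = parse_crypto_acls(acl_text, objects)
    results = {seq: any(acl_covers(e, proxy) for e in acls.get(name, []))
               for seq, name in sorted(crypto_map.items())}
    return proxy, results


def is_l2tp_transport_proxy(proxy):
    """True for the L2TP/IPsec signature seen in the debug: UDP/1701 terminating on
    a single address (the ASA's own outside interface) rather than a protected subnet."""
    return proxy["proto"] == 17 and proxy["local_port"] == 1701 and proxy["local"].prefixlen == 32


if __name__ == "__main__":
    for label, line in (("debug line", REJECT_LINE), ("constructed L2L control", L2L_CONTROL_LINE)):
        proxy, res = static_map_check(line, ACL_LINES, OBJECTS, CRYPTO_MAP)
        print(f"{label}: local {proxy['local']} port {proxy['local_port']}, "
              f"remote {proxy['remote']}, proto {proxy['proto']}, "
              f"L2TP transport pattern: {is_l2tp_transport_proxy(proxy)}")
        for seq, hit in res.items():
            print(f"  outside_map seq {seq} ({CRYPTO_MAP[seq]}): "
                  f"{'match' if hit else 'ACL does not match proxy IDs'}")
```

For the debug line every static entry comes back as no match: the local proxy is the outside interface address itself (70.38.31.202/32, UDP 1701), which is neither in 10.2.28.0/24 nor in 70.38.15.248/29, so seq 1 through 4 cannot match regardless of the remote side; the control line matches seq 1 only, which shows the checker itself is sound. Note that the debug prints the proxies from the initiator's direction (src = remote proxy, dst = local proxy), which is why the per-entry lines read src:0.0.0.0 dst:70.38.31.202.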
11-14-2013 05:49 AM
The 70.38.31.202 IP and the outside_4_cryptomap ACL are used for one of the site-to-site VPNs. This IP is the peer IP and 70.38.15.248/29 is the "local subnet". We are doing the site-to-site using publicly routable IP addresses, so this is why it looks a bit uncommon.
Basically, this site-to-site should not interfere with the remote access VPN, but it seems like it is...
Anyone have any other ideas?
Thanks!
11-14-2013 07:40 AM
Hi,
The configuration itself seems fine, though the thing that causes problems for me personally is that this is supposed to use L2TP/IPsec, which I have never used.
The configuration guide seems to suggest that your configuration is pretty much done by the book so I don't really know what the problem is.
It does say it doesn't match anything configured on your firewall:
Nov 11 15:01:37 [IKEv1]: Group = DefaultRAGroup, IP = 108.163.152.8, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/17/0 local proxy 70.38.31.202/255.255.255.255/17/1701 on interface outside
Have you considered using the Cisco VPN Client software (or some 3rd party IPsec VPN Client software) to connect to the ASA?
- Jouni