Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

RA IPsec VPN configured but no traffic is sent or received (all traffic discarded as I see on VPN client software)

RA IPsec VPN configured but no traffic is sent or received (all traffic discarded as I see on VPN client software).

the firewall is 5540 with OS 7.1

VPN(config)# sh run
: Saved
:
ASA Version 7.1(2) 
!
hostname VPN
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 88.85.249.46 255.255.255.240 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.200.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.0.1 255.255.255.0 
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown     
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 9jNfZuG3TC5tCVH0 encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list rbt_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any 
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 192.168.192.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.192.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool rpool 192.168.192.2-192.168.192.200
no failover
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any inside
icmp permit any unreachable inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.0.0.0
route outside 0.0.0.0 0.0.0.0 88.85.249.33 1
route inside 10.0.0.0 255.0.0.0 10.2.200.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy sar-group internal
group-policy sar-group attributes
 dns-server value 10.1.61.3 10.1.61.4
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rbt_splitTunnelAcl
 default-domain value sar.com
 split-dns value sar.com 
username ggassim password p.8ZTPsRV8MuW4NM encrypted
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group sar-group type ipsec-ra
tunnel-group sar-group general-attributes
 address-pool rpool
 default-group-policy sar-group
tunnel-group sar-group ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
Cryptochecksum:e9980b895252f0520fa2074b75a8462d
: end

 

1 REPLY
New Member

hello there, I discovered

hello there,

 

I discovered that it's a windows problem bcz when I issued " ipconfig /release" the vpn client works well.

Is there any fix for the problem as there are many users are not computer engineers and they need to use VPN client.

the following logs I toke from VPN client

1      11:53:48.318  04/18/14  Sev=Warning/2 IKE/0xE300008D
Split-DNS requires Split Tunneling and a primary DNS server
 
2      11:53:52.614  04/18/14  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.192.1
Interface 192.168.192.3
 
3      11:53:52.614  04/18/14  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a8c003, Gateway: c0a8c001.
134
Views
0
Helpful
1
Replies
CreatePlease login to create content