cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1897
Views
0
Helpful
10
Replies

Remote access vpn failed, after wan-ip change

Leif Harald
Level 1
Level 1

Hi.

Router: ASA 5510

We have changed the ISP, so therefore new wan ip-addresses.

Internet works, and site-to-site vpn works, but I'm failing to localice why the remote access vpn won't work.

Any help / clue would be most graceful.

10 Replies 10

Jennifer Halim
Cisco Employee
Cisco Employee

Pls share your config.

Do you use IP Address or hostname for your remote access vpn? Have you changed them to the new IP?

Is there an easy way to get the part of the config thats of interrest, and hide all passwords etc?

We're using ip-adresses, the dns is not in use at the vpn-setup.

Have you changed the VPN Client peer to the new ISP IP Address?

On the client side, I have changed the ip-address to the asdm/vpn, yes.

Pls share the output of:

sh run tunn

sh run group-policy

sh run crypto

Leif Harald
Level 1
Level 1

ASA Version 8.0(2)  ASDM 6.0(2)-- Cisco ASA 5510

Result of the command: "sh run crypto"

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable

crypto map internet_map 1 match address internet_1_cryptomap

crypto map internet_map 1 set pfs

crypto map internet_map 1 set peer 213.xxx.xxx.114

crypto map internet_map 1 set transform-set ESP-3DES-SHA

crypto map internet_map 2 match address internet_2_cryptomap

crypto map internet_map 2 set pfs

crypto map internet_map 2 set peer 84.xxx.xxx.199

crypto map internet_map 2 set transform-set ESP-3DES-SHA

crypto map internet_map 3 match address internet_3_cryptomap

crypto map internet_map 3 set pfs

crypto map internet_map 3 set peer 81.xxx.xxx.10

crypto map internet_map 3 set transform-set ESP-3DES-SHA

crypto map internet_map 4 match address internet_4_cryptomap

crypto map internet_map 4 set pfs

crypto map internet_map 4 set peer 62.xxx.xxx.150

crypto map internet_map 4 set transform-set ESP-3DES-SHA

crypto map internet_map 5 match address internet_5_cryptomap

crypto map internet_map 5 set pfs

crypto map internet_map 5 set peer 213.xxx.xxx.242

crypto map internet_map 5 set transform-set ESP-3DES-SHA

crypto map internet_map 5 set nat-t-disable

crypto map internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map internet_map interface internet

crypto isakmp identity address

crypto isakmp enable internet

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption aes-256

hash sha

group 7

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto isakmp policy 80

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

crypto isakmp ipsec-over-tcp port 10000

Result of the command: "sh run tunn"

tunnel-group 213.xxx.xxx.114 type ipsec-l2l

tunnel-group 213.xxx.xxx.114 ipsec-attributes

pre-shared-key *

tunnel-group 80.xxx.xxx.210 type ipsec-l2l

tunnel-group 80.xxx.xxx.210 general-attributes

default-group-policy Lan2LanPolicy

tunnel-group 80.xxx.xxx.210 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group 81.xxx.xxx.10 type ipsec-l2l

tunnel-group 81.xxx.xxx.10 general-attributes

default-group-policy Lan2LanPolicy

tunnel-group 81.xxx.xxx.10 ipsec-attributes

pre-shared-key *

peer-id-validate cert

tunnel-group 85.xxx.xxx.158 type ipsec-l2l

tunnel-group 85.xxx.xxx.158 general-attributes

default-group-policy Lan2LanPolicy

tunnel-group 85.xxx.xxx.158 ipsec-attributes

pre-shared-key *

peer-id-validate cert

tunnel-group 84.xxx.xxx.154 type ipsec-l2l

tunnel-group 84.xxx.xxx.154 general-attributes

default-group-policy Lan2LanPolicy

tunnel-group 84.xxx.xxx.154 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group 84.xxx.xxx.196 type ipsec-l2l

tunnel-group 84.xxx.xxx.196 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group 84.xxx.xxx.199 type ipsec-l2l

tunnel-group 84.xxx.xxx.199 general-attributes

default-group-policy Lan2LanPolicy

tunnel-group 84.xxx.xxx.199 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group 62.xxx.xxx.150 type ipsec-l2l

tunnel-group 62.xxx.xxx.150 ipsec-attributes

pre-shared-key *

tunnel-group vpn-group-tupe-1 type remote-access

tunnel-group vpn-group-tupe-1 general-attributes

address-pool ip-pool

authentication-server-group vpn-gruoup-tupe-2 LOCAL

default-group-policy vpn-group-tupe-1

tunnel-group vpn-group-tupe-1 webvpn-attributes

group-alias vpn-group-tupe-1 enable

tunnel-group vpn-group-tupe-1 ipsec-attributes

pre-shared-key *

tunnel-group 213.xxx.xxx.242 type ipsec-l2l

tunnel-group 213.xxx.xxx.242 ipsec-attributes

pre-shared-key *

tunnel-group vpn-group-tupe-1-v2 type remote-access

tunnel-group vpn-group-tupe-1-v2 general-attributes

address-pool ip-pool

authentication-server-group vpn-gruoup-tupe-2

default-group-policy vpn-group-tupe-1-v2_2

tunnel-group vpn-group-tupe-1-v2 ipsec-attributes

pre-shared-key *

Result of the command: "sh run group-policy"

group-policy GroupPolicyIPsec internal

group-policy GroupPolicyIPsec attributes

vpn-filter none

vpn-tunnel-protocol IPSec

group-policy vpn-admin-oslo internal

group-policy vpn-admin-oslo attributes

dns-server value 172.20.0.10

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-admin-oslo_splitTunnelAcl

default-domain value akademiet.lokal

group-policy vpn-gruoup-tupe-1-v2_1 internal

group-policy vpn-gruoup-tupe-1-v2_1 attributes

dns-server value 172.20.0.10 172.20.7.10

vpn-tunnel-protocol IPSec webvpn

default-domain value akademiet.lokal

group-policy vpn-gruoup-tupe-1-v2 internal

group-policy vpn-gruoup-tupe-1-v2 attributes

dns-server value 172.20.0.10 172.20.7.10

vpn-tunnel-protocol IPSec

default-domain value akademiet.lokal

group-policy vpn-gruoup-tupe-1-v2_2 internal

group-policy vpn-gruoup-tupe-1-v2_2 attributes

dns-server value 172.20.0.10 172.20.7.10

vpn-tunnel-protocol IPSec

default-domain value akademiet.lokal

group-policy vpn-gruoup-tupe-1 internal

group-policy vpn-gruoup-tupe-1 attributes

dns-server value 172.20.0.10 172.20.7.10

vpn-tunnel-protocol IPSec svc webvpn

password-storage disable

group-lock value vpn-gruoup-tupe-1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn-gruoup-tupe-1_splitTunnelAcl

default-domain value akademiet.lokal

webvpn

  url-list none

group-policy Lan2LanPolicy internal

group-policy Lan2LanPolicy attributes

vpn-filter none

vpn-tunnel-protocol IPSec

Where is it failing? Can you also send the logs from the VPN Client side.

Also, you've disabled NAT-T, can you enable it:

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable

At the moment I doesn't have any Windows computers, we use a "ton" of macs, so I don't have the cisco vpn client log available.

The mac and the iphone says both that the VPN-server doesn't replay. So it looks like a connectivity issue. I've triple checked the ip-address both on the iphone and the mac.

I also trid your Nat-t suggestion, with no luck. (thanks though!)

Hi Leif,

Try to remove and reinstall client from on of the the 'MAC or iphone' with new IP and see of that fixes the issue. This may sounds like strange, but as nothing changed (except IP) on head end, I would check from client end.

hth

MS

Reinstalling the client did not help (as expected). It has to be a configuration issue / connectivity fault at the asa.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: