
Why can't my VPN tunnel connect?

tinkertronix
Level 1

I am having trouble setting up a new VPN tunnel. I followed the IPsec site-to-site VPN wizard on my Cisco ASA 5505 and the client wizard on my RV110W. When the RV110W attempts to connect, it displays the following error.

IPSec SA not established

On the ASA in the logging pane, I see this error.

3    Jan 22 2014    14:18:07        68.191.x.x             Denied  ICMP type=3, code=1 from 68.191.x.x on interface outside

What could I possibly be doing wrong? My SSL VPN seems to be working just fine, but I need my two offices (in neighboring cities) to be able to connect. I can post the config file if needed, but I'm not sure which chunk of it you would need to help. If you let me know, I'll post it ASAP.

3 Replies

Please paste the full config from the ASA.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanks

: Saved
:
ASA Version 8.2(5) 
!
hostname KunduChatt
enable password JskQtsEY8US7PaGV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 108.174.110.1 gateway description gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 108.174.110.34 255.255.255.0 
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.18.32.2
 name-server 66.18.32.3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
object-group network net-remote
access-list outside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip any any 
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ssl 192.168.1.61-192.168.1.70 mask 255.255.255.0
ip local pool anyconnectvpn 192.168.2.1-192.168.2.20 mask 255.255.0.0
ip local pool AnyConnect 192.168.2.21-192.168.2.41 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host 69.191.229.122 unreachable outside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 68.191.229.122 
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=KunduChatt
 keypair VPN
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5889c152
  quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 66.18.32.2 66.18.32.3
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 66.18.32.2 66.18.32.3 interface inside
dhcpd enable inside
!
dhcpd dns 66.18.32.2 66.18.32.3 interface outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Linux internal
group-policy Linux attributes
 vpn-tunnel-protocol svc 
group-policy stsvpn internal
group-policy stsvpn attributes
 vpn-idle-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy Clientlessvpn internal
group-policy Clientlessvpn attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
group-policy AnyConnect internal
group-policy AnyConnect attributes
 vpn-tunnel-protocol svc webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://108.174.110.34/AnyConnect enable
tunnel-group Clientless type remote-access
tunnel-group Clientless general-attributes
 default-group-policy Clientlessvpn
tunnel-group Clientless webvpn-attributes
 group-alias Clientless enable
 group-url https://108.174.110.34/Clientless enable
tunnel-group Linux type remote-access
tunnel-group Linux general-attributes
 address-pool anyconnectvpn
 default-group-policy Linux
tunnel-group Linux webvpn-attributes
 group-alias Linux enable
 group-url https://108.174.110.34/Linux enable
tunnel-group stsvpn type ipsec-l2l
tunnel-group stsvpn general-attributes
 default-group-policy stsvpn
tunnel-group stsvpn ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group 68.191.229.122 type ipsec-l2l
tunnel-group 68.191.229.122 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:21ba420e51804436036df8c15a8ffb50
: end
asdm location gateway 255.255.255.255 inside
no asdm history enable

Since the original posting I've tried every combination of encryptions and IKE policies, and still the RV110W traffic is being denied. I've checked my ACL on the outside interface. A rule permitting ANY outside traffic did nothing to relieve the issue.
