01-22-2014 01:26 PM
I am having trouble setting up a new VPN tunnel. I followed the ipsec site to site vpn wizard on my Cisco ASA 5505 and the client wizard on my RV110W. When the RV110W attempts to connect it displays the following error.
IPSec SA not established
On the ASA in the logging pane, I see this error.
3 Jan 22 2014 14:18:07 68.191.x.x Denied ICMP type=3, code=1 from 68.191.x.x on interface outside
What could I possibly be doing wrong? My SSL VPN seems to be working just fine, but I need my two offices (in neighboring cities) to be able to connect. I can post the config file if needed, but I'm not sure which chunk of it you would need to help. If you let me know, I'll post it ASAP.
01-22-2014 02:53 PM
Please paste the full config from the ASA.
Sent from Cisco Technical Support iPhone App
01-22-2014 02:55 PM
: Saved
:
ASA Version 8.2(5)
!
hostname KunduChatt
enable password JskQtsEY8US7PaGV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 108.174.110.1 gateway description gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 50
 ip address 108.174.110.34 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.18.32.2
 name-server 66.18.32.3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
object-group network net-remote
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list NAT-EXEMPT extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.201.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ssl 192.168.1.61-192.168.1.70 mask 255.255.255.0
ip local pool anyconnectvpn 192.168.2.1-192.168.2.20 mask 255.255.0.0
ip local pool AnyConnect 192.168.2.21-192.168.2.41 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host 69.191.229.122 unreachable outside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 68.191.229.122
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=KunduChatt
 keypair VPN
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5889c152
  quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 66.18.32.2 66.18.32.3
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 66.18.32.2 66.18.32.3 interface inside
dhcpd enable inside
!
dhcpd dns 66.18.32.2 66.18.32.3 interface outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Linux internal
group-policy Linux attributes
 vpn-tunnel-protocol svc
group-policy stsvpn internal
group-policy stsvpn attributes
 vpn-idle-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy Clientlessvpn internal
group-policy Clientlessvpn attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
group-policy AnyConnect internal
group-policy AnyConnect attributes
 vpn-tunnel-protocol svc webvpn
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://108.174.110.34/AnyConnect enable
tunnel-group Clientless type remote-access
tunnel-group Clientless general-attributes
 default-group-policy Clientlessvpn
tunnel-group Clientless webvpn-attributes
 group-alias Clientless enable
 group-url https://108.174.110.34/Clientless enable
tunnel-group Linux type remote-access
tunnel-group Linux general-attributes
 address-pool anyconnectvpn
 default-group-policy Linux
tunnel-group Linux webvpn-attributes
 group-alias Linux enable
 group-url https://108.174.110.34/Linux enable
tunnel-group stsvpn type ipsec-l2l
tunnel-group stsvpn general-attributes
 default-group-policy stsvpn
tunnel-group stsvpn ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group 68.191.229.122 type ipsec-l2l
tunnel-group 68.191.229.122 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:21ba420e51804436036df8c15a8ffb50
: end
asdm location gateway 255.255.255.255 inside
no asdm history enable
01-23-2014 07:16 PM
Since the original posting I've tried every combination of encryptions and IKE policies, and still the RV110W traffic is being denied. I've checked my ACL on the outside interface. A rule permitting ANY outside traffic did nothing to relieve the issue.