
NAT Interface Overload

clark white
Level 2

Dear Experts,

I have a strange issue: my configs were working perfectly on 12.4. When I changed the router to an 887VA with IOS 15.1, NAT doesn't work for internet traffic.

I have configured the EZVPN client on my new 887VA router connecting to HO; the VPN is established perfectly, but the traffic for the internet stops. When I remove the crypto command from my outside interface it starts translating and the NATting for internet traffic works fine.


OK, here are the HQ configs. Have a look at the group where the ACL is used for the split tunnel.

Clark,

I've got them downloaded and I am going to check the contents.

Best regards,

Peter

Peter, thanks for all the replies. We are just about to reach success; please cooperate till we get there.

The other 9 locations are running without any issue on 870 routers with 12.4 IOS; I think there is something different about how 15.0 IOS treats the split tunnel.

Thanks

Hi Clark,

Hmmm... This is becoming convoluted.

Can you afford to run debugs on the 887VA? If yes please activate the debug crypto ipsec client ezvpn command followed by terminal monitor if you are working remotely, and then trigger the VPN reestablishment by issuing the clear crypto ipsec client ezvpn command. The debug output will be rather large but I will need it to be captured in its entirety and posted here.

Thank you!

Best regards,

Peter

OK, I will do it.

Here is the attachment. I didn't change the peer IP address for the client, so don't be surprised. I noticed that I am not able to ping from the router itself after creating the virtual interface.

Clark,

I believe I have found the problem in the HQ's configuration. Your ISAKMP profile that defines how the IPsec clients are authenticated does not match the group name KK. Paste the following lines to the HQ's configuration:

crypto isakmp profile client

  match identity group KK

  end

This will add another identity to the ISAKMP profile. After this change on HQ, issue the clear crypto ipsec client ezvpn on the 887VA and test the behavior again.

Best regards,

Peter

Hello Peter,

I noticed this before but I didn't touch it because the existing ones are working. Following your previous reply I made the changes, and the client was not able to connect.

Attached are the debugs from the client router; it is stuck in Xauth.

Clark,

The HQ's configuration is quite messy - there are ISAKMP profiles and IPsec client configuration groups that do not seem to be used. Can we perhaps streamline its configuration? I guess the dynmap crypto dynamic-map is unused and can be removed, and I am not sure about the cana configuration group. Can you have a look and tell me what can be removed from the HQ's config?

Best regards,

Peter

Dear Peter

Sure, I will do that, but I want to know from you whether we can add two match identity statements in the profile "client". Will it affect the client connection?

crypto isakmp profile client

  match identity group KK

  match identity group abc

  end

Thanks

Hi Clark,

To the best of my knowledge, a crypto isakmp profile can contain multiple match identity statements and they act like a logical OR - they simply map multiple identities to the ISAKMP profile. Also, adding an identity match statement into an ISAKMP profile should not affect any existing IPsec sessions.

By the way, the client is not stuck in Xauth. Quite the contrary, it expects you to enter the following command:

crypto ipsec client ezvpn xauth

and to enter the proper username and password. The reason it did not request the username and password up to now is because the KK clients were not mapped to the ISAKMP configuration that actually requests an Xauth. Let me rephrase that: because of this configuration error on HQ, your EzVPN clients in the KK configuration group were actually allowed to connect without user authentication - based only on the group authentication using a pre-shared key. Most certainly, that is not what you wanted. Please be aware that after you add the KK identity to your existing ISAKMP profile, all clients in the KK identity will be, sooner or later, required to authenticate using Xauth in the same way.

Is it required that you enter the username and password manually? Should this not be stored in the configuration of the clients?

Best regards,

Peter

Dear Peter,

I told you that I have 10 sites, but actually I have more than 10 sites, and all will be affected once their VPN is disconnected because they will have to authenticate.

So what alternative can be used, rather than visiting each VPN client and configuring the username and password?

Is it required that you enter the username and password manually?

NO

Should this not be stored in the configuration of the clients?

NO

Thanks

Clark,

Well, if the KK clients are not supposed to be actually doing the Xauth authentication then we need to create a separate ISAKMP profile for them that does not require them to authenticate - something along the lines of:

crypto isakmp profile KKclients

  match identity group KK

  client configuration address respond

In this case, the match identity group KK must be present only in this ISAKMP profile and no other.

These configuration changes on HQ have to be performed carefully - you always need to have a backup of the original HQ's configuration handy in case a configuration change causes unforeseen issues.

Best regards,

Peter
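An added example, not part of the thread and not the HQ configuration posted in it: a small Python audit that applies Peter's reasoning from the two replies above to an IOS config. It parses the crypto isakmp client configuration group and crypto isakmp profile blocks and reports any group that is matched by no ISAKMP profile, by more than one profile, or by a profile with no client authentication list (so the group connects on the pre-shared key alone, without Xauth). The IOS command names are the real ones; the profile names, group names (abc, KK, cana), list names and the whole sample config are constructed for the example.

```python
"""Audit IOS ISAKMP profiles for EzVPN groups that would skip Xauth.

Added example (not from the thread). It applies the reasoning given in the
thread to a constructed config:
 - a group whose ISAKMP profile has no 'client authentication list' is
   admitted on the group pre-shared key alone (no Xauth);
 - a group matched by no profile is not mapped to the profile that
   requests Xauth;
 - a group should be matched by exactly one profile.
Command syntax is real IOS; names and the config below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample config (assumption: this is NOT the HQ config from the thread).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group abc
 key abcsecret
 pool ezpool
 acl split
crypto isakmp client configuration group KK
 key kksecret
 pool ezpool
 acl split
crypto isakmp client configuration group cana
 key canasecret
 pool ezpool
!
crypto isakmp profile client
 match identity group abc
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile KKclients
 match identity group KK
 isakmp authorization list groupauthor
 client configuration address respond
"""


def parse_isakmp(config):
    """Return (groups, profiles): the set of defined client groups and a
    dict profile-name -> {"groups": [matched groups], "xauth": bool}."""
    groups = set()
    profiles = {}
    current = None  # name of the isakmp profile whose sub-commands we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # any top-level command ends the open block
            current = None
            m = re.match(r"crypto isakmp client configuration group (\S+)", line)
            if m:
                groups.add(m.group(1))
                continue
            m = re.match(r"crypto isakmp profile (\S+)", line)
            if m:
                current = m.group(1)
                profiles[current] = {"groups": [], "xauth": False}
            continue
        if current is None:  # sub-command of a block we do not audit
            continue
        sub = line.strip()
        m = re.match(r"match identity group (\S+)", sub)
        if m:
            profiles[current]["groups"].append(m.group(1))
        elif sub.startswith("client authentication list "):
            profiles[current]["xauth"] = True  # Xauth is requested for this profile
    return groups, profiles


def audit(config):
    """Return a dict group -> list of issue strings (groups with no issue are absent)."""
    groups, profiles = parse_isakmp(config)
    matched_by = defaultdict(list)
    for name, prof in profiles.items():
        for g in prof["groups"]:
            matched_by[g].append(name)
    findings = defaultdict(list)
    for g in sorted(groups):
        profs = matched_by.get(g, [])
        if not profs:
            findings[g].append("matched by no ISAKMP profile")
        elif len(profs) > 1:
            findings[g].append("matched by more than one profile: " + ", ".join(profs))
        for p in profs:
            if not profiles[p]["xauth"]:
                findings[g].append(f"profile {p} has no 'client authentication list' (no Xauth)")
    for g in matched_by:
        if g not in groups:
            findings[g].append("matched by a profile but no client configuration group defined")
    return dict(findings)


if __name__ == "__main__":
    for group, issues in audit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{group}: {issue}")
```

Run against the sample, abc is clean, KK is flagged because its dedicated profile deliberately omits the client authentication list (exactly the no-Xauth behaviour described above, which is fine only if that is the intended policy), and cana is flagged as matched by no profile. Paste a real running-config in place of SAMPLE_CONFIG to check the HQ router; the script only reads the two block types it knows about and ignores everything else.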

Hello Peter,

I put only one match identity command and still it doesn't work; again it is asking me to put in the below command:

Pending XAuth Request, Please enter the following command:

Aug 29 14:14:55.941: EZVPN: crypto ipsec client ezvpn xauth

Thanks

Hi Clark,

Would you perhaps be willing to post your HQ config once again after the changes? I would like to see the latest version and try it out on my topology. Has the client's configuration been changed in any significant way?

Best regards,

Peter
