SSL VPN Connection Issue

Similar Messages

• SSL VPN Connection error with SA520

  Hi there,
  I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
  I have made sure the firewall was turned off. Any idea on how to get the ssl tunel connected?
  Thanks

  Hihi,
  we have the same problem, running on Vista 32 bit, and IE9.
  On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
  It works also on Win 7 64 bit, although only with the 64 bit version of IE.
  Coming back to our Vista issue, we did not find any way to make it work properly.
  Tried to turn off firewall, disinstall a lot of stuff that may interphere, etc. , still same problem.
  We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
  Anyone has any suggestion ??
  Tks

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

  Hi there, please forgive if I have missed any forum protocols as this is my first post.
  I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
  Inside              192.168.1.254/24
  Outside           dhcp
  VPN Pool        192.168.250.1-50/24
  Inside LAN     192.168.1.0/24
  : Saved
  ASA Version 8.4(4)1
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface GigabitEthernet0/1
  nameif inside
  security-level 99
  ip address 192.168.1.254 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 99
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name dock.local
  same-security-traffic permit inter-interface
  object network inside-network-object
  subnet 192.168.1.0 255.255.255.0
  object network management-network-object
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.250.0_25
  subnet 192.168.250.0 255.255.255.128
  object-group network AllInside-networks
  network-object object inside-network-object
  network-object object management-network-object
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
  access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic AllInside-networks interface
  nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable 4433
  http 192.168.100.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 192.168.100.0 255.255.255.0 management
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_anyconnect internal
  group-policy GroupPolicy_anyconnect attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client ssl-clientless
  split-tunnel-policy tunnelall
  split-tunnel-network-list value split_tunnel
  default-domain value dock.local
  username test password JAasdf434ey521ZCT encrypted privilege 15
  tunnel-group anyconnect type remote-access
  tunnel-group anyconnect general-attributes
  address-pool vpn_pool
  default-group-policy GroupPolicy_anyconnect
  tunnel-group anyconnect webvpn-attributes
  group-alias anyconnect enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:24bcba3c4124ab371297d52260135924
  : end :

  : Saved
  ASA Version 8.4(4)1
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface GigabitEthernet0/1
  nameif inside
  security-level 99
  ip address 192.168.1.254 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 99
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name dock.local
  same-security-traffic permit inter-interface
  object network inside-network-object
  subnet 192.168.1.0 255.255.255.0
  object network management-network-object
  subnet 192.168.100.0 255.255.255.0
  object network NETWORK_OBJ_192.168.250.0_25
  subnet 192.168.250.0 255.255.255.0
  object-group network AllInside-networks
  network-object object inside-network-object
  network-object object management-network-object
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
  access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-647.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic AllInside-networks interface
  nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
  nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
  access-group outside_access_in in interface outside
  access-group inside_access_in in interface inside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.100.2 255.255.255.255 management
  http 192.168.100.0 255.255.255.0 management
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 192.168.100.0 255.255.255.0 management
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  webvpn
  enable outside
  anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_Anyconnect_VPN internal
  group-policy GroupPolicy_Anyconnect_VPN attributes
  wins-server none
  dns-server value 8.8.8.8
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelall
  split-tunnel-network-list value split_tunnel
  default-domain value dock.local
  username sander password f/J.5nLef/EqyPfy encrypted
  username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
  tunnel-group Anyconnect_VPN type remote-access
  tunnel-group Anyconnect_VPN general-attributes
  address-pool Anyconnect-pool
  default-group-policy GroupPolicy_Anyconnect_VPN
  tunnel-group Anyconnect_VPN webvpn-attributes
  group-alias Anyconnect_VPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http
  https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email
  [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
  : end:

• ASA 5505 vpn connection issues

  Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
  hostname ciscoasa
  domain-name .com
  enable password w3iW.W8jLtqmhFnt encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 72.xxx.xx.xx 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
   domain-name .com
  access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
  55.255.0
  access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
  .255.0
  access-list OUTSIDEACL extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/flash
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONATACL
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDEACL in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 10.10.10.1 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 13 match address VPNACL
  crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
  crypto map VPNMAP 13 set transform-set ESPDESMD5
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 13
   authentication pre-share
   encryption des
   hash md5
   group 2
   lifetime 86400
  telnet 10.10.10.0 255.255.255.0 inside
  telnet 192.1.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.1.1.6 192.1.1.4
  dhcpd wins 192.1.1.6 192.1.1.4
  dhcpd ping_timeout 750
  dhcpd domain .com
  dhcpd auto_config outside
  dhcpd address 10.10.10.10-10.10.10.40 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 76.xxx.xxx.xx type ipsec-l2l
  tunnel-group 76.xxx.xxx.xx ipsec-attributes
   pre-shared-key *
  tunnel-group 68.xx.xxx.xxx type ipsec-l2l
  tunnel-group 68.xx.xxx.xxx ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:229af8a14b475d91b876176163124158
  : end
  ciscoasa(config)#reciated

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• IP Phone Over SSL VPN Registering Issue

  I have a Cisco 7945G phone that I have setup with a VPN profile so it can be used remotely.  This device was configured properly, tested at multiple locations and implemented.  This device worked fine for several months but recently the end user has moved into a new house and now has a new service provider (Verizon FIOS).  Now for some reason the phone will not get past the Registering process and doesn't prompt her for her VPN credentials.  Nothing has changed with the phone so I am assuming it is either her new ISP or the Modem/Router they provided her.  The device gets an IP address via DHCP from her home network but then just sits as the registering screen.  She is able to use the Anyconnect client on her laptop to connect to our SSL VPN that way so I don't think the provider is blocking VPN traffic; but there is something that is stoping the phone from getting out.            

  Honestly best thing you could try is download the console logs from the phone and review the VPN bootup process. Check if it's able to establish a TCP connection to the URL of the VPN.
  Maybe their DHCP doesn't give it a DNS server, and phone is unable to resolve your VPN URL? (a shoot in the dark)
  If the phone console logs don't reveal a lot of info, your best shot is a capture at the user site, so we could review the process.

• Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

  We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
  "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
  Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
  Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
  Any insight would be greatly appreciated.
  I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
  Thanks much,
  Justin

  Javier,
  I logged into the ASA last time the VPN went down. I issued the following commands:
  debug crypto isakmp 190
  debug crypto ipsec 190
  capture outside-cap interface outside match udp any any
  I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
  show capture outside | include 500
  and also got nothing. So I issued the following command:
  ping 4.2.2.2
  Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
     1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100    1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100
  It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
  Once again, any insight would be greatly appreciated.
  Thanks,
  Justin

• IPad2, Verizon 3G, VPN Connectivity Issues

  Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
  For those enterprise users that have an iPad2 with Verizons 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any work around to allow connectivity or does it work fine for you?
  Here's a summary of my issues:
  We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux,  Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
  Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it fails. I then took an associates iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G so, I can't speak for that.
  Here's the logs from the VPN server while connecting from my iPad2:
  Wi-Fi
  Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
  Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
  Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
  Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
  Jul 27 05:20:46 localhost pppd[31694]: local  IP address 192.168.1.69
  Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
  Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
  Quick connect, able to utilize VPN connection normally. No issues.
  Verizon 3G
  Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
  Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
  Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
  Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
  Jul 27 05:20:33 localhost pppd[31682]: Exit.
  As you can see, the peer refuses to authenticate causing the link to be terminated while attempting to connect using Verizons network. This is with the same VPN connection settings on the iPad2 that just worked with WiFi connection from the same device.
  Here's what I can verify with regards to 3G networks:
  Older (<4) iPhones and iPad1 using AT&T can connect
  Windows and OS X based laptops using Sprint 3G can connect
  Android based smart phones using Sprint 3G can connect
  I have not called Verizon or Apple Support yet but, that's next when I have the time. My initial conclusion is that there is something with Verizons 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?

  Hi Alexander,
  I am running in to the exact same issue (although not with Linux).  Did you ever find a fix for this?  I have some support tickets open with my VAR's, but found your post and thought I would check.  If I find anything I will post.
  Thanks
  Stu

• WRT54GS VPN Connection Issues: Error code 87

  Hello experts,
  I have unsuccessfully tried to help my wife connect her XP laptop to her work VPN over our home wi-fi network. I have a WRT54GS v.4 router with the latest firmware, WPA2 encryption. It connects to the VPN just fine but is unable to ping any internal IP addresses and I get the following log message everytime. 
  1      09:58:43.546  10/10/09  Sev=Warning/2 CVPND/0xE3400013
  AddRoute failed to add a route: code 87
   Destination 192.168.1.255
   Netmask 255.255.255.255
   Gateway 192.168.1.1
   Interface 192.168.1.237
  2      09:58:43.546  10/10/09  Sev=Warning/2 CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a801ed, Gateway: c0a80101.
  I have tried the following troubleshooting tasks:
  a) Plugged her laptop directly to the cable modem >> Works like a charm which makes me think it has got to be a router issue.
  b) Reset to factory defaults, tried running it without any encryption, tried running it in DMZ mode >> No joy, still get the same above error message in the VPN log.
  c) Opened up ports 500 and 1723 for TCP/IP and UDP with her laptop's IP address >> Still no luck.
  All passthrough options are enabled for VPN in the router's config interface. I have also tried disabling the router's firewall.
  I am at my wit's end here guys. Is it possible that the WRT54GS isn't VPN friendly (although it seems very unlikely) and I just have to get another router? Any help is appreciated.
  Edit: The VPN server is IPSec/UDP
  Message Edited by sidewinder_us on 10-10-2009 07:36 AM

  No, I wasn't trying to ping my router from the VPN connection, I was trying to ping the VPN host server at the office for troubleshooting purposes and the request times out everytime. I am still getting the error message in the log "AddRoute failed to add a route: code 87". I disabled "Block Anonymous Internet Requests" like you said but it didn't make any difference. I am able to ping the computer's IP address assigned by the VPN but I can't ping the host server or anything else.
  It's basically connecting to the VPN but not connecting as in I can't do anything on the VPN like access local folders or run a specific software called eClinicalWorks which works fine from the office.
  If I plug the laptop directly to the cable modem, I don't get that error message in the VPN client's log anymore and everything works fine.
  Message Edited by sidewinder_us on 10-12-2009 03:14 PM

• ASA 5505 VPN Connection Issue

  Good morning everyone,
  At my last position I was IT Director whose area of expertise was database and application development. All of the company's networking planning and maintainence I entrusted to my sysadmin, Salvadore. Back in 2004 we began implementing major changes in the network. Salvadore recommended SonicWALL firewalls. He did a fantastic job of securing our valuable server assets. Among the many improvements Salvadore established VPN access to the datacenter assets for mobile employees. What I remember especially well was the ease-of-use: start the VPN Client then RDP to a server or connect with SQL Server, in addition to connecting to all devices on my home network. It was absolutely beautiful!
  Fast forward to today. I have since retired. I do a little bit of daytrading on the side for entertainment. I leased a dedicated server to run an application that runs continuously 24 hours a day, 5 days a week. I contacted Salvadore to do a security audit on the server. As expected the server was under constant assault by bots trying to hack the RDP port. Salvadore recommended a firewall. The datacenter host offered us two choices of Cisco firewalls, one of which we chose: ASA 5505.
  Today I have a secure server which pleases me. The one thing that bothers me however is that I lose access to my home network devices while the VPN Client is connected. Here are the symptoms:
  I cannot send an email with Outlook as I normally do by relaying off of my Internet provider's SMTP server.
  I cannot connect to the TradeStation servers with my TradeStation application using login credentials that are authorized for my home network only.
  I cannot access my Seagate network storage drive.
  This is what I discovered:
  My wireless adapter (which I use from this laptop) identifies itself as "Wireless LAN adapter Wireless Network Connection" in IPCONFIG. IPv4 address is 192.168.0.5. Default Gateway: 192.168.0.1.
  After I connect the VPN Client, IPCONFIG reports a new adapter: "Ethernet adapter Local Area Connection 2". IPv4 address is 10.0.10.4. Default Gateway: 10.0.10.1.
  When I launch Windows Task Manager and click on the Networking tab, I see those two adapters.
  When launch IE and go to bandwidthplace.com to run a test, I see all of the network traffic going over "Ethernet adapter Local Area Connection 2".
  When I disconnect VPN and then rerun the bandwidth test, I see that all of the network traffic now goes over "Wireless LAN adapter Wireless Network Connection".
  This explains all of the symptoms:
  My Internet Provider will only allow me to relay off of their email servers if I am connected to their network.
  TradeStation refuses connection to their network because my credentials do not match my network address.
  There is no Seagate network storage device on the remote server network.
  My questions to the Cisco Support Community are:
  Is this the best I can hope for?
  Must all traffic be routed through the VPN connection?
  Is there any way to route traffic destined for 10.0.*.* through VPN and everything else through the default connection?
  Thank you everyone for your help. I would be happy to provide additional detailed information.

  Hi Brian,
  you can route traffic destined to 10.0.*.* over the VPN and keep normal internet traffic unencrypted over the default connection - this setup is known as VPN Split Tunnelling.
  This doc shows how to setup the access control list and apply this to the tunnel policy.
  Hope this helps
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

• IP phone SSL VPN configuration issue

  Hello,
  I am trying to configure the SSL VPN for the IP phone.
  I am using the CM8.0.2 and 7975.
  - I configured ASA and tested with my PC. PC can ping the CM.
  - I uploaded the ASA cert as a Phone-VPN-trust
  - I uploaded the CA root cert. Tried both, Phone-VPN-trust and Phone-trust. Which one is correct?
  - I created a VPN gateway and typed URL and selected the cert
  - I created the VPN group and added the VPN gateway to it.
  - I created the VPN profile and added the VPN group to it.
  - I disabled the Host ID check
  - I configured the Common Phone Profile with VPN group and VPN profile and added it to a 7975 phone.
  When I go into the phone settings, the VPN option is disabled and the Enable soft button is greyed out.
  What is missing? What am I doing wrong?

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• Cisco ASA 5505 VPN connection issue ("Unable to add route")

  I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
  Setup:
  * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
  * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
  NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
  I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
  First I tried with the built-in ASDM IPSec Wizard, instructions found here.
  VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
  Client logs show following error messages:
  1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.101
  3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
  4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
  6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
  Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
  7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
  Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
  8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
  AddRoute failed to add a route with metric of 0: code 160
  Destination     192.168.1.255
  Netmask     255.255.255.255
  Gateway     172.16.1.1
  Interface     172.16.1.100
  9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
  Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
  I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
  A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(5)
  hostname AsaDWD
  enable password kLu0SYBETXUJHVHX encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group DW-VPDN
  ip address pppoe setroute
  ftp mode passive
  access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn group DW-VPDN request dialout pppoe
  vpdn group DW-VPDN localname fa******@SKYNET
  vpdn group DW-VPDN ppp authentication pap
  vpdn username fa******@SKYNET password *****
  dhcpd auto_config outside
  dhcpd address 192.168.2.5-192.168.2.36 inside
  dhcpd domain DOMAIN interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DWD internal
  group-policy DWD attributes
  vpn-tunnel-protocol IPSec
  username test password ******* encrypted privilege 0
  username test attributes
  vpn-group-policy DWD
  tunnel-group DWD type remote-access
  tunnel-group DWD general-attributes
  address-pool DWD-VPN-Pool
  default-group-policy DWD
  tunnel-group DWD ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
  message-length maximum client auto
  message-length maximum 512
  policy-map global_policy
  class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
  : end
  I've installed everything using the CLI as well (after a factory reset). This however yielded exactl the same issue.
  Following commands have been entered:
  ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
  username *** password ****
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption 3des
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 43200
  isakmp enable outside
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
  crypto dynamic-map outside_dyn_map 10 set reverse-route
  crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
  crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto isakmp nat-traversal
  sysopt connection permit-ipsec
  sysopt connection permit-vpn
  group-policy dwdvpn internal
  group-policy dwdvpn attributes
  vpn-tunnel-protocol IPSec
  default-domain value DWD
  tunnel-group dwdvpn type ipsec-ra
  tunnel-group dwdvpn ipsec-attributes
  pre-shared-key ****
  tunnel-group dwdvpn general-attributes
  authentication-server-group LOCAL
  default-group-policy dwdvpn
  Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
  I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
  The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
  Does anyone know what's going on?

  Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
  Please find my renewed config below:
  DWD-ASA(config)# sh run: Saved:ASA Version 8.2(5) !hostname DWD-ASAenable password ******* encryptedpasswd ****** encryptednames!interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 nameif inside security-level 100 ip address 192.168.2.254 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group DWD ip address pppoe setroute !ftp mode passiveaccess-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224 pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1no asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyhttp server enablehttp 192.168.2.0 255.255.255.0 insidehttp 0.0.0.0 0.0.0.0 outsideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec security-association lifetime seconds 28800crypto ipsec security-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400telnet timeout 5ssh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0vpdn group DWD request dialout pppoevpdn group DWD localname *****@SKYNETvpdn group DWD ppp authentication papvpdn username *****@SKYNET password ***** dhcpd auto_config outside!dhcpd address 192.168.2.10-192.168.2.40 insidedhcpd enable inside!threat-detection basic-threatthreat-detection statistics access-listno threat-detection statistics tcp-interceptwebvpn enable outside svc enablegroup-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpngroup-policy dwdipsec internalgroup-policy dwdipsec attributes vpn-tunnel-protocol IPSec default-domain value DWDDOMusername user1 password ***** encrypted privilege 0username user1 attributes vpn-group-policy dwdipsectunnel-group dwdipsec type remote-accesstunnel-group dwdipsec general-attributes address-pool vpnpool default-group-policy dwdipsectunnel-group dwdipsec ipsec-attributes pre-shared-key *****tunnel-group dwdssl type remote-accesstunnel-group dwdssl general-attributes address-pool vpnpool!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options !service-policy global_policy globalprompt hostname context no call-home reporting anonymousCryptochecksum:f5c8dd644aa2a27374a923671da1c834: endDWD-ASA(config)#

• IOS SSL VPN application issues

  Hi,
  I have setup WEBVPN with the SSL client on a Cisco 2811. The WebVPN gateway is via a loopback address on the router, so I NAT port 443 to this address as it enters the ADSL interface.
  Everything works great apart from when I try to access an internal address on the router itself (such as the internal LAN 192.168.0.1).
  If I try to telnet to this address I connect but then spurious characters appear and the session hangs. I also cannot access the CME web pages via this address.
  I have tried disabling CEF to see if some weird internal issue is the problem but that did not fix it.
  Anyone else experienced this?
  Thanks
  Scott

  Farrukh,
  As requested please see related config below:
  aaa new-model
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_1 local
  aaa authentication login sdm_vpn_xauth_ml_2 local
  aaa authentication login sdm_vpn_xauth_ml_3 local
  aaa authorization exec default local
  aaa authorization network sdm_vpn_group_ml_1 local
  ip cef
  crypto pki trustpoint TP-self-signed-569873274
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-569873274
  revocation-check none
  rsakeypair TP-self-signed-569873274
  crypto pki certificate chain TP-self-signed-569873274
  certificate self-signed 01
  interface GigabitEthernet1/0
  description $SWDMADDR:192.168.0.2$
  ip address 10.0.0.1 255.255.255.0
  no ip route-cache cef
  interface GigabitEthernet1/0.1
  encapsulation dot1Q 1 native
  ip address 192.168.0.1 255.255.255.0
  ip access-group 100 in
  ip nat inside
  ip virtual-reassembly
  no ip route-cache same-interface
  interface GigabitEthernet1/0.20
  encapsulation dot1Q 20
  ip address 192.168.20.1 255.255.255.0
  ip helper-address 10.0.0.1
  no ip route-cache same-interface
  interface Dialer0
  description $FW_OUTSIDE$
  ip address negotiated
  ip access-group 101 in
  ip mtu 1452
  ip nat outside
  ip inspect SDM_LOW out
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ip local pool TEST 192.168.20.200 192.168.20.240
  ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  access-list 101 remark WEBVPN
  access-list 101 permit tcp any host 203.206.169.63 eq 443
  access-list 101 deny ip any any log
  route-map SDM_RMAP_1 permit 1
  match ip address 102
  webvpn gateway gateway_1
  ip address 203.206.169.63 port 443
  ssl trustpoint TP-self-signed-569873274
  inservice
  webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
  webvpn context Default_context
  ssl authenticate verify all
  no inservice
  webvpn context visicom
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  url-list "WEB"
  heading "Welcome"
  url-text "OWA" url-value "http://192.168.0.10/exchange"
  policy group policy_1
  url-list "WEB"
  functions svc-enabled
  svc address-pool "TEST"
  svc keep-client-installed
  svc rekey method new-tunnel
  svc split include 192.168.0.0 255.255.255.0
  svc split include 192.168.20.0 255.255.255.0
  svc split include 10.10.10.0 255.255.255.0
  default-group-policy policy_1
  aaa authentication list sdm_vpn_xauth_ml_3
  gateway gateway_1
  inservice

• Server 2012 R2 RRAS NAT VPN connectivity issues

  Hello all,
  I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not
  working properly.
  Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
  1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
  2. The entire environment is on Server 2012 R2 Hyper-V. I’ve configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I’ve configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching
  to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
  3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it’s not an IP changing anywhere.
  I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
  4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I’m thinking this is
  where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
  5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
  6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
  The actual error I'm receiving is Error 809 which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had
  no issues connecting to my VPN server remotely.
  Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
  1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
  2. How can I test if NAT-T is working outside of VPN testing?
  3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond
  that server? What are the security implications for running VPN from the router?
  Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have netmon
  captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience,
  recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
  Respectfully yours,
  Ron Arestia

  Hi Ron,
  Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
  For detailed information, please refer to the link below:
  http://support.microsoft.com/kb/926179
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• VPN connection issue - problem accessing individual computers on network

  Hello,
  So far I have set up my XServe for VPN access so I can log into my office mac network from my home mac using the L2TP protocol. The server sits behind a basic router, and the router forwards the following ports direct to the server's IP address (192.168.1.2): ports 500, 4500, 1701 and 548 (AFP).
  The office network uses 192.168.1.x IP range and each computer has a static DHCP map assigned, and each machine also has a unique DNS name to simplify access to them.
  My home mac uses 192.168.0.x range.
  The server has NAT turned off and also the firewall off for the moment, while I test everything.
  The VPN is set to provide the IP range 192.168.1.150 to 192.168.1.174 to remote clients, and in the Client Information settings pane it is set for: DNS servers = 192.168.1.2, network routing definitions = 192.168.1.0, netmask 255.255.255.0 (Private) and 0.0.0.0, netmask 0.0.0.0 (Public).
  I can connect fine over VPN from home using internet connect, I am assigned an IP address with the 192.168.1.150-174 range and can connect through the "Go" menu's "Connect to server..." directly to the server on 192.168.1.2. What I cannot do is use this method to connect to any other computer on the network (for example 192.168.1.5), nor can I use DNS names to reach them.
  In the internet connect app I set the DNS server as 192.168.1.2, is this correct? Also, do I need to open port 53 (DNS) on my router? Is there something else I have overlooked as this is all new to me.
  Thanks for your help.

  OK, sorry my bad. The macs did not have Personal File Sharing enabled, now they have I can link via their individual IP addresses. Doh!
  But I still want use DNS names, can anyone shed any light on that?