BSOD with VPN Client problem

I use the VPN Client 5.0.06.0110 to connect to my computer at home at my desk, which has an ASA5505.  If the immediate network connection to the client PC is lost while the VPN is active, I get a BSOD.  There is no problem if my DSL or a cable beyond my router is disconnected.  It only (and always) fails if the network cable to the computer running the VPN Client is cut (or if my router loses power) while the link is connected.

I am running:

Windows 7 (all updates installed)

Pentium Core 2

4 GB of ram

Atheros L1 Gigabit 10/100/1000 controller

Any suggestion would be appreciated.

BTW, here is the description for your reference:

PC restarts if physical link is disrupted during a VPN connection

Symptom:
The computer restarts (the user may also see a Blue Screen Of Death (BSOD) before the reboot, depending on the setup of the PC) if the physical link is disrupted during a VPN connection (that is, when you see the error message "a network cable is unplugged").  This can occur if you run "shutdown" on the switch port your PC is connected to, turn off the SOHO router (or switch) the PC is connected to, lose your WiFi connection, or even disconnect the LAN cable from your wired Ethernet port.

Conditions:
Loss of physical connection during a VPN connection.


Similar Questions

  • VPN access with VPN client problem. Help, please

    I have a PIX 520 as the VPN tunnel endpoint device. I was able to establish an IPsec connection. I checked that I was given an address from the IP pool that I set up, but I can't reach any resource on the internal network. I could only ping myself. When I run 'ipconfig /all' I see my address on the correct VPN interface with DNS, but my default gateway is set to my own address. I think that's the problem. Please help me solve this problem. Let me know if you need more information.

    Here are some suggestions you might try to get this working:

    1.) Change your conduits to access-lists. Conduits are no longer supported by Cisco even if they still work. This will help you in debugging your access list because there will be hit counts.

    There is a tool from Cisco for converting conduits to access lists:

    http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX?sort=release

    Download: occ-121.zip

    PIX Firewall Outbound Conduit Converter binary for Windows, version 1.2.1

    2.) Change your VPN pool.

    ip local pool techvpn 10.x.x.100-10.x.x.120

    With this pool, you already have a 10.x.x.x subnet in your internal network. The ip pool automatically assigns a 255.0.0.0 subnet mask to the VPN clients. This may cause routing problems. You can use a subnet not used anywhere else, such as 172.16.100.x.

    Example:

    no vpngroup lsdvpn address-pool techvpn
    no ip local pool techvpn
    ip local pool techvpn 172.16.100.1-172.16.100.254
    vpngroup lsdvpn address-pool techvpn
    no access-list inside_outbound_nat0_acl
    no access-list outside_cryptomap_dyn_20
    access-list inside_outbound_nat0_acl permit ip any 172.16.100.0 255.255.255.0
    access-list outside_cryptomap_dyn_20 permit ip any 172.16.100.0 255.255.255.0
    clear ipsec sa
    clear isakmp sa

    Sincerely

    Patrick

  • VPN client problem long transfer of files with VPN3000

    I have problems transferring big files (more than 4 MB) using VPN Client 4.8.02 or 5.0 with a VPN 3020 running 4.7.2.N

    This looks like an MTU issue. Try reducing the MTU value by running SetMTU.exe on the VPN client. Make sure the do-not-fragment bit is not set on the intermediate routers. For setting the MTU on the VPN 3000, refer to the URL http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00800d81b3.html

  • Access PIX using SSH when connected remotely with VPN client

    Hello

    I think that this should be fairly simple for someone to sort out for me - I'm new to PIX configuration, so please excuse my stupidity!

    I changed the config on our PIX to allow only access via SSH (rather than via telnet as it was previously configured)

    Now, everything works fine when I'm in the office - I can connect to the PIX using SSH without any problem.

    However, if I work from home and connect to the office using my VPN client (IPSEC tunnel ends on the PIX firewall itself) I find that I can not connect to the PIX.

    I have configured the PIX to access ssh on the office LAN subnet and the client pool of IP addresses used for VPN connections by using the following commands:

    ssh 172.64.10.0 255.255.255.0 inside

    ssh 192.28.161.0 255.255.255.0 inside

    where the 1st line is reference to the office's LAN, which works very well, and the 2nd line denotes the IP address pool configured on the PIX for VPN access.

    Can someone tell me how to fix this? I have the feeling that it's something pressing!

    Thank you

    Neil

    Try the command "management-access inside".

  • Internet access with VPN Client to ASA and full effect tunnel

    I'm trying to migrate from our concentrator to our new ASA 5520s. The concentrator has been used only for VPN Client connections, and I have not had the easiest road. However, for some reason, I can't access the internet through our business network when I use profiles with full tunneling.

    I've included the configuration file, with much of the public IP information and the site-to-site tunnels omitted. I left in all the relevant parts on tunnel-groups and group policies concerning connectivity of VPN clients. The range of addresses that I use for VPN clients is 172.16.254.0/24. The group with which I'm trying to access the internet is "adsmgt", and the full tunnel to our network works fine.

    As always, any help is appreciated. Thank you!

    Hüseyin... good to see you back, bud. Yes, try Hüseyin's suggestions... If we looked to be ok, we'll try a different approach...

    I'm thinking too: because it is a full tunnel (no split), Jim, the ASA has to send the outbound internet traffic back out the same interface; a "same-security-traffic permit intra-interface" statement should be able to do it... but Jim, start with Hüseyin's suggestions.

    Rgds

    Jorge

  • Windows 7 64 bit VPN client problems

    Hello

    I am running Windows 7 Professional 64 bit and Cisco VPN client 5.0.07.0240. I am able to connect to my corporate network and work ok but connection is very slow!

    Connection time is distributed as follows:

    Opening the VPN Client program: 70 seconds.

    Click on connect and wait for the user credentials dialog box: 30 seconds.

    Enter the credentials, and then click ok then 'user authentication': 90 seconds.

    "Negotiate security policies": 60 seconds.

    User credentials dialog box is displayed again; re-enter the credentials as the dialog box is empty, and then click ok: 90 seconds.

    "User authentication", then connection established: 120 seconds.

    I have a colleague running 64-bit Windows 7 (ultimate edition) which uses the same version and does not have these problems.

    Any ideas anyone?

    See you soon,

    Gary

    Gary, thanks for the update. If disabling the firewall and restarting the VPN service did not help, could you please try installing version 5.0.07.0290?

    Before you do, I would like to know if you import .pcf files for the VPN Client. If so, please try to re-create a .pcf file on the PC and use this file to connect. Also, I see that the existing .pcf file you are using is read-only. Could you change this, give write permissions to the file, and try to connect? If these two steps do not help, then install version 5.0.07.0290.

    Thank you

    Delvallée

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection denied due to NAT reverse path failure. NAT problems with VPN clients after upgrading to 8.3.2.

    I recently upgraded to 8.3.2 and I was aware of these NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to fix communication between the 192.168.100.0 VPN network and hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping inside and DMZ hosts, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two previously mentioned networks as secured routes, but there is still no reply to the pings.

    # sh nat

    Manual NAT policies (Section 1)

    1 (inside) to the (whole) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    2 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    3 (inside) to the (whole) source static obj - 172.16.1.0 obj - 172.16.1.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

    translate_hits = 0, untranslate_hits = 0

    4 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - obj - unidirectional 192.168.100.0 192.168.100.0

    translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) source static obj - 172.16.9.0 obj - 172.16.9.0 destination static obj - 172.16.12.0 obj - one-way 172.16.12.0

    translate_hits = 0, untranslate_hits = 0

    Auto NAT policies (Section 2)

    1 (dmz), to the source (external) static obj - 172.16.9.5 interface tcp www www service

    translate_hits = 0, untranslate_hits = 142

    2 (dmz) (outdoor) source static obj - 172.16.9.5 - 01 interface service tcp 3389 3389

    translate_hits = 0, untranslate_hits = 2

    3 (dmz) (outdoor) source static obj - 172.16.9.5 - 02 interface tcp ldap ldap service

    translate_hits = 0, untranslate_hits = 0

    4 (dmz) (outdoor) source static obj interface - 172.16.9.5 - 03 service ftp ftp tcp

    translate_hits = 0, untranslate_hits = 0

    5 (dmz) to (outside) of the source static obj - 172.16.9.5 - 04 interface tcp smtp smtp service

    translate_hits = 0, untranslate_hits = 267

    6 (inside) source static obj - 172.16.9.0 172.16.9.0 (dmz)

    translate_hits = 4070, untranslate_hits = 224

    7 (inside) to (dmz) source static obj - 10.1.0.0 10.1.0.0

    translate_hits = 0, untranslate_hits = 0

    8 (inside) to (dmz) source static obj - 172.16.0.0 172.16.0.0

    translate_hits = 152, untranslate_hits = 4082

    9 (dmz) to dynamic interface of the obj - 172.16.9.0 - 01 source (outdoor)

    translate_hits = 69, untranslate_hits = 0

    10 (inside) to the obj_any interface dynamic source (external)

    translate_hits = 196, untranslate_hits = 32

    I think you need the following two NAT statements:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them and remove any additional NAT configuration and then try again.

  • IPSec remote VPN with VPN client in error

    Hello

    ASA 5505 configuration is: (installation using ASDM)

    output from the command: 'show running-config '.

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname TEST
    enable password _ encrypted
    passwd _ encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    ftp mode passive
    access-list sap_vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test_pool 192.168.10.0-192.168.10.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sap_vpn internal
    group-policy sap_vpn attributes
     dns-server value 192.168.2.1
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value sap_vpn_splitTunnelAcl
    username test password _ encrypted privilege 0
    username test attributes
     vpn-group-policy sap_vpn
    username TEST password _ encrypted privilege 15
    tunnel-group sap_vpn type remote-access
    tunnel-group sap_vpn general-attributes
     address-pool test_pool
     default-group-policy sap_vpn
    tunnel-group sap_vpn ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:b67cdffbb9567f754052e72f69ef95f1
    : end

    I use the VPN client with host IP 192.168.2.20 and group authentication with name sap_vpn and the pre-shared key as password, but I am not able to connect to the VPN and get the attached error message.

    The ASA was set up with the initial ASDM wizard: inside interface IP 192.168.1.1 (VLAN1) and outside interface (VLAN2) IP 192.168.2.20 assigned by DHCP. I use the outside interface IP 192.168.2.20 as the host IP in the VPN client for the remote connection. Is that correct?

    Please advise for this.

    Hello

    What about a static IP on the outside? We need a static IP address to connect; please try again and let us know how it works.

    Kind regards

  • VPN - PC (vpn client) problem-> router-> (site to site vpn)-> local network

    Hello

    Is it possible to set this up?

    I have a pc and I want to connect to the Remote LAN.

    PC (using vpn client) - vpn (internet)---> ROUTER1 - a vpn (MPLS network)---> ROUTER2---> SERVER site

    How can I connect to a remote server? Is there an easy way?

    I did the configuration of the vpn client (I can connect ROUTER1 and access a LAN via vpn with 192.168.1.x), but I can't connect to the server, even if I set the subnet (192.168.1.x) under the access list of site to site vpn (access list for traffic that must pass between ROUTER1 and ROUTER2).

    Please advise! Thanks in advance.

    Looks like I've not well explained.

    On ROUTER1

    ===================

    1. ACL VNC_acl is used for the split tunnel, so you should include the server_NET IP in it, NOT the VPN IP pool.

    2. ACL najavorbel is used to define the LAN-to-LAN traffic between ROUTER1 and ROUTER2, so you should include

    IP 192.168.133.0 allow 0.0.0.255 0.0.0.255

    You must change the crypto ACL on ROUTER2 to mirror the ACL najavorbel.

    The other way is to NAT the VPN client IP to a LAN IP of ROUTER1; this way, you don't need any changes on ROUTER2. But I have to take a look at your configuration to make the suggestion.

  • Cisco 2621 to VPN client problem

    If I ping from the client to the network (behind the router), debug shows the client encrypting and the router decrypting. The ping fails because the router is not encrypting, so the client is not getting anything to decrypt.

    The setup is a bit different because the default route points inside the network, as this is not the regular internet gateway. I have to add routes pointing to the client that connects from the internet. Also, one machine uses this as a gateway (using a route-map). To troubleshoot, I removed the custom route-map, without result. I am thinking of changing the default route, but I don't see how this would have an effect on it.

    Any ideas? Am I missing something?

    Cisco 2621 running 12.2(15)T, with the latest version of the client.

    username XXX password 7 XXXXXX
    aaa new-model
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group XXXX
     key XXXXX
     pool ippool
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    interface Loopback1
     ip address 192.168.254.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address 200.x.x.x 255.255.x.x
     no ip proxy-arp
     ip nat outside
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/1
     ip address 10.0.0.1 255.255.255.0
     no ip proxy-arp
     ip nat inside
     ip policy route-map CUSTOMGATE
     duplex auto
     speed auto
    !
    ip local pool ippool 10.172.10.100 10.172.10.200
    ip nat inside source route-map sheep interface FastEthernet0/0 overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.0.30
    ip route 20.x.x.x 255.255.255.255 200.x.x.x (this is here to let it talk to the client)
    access-list 100 deny ip 10.0.0.0 0.0.0.255 10.172.10.0 0.0.0.255
    access-list 100 permit ip 10.0.0.0 0.0.0.255 any
    access-list 110 deny ip host 10.0.0.73 10.1.0.0 0.0.0.255
    access-list 110 permit ip host 10.0.0.73 any
    !
    route-map CUSTOMGATE permit 10
     match ip address 110
     set ip next-hop 200.x.x.x
    !
    route-map sheep permit 10
     match ip address 100
    !

    Add at least:

    > ip route 10.172.10.0 255.255.255.0 200.x.x.x

    to force the traffic for the VPN clients out the outside interface. Also make sure you have a route for the client's IP address (not the VPN-negotiated one) that also points to the outside interface.

    The fact that the router is not encrypting means that it is not even seeing the responses from the inside hosts, which indicates that your internal network does not have a route to 10.172.10.0 pointing to this router, OR the router receives the responses but sends them back out the inside interface, which will be fixed by the first route I mentioned above.

  • Installation of VM with VPN client that prevents access to the local network

    What is the best approach for the connection to the VPN in the following scenario?

    We want to set up VMs for our projects for VPN client networking (using the Cisco VPN client). In many cases the VPN profile that is configured by the client is configured to prevent access to the local network and instead tunnels everything through the VPN.

    I tried the NAT and Bridged networks, and once you connect with the VPN client, the connectivity of the virtual machine is limited to the VMware console. SSH and other connections no longer work.

    Thanks for any idea.

    I'd VNC - that's what I use for a VM XP that uses the client VPN SecuRemote CheckPoint blocking the same way (wisely) off incoming traffic when the connection is made to the other end of the VPN.

    Just paste lines similar to the following in your .vmx file when the virtual machine is shut down:

    RemoteDisplay.vnc.enabled = "TRUE"
    RemoteDisplay.vnc.port = "5910"
    RemoteDisplay.vnc.password = "somepassword"
    RemoteDisplay.vnc.keymap = "uk"

    Note that you point your VNC client software at the IP address of your Server 2.0 (and the port from your .vmx file), not the virtual machine host. Use a different port for each virtual machine you need to access simultaneously.

  • Problem with VPN client connecting the PIX of IPSec.

    PIX # 17 Sep 14:58:51 [IKEv1 DEBUG]: IP = Y, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false

    Sep 17 14:58:51 [IKEv1]: IP = Y, landed on tunnel_group connection

    Sep 17 14:58:51 [IKEv1 DEBUG]: Group = X, IP = Y, IKE SA proposal # 1, transform # 13 entry overall IKE acceptable matches # 1

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the authenticated user (X).

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, mode of transaction attribute not supported received: 5

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, Type of customer: Client Windows NT Version of the Application: 5.0.06.0160

    Sep 17 14:58:58 [IKEv1]: Group = Xe, Username = X, IP = Y, assigned private IP 10.0.1.7 remote user address

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, fast Mode resumed treatment, Cert/Trans Exch/RM IDDM

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 1 COMPLETED

    Sep 17 14:58:58 [IKEv1]: IP = Y, Keep-alive type for this connection: DPD

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P1: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, data received in payload ID remote Proxy Host: address 10.0.1.7, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, received data IP Proxy local subnet in payload ID: address 0.0.0.0 Mask 0.0.0.0, protocol 0, Port 0

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, his old QM IsRekeyed not found addr

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, remote peer IKE configured crypto card: outside_dyn_map

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec processing SA payload

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, IPSec SA proposal # 14, turn # 1 entry overall SA IPSec acceptable matches # 20

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, IKE: asking SPI!

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, Y = IP, IPSec initiator of the substitution of regeneration of the key duration to 2147483 to 7200 seconds

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, passing the Id of the Proxy:

    Remote host: 10.0.1.7 Protocol Port 0 0

    Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol Port 0 0

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, IP = notification sending answering MACHINE service LIFE of the initiator

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, the security negotiation is complete for the user (slalanne) answering machine, Inbound SPI = 0x6044adb5, outbound SPI = 0xcd82f95e

    Sep 17 14:58:58 [IKEv1 DEBUG]: Group = X, Username = X, Y = IP, timer to generate a new key to start P2: 6840 seconds.

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, adding static route to the customer's address: 10.0.1.7

    Sep 17 14:58:58 [IKEv1]: Group = X, Username = X, IP = Y, PHASE 2 COMPLETED (msgid = c4d80320)

    PIX # 17 Sep 14:59:40 [IKEv1]: Group = X, Username = X, Y = IP, Connection over for homologous X.  Reason: Peer terminate remote Proxy 10.0.1.7, 0.0.0.0Sep Proxy Local 17 14:59:40 [IKEv1 DEBUG]: Group = X, Username = X, IP = Y, IKE removing SA: 10.0.1.7 Remote Proxy, Proxy Local 0.0.0.0

    Sep 17 14:59:40 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    The IPSec debugs are also normal.

    Now this user disconnects and other clients connect normally. The former user then tries to connect to the site again, and here is the difference in the debug:

    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, Y = IP, tunnel IPSec rejecting: no entry card crypto for remote proxy proxy 10.0.1.8/255.255.255.255/0/0 local 0.0.0.0/0.0.0.0/0/0 on the interface outside
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, error QM WSF (P2 struct & 0x2a5fd68, mess id 0x16b59315).
    Sep 17 14:25:22 [IKEv1 DEBUG]: Group = X, Username = X, IP = O, case of mistaken IKE responder QM WSF (struct & 0x2a5fd68) , :
    QM_DONE, EV_ERROR--> QM_BLD_MSG2, EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
    Sep 17 14:25:22 [IKEv1]: Group = X, Username = X, IP = Y, peer table correlator withdrawal failed, no match!
    Sep 17 14:25:22 [IKEv1]: IP = Y, encrypted packet received with any HIS correspondent, drop

    Here is the VPN config... and I don't see what the problem is:

    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 7200
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 20
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 7200
    crypto isakmp policy 65535
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

    access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.1.0 255.255.255.248

    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group (outside) LOCAL
    tunnel-group X type ipsec-ra
    tunnel-group X general-attributes
     address-pool addresses
     authentication-server-group (outside) LOCAL
     default-group-policy X
    tunnel-group X ipsec-attributes
     pre-shared-key *
    prompt hostname context

    mask of 10.0.1.6 - 10.0.1.40 IP local pool 255.255.255.0

    Please remove the ACL from the dynamic crypto map; it causes odd behavior.

    Try to use a split-tunnel ACL instead of the ACL in the dynamic crypto map, and let me know how it goes.
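
Added example (not part of the original thread and not Cisco code): a check of the address pool against the destination of the ACL bound to the dynamic crypto map, using the pool range 10.0.1.6 - 10.0.1.40 and the ACL destination 10.0.1.0 255.255.255.248 quoted in the post. It assumes that a dynamic map entry with "match address" only accepts a remote proxy permitted by that ACL, which is what the "no entry card crypto for remote proxy 10.0.1.8" rejection in the debug indicates; the function names are hypothetical.

```python
import ipaddress

# Values copied from the configuration quoted in the post above.
POOL_RANGE = ("10.0.1.6", "10.0.1.40")                        # ip local pool range
CRYPTO_ACL_DESTINATIONS = [("10.0.1.0", "255.255.255.248")]   # outside_cryptomap_dyn_20


def pool_addresses(first, last):
    """Return every address of an inclusive 'ip local pool' range."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if end < start:
        raise ValueError(f"pool range {first}-{last} is reversed")
    return [ipaddress.IPv4Address(value) for value in range(start, end + 1)]


def acl_networks(destinations):
    """Turn (address, netmask) ACL destinations into network objects."""
    return [
        ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
        for address, mask in destinations
    ]


def proxy_accepted(client_ip, destinations=CRYPTO_ACL_DESTINATIONS):
    """True if the client's /32 remote proxy is inside an ACL destination."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in acl_networks(destinations))


def split_pool(pool=POOL_RANGE, destinations=CRYPTO_ACL_DESTINATIONS):
    """Split the pool into addresses the ACL covers and addresses it does not."""
    nets = acl_networks(destinations)
    covered, uncovered = [], []
    for ip in pool_addresses(*pool):
        (covered if any(ip in net for net in nets) else uncovered).append(ip)
    return covered, uncovered


def as_cidr_blocks(addresses):
    """Collapse single addresses into the smallest list of CIDR blocks."""
    hosts = [ipaddress.IPv4Network(f"{address}/32") for address in addresses]
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


if __name__ == "__main__":
    covered, uncovered = split_pool()
    print("pool addresses the crypto ACL covers:    ", as_cidr_blocks(covered))
    print("pool addresses the crypto ACL rejects:   ", as_cidr_blocks(uncovered))
    for sample in ("10.0.1.7", "10.0.1.8"):   # the two addresses seen in the debug
        verdict = "Phase 2 accepted" if proxy_accepted(sample) else "Phase 2 rejected"
        print(f"{sample}: {verdict}")
```

Only the first two pool addresses fall inside the ACL's /29, which matches the debug: the client assigned 10.0.1.7 completes Phase 2, and the next client, assigned 10.0.1.8, is rejected.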

  • VPN Client problem

    A remote user on our network has problems with the Cisco VPN. They are using Win XP, Cisco Client 3.5.2 and connect via a Compaq iPAQ router into a cable modem. When they VPN into our VPN 3000 concentrator, it works very well. When they try to VPN into the PIX on our network, it indicates that the client is no longer. If they use a Microsoft VPN to connect to the network with the 3000 (we run both MS and Cisco VPN) with it set to use the default gateway on the remote network, the Cisco VPN will connect to the PIX, see the network behind the PIX, ping stuff behind the PIX, but not map a drive. The remote user can ping the PIX un-VPNed from their remote location. No other user has a problem connecting to the PIX (except those with bad remote access or satellite broadband, which cannot VPN into anything anyway). We even have a few AOLers connect to it. Help me please.

    If the Compaq iPAQ router does PAT, that might be the problem. The PIX is unable to handle IPsec clients that pass through PAT. The VPN 3000 has some mechanism to deal with this. PPTP is different from IPsec.

    You must ensure that the ipsec client has its own public routable ip address.

    Kind regards

  • CSA with the Client VPN and remote access

    Hello world!

    I have the following issue: I have to tune the CSA for a client that connects remotely with the VPN Client only. It should not be able to connect to any other network, LAN or dial-up.

    Any idea what policy I should change or tune?

    Thank you

    You can create a network access rule that depends on a system state. The system state can be defined to have an address set that belongs to the VPN range, and the network access rule would declare that the client computer cannot act as a server on UDP/TCP ports when the system state is met.

    So, if the laptop is not connected to the VPN, it would not be able to act as a server for any connections and will be locked down. You will need to create an exception for the IP address of the VPN server at your corporate office and allow the CSA client to open these ports.

  • ASA 8.3 - SSL VPN - NAT problem

    Need help finding out how to configure AnyConnect VPN with VPN clients using NAT to the internal network.

    There are many articles on the other side of this: how to disable NAT for the VPN pool.

    I need to create a VPN gateway to a complex international network; the VPN pool is out of range of the regular subnets of that network, so there are going to be routing issues without NAT.

    So I need connected VPN clients to be PATed to . The problem is that there is also a dynamic PAT rule for ordinary Internet access, which results in an "Asymmetric NAT rules..." error.

    Creating different twice NAT rules and moving them up/down makes no difference. There are also some hidden rules from the VPN setup :-( that cannot be seen.

    V8.3 seems to be destroying trust in Cisco firewalls...

    Thank you.

    Stan,

    Something like this works for me.

    192.168.0.0/24---router---172.16.0.0/24 ASA ==cloud== host (in the tunnel it gets an IP address from the 'over' pool, which is also connected to the inside)

    BSNs-ASA5520-10(config)# clear xlate
    INFO: 762 xlates deleted
    BSNs-ASA5520-10(config)# sh run nat
    nat (inside,outside) source static any any destination static SHARED SHARED
    !
    nat (inside,outside) after-auto source dynamic any interface
    BSNs-ASA5520-10(config)# sh run object network
    object network LOCAL_NETWORK
     subnet 192.168.0.0 255.255.255.0
    object network SHARED
     subnet 172.16.0.0 255.255.255.0
    BSNs-ASA5520-10(config)# sh run ip local pool
    ip local pool ALL 10.0.0.100-10.0.0.200
    ip local pool ON 172.16.0.100-172.16.0.155
    BSNs-ASA5520-10(config)# sh run tunne
    BSNs-ASA5520-10(config)# sh run tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool ON

    If I get your drift... bypass inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via the proxy arp, but I'm not face or solution providers for remote access.

    Marcin
