Cisco ASA and dynamic VPN L2L Fortigate configuration
I met a problem recently with an ASA 5510 (7.0) and a bunch of Fortigate 50 (3.0 MR7). The ASA is the hub and Fortigates are rays with a dynamic public IP.
I followed this document on the site Web of Cisco (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml) to set up my ASA and the parameters passed to my counterparts to set up their Fortigates.
However, the ASA journal reveals that attemtps Fortigate connection always tried with DefaultRAGroup before falling back to DefaultL2LGroup and finally died. Experience with putting in place a dynamic VPN between Cisco and Fortigate someone? Which could not fail at each end? Here's a typical piece of error log ASA. The ASA is currently having a static VPN tunnel and a site-2-client VPN in two groups by default.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:45 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:45 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:41 | 713905: Group DefaultL2LGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:41 | 713201: Group = DefaultL2LGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
4. January 10, 2011 20:58:39 | 713903: Group = DefaultL2LGroup, IP = 116.230.243.205, ERROR, had decrypt packets, probably due to problems not match pre-shared key. Abandonment
5. January 10, 2011 20:58:39 | 713904: Group = DefaultL2LGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
6. January 10, 2011 20:58:39 | 713905: Group = DefaultRAGroup, IP = 116.230.243.205, WARNING, had decrypt packets, probably due to problems not match pre-shared key. User switching to the tunnel-group: DefaultL2LGroup
5. January 10, 2011 20:58:39 | 713904: Group = DefaultRAGroup, IP = 116.230.243.205, received the package of Mode main Oakley encrypted with invalid payloads, MessID = 0
4. January 10, 2011 20:58:33 | 713903: Group = DefaultRAGroup, IP = 116.230.243.205, error: cannot delete PeerTblEntry
3. January 10, 2011 20:58:33 | 713902: Group = DefaultRAGroup, IP = 116.230.243.205, Removing peer to peer table has no, no match!
6. January 10, 2011 20:58:33 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:33 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:25 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:25 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
6. January 10, 2011 20:58:21 | 713905: Group DefaultRAGroup, IP = 116.230.243.205, P1 = relay msg sent to the WSF MM
5. January 10, 2011 20:58:21 | 713201: Group = DefaultRAGroup, IP = 116.230.243.205, in double Phase 1 detected package. Retransmit the last packet.
5. January 10, 2011 20:58:19 | 713904: IP = 116.230.243.205, encrypted packet received with any HIS correspondent, drop
Yes, sounds about right. He will try to match with the DefaultRAGroup first, and when you know that it's a dynamic IPSec in LAN-to-LAN, it will be
then back to the DefaultL2LGroup, because he doesn't know if the VPN Client or L2L again when he is contacted fist as they are connecting from dynamic IP peer.
You must ensure that your L2L tunnel-group by default has been configured with the corresponding pre-shared key.
Assuming that you have configured the dynamic map and assign to the card encryption.
Here is an example of configuration where ASA has a static and peripheral ip address pair has dynamic IP:
Hope that helps.
Tags: Cisco Security
Similar Questions
-
Cisco ASA and AnyConnect VPN certificate error
Hello
I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:
I don't have public certificate in ASA. Is it possible to use the self-signed certificate and get rid of this warning message?
Hello
This is expected behavior on the SAA for an SSL connection. You can certainly use the certificate self-signed on the SAA and then apply it on the external interface.
Once done, you will need to install this certificate on the clients and this will alleviate the popup error message.Here is a document that you can refer to create a self-signed certificate.
https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPNKind regards
Dinesh MoudgilPS Please note the useful messages.
-
Configure to integrate Cisco ASA and JOINT
Hello
We have Cisco ASA and JOINT, need assistance on the integration of the same thing; Please email me so that I'll share the details of the architecture.
Thank you best regards &,.
REDA
Hi reda,.
If I correctly your diagram, you do not want to send any traffic from the external switch to the JOINT with a SPAN port and all traffic from your DMZ interfaces with another.
Is this correct?
If so, can you tell me why you want to inspect the traffic before it goes through the firewall? As I said in my original answer, we generally advise putting IP addresses after the firewall.
Not to mention that in your case, I guess that some traffic will be inspected twice so you will need to assign a different virtual sensors to each JOINT internal interfaces to ensure that the same instance does not see the traffic of several times.
Kind regards
Nicolas
-
The traffic load between the power of Cisco ASA and FireSight Management Center fire
Hi all
I have a stupid question to ask.
Can I know what is the traffic load and the e/s flow between firepower Cisco ASA and FireSight Management Center?
Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.
Maybe you all have no idea to provide.
It varies depending on the number of events reported from the module to the CSP. No event = only health controls and policy changes are exchanged. 10,000 events per second = much more traffic.
Generally it is not a heavy load, however.
-
IPSec vpn cisco asa and acs 5.1
We have configured authentication ipsec vpn cisco asa acs 5.1:
Here is the config in cisco vpn 5580:
standard access list acltest allow 10.10.30.0 255.255.255.0
RADIUS protocol AAA-server Gserver
AAA-server host 10.1.8.10 Gserver (inside)
Cisco key
AAA-server host 10.1.8.11 Gserver (inside)
Cisco key
internal group gpTest strategy
gpTest group policy attributes
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list acltest
type tunnel-group test remote access
tunnel-group test general attributes
address localpool pool
Group Policy - by default-gpTest
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
accounting-server-group Gserver
IPSec-attributes of tunnel-group test
pre-shared-key cisco123
GBA, we config user group: VPN users. all VPN users in this group. ACS can visit his political profile: If the user in the 'VPN users' group, access ACS.
When we connect from a VPN Client to the server, all users connect to success. When you see the parser in ACS journal, each user success connect also get
error:
22040 wrong password or invalid shared secret
(pls see picture to attach it)
the system still works, but I don't know why, we get the error log.
Thanks for any help you can provide!
Duyen
Hello Duyen,
I think I've narrowed the issue. When remote access VPN using RADIUS authentication we must keep in mind that authentication and authorization are included on the same package.
Depending on your configuration, the ACS is defined as a server RADIUS (Gserver Protocol radius aaa server) and becomes the VPN Tunnel authenticated and 'authorized' on this server group:
authentication-server-group LOCAL Gserver
authorization-server-group Gserver
As noted above, the RADIUS of request/response includes authentication and authorization on the same package. This seems to be a problem of incorrect configuration that we should not set up the 'permission' in the Tunnel of the group.
Please remove the authorization under the Tunnel of Group:
No authorization-server-group Gserver
Please test the connection again and check the logs of the ACS. At this point there are only sucessful newspaper reported on the side of the ACS.
Is 'Permission-server-group' LDAP permission when authenticating to a LDAP server so to retrieve the attributes of permission on the server. RAY doesn't have the command as explained above.
I hope this helps.
Kind regards.
-
I have a tunnel VPN L2L on a Cisco ASA 5520 I am trying to get IPPS, to work on. On my ACL cryptomap I defined a local group object and a remote object-group, and I'm the one-to-one NAT scene on the local group. I also have a configured route map that will take the static routes and redistribute in my ACE. EIGRP two things - 1, I noticed, I don't see on my ASA static routes that point to remote subnets and 2, the ACL that I used in my definition of route map is not getting any hits on it.
Any thoughts on where I can go wrong?
Thank you
Darren
You have configured the following:
crypto set reverse-road map
If you do, can you remove and Add again and see if that fixes the problem?
-
IKE Dead Peer Detection between Cisco ASA and Cisco PIX
I have a network environment in Star with about 30 offices of satellite remote using VPN Site to Site connectivity. The majority of remote satellite offices have the features of Cisco PIX 501 running PIX Version 6.3. The hub office runs a version 8.2 (1) Cisco ASA.
I configured Dead Peer Detection on the Cisco ASA device at the office hub with the default settings of the following-
Confidence interval - 10 seconds
Retry interval - 2 seconds
I think I'm right assuming that raises are limited to 3 before the tunnel is completely demolished. Basically, the problem that I am facing is with several remote satellite offices. What seems to be the case, the tunnel between the remote offices and the hub is demolished (probably because of the length of IKE, always 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office. The tunnel NOT to renegotiate after satellite office, ONLY the end of the hub; so that means sending traffic to the satellite when the VPN tunnel is out of service, not to renegotiate the tunnel. The Hub office is a colo and therefore traffic rarely comes to that end, the tunnel remains so down until manual intervention occurs and the ICMP traffic is forced into the tunnel.
Should the KeepAlive and retry interval settings corresponds to both ends, for example if the two devices be configured for DPD?
What are the potential pitfalls to the extension of the life of IKE, and this will help or even hinder the problem?
Thank you in advance for helping out with this.
Hi Nicolas,.
I think that the two DPD settings must match on both ends, if these do not match then problems like yours might arise which seems to happen here, is that one end shows a tunnel down, but the other end may not detect it down, we could have to watch debugs, or record two ends to see if this is the case , setting in the meantime ike DPD for same timers could hetlp on.
In regard to the increase in the life expectancy of IKE, well you just need to be aware that this could allow keys to be discovered since these are not renegotiated unless the tunnel is down on the level of IKE. Other than that I don't see why this would affect you.
-
IPSec VPN between Cisco ASA and Fortigate1000
Hello
I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...
the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...
The question is: How do I configure the interface on the SAA ACCORD?
Thanks in advance, Experts...
Kind regards...
ASA firewall does not support the interface/GRE GRE tunnel.
If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.
If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Hope that helps.
-
SSL VPN from Cisco ASA and ACS 5.1 change password
Dear Sir.
I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?
Thank you
Aphichat
Dear Sir,
I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
Thank you
Aphichat
Hi Aphichat,
Go to the password link below change promt via AEC in ASA: -.
https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0
Hope to help!
Ganesh.H
Don't forget to note the useful message
-
Cisco ASA AnyConnect SSL VPN - certificates + token?
Hello
I'm looking for an answer is it possible such configuration:
The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?
I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.
Thank you very much for the help!
Hi Alex,
I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:
https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication
Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:
It may be useful
-Randy-
-
Cisco ASA 5510, ipsec vpn. What address to connect the client to
Hello
It's maybe a stupid question, but I can't find the answer anywhere.
I used the ipsec vpn configuration wizard, I activated the external interface to access ipsec and went through SCW pools of addresses etc. When I try to connect with the cisco vpn client to my address of the external interface (of a remote host) I'm unable to connect. I scanned the interface for open ports, but there is not, I have to allow traffic to ipsec at this interface?
Best regards
Andreas
No, once you have configured the access remote vpn ipsec, it will be automatically activated, and you should be able to connect to the ASA outside the ip address of the interface.
Can you please share the configuration? and also which group name you are trying to access the vpn client?
-
Cisco ASA 5505 remote VPN access to the local network
I have installed two ASA 5505 VPN site to site that works perfectly. Now, I also need to have 1 customer site to remote access VPN with Cisco VPN dialer. I can get the VPN dialer to connect the VPN and get a VPN IP address, but I do not have access to the remote network. can someone take a look and see what I'm missing? I have attached the ASA running config.
Apologize for the misunderstanding.
To access the remote vpn client 10.10.100.x subnet, the vpn-filter ACL is the opposite.
Please please share the following ACL:
FROM: / * Style Definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
outside_cryptomapVPN list of allowed ip extended access any 10.10.20.0 255.255.255.224
TO:
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-marge-haut : 0 cm ; mso-para-marge-droit : 0 cm ; mso-para-marge-bas : 10.0pt ; mso-para-marge-gauche : 0 cm ; ligne-hauteur : 115 % ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}
outside_cryptomapVPN to access extended list ip 10.10.20.0 allow 255.255.255.224 all
Hope that helps.
-
Problem Cisco ASA and downloadable ACLs
Hi all
Can someone shed some light on how configure ACS for acl user base download.
We used the TACCAS for remote access user authentication.
I need a config on ASA or should I just set up the strategy of /authorisation element profile and link the user profile?
Thanks in advance
Example of configuration.
-
VPN site to site ASA and SSL VPN
Hello
Already configured vpn site to site for both sites. Now, I try to configure vpn remote access to one site.
But I'm starting to config some command like below to access remote vpn, the existing site-to-site vpn disconnected auto.
No crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Please, help me to check.
Thank you
Ko Htwe
Hello
You can have a single card encryption for an interface, you must configure both tunnels (access site to & remote) in a single card with number of different sequesnce encryption. Please make sure that the sequence number for the remote access is higher than for the site to site.
You can also get this back to the config command, why did you remove it.
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
If you still have a problem, please let us know the configuration.
Kind regards
Mohammad
-
Cisco ASA 5510 VPN with PIX 515
Hello
I have VPN between Cisco ASA and Cisco PIX.
I saw in my syslog server this error that appears once a day, more or less:
Received a package encrypted with any HIS correspondent, drop
I ve seen issue in another post, but in none of then the solution.
Here are my files from the firewall configuration:
Output from the command: 'show running-config '.
: Saved
:
ASA Version 8.2 (1)
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map2 2 corresponds to the address WAN_cryptomap_1
card crypto WAN_map2 2 set pfs
card crypto WAN_map2 2 peer 62.80.XX game. XX
map WAN_map2 2 game of transformation-ESP-DES-MD5 crypto
card crypto WAN_map2 2 defined security-association 2700 seconds life
card crypto WAN_map2 2 set nat-t-disable
card crypto WAN_map2 WAN interface
enable LAN crypto ISAKMP
ISAKMP crypto enable WAN
crypto ISAKMP policy 1
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
tunnel-group 62.80.XX. XX type ipsec-l2l
tunnel-group 62.80.XX. IPSec-attributes of XX
pre-shared-key *.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
8.0 (4) version PIX
!
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card encryption VPN_map2 3 corresponds to the address VPN_cryptomap_2
card encryption VPN_map2 3 set pfs
card crypto VPN_map2 3 peer 194.30.XX game. XX
VPN_map2 3 transform-set ESP-DES-MD5 crypto card game
card encryption VPN_map2 3 defined security-association life seconds 2700
card encryption VPN_map2 3 set security-association kilobytes of life 4608000
card VPN_map2 3 set nat-t-disable encryption
VPN crypto map VPN_map2 interface
crypto ISAKMP enable VPN
crypto ISAKMP allow inside
crypto ISAKMP policy 30
preshared authentication
the Encryption
md5 hash
Group 5
lifetime 28800
No encryption isakmp nat-traversal
ISAKMP crypto am - disable
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec
tunnel-group 194.30.XX. XX type ipsec-l2l
tunnel-group 194.30.XX. IPSec-attributes of XX
pre-shared-key *.If you need more information dedailed ask me questions.
Thanks in advance for your help.
Javi
Hi Javi,
Please after the release of "see broadcasting DfltGrpPolicy of any political group." See if you have the "vpn-idle-timoeout" command configured in that. If so, please change to "vpn-idle-timeout no" and see if that stops at these popping up error messages.
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/uz.html#wp1571426
Thank you and best regards,
Assia
Maybe you are looking for
-
Graphics card for HP Compaq DC7900 compact
Hello, I'm looking in the graphic upgrade to my PC HP Compaq DC7900 Small Form Factor.Currantly his using Intel Q45/Q43 Chipset integrated graphics. I want to put an external card that will give enough power for the modern games.The food is the real
-
How can I activate java on BDV-N990W?
I can't watch video clips from youtube on my java cause system are not enabled. How can I do? Thank you
-
Deletion and addition of RAM chips
Oh God, I hope someone will help me. I'm having a few problems and I guess that now, just trying to make the best of what I have. I have a Pavilion g7 2297nr. It's hard as hell, trying to find info on my particular model. I am trying to remove th
-
If my motherboard has a PCI slot for a graphics card, can I add a slot to it?
I was exchanged under warranty a Compaq Presario with a card mother H-apricot-RS780L-Μatx (apricot). It has integrated graphics card ATI Radeon HD 3000 and no PCI slot to upgrade. I can add a slot it or am I stuck with it?
-
How to remove body, hidden under fabric polygons?
I tried to close all the holes tshirt, just like on the fabric stock patterns, but it seems that it is not enoughThank you