connect Cisco VPN client v5 to asa 5505

I have remote vpn configuration issues between ASA5505 and Cisco VPN client v5. Successfully, I can establish a connection between the client Vpn and ASA and receive the IP address of the ASA. Statistical customer VPN windows shows that packets are sent and encrypted but none of the packages is received/decrypted.

Cannot ping asa 5505

Any ideas on what I missed?

Advertisement

Try adding...

ISAKMP nat-traversal crypto

In addition, you cannot ping the inside interface of the ASA vpn without this command...

management-access inside

Please evaluate the useful messages.

Tags: Cisco Security

Similar Questions

  • IOS VPN will not respond to connections Cisco VPN Client.

    Hi all

    I'll put my routers fire here.

    I have two 2921 SRI both with licenses of security concerning leased lines separated. I configured one to accept our workers to remote Client VPN Cisco VPN connections.

    I have followed the set up process I used on another site with a router 1841/s and the same customers and I have also checked against the config given in the last guide of IOS15 EasyVPN.

    With debugs all assets, all I see is

    038062: 14:03:04.519 Dec 8: ISAKMP (0): received x.y.z.z dport-60225 Global (N) SA NEW 500 sport package
    038063: 14:03:04.519 Dec 8: ISAKMP: created a struct peer x.y.z.z, peer port 60225
    038064: 14:03:04.519 Dec 8: ISAKMP: new position created post = 0x3972090C peer_handle = 0x8001D881
    038065: 14:03:04.523 Dec 8: ISAKMP: lock struct 0x3972090C, refcount 1 to peer crypto_isakmp_process_block
    038066: 14:03:04.523 Dec 8: ISAKMP: (0): client setting Configuration parameters 3E156D70
    038067: 14:03:10.027 Dec 8: ISAKMP (0): packet received x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE

    Here is the abbreviated config.

    System image file is "flash0:c2900 - universalk9-mz.» Spa. 154 - 1.T1.bin.

    AAA new-model
    !
    !
    AAA authentication login default local
    local VPNAUTH AAA authentication login
    AAA authorization exec default local
    local authorization AAA VPN network
    !
    !
    !
    !
    !
    AAA - the id of the joint session

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 14

    ISAKMP crypto group configuration of VPN client
    key ****-****-****-****
    DNS 192.168.177.207 192.168.177.3
    xxx.local field
    pool VPNADDRESSES
    ACL REVERSEROUTE

    Crypto ipsec transform-set aes - esp esp-sha-hmac HASH
    tunnel mode

    Profile of crypto ipsec IPSECPROFILE
    the HASH transform-set value

    dynamic-map crypto VPN 1
    the HASH transform-set value
    market arriere-route
    !
    !
    list of authentication of card crypto client VPN VPNAUTH
    card crypto VPN VPN isakmp authorization list
    crypto map VPN client configuration address respond
    card crypto 65535-isakmp dynamic VPN ipsec VPN
    !
    !
    local IP VPNADDRESSES 172.16.198.16 pool 172.16.198.31

    REVERSEROUTE extended IP access list
    IP 192.168.0.0 allow 0.0.255.255 everything
    Licensing ip 10.0.0.0 0.0.0.255 any

    scope of IP-FIREWALL access list
    2 allow any host a.b.c.d eq non500-isakmp udp
    3 allow any host a.b.c.d eq isakmp udp
    4 ahp permits any host a.b.c.d
    5 esp of the permit any host a.b.c.d

    If anyone can see anything wrong, I would be very happy and it would save the destruction of a seemingly innocent router.

    Thank you

    Paul

    > I would be so happy and it would save the destruction of a seemingly innocent router.

    No, which won't work! But instead of destroying the router, I can do it for you. Just send it to me... ;-)

    OK, now more serious...

    1. The default Cisco IPSec client uses only DH group 2, while you set up the 14. Try to use Group 2 in your isakmp policy.
    2. You have your virtual model in place? She is not in the config.
  • Configuration of Cisco for Cisco VPN Client ASA 5505

    Our firm has finally made the move from Sonicwall Cisco for our SMB customers. Got our first customer with a VPN site-to site solid and you have configured the main router for connections via the Cisco VPN Client VPN Wizard.

    When I install the VPN Client on desktop computers that does not capture all the necessary options (unless you have a SSL VPN). I guess that there is a process that I am missing to export a connection profile that Cisco VPN Client users can import for their connection.

    There step by step guides to create the connection profile file to distribute to customers?

    Hello

    The ASDM wizard is for the configuration on the SAA. This wizard will help you complete the VPN configuration on the end of the ASA.

    You will need to set the same in the client, so that they can negotiate and connect.

    Input connection in the client field, that's what you want to be seen that on the VPN client - it can be any name

    Host will be the external ip address of the ASA.

    Group options:

    name - same tunnel as defined on the ASA group
    Password - pre-shared as on ASA.

    Confirm password - same pre-shared key.

    Once this is over, you will see the customer having an entry same as a login entry. You must click on connect there. He will be a guest user and the password. Please enter the login crendentials. VPN connects.

    You can distribute the .pcf file that is formed at the place mentioned in the post above. Once the other client receive the .pcf, they need to import it by clicking this tab on the VPN client.

    Kind regards

    Anisha

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.

    PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?

    Config is:

    !

    interface GigabitEthernet0/2.30

    Description remote access

    VLAN 30

    nameif remote access

    security-level 0

    IP 85.*. *. 1 255.255.255.0

    !

    access-list 110 scope ip allow a whole

    NAT list extended access permit tcp any host 10.254.17.10 eq ssh

    NAT list extended access permit tcp any host 10.254.17.26 eq ssh

    access-list extended ip allowed any one sheep

    access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh

    sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0

    tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0

    flow-export destination inside-Bct 192.168.1.27 9996

    IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0

    ARP timeout 14400

    global (outside-Baku) 1 interface

    global (outside-Ganja) interface 2

    NAT (inside-Bct) 0 access-list sheep-vpn

    NAT (inside-Bct) 1 access list nat

    NAT (inside-Bct) 2-nat-ganja access list

    Access-group rdp on interface outside-Ganja

    !

    Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2

    Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1

    Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1

    Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1

    Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1

    Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1

    Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1

    Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1

    dynamic-access-policy-registration DfltAccessPolicy

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    Crypto ipsec transform-set newset aes - esp esp-md5-hmac

    Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans

    Crypto ipsec transform-set vpnclienttrans transport mode

    Crypto ipsec transform-set esp-3des esp-md5-hmac raccess

    life crypto ipsec security association seconds 214748364

    Crypto ipsec kilobytes of life security-association 214748364

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1

    card crypto interface for remote access vpnclientmap

    crypto isakmp identity address

    ISAKMP crypto enable vpntest

    ISAKMP crypto enable outside-Baku

    ISAKMP crypto enable outside-Ganja

    crypto ISAKMP enable remote access

    ISAKMP crypto enable Interior-Bct

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    No encryption isakmp nat-traversal

    No vpn-addr-assign aaa

    Telnet timeout 5

    SSH 192.168.1.0 255.255.255.192 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside Baku

    SSH 10.254.17.18 255.255.255.255 outside Baku

    SSH 10.254.17.10 255.255.255.255 outside Baku

    SSH 10.254.17.26 255.255.255.255 outside-Ganja

    SSH 10.254.17.18 255.255.255.255 outside-Ganja

    SSH 10.254.17.10 255.255.255.255 outside-Ganja

    SSH 192.168.1.0 255.255.255.192 Interior-Bct

    internal vpn group policy

    attributes of vpn group policy

    value of DNS-server 192.168.1.3

    Protocol-tunnel-VPN IPSec l2tp ipsec

    Split-tunnel-policy tunnelspecified

    Split-tunnel-network-list value split tunnel

    BCT.AZ value by default-field

    attributes global-tunnel-group DefaultRAGroup

    raccess address pool

    Group-RADIUS authentication server

    Group Policy - by default-vpn

    IPSec-attributes tunnel-group DefaultRAGroup

    pre-shared-key *.

    Hello

    For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the section of tunnel-group config of the SAA.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.

    So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

    Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.

    "crypto isakmp nat-traversal.

    Thirdly, change the transformation of the value

    raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map

    Let me know the result.

    Thank you

    Gilbert

  • Unable to connect via the Cisco VPN Client

    Hello

    I have configured remote access VPN to ASA and tries to connect via the Cisco VPN Client 5.0

    I am not able to connect and watch the journal on the SAA

    ASA-3-713902: Group = xxxxx, IP = x.x.x.x, withdrawal homologous peer table is placed, no match!

    ASA-4-713903: Group = xxxxx, IP x.x.x.x, error: impossible to rmeove PeerTblEntry

    ASA does not support the K9 i.e. VPN - DES is enabled and VPN-3DES-AES is disabled.

    What could be the reason.

    Concerning

    Hi, I had this same problem, here is the solution:

    When you perform a debug crypto isakmp 255, so you see that the cisco vpn client does not support SHA +, you must use MD5 + AN or sha with 3DES/AES.

    Be careful, this debugging is very talkative, but that's the only way I found to get ITS proposal on debugging.

    Well, change your strategy using MD5 isakmp / OF would do the trick.

  • PIX: Cisco VPN Client connects but no routing

    Hello

    We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

    2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

    2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

    2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

    We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

    I enclose the training concerned in order to understand the problem:

    interface Ethernet0

    Speed 100

    full duplex

    nameif outside

    security-level 0

    IP address xx.yy.zz.tt 255.255.255.240

    !

    interface Ethernet1

    nameif inside

    security-level 100

    172.16.0.1 IP address 255.255.255.0

    !

    access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

    !

    access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

    !

    VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

    !

    IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

    !

    NAT-control

    Global xx.yy.zz.tt 12 (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 12 172.16.0.12 255.255.255.255

    !

    internal VPN_clientes group strategy

    attributes of Group Policy VPN_clientes

    xxyyzz.NET value by default-field

    internal VPN_client_group group strategy

    attributes of Group Policy VPN_client_group

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

    xxyyzz.local value by default-field

    !

    I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

    Thank you very much.

    can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

    PIX / ASA 7.1 and earlier versions

    PIX (config) #isakmp nat-traversal 20

    PIX / ASA 7.2 (1) and later versions

    PIX (config) #crypto isakmp nat-traversal 20

  • Unable to connect using the Cisco VPN client

    Hi all. I recently configured a 5510 ASA to allow remote access using the Cisco VPN client. The problem is that everything works fine when I connect using a modem classic or on a computer with a public address that I use for testing purposes, but whenever I try to connect with on an ADSL line, I can't access to the resources. I have connection and after that nothing, I can not achieve anything.

    I enclose the relevant configuration information in the attachment. Any help is welcome.

    Depending on the version, add...

    ISAKMP nat-traversal

    or

    ISAKMP nat-traversal crypto

    Should be all you need.

  • Cisco vpn client to connect but can not access to the internal network

    Hi all

    I have a VPN configured on cisco 5540. My vpn was working fine, but suddenly there is a question that the cisco vpn client to connect but can not access to the internal network

    Any help would be much appreciated.

    Hi Samir,

    I suggest that you go to the ASA and check the configuration to make sure that it complies with the requirements according to the reference below link:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    (The link above includes split tunneling, but this is just an option.

    Please paste the output of "sh cry ipsec his" here so that we can check if phase 2 is properly trained. I would say as you go to IPSEC vpn client on your PC and check increment in packets sent and received in the window 'status '.

    Let me know if this can help,

    See you soon,.

    Christian V

  • Cisco VPN Client 5.0.0 does not connect

    Hello

    I am trying to establish the VPN session the firewall to 5525 X Cisco ASA crossing 9.1.1 Cisco VPN Client. Although AnyConnect is the way to go, the inherited method must always be supported for some time as part of a migration. I tried two VPN users (authenticated by ad) on two client computers running Windows 7 64 bit and Cisco VPN Client 5.0.07.0440. Both users are able to establish a session to a computer at the ASA, but not the other. Entering credentails evil, the login popup will appear immediately. On the combination of username/password correct name, the following VPN client log messages are generated and the session drops that is "not connected" in the status bar. The PCF file is the same on both client computers.

    Cisco Systems VPN Client Version 5.0.07.0440

    Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

    Client Type(s): Windows, WinNT

    Running on: 6.1.7601 Service Pack 1

    119    22:49:16.933  06/23/13  Sev=Info/6          IKE/0x6300003B

    Attempting to establish a connection with 203.99.111.44.

    120    22:49:16.939  06/23/13  Sev=Info/4          IKE/0x63000001

    Starting IKE Phase 1 Negotiation

    121    22:49:16.942  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 203.99.111.44

    122    22:49:16.973  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    123    22:49:16.973  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 203.99.111.44

    124    22:49:16.974  06/23/13  Sev=Info/5          IKE/0x63000001

    Peer is a Cisco-Unity compliant peer

    125    22:49:16.974  06/23/13  Sev=Info/5          IKE/0x63000001

    Peer supports XAUTH

    126    22:49:16.974  06/23/13  Sev=Info/5          IKE/0x63000001

    Peer supports DPD

    127    22:49:16.974  06/23/13  Sev=Info/5          IKE/0x63000001

    Peer supports NAT-T

    128    22:49:16.974  06/23/13  Sev=Info/5          IKE/0x63000001

    Peer supports IKE fragmentation payloads

    129    22:49:16.977  06/23/13  Sev=Info/6          IKE/0x63000001

    IOS Vendor ID Contruction successful

    130    22:49:16.977  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 203.99.111.44

    131    22:49:16.977  06/23/13  Sev=Info/6          IKE/0x63000055

    Sent a keepalive on the IPSec SA

    132    22:49:16.977  06/23/13  Sev=Info/4          IKE/0x63000083

    IKE Port in use - Local Port =  0xCA7C, Remote Port = 0x1194

    133    22:49:16.977  06/23/13  Sev=Info/5          IKE/0x63000072

    Automatic NAT Detection Status:

    Remote end is NOT behind a NAT device

    This   end IS behind a NAT device

    134    22:49:17.000  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    135    22:49:17.000  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44

    136    22:49:17.211  06/23/13  Sev=Info/4          IPSEC/0x63700008

    IPSec driver successfully started

    137    22:49:17.211  06/23/13  Sev=Info/4          IPSEC/0x63700014

    Deleted all keys

    138    22:49:23.207  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44

    139    22:49:23.393  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    140    22:49:23.393  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44

    141    22:49:23.393  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44

    142    22:49:23.401  06/23/13  Sev=Info/5          IKE/0x6300005E

    Client sending a firewall request to concentrator

    143    22:49:23.401  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44

    144    22:49:23.427  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    145    22:49:23.427  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44

    146    22:49:23.427  06/23/13  Sev=Info/5          IKE/0x63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.2.193.69

    147    22:49:23.427  06/23/13  Sev=Info/5          IKE/0x63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.2.5.2

    148    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x63000010

    MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.1.5.2

    149    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

    150    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

    151    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000F

    SPLIT_NET #1

    subnet = 10.0.0.0

    mask = 255.0.0.0

    protocol = 0

    src port = 0

    dest port=0

    152    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = example.org

    153    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

    154    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000E

    MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5525 Version 9.1(1) built by builders on Wed 28-Nov-12 11:15 PST

    155    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

    156    22:49:23.428  06/23/13  Sev=Info/5          IKE/0x6300000D

    MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

    157    22:49:23.445  06/23/13  Sev=Info/4          IKE/0x63000056

    Received a key request from Driver: Local IP = 10.2.193.69, GW IP = 203.99.111.44, Remote IP = 0.0.0.0

    158    22:49:23.445  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.99.111.44

    159    22:49:23.477  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    160    22:49:23.477  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 203.99.111.44

    161    22:49:23.477  06/23/13  Sev=Info/5          IKE/0x63000045

    RESPONDER-LIFETIME notify has value of 86400 seconds

    162    22:49:23.477  06/23/13  Sev=Info/5          IKE/0x63000047

    This SA has already been alive for 7 seconds, setting expiry to 86393 seconds from now

    163    22:49:23.477  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    164    22:49:23.477  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.99.111.44

    165    22:49:23.478  06/23/13  Sev=Info/4          IKE/0x63000013

    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 203.99.111.44

    166    22:49:23.478  06/23/13  Sev=Info/4          IKE/0x63000049

    Discarding IPsec SA negotiation, MsgID=F3E3C530

    167    22:49:23.478  06/23/13  Sev=Info/4          IKE/0x63000017

    Marking IKE SA for deletion  (I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65) reason = DEL_REASON_IKE_NEG_FAILED

    168    22:49:23.478  06/23/13  Sev=Info/5          IKE/0x6300002F

    Received ISAKMP packet: peer = 203.99.111.44

    169    22:49:23.479  06/23/13  Sev=Info/4          IKE/0x63000058

    Received an ISAKMP message for a non-active SA, I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65

    170    22:49:23.479  06/23/13  Sev=Info/4          IKE/0x63000014

    RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 203.99.111.44

    171    22:49:24.310  06/23/13  Sev=Info/4          IPSEC/0x63700014

    Deleted all keys

    172    22:49:26.838  06/23/13  Sev=Info/4          IKE/0x6300004B

    Discarding IKE SA negotiation (I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65) reason = DEL_REASON_IKE_NEG_FAILED

    173    22:49:26.849  06/23/13  Sev=Info/4          IKE/0x63000001

    IKE received signal to terminate VPN connection

    174    22:49:26.855  06/23/13  Sev=Info/4          IPSEC/0x63700014

    Deleted all keys

    175    22:49:26.855  06/23/13  Sev=Info/4          IPSEC/0x63700014

    Deleted all keys

    176    22:49:26.855  06/23/13  Sev=Info/4          IPSEC/0x63700014

    Deleted all keys

    177    22:49:26.855  06/23/13  Sev=Info/4          IPSEC/0x6370000A

    IPSec driver successfully stopped

    Any ideas why the second client of Windows 7 does not work?

    Kind regards

    Rick.

    Rick

    Thanks for the additional output. It shows the xauth authentication step, which is good to see. But it does not offer much clarity on what is causing the problem.

    My attention is drawn to a couple of message on the balls that are in line with the two sessions for which you posted newspapers.

    32 00:36:08.178 24/06/13 Sev = Info/5 IKE/0x6300005E

    Customer address a request from firewall to hub

    I'm not sure that we see any answer to this, but it makes me wonder if it is somehow involved in the issue. Is it possible that there is a difference in the configuration of firewall and operating between two clients?

    I am also interested in this series of posts

    48 00:36:08.210 24/06/13 Sev = Info/4 IKE / 0 x 63000056

    Received a request from key driver: local IP = 10.2.193.69, GW IP = 203.99.111.44, Remote IP = 0.0.0.0

    I don't know why the pilot requested a key at this point, and I wonder why the remote IP is 0.0.0.0?

    It is followed by a package in which the ASA provides the value of the life of SA - which seems to be on the path to a successful connection. that is followed by

    55 00:36:08.350 24/06/13 Sev = Info/5 IKE/0x6300002F

    Received packet of ISAKMP: peer = 203.99.111.44

    56 00:36:08.350 24/06/13 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

    during which the SAA indicates that no proposal has been selected. It seems therefore that the ASA is not happy about something.

    If we do not find indications of the client that allows to identify the problem, then maybe we look at the ASA. Are all log messages generated on the SAA during this attempt to establish VPN that could show us the problem? Would it not be possible to run debugs on the SAA in a trial of this machine?

    HTH

    Rick

  • Problems to connect via the Cisco VPN client IPSec of for RV180W small business router

    Hello

    I tried to configure my router Cisco of RV180W as a customer VPN IPSec, but have encountered a problem that I hope someone can help me with. "" I managed to do the work of configuration so that the Cisco's VPN IPSec client authenticates successfully with the XAUTH user, I put on the router, but during the negotiation, the client ends with the following, which appears several times on the router error message: ' Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [34360] has no config mode.

    I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens to my iPhone VPN client.

    Is it possible that this can be implemented? Below, I have attached the full configuration files and the log files. Thank you much in advance.

    Router log file (I changed the IP addresses > respectively as well as references to MAC addresses)

    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT > [44074] because it is admitted only after the phase 1.
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [4500]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for > [44074]
    Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for > [4500] -> [44074] with spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP >
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of > [44074]
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no config mode
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for > [44074] has no mode config

    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
    Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP >
    Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for > [4500] -> [44074] with spi =>

    The router configuration

    IKE policy

    VPN strategy

    Client configuration

    Hôte : < router="" ip=""> >

    Authentication group name: remote.com

    Password authentication of the Group: mysecretpassword

    Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)

    Username: myusername

    Password: mypassword

    Please contact Cisco.

    Correct, the RV180 is not compatible with the Cisco VPN Client.  The Iphone uses the Cisco VPN Client.

    You can use the PPTP on the RV180 server to connect a PPTP Client.

    In addition, it RV180 will allow an IPsec connection to third-party customers 3.  Greenbow and Shrew Soft are 2 commonly used clients.

  • Cisco vpn client is supported on the analogue ppp connection

    can someone pls tell me if we can use the client vpn cisco on a ppp connection analog and put a pix that is not PPPs running. If it works, then why do we need to VPN L2tp/ipsec. can someone pls tell me something abt it. It is very urgent.

    concerning

    Assane

    Assane,

    If I understand your question, you speak with PPP initially to get an IP address from your service provider, then use the Client VPN VPN in your Pix Firewall. If so, yes it is possible.

    To name a few reasons why PPTP or L2TP/IPSEC is used instead of Cisco VPN Client are:

    1. because companies have used a PPTP or L2TP/IPSEC solution for some time and are migrating to Cisco VPN

    2. do not install vpn on the PC client software

    3. won't pay for the VPN Client software licenses

    Let me know if it helps.

    Kind regards

    Arul

  • All necessary licenses on ASA 5510 for old Cisco VPN Client

    We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with?  No matter what special config that needs to be done on the 5510?

    Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).

    You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.

  • Cisco VPN client (ASA) password expiry messages

    Hi all

    I am looking for a way to change the message displayed on the Cisco VPN client, when a password change is required. This configuration uses an ASA 5520 with Windows 2003 IAS radius for authentication server.

    I have configured the option 'password-management' under the tunnel-group, but when the password expires the vpn client prompts you to "enter a new pin code.

    This customizable message, for example "Please enter a new password to 8 characters etc.

    The original message communicates enough information for the user.

    Thank you

    Hi Matt,

    This is a known defect CSCeh13180 (when using RADIUS with expiry) and there is currently no plan to fix this bug.

    But you can try this for one of your VPN client and see if that helps.

    you need to change the VPNClient.ini on the PC that installed the VPN Client. Here are the settings you will need...

    [RadiusSDI]

    NewPinSubStr = "" enter the new password: ""

    HTH

    Kind regards

    JK

  • Slow initial connection using Cisco VPN Client

    I am currently using Cisco VPN Client v5.0.07.0290.  Whenever I start my connection, it takes me about 90 seconds for the prompt to display authentication and another ~ 90 seconds to finish the auth. and connect successfully.  I have another computer laptop w / the same WIN7 OS and version of Cisco VPN Client and he ends the connection to<30 sec. ="" why="" is="" this? ="" any="" suggestions="">

    Hi Sergio,

    You import the .pcf for the VPN Client file? If so, please try to recreate a new file .pcf locally on the machine itself and try to connect. Let me know how it goes.

    Thank you

    Delvallée

  • Cisco VPN client 3.5.1 and Cisco ASA 5.2 (2)

    Hello

    I have a strange problem about Cisco VPN client (IPSec) with Cisco ASA. The Cisco ASA runs software version 5.2 (2). The Cisco VPN client version is 3.5.1.

    The problem is the customer able Cisco VPN to authenticate successfully with Cisco ASA, but could not PING to any LAN behind the Cisco ASA. In any case, the problem disappeared when we used the Cisco VPN version 4.6 or 4.8 of the customer. All parameters are exactly the same. What has happened? What is the cause of this problem? How can I solve this problem?

    Please advice.

    Thank you

    Nitass

    I understand your problem, I never used 3.5.1 so I thought that maybe nat - t is not enabled by default as 4.x.

Maybe you are looking for


HashFlare