Types of VPN Session

I am looking at my ASA logs for VPN connections (%ASA-4-113019 messages). Some of the connections show a session type of "IKE" and others "IPSecOverNatT". Why would that be? My users are using an IPSec client to connect.

Thank you.

The reason you see IPSecOverNatT is that there is a NAT device in the path between the VPN client and the headend. Since the IPsec Phase 2 traffic between the VPN endpoint devices is carried in ESP packets (i.e. ESP is an IP protocol, so there is no TCP or UDP port number that a NAT device can translate), the ESP packet is encapsulated in a TCP or UDP port (called NAT-T, NAT Traversal) so that it can be handled by a NAT device.

Hope that answers your question.
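As an added illustration (not part of the thread or any Cisco code), the following Python demultiplexes a datagram arriving on UDP/4500 using the NAT-T framing of RFC 3948, which is the difference between a session the ASA labels "IKE"/plain ESP and one it labels "IPSecOverNatT"; the sample datagrams are constructed for the demo.

```python
"""
Added example: classify what a UDP/4500 datagram carries according to the
NAT-T framing of RFC 3948 (IKE behind a Non-ESP Marker, UDP-encapsulated ESP,
or a NAT keepalive). Inputs below are constructed for this demonstration.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 3.2: IKE inside UDP/4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: one-byte keepalive
IKE_HEADER = "!QQBBBBII"                # ISPI, RSPI, NP, Ver, Exch, Flags, MsgID, Len


def transport_label(ip_proto: int, udp_dport: int = 0) -> str:
    """Name the IPsec carrier seen on the wire from IP protocol and UDP port.

    ESP has no ports, so a NAT in the path forces the UDP/4500 encapsulation
    that shows up as IPSecOverNatT in the ASA's session logs.
    """
    if ip_proto == 50:
        return "ESP (native, no NAT in path)"
    if ip_proto == 51:
        return "AH (native)"
    if ip_proto == 17 and udp_dport == 500:
        return "IKE"
    if ip_proto == 17 and udp_dport == 4500:
        return "NAT-T (IKE or ESP encapsulated in UDP)"
    return "not IPsec"


def classify_udp4500(payload: bytes) -> dict:
    """Return what kind of message a UDP/4500 payload carries.

    - exactly one 0xFF byte -> NAT keepalive
    - four zero bytes first -> IKE (Non-ESP Marker), IKE header follows
    - otherwise             -> UDP-encapsulated ESP; first 4 bytes are the SPI
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < struct.calcsize(IKE_HEADER):
            raise ValueError("truncated IKE header")
        ispi, rspi, _np, version, exch, _flags, msgid, length = \
            struct.unpack(IKE_HEADER, ike[:28])
        return {
            "kind": "ike",
            "ike_version": f"{version >> 4}.{version & 0xF}",
            "exchange_type": exch,
            "initiator_spi": f"{ispi:016x}",
            "responder_spi": f"{rspi:016x}",
            "message_id": msgid,
            "length": length,
        }
    spi, seq = struct.unpack("!II", payload[:8])
    if spi == 0:
        # SPI 0 is reserved precisely so it cannot collide with the marker.
        raise ValueError("ESP SPI 0 is reserved")
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
```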

Tags: Cisco Security

Similar Questions

  • Types of VPN

    Hi all

    This is a totally newbie question, but here goes...

    It is written in some places that L2TP, PPTP and GRE are types of VPN tunnels; for example, you can create an L2TP dialer and (after authentication) it will form an L2TP tunnel, which you can wrap in a GRE tunnel.

    First of all, what is the need for this? Since L2TP allows any Layer 3 protocol to be transferred, why do you need GRE on top?

    The other thing is that in some texts there are explanations of configuring L2TP on the LAC and the LNS, and of course a dialer on the client end, with no GRE at all. So... what exactly is it? Is it a tunnel? Is it a dialer? Is it both? What are the differences, and when would I prefer one over the other?

    IPsec, ISAKMP, encryption, crypto maps and all the phases are well understood. My confusion is about these different tunnel/dialer types.

    Thanks in advance,

    Willow

    Dear friends,

    Let me join you.

    (1) What is the difference between L2TP and GRE? They both need IPsec and are kinds of tunnels, while L2TP is also a dialer via PPP/PPPoE to connect to the ISP.

    L2TP is used to encapsulate and tunnel Layer 2 frames (e.g. Ethernet, HDLC, PPP, Frame Relay or ATM) including their payload. GRE is used to encapsulate and tunnel Layer 3 packets (such as IPv4 or IPv6). There are other significant differences between GRE and L2TP, but at this stage I consider this the most important distinction between them. In other words, if you think of a tunnel as a pipe, then with L2TP you would be feeding Layer 2 frames into this pipe, and with GRE you would feed Layer 3 packets into this pipe. The choice of L2TP or GRE depends on the application: whether you need to tunnel the frames whole, as they are sent by the source, or whether you just need the source's packets without their link-layer encapsulation.

    In fact, there is an exception to the above rules that may make things more confusing. You can tunnel Layer 2 frames through GRE tunnels as well. The trick is to know what kind of frame you are injecting into a GRE packet. If you look more closely at the format of the basic 4-byte GRE header, the first 2 bytes specify the GRE version and flags, and the following 2 bytes have the same meaning as the EtherType field in Ethernet: they identify the type of payload in the GRE packet. If there is a valid registered EtherType value for the frame you want to carry through a GRE tunnel, then by all means you can tunnel it. If there is no registered EtherType value, then you are in trouble, because you cannot invent a value and put it there: the receiving endpoint may not understand the value, or it may be confused with another protocol and process the encapsulated frame incorrectly. All the common Layer 3 protocols have their EtherType registered because they are intended to be carried in Ethernet frames, so with Layer 3 packets we generally have no problem. However, not all Layer 2 protocols have EtherTypes, because tunnelling frames inside other frames is not a common practice. This is why GRE is by nature a mainly Layer 3 tunnelling protocol.

    Just for your convenience, you can find the list of EtherType values at

    http://standards-Oui.IEEE.org/EtherType/ETH.txt

    Neither L2TP nor GRE needs IPsec. By definition both protocols will happily run without IPsec, but then, of course, they will carry all data unencrypted and unprotected. IPsec is an add-on to both protocols to secure the data transmission (authentication, confidentiality, integrity, protection against replay attacks).

    By saying "L2TP is also a dialer via PPP/PPPoE to connect to the ISP" you probably mean a virtual PPP interface, am I wrong? Can you clarify this in more detail?

    (2) What is the difference between Point-to-Point Protocol and Point-to-Point Tunneling Protocol? Since they both support non-IP traffic.

    PPP is a Layer 2 protocol and is intended to run directly over physical network interfaces. It is not a tunnelling protocol; rather it is a data link protocol originally created to be used on serial interfaces of computers and routers. It replaced or complemented other serial link protocols such as SLIP or HDLC. Regarding its place in the OSI model, PPP is on the same layer as Ethernet: both run over physical network interfaces and define how two directly connected network interfaces send messages between them.

    PPTP is a tunnelling protocol that uses a modified GRE protocol plus an additional signalling protocol to tunnel PPP frames in IP packets over a routed network. That is the confusing thing about PPTP: it uses GRE to tunnel PPP frames, and only PPP frames. You cannot carry other types of traffic in PPTP directly; it was not designed to work this way, even though GRE itself would be capable of it. Instead, whatever you want to carry over a PPTP tunnel must first be put into PPP frames, and those are then GRE-encapsulated and sent over the tunnel to the other side.

    The fact that PPP is used inside PPTP does not imply that PPP was invented with PPTP in mind. It is actually the opposite: PPP existed well before PPTP, and the creators of PPTP felt it would be beneficial to use it because it provides some neat features they would otherwise have to re-implement (authentication, upper-layer protocol negotiation, IP autoconfiguration, to name a few). The fact that PPP is used inside PPTP does not make PPP a tunnelling protocol; PPP is rather just a "victim" of PPTP.

    PPTP is not a data link layer protocol; it is not used directly on any type of physical interface. On the contrary, PPTP expects basic IP connectivity (using any type of data link and physical layer) between the endpoints to already be in place.

    (3) What about standalone (no GRE) PPTP? Why would they want PPTP running inside GRE? How does that work? Also, why can I not use PPTP with GRE and IPsec for security, or simply PPTP with IPsec? Why should I use L2TP? What are its benefits?

    PPTP internally consists of a somewhat modified GRE plus an additional control channel running over TCP, which provides the tunnel setup and session teardown. There is no such thing as standalone PPTP without GRE: PPTP is GRE, even if not a vanilla GRE, but rather an adapted version of it.

    On the combination of PPTP and IPsec: technically, there is nothing that would prevent you from protecting a PPTP tunnel with IPsec. It is just unicast IP traffic, and any such traffic between two fixed endpoints can be protected by IPsec. If this combination is not available on a particular device or operating system, it is simply because the combination was never requested strongly enough by customers to be implemented by vendors.

    L2TP has the advantage of being richer, more widely supported and actively developed, but it was really designed to be used in provider environments where hundreds or thousands of individual subscribers and their traffic are tunnelled between an access concentrator and a network server. These features go unused if L2TP is terminated on a single user PC or home router. Of course, there is nothing bad about that; it is just that L2TP is overkill for such a small-scale deployment. Yet, as it turns out, PPTP is considered to be simply outdated and is no longer developed or maintained, and L2TP is universally suggested as one of the possible replacements.

    (4) Who is the dialer in a GRE + IPsec tunnel (or a standalone GRE tunnel)? What protocol is used? Which Layer 2 is used to make the connection?

    I am not quite sure what you mean by the "dialer". With GRE, the encapsulation is

    Tunnel IP header | GRE header | Original IP packet

    This whole thing is an IP packet, and it is simply routed over the network to the tunnel endpoint, being L2-decapsulated and L2-encapsulated at each router according to the normal rules.

    (5) When you say GRE is protocol 47 and IPsec uses protocol 50 or 51 (ESP/AH), how do the two meet? What does the encapsulation look like with these two protocols? What is used at each layer?

    Depending on whether IPsec is used in transport or tunnel mode, a GRE packet protected by IPsec looks like this:

    Tunnel mode:
    IPsec tunnel IP header | ESP/AH | GRE tunnel IP header | GRE header | Original IP packet

    Transport mode:
    GRE tunnel IP header | ESP/AH | GRE header | Original IP packet

    With IPsec protection, the outermost header (shown leftmost) will always use protocol value 50/51. The protocol value 47 is carried in the GRE tunnel IP header (tunnel mode) or is moved to the Next Header field of the ESP/AH header (transport mode).

    (6) Does LNS actually mean "an L2TP server just inside a router"?

    LNS means L2TP Network Server, and it may, but does not need to, mean that this feature is implemented in a network router. LNS is a software service, and it can run either in the operating system (and perhaps partially in hardware) of a router, or it can run on a server. There are implementations of the LNS feature for Linux servers, for example.

    The terminology of LAC (L2TP Access Concentrator) and LNS (L2TP Network Server) is given by the RFCs that specify L2TP. These RFCs do not dictate how or where these two elements are implemented. Any device that performs the tasks of a LAC or an LNS is called a LAC or an LNS, and whether it is a dedicated router or even a PC or a Raspberry Pi does not matter to L2TP.

    (7) If I go with a GRE tunnel and IPsec, I still need to use L2TP as the dial-up at the customer end, don't I?

    Certainly not. GRE tunnels create IP packets, and these IP packets will be routed to the other end of the tunnel through existing IP connectivity. Before you can have a GRE tunnel between two endpoints, you must have working IP connectivity between them (this is the same as for PPTP; after all, PPTP is based on GRE). There is no need to use L2TP here. Even if you encapsulate the GRE in IPsec, you still get an IP packet that you can send to the other end of the tunnel, as there is already usable IP connectivity.

    Feel free to ask for more!

    Best regards
    Peter
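    As an added example (not part of Peter's answer or any Cisco code), the Python below parses the GRE header he describes: two bytes of flags and version, then an EtherType naming the payload, with PPTP's enhanced GRE (version 1, RFC 2637) carrying only PPP. The sample headers are constructed, and the EtherType table is a small excerpt of the IEEE registry he links to.

```python
"""
Added example: decode standard GRE (RFC 2784/2890) and PPTP enhanced GRE
(RFC 2637) headers, rejecting payload types that are not registered
EtherTypes. Sample data is constructed for this demonstration.
"""
import struct
from typing import Optional

# Excerpt of registered EtherTypes relevant to the discussion above.
ETHERTYPES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x6558: "Transparent Ethernet bridging (L2 frames over GRE)",
    0x880B: "PPP (what PPTP's enhanced GRE carries)",
}

FLAG_C = 0x80   # first byte: checksum present
FLAG_K = 0x20   # first byte: key present
FLAG_S = 0x10   # first byte: sequence number present
FLAG_A = 0x80   # second byte, PPTP only: acknowledgement number present


def _field(data: bytes, offset: int, fmt: str) -> tuple:
    """Unpack fmt at offset, raising a clear error when the header is short."""
    size = struct.calcsize(fmt)
    if len(data) < offset + size:
        raise ValueError("GRE header truncated")
    return struct.unpack(fmt, data[offset:offset + size])


def parse_gre(data: bytes) -> dict:
    """Decode a GRE header; return its fields and where the payload starts.

    An EtherType outside the registry raises ValueError: exactly the case the
    answer warns about, because a receiver cannot interpret an invented value.
    """
    flags, flags2, proto = _field(data, 0, "!BBH")
    version = flags2 & 0x07
    offset = 4
    info = {"version": version, "protocol_type": proto}
    if version == 0:                                  # vanilla GRE
        info["kind"] = "GRE"
        if flags & FLAG_C:                            # checksum + reserved1
            info["checksum"] = _field(data, offset, "!HH")[0]
            offset += 4
        if flags & FLAG_K:
            info["key"] = _field(data, offset, "!I")[0]
            offset += 4
        if flags & FLAG_S:
            info["seq"] = _field(data, offset, "!I")[0]
            offset += 4
    elif version == 1:                                # PPTP enhanced GRE
        if proto != 0x880B or not flags & FLAG_K:
            raise ValueError("version 1 GRE is only defined for PPTP/PPP")
        info["kind"] = "PPTP"
        info["payload_length"], info["call_id"] = _field(data, offset, "!HH")
        offset += 4
        if flags & FLAG_S:
            info["seq"] = _field(data, offset, "!I")[0]
            offset += 4
        if flags2 & FLAG_A:
            info["ack"] = _field(data, offset, "!I")[0]
            offset += 4
    else:
        raise ValueError(f"unknown GRE version {version}")
    if proto not in ETHERTYPES:
        raise ValueError(f"unregistered EtherType 0x{proto:04x} in GRE header")
    info["payload"] = ETHERTYPES[proto]
    info["payload_offset"] = offset
    return info


def build_gre(proto: int, key: Optional[int] = None,
              seq: Optional[int] = None) -> bytes:
    """Build a version 0 GRE header for an EtherType with optional key/seq."""
    flags = (FLAG_K if key is not None else 0) | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!BBH", flags, 0, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr
```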

  • Cisco ASA VPN session reflects a public IP of a different source

    Hi all

    I tested and managed to successfully establish the VPN on my Cisco ASA 5520.

    In my syslog, I can see "parent AnyConnect session has begun" while setting up the VPN and "webvpn session is over" at the end of my VPN session,

    where the public IP used to establish the VPN is reflected. However, after the line "webvpn session is over", I can see other lines in my syslog, for example "Group = vpngroup, Username = test, IP = x.x.x.x, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:00m:23s, xmt bytes: 0, rcv bytes: 0, Reason: User Requested", where x.x.x.x is not the IP address used to establish my remote access VPN; it is not related to my VPN IP address at all. I am very sure that the x.x.x.x IP never did any VPN to my Cisco ASA 5520. So why is it reflected in my Cisco ASA logs? Please advise, TIA!

    Hello

    I think I remember seeing a similar question in the past. I did some research on Google, and the following bug ID was mentioned in the discussion.

    113019 syslog reports an invalid address when the VPN client disconnects.

  • How to allow remote VPN sessions to communicate

    Hi all

    I am trying to understand how to enable remote VPN client sessions to communicate with each other. For example, if my manager has connected via VPN to the office and needed me to fix something on her laptop, I cannot VPN to the office and RDP into her laptop. Not sure if this can be done without pain.

    A brief extract of my config. Remote client VPN sessions work fine. It is only when I try to access other client VPN sessions that I have a problem.

    Thanks in advance!

    FW# sho run
    : Saved
    :
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 4.4.1.8 255.255.255.252
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    !
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_in extended permit icmp any any
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    access-list sheep extended permit ip any 10.10.10.0 255.255.255.0
    ip local pool vpn 10.10.10.1-10.10.10.15 mask 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 4.4.1.7 1
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map inetdyn_map 20 set transform-set ESP-DES-SHA
    crypto map inet_map 65535 ipsec-isakmp dynamic inetdyn_map
    crypto map inet_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp identity address
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 21
    group-policy vpnipsec internal
    group-policy vpnipsec attributes
     wins-server value 192.168.1.5
     dns-server value 192.168.1.5
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel
     default-domain value moobie.com
    tunnel-group vpnipsec type remote-access
    tunnel-group vpnipsec general-attributes
     address-pool vpn
     default-group-policy vpnipsec
    tunnel-group vpnipsec ipsec-attributes
     pre-shared-key nope
    !

    Hello

    You need to allow the VPN pool in the split tunnel; here is what you need to do:

    access-list split_tunnel standard permit 10.10.10.0 255.255.255.0

    same-security-traffic permit intra-interface

    Kind regards

    Bad Boy

    P.S. Please mark this post as 'Answered' if you find this information useful, so that it benefits other users of the community.

  • Memory consumed by a VPN session

    Hello

    I would like to know how I can get the memory usage for a VPN session, whether site-to-site or client-to-site, etc.

    -Rajiv

    Sent from Cisco Technical Support iPhone App

    Hello

    There are two types of memory used: one is processor memory for the control plane, for session tracking, IKE and IPsec SAs, etc.; the other is I/O memory for incoming and outgoing packets.

    The processor memory may keep changing depending on how many IPsec SAs you have, the number of ACLs used, etc., so there is no easy way to track it other than looking at the memory usage before and after, and even then it may not be very accurate. You can also look at the memory usage of processes.

    The same goes for I/O memory, which is usually transient as packets come and go.

    What are you trying to use this for? Just curious.

  • AC VPN: vpn-session-timeout and prompting the user

    Hello

    Is it possible to prompt the user to continue the session shortly before it hits the vpn-session-timeout value (ASA)?

    Thank you

    Sean

    Sean,

    I believe no work like this has been done on it by the BU.

    We have this open for it:

    https://Tools.Cisco.com/bugsearch/bug/CSCsx17267/?reffering_site=dumpcr

    M.

  • Does the 'IETF-RADIUS-Idle-Timeout' value override 'vpn-session-timeout' of the group policy?

    Hello community,

    I wish to have a dynamic override of 'vpn-session-timeout' of the group policy (using "ldap attribute-map").

    Reading the section "Support for RADIUS authorization attributes" of the ASA documentation, it is not clear, but apparently the attribute 'IETF-RADIUS-Session-Timeout' is the Cisco attribute name for the ASA's 'vpn-session-timeout'.

    Can anyone confirm?

    Regards, Alex

    Yes!

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_ser...

  • ASA 5505 VPN sessions maximum 25?

    Hello friends,

    The company I work for acquired several ASA 5505s, so now we will be able to connect several branches to headquarters. But now I learn that the ASA 5505 only scales to 25 VPN sessions, which I think won't be enough to support the operations of an office. I have a lot of questions about this:

    Does the number 25 mean it supports up to 25 L2L tunnels? Or does it mean 25 sessions, regardless of the number of L2L tunnels?

    Does the number 25 mean it supports up to 25 users in the branch office? Or does it mean that a user can use several sessions?

    I am at the testing stage in a lab where one PC connects to many applications. Does anyone know if there is a command on the ASA to check how many VPN sessions are in use?

    Please do not hesitate to ask for as much information as necessary. Any comments or documents will be appreciated.

    Kind regards!

    Hi Alex,

    The ASA 5505 supports 25 VPN sessions as the maximum for IKEv1 or IPsec client tunnels; it could be up to 25 L2L tunnels or 25 users using IKEv1 (legacy IPsec client), and another 25 sessions for AnyConnect or WebVPN, depending on which are in use.

    To check how many VPN sessions are currently running, run the commands 'show vpn-sessiondb' and 'show vpn-sessiondb summary'.

    Find the official documentation for the ASA 5505 at the following link:

    http://www.Cisco.com/c/en/us/products/collateral/security/ASA-5500-series-next-generation-firewalls/datasheet-C78-733510.html

    Rate if it helps.

    -Randy-

  • Default route for remote access VPN sessions

    ASA version 8.2.2

    How do you assign remote access VPN sessions a separate default route, other than the default route assigned to the ASA? For example, my VPN ASA (which handles VPN sessions) defaults to the Internet. I would like remote access VPN sessions to default to the internal network first, then follow the default route to the Internet on another firewall.

    The ASA's outside interface IP address is public. Inside is a private 10.x.x.x. VPN clients receive 172.17.x.x.

    Thank you

    After the 'route' command, add the keyword "tunneled".

    tunneled

    Specifies the route as the default tunnel gateway for VPN traffic.

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/QR.html#wp1767323

  • Internet problems after having disconnected the VPN session

    I was wondering if someone could tell me a solution for this problem I have had for a year or more.

    When I had Vista (32-bit), I used to use Cisco's IPsec VPN client. At the time, I found that when I disconnected a VPN session, something on my machine would get messed up. In other words, I could no longer RDP to my machine from another machine (which I would do over the Internet). I also found that I could not access other services on my machine from other machines through the Internet either.

    Basically, I found that if I disabled/re-enabled my NIC (manually or by restarting), I was able to connect to my machine once more.

    Now I have Windows 7 (64-bit), and I now also use the Cisco SSL VPN client. I had hoped this would disappear with the new operating system and the new VPN client, but the problem persists! Fortunately, Windows 7 tasks can be triggered based on events that occur. I created a task that will disable/re-enable my NIC whenever it sees the SSL disconnect event in the log. While this is a great workaround for me, I would like to get to the bottom of the issue. I even helped others in my office with the same issue by providing my elegant solution!

    Side note: my friend just asked me why he couldn't TRACERT anything. He was talking to me through our enterprise IM client while on VPN to our network. I asked if he was on the VPN at the time of the attempt, and he said he had disconnected first, thinking that was the cause. I suggested to him that he might be hitting the same issue I have, in that the VPN is somehow corrupting his TCP stack or something. I asked him to disconnect from the VPN once again and bounce his NIC, and lo and behold, he could tracert once more.

    Is this issue documented anywhere? Are there patches?

    TIA,

    MCDONAMW

    What version of AnyConnect are you testing with? This could be related to bug CSCsz12568, which was fixed in the 2.4 client and later. What you can do is capture a snapshot of the Windows routing table before connecting, once connected, after disconnecting and then again later, to see whether there are any strange routes that may be misdirecting traffic.

  • Cisco 881 - Access Gateway VPN session

    Good day,

    I configured my Cisco 881 and finally got past the "can't see my network" IPsec VPN issue.

    I have a use case where I need to access the gateway of the VPN session.

    When I connect to the VPN using Cisco VPN Client 4.8.x, I do not get a default gateway on the VPN adapter. When I try to ping my LAN gateway IP (10.20.30.1), it does not work, and I cannot access it with other tools.

    I am sure it is an ACL issue and it makes sense to hide the default gateway, but the big question is how to configure my router so that I can see the gateway and access it from the VPN session?

    Please see my attached cleaned-up configuration.

    Network Info:

    • Internet service provider gateway: 192.168.68.1
    • DNS: 192.168.2.1
    • Cisco 881 WAN address: 192.168.68.222
    • Cisco 881 LAN address: 10.20.30.1
    • DHCP for LAN on Cisco 881: 10.20.30.10 - 10.20.30.50
    • DHCP for IPsec VPN: 10.20.40.10 - 10.20.40.50

    Thank you in advance for your help!

    Kind regards

    -JsD

    Please kindly mark this post as answered so that others facing the same issue can follow the workaround solution provided, according to your final configuration.

    Great update and explanation btw. Thank you for that.

  • How to limit maximum SSL VPN sessions by group policy on ASA5510?

    How to limit maximum SSL VPN sessions by group policy on ASA5510?

    Any ideas?

    There are 2 group policies: in one a maximum of 10 connections, in the second 15 (total SSL VPN licenses: 25 connections).

    Hi Anton,

    It is an interesting question.

    Please check the following options, depending on your scenario:

    vpn-simultaneous-logins

    To configure the number of simultaneous connections allowed for a user, use the vpn-simultaneous-logins command in group-policy configuration or username configuration mode. To remove the attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

    vpn-simultaneous-logins {integer}

    no vpn-simultaneous-logins

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/uz.html#wp1664777

    There is a global command; although it may not be useful, I wanted to share it with you:

    vpn-sessiondb max-session-limit

    --> To specify the maximum VPN session limit.

    Best option:

    What you can do is create an IP pool of 10 IP addresses for one and 15 for the other; this way you allow only 10 and 15 connections respectively.

    ip local pool only_10 192.168.1.1-192.168.1.10

    ip local pool only_15 192.168.2.1-192.168.2.15

    Then,

    group-policy only_10 attributes

     address-pools value only_10

    !

    group-policy only_15 attributes

     address-pools value only_15

  • How many max VPN sessions does my ASA have?

    This is the VPN part of my ASA 5512 show version output

    "Other VPN Peers: 250" means that I can use 250 IPsec sessions? Can I still use a max of 250 Cisco AnyConnect Secure Mobility Client sessions?
    "Total VPN Peers: 250" means that I can use 2 AnyConnect Premium + 248 IPsec, or 250 IPsec sessions at the same time?

    "AnyConnect for Mobile: Disabled" means I cannot use AnyConnect Secure Mobility Client (smartphone apps) to connect to the ASA by AnyConnect SSL? Can I use AnyConnect Secure Mobility Client (smartphone apps) to connect to the ASA by IPsec?

    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited perpetual
    Maximum VLANs : 100 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Active perpetual
    Encryption-DES : Enabled perpetual
    Encryption-3DES-AES : Enabled perpetual
    Security Contexts : 2 perpetual
    GTP/GPRS : Disabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 250 perpetual
    Total VPN Peers : 250 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual
    IPS Module : Disabled perpetual
    Cluster : Disabled perpetual

    THX

    Hello!

    The ASA 5512 can hold up to 250 concurrent VPN sessions of any type: IPsec site-to-site, IPsec remote access, AnyConnect SSL VPN, IPsec IKEv2, or even clientless VPN.

    This means you can use 2 AnyConnect Premium + 248 IPsec site-to-site VPNs. Or, for example, 200 simultaneous IPsec site-to-site VPNs + 25 client VPNs (IPsec IKEv1) + 25 AnyConnect VPNs (SSL or IPsec IKEv2). But not more than 250 in total at the same time.

    "AnyConnect for Mobile" is now obsolete. The AnyConnect licensing scheme was changed in early 2015. You can see the new scheme here:

    http://www.Cisco.com/c/dam/en/us/products/security/AnyConnect-og.PDF

    With the new scheme, if you need to connect mobile devices (iOS, Android and so on) using the AnyConnect client, you just need to have an AnyConnect Plus license for the necessary number of users/devices. The AnyConnect Plus license unlocks the following lines in the show version output:

    AnyConnect Premium Peers : 250 perpetual
    AnyConnect for Mobile : Enabled perpetual
    AnyConnect for Cisco VPN Phone : Enabled perpetual
    Advanced Endpoint Assessment : Enabled perpetual

    But, despite the output "AnyConnect Premium Peers : 250 perpetual", you will only be entitled to use no more than the amount ordered... If you need advanced features, for example Suite B cryptography or clientless VPN, you must order AnyConnect Apex licenses for the number of users/devices needed. For the ASA 5512, you need to order AnyConnect Plus or Apex licenses, but for no more than 250 users, because the ASA 5512 cannot handle more than 250 simultaneous connections. If you want to use the AnyConnect client for mobile devices and you use IPsec IKEv2 for VPN, you will also need to order AnyConnect Plus or Apex licenses. I hope this helps.

  • Log entries with false IP addresses in VPN sessions

    I noticed a very strange problem on an ASA 5520 running version 9.1(1). Whenever a VPN user disconnects (or times out or gets forcibly disconnected), a log entry refers to an IP address that is not the user's IP address. Here is one of the examples, where the IP address 196.95.116.118 is logged:

    -SNIP-

    Mar 28 2014 13:37:45: %ASA-4-113019: Group = , Username = , IP = 196.95.116.118, Session disconnected. Session Type: IKEv1, Duration: 0:00:05:00, Bytes xmt: 59216, Bytes rcv: 123329, Reason: User Requested

    -SNIP-

    So far, I have captured about 7 of these IP addresses, and they all match the pattern x.x.116.118. This is the list:

    24.80.116.118
    60.57.116.118
    84.104.116.118
    164.78.116.118
    180.18.116.118
    196.95.116.118
    202.89.116.118

    None of them are related to any of my clients or the company itself. In addition, they do not belong to my ISP. Through all of this, the VPN and ASA functions are not affected. Does anyone have knowledge or an idea of where these addresses come from and why they have this strange pattern?

    Hello

    This is related to a bug: https://tools.cisco.com/bugsearch/bug/CSCub72545/?reffering_site=dumpcr

    Hope it will be useful.

    Kind regards

    Shetty
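    As an added example (not from this thread or Cisco), the Python below parses %ASA-4-113019 disconnect messages in the format quoted above, tallies them by Session Type (the IKEv1/IPSecOverNatT/AnyConnect distinction asked about at the top of the page), and flags logged addresses that share the same last two octets across unrelated /16s, which is the pattern the poster spotted by hand. The log lines are constructed for the demo.

```python
"""
Added example: structured parsing of %ASA-4-113019 session-disconnect lines,
a per-Session-Type tally, and a check for the x.x.116.118 style of
repeating address tail. All log lines below are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the message quoted in the thread.
SAMPLE_LOG = """\
Mar 28 2014 13:37:45: %ASA-4-113019: Group = vpngroup, Username = alice, IP = 196.95.116.118, Session disconnected. Session Type: IKEv1, Duration: 0h:05m:00s, Bytes xmt: 59216, Bytes rcv: 123329, Reason: User Requested
Mar 28 2014 13:41:02: %ASA-4-113019: Group = vpngroup, Username = bob, IP = 203.0.113.7, Session disconnected. Session Type: IPSecOverNatT, Duration: 1h:02m:10s, Bytes xmt: 10, Bytes rcv: 20, Reason: Idle Timeout
Mar 28 2014 13:50:11: %ASA-4-113019: Group = vpngroup, Username = carol, IP = 24.80.116.118, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Mar 28 2014 14:02:39: %ASA-4-113019: Group = vpngroup, Username = dave, IP = 203.0.113.9, Session disconnected. Session Type: AnyConnect-Parent, Duration: 2h:15m:04s, Bytes xmt: 999, Bytes rcv: 888, Reason: User Requested
Mar 28 2014 14:03:00: %ASA-6-302014: Teardown TCP connection 12345 (unrelated line, skipped)
"""

LINE_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), Session disconnected\. "
    r"Session Type: (?P<type>[^,]+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)


def parse_113019(text: str) -> list:
    """Turn each 113019 line into a dict; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "group": d["group"].strip(), "user": d["user"].strip(), "ip": d["ip"],
            "type": d["type"].strip(),
            "seconds": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
            "xmt": int(d["xmt"]), "rcv": int(d["rcv"]), "reason": d["reason"].strip(),
        })
    return records


def sessions_by_type(records: list) -> dict:
    """Count disconnects per Session Type (IKEv1, IPSecOverNatT, AnyConnect...)."""
    counts = defaultdict(int)
    for r in records:
        counts[r["type"]] += 1
    return dict(counts)


def suspicious_tail_pattern(records: list, min_prefixes: int = 2) -> dict:
    """Group logged IPs by their last two octets and return the tails seen
    under several different first-two-octet prefixes. Real peers rarely share
    an identical tail across unrelated /16s, so such entries deserve a check
    against the connect-time address before anyone acts on them."""
    tails = defaultdict(set)
    for r in records:
        a, b, c, d = r["ip"].split(".")
        tails[f"{c}.{d}"].add(f"{a}.{b}")
    return {tail: sorted(prefixes) for tail, prefixes in tails.items()
            if len(prefixes) >= min_prefixes}
```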

  • History of VPN Session

    Hi all

    I need to view the IPsec VPN connection history using ASDM.

    In ASDM, there is an option under VPN monitoring that displays the VPN connections, but only the VPN connections in real time. What I need is all the logons.

    Thanks in advance

    Hello

    There is no option to check the VPN history on ASDM.

    You can only check previous VPN session info in the syslogs of the ASA.

    Kind regards

    Aditya

    Please rate useful posts and mark the correct answers.
