Cisco VPN :: ASA5520 - IPSec L2L VPN Remote Peer Is Being Denied
Mar 18, 2012
We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected; when we configure the second VPN to match the first, the tunnel never begins to establish. There is an ACL that is denying the static IP of our remote office.
The layout is as follows:
Main office = ASA 5520
Remote Office A = ASA (Unknown Model)
Remote Office B = Adtran Router
All devices have static IP addresses.
We used the ASDM VPN wizard to create both VPNs.
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
We have verified that both sides are configured the same; however, the VPN is never initiated, so as of right now the ASA is simply blocking all attempts from our remote office to connect.
I've been using an ASA 5505 -- ASA 9.1(1) -- with an IPSec Remote Access VPN. Everything works properly, though I recently noticed that when my IPSec session is disconnected, I get the standard message ID 113019, but within that message the Peer IP address is incorrect. In fact, it isn't even close to my actual remote address. [code]
When I first researched the IP, I found it coming from China, which freaked me out. I changed settings, rolled back to 9.0(1), and nothing worked. Finally I rebooted, reconnected the VPN, and the IP changed. This time it was an address from RIPE NIC. I rebooted again, now an address from ARIN in the USA. One more reboot, now a random Comcast residential address.
Within that boot cycle, the peer address always stays the same. I've connected from different devices, different IPs, different ISPs - nothing matters. Additionally, there are no firewall logs for these IP addresses at all.
ASA Remote Access VPN peer addresses in disconnect message are incorrect and change at reboot.
Any way of narrowing down a debug for a peer address only? For example, I currently run 'debug crypto isakmp 127', which captures everything, but can I run the same VPN debug for peer address 1.1.1.1? I know you can run 'sh crypto ipsec sa peer 1.1.1.1'. We're using an ASA5520 (8.4.2).
I have an ASA 5520 with multiple site-to-site VPNs. A remote customer has changed their public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without having to put the pre-shared key in again, as we don't know what it is and they don't manage their firewall?
I am unable to VPN to my network from outside using the Cisco VPN client to a PIX-515E. When I try, it says: Reason 412: the remote peer is no longer responding. From inside everything works OK, I can connect... (same computer, same settings...)
I am trying to establish a site-to-site VPN between two Cisco routers (2951s). I am using the below config on both routers. One router has an interface with a public IP assigned to it; the other uses a private IP and is NATed by our ASA outbound.
If I remove the tunnel protection ipsec profile command from the tunnel interface, the tunnel comes up no problem and I can ping both ends of the tunnel. But as soon as I apply the tunnel protection on the tunnel interface, it dies. Both sides of the tunnel show up, but no pings are allowed, and I see in the debugs that for some reason the routers don't think the pre-shared keys are configured properly. I have gone as far as making the ISAKMP keys very simple, and I know there is something I'm missing here.
On the ASA I'm allowing ESP (protocol 50) and ISAKMP (UDP 500) in both directions (in and out of the firewall). I am also allowing UDP NAT-T (4500) just in case. I don't see anything on the firewall being blocked, but I can't be certain that isn't causing the problem. What could I be missing here?
I have an ASR 1002. Behind that and across another small MAN network (considered inside) I have an ASA. On the remote end, I have a simple 2811.
I need to create a VPN peer from the remote router to both the ASR (to hand off traffic there) and also a peer at the ASA (to encrypt across the MAN). The ASR1002 has the serial connection (DS3) to our MPLS cloud, which the remote is on the opposite side of.
So basically, I've created a single isakmp policy with two crypto maps by the same name but set to different peers, placed them on the remote router and applied it to the serial interface. This works fine. Now I throw in the ASA, which is behind the ASR. However, the connection still comes through that ASR to get to the ASA. After setting it up, it works as long as I don't have the crypto map applied to the ASR. If I apply the crypto map to the so interface of the ASR, my ASA VPN connection stops working. It almost seems as if the crypto map on the ASR is grabbing my encrypted traffic destined for xx.xxx.24.14 and trying to do something with it. [code]
Why can't I peer from my remote router to both the ASA and the ASR on the opposite end of the serial link?
We have two ASA 5500 series firewalls running 8.4(1). One in New York, another in Atlanta. They are configured identically for simple IPsec v1 remote access for clients. Authentication is performed by a RADIUS server local to each site.
There are multiple IPsec site-to-site tunnels on these ASAs as well, but those are not affected by the issues we're having. First, let me start with the famous last words: NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/password, then nothing until it times out. The same users going to the NY ASA are fine. After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter on their client machine, they will get stuck trying to log in to Atlanta. These same clients will get into the New York ASA with no problems using wired or wireless connections. Windows 7 clients use the Shrew Soft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same credentials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address, right? Again, this is beyond my scope of knowledge. We've rebuilt and moved the RADIUS server to another host in Atlanta in our attempts to troubleshoot, to no avail. We've also rebooted the Atlanta firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/RADIUS server was rejecting us, but it shows the same reject message for the working connection. Again, both Mac and Windows clients show the same sequence. Where the connection fails is the "IKE Phase 1" process.
-------------------------------------------------------------------------------------------------------------------------
WORKING CONNECTION
-------------------------------------------------------------------------------------------------------------------------
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users, and I am currently looking into Cisco AnyConnect in comparison to using the VPN client.
I have a couple of questions
1) Does Cisco AnyConnect make use of IPsec, or is it solely SSL VPN based?
2) From the license information I have below in my ASA, I understand that I can have a maximum of 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
[Code]....
3) When trying to set up Cisco AnyConnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images; however, when I did this by uploading the .dmg file for Mac machines, I got the error message "not a valid SVC image". Is this because I am running 8.2?
I am working on Wi-Fi networks (ISP), so I need to block peer-to-peer on my network. My network involves Cisco 2950/2960 switches, Cisco 2800 routers and access points. For peer-to-peer blocking, do I need to configure the switches or the router? My basic network setup is: the Internet passes from the router to the switch and then to the access points.
I see that application protection - blocking peer-to-peer file sharing traffic - is a capability of Cisco IOS Firewall. How do I configure my Cisco 2911 ISR to block peer-to-peer file sharing traffic?
With a customer we have a site-to-site VPN connection. In this tunnel there is one subnet routed with 3DES-SHA encryption/hash. Now they want to add a new subnet in this tunnel, but with AES-128/MD5 encryption/hash. Is it correct if we make a new crypto map with a higher seq. number?
We have an ASA 5520 running 8.2(3) software, and we're trying to get Remote Access VPN (L2TP/IPsec) working from Android. We succeeded in making the IPsec tunnel (ending "Phase 2 completed"), but we cannot make the L2TP tunnel work. We're using RADIUS for L2TP authentication, but the ASA doesn't even try to check the credentials entered by the user. The same set of credentials entered on Windows {XP, Vista, 7, Mobile} works OK. Which debugging options should we turn on?
I am using an ASA 5520 running 8.2(4). My objective is to get a VPN client to access more than one network on the inside of the network, i.e., I need to VPN in with an IPsec client and be able to establish TCP connections to servers at 192.168.210.x, 10.21.9.x and 10.21.3.x. I believe I am close to having this resolved, but seem to have a routing issue.
We have an ASA5520 configured with an IPsec VPN. From any ADSL home/office our VPN clients can connect without any problem, but when we use our cellular phones in tethering mode (as an access point) our VPN clients cannot connect. Same machines, same software, same operating system, same remote IP (ASA5520 external IP); the only change is the Wi-Fi connection (ADSL to cellular phone). The signal of the cellular phones is not the problem; we were doing the tests with different phones (iPhone & Android), different locations (all in Spain) and different providers (Vodafone, Orange and Movistar) of Internet by cellular phone. We think that perhaps the problem is the licenses that our ASA5520 has.
Our ASA5520 comes with these licenses:
------------------------------------------------------------------------------------------
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
I have an existing ASA5520 which is already working with remote clients using the Cisco VPN client configured with IPsec over TCP. I am now trying to get VPN access for iPhones working and am having a problem where, once connected, the iPhone cannot ping any internal device. The configuration on the iPhone does not allow for IPsec over TCP and therefore uses UDP 500 by default. If I create a new profile from a PC and do not use IPsec over TCP, it has the same issue where it establishes a VPN tunnel but cannot ping any internal device; as soon as I change the profile to IPsec over TCP it works fine.
I bought my WAG320N, and I too have the Internet drop out, which from reading in here is a very common problem. Cisco really should bring out a new firmware version and address this issue. Is there any way you can block peer-to-peer file sharing with the WAG320N? If so, how do you go about it?
One of the schools whose networks I administer has a peer-to-peer network running about 30 XP machines. DHCP is provided and DNS settings distributed via a basic Linksys router; is there any way of distributing the proxy server address and port short of entering them manually in the LAN settings of IE on every terminal? There is no budget to install a server.
I configured a remote VPN on a Cisco ASA 5520 and everything seems to be working fine; DHCP IPs are being leased to users that connect to the VPN. But the issue now is that our customer wants a static IP to be given to a particular user when he connects via VPN.
I have roughly 50 users that are remote and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.
I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely. Is this possible?
Best way to migrate to a new pool for remote access DHCP address assignment? We are currently using a /24 pool, allowing us 253 IP addresses. During the recent hurricane we hit 250 IP addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution. I'd like to expand our current VPN subnet to a /23; however, I do not have a free /24 subnet above (or below) our current /24 subnet.
I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool? We are running ASA Version 8.2(1).
In our VPN configuration (ASA5520, AnyConnect VPN client), we have different VPN user groups. These group policies are retrieved from an LDAP server. We'd like to restrict the access like this:
A Group "Home User" might establish a VPN from anywhere on the Internet
A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public source IP address on the Internet (the public IP address of this 3rd party company). When these users try to connect from any other IP address on the Internet (home, hotel, etc.), VPN access should not work!
On our old solution, we were able to limit the remote access network, per user group, to some source IP's.
The IP filters related to group policies here seem only to be filters concerning the VPN address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists where you can define/restrict public access networks for some groups. Or is it possible to do that by Dynamic Access Policies? How?
I have an ASA 5510 active/standby and created one site-to-site VPN with remote peer IP address xx.xx.xx.xx. Our VPN traffic is running on a 6 Mb Internet link for video conferencing traffic. Now the client has given another 2 Mb Internet link and told us our data traffic is running on the 2 Mb link, but this data traffic is running to the same remote peer IP xx.xx.xx.xx.
Secondly, they also request failover over the ISP link.
We have an Active/Active ASA 5520 setup. As I know, in an Active/Active setup there is no remote VPN access, so how could I overcome this limitation? I have a solution but I don't know if it is applicable or not: we have a spare ASA 5510, so I can use it behind the Active/Active firewalls, assign a public static NAT IP address to it, open all IPsec and VPN ports and let the remote users connect to it. Is this an applicable setup or not?
Our customer has an ASA5520 security appliance. I have already configured the remote VPN on the ASA; users can log on via the Internet with the VPN client and can access the internal network. The customer hopes we can make some configuration so that if a remote user logs on to the ASA by VPN, it notifies them by email that someone has logged in to their VPN.
I want to prevent guests from doing peer-to-peer communication on my Guest (5508) controllers. Is this a feature on the WLC, or only by applying an ACL on the router interface?
How can I NAT the same set of four hosts and give them access to two different networks across an IPsec site-to-site VPN tunnel? I'm using an ASA5520 running 8.04.