Cisco VPN :: All Remote Wireless IPSec Remote Clients Fail Connecting To ASA 5500
Sep 12, 2012
We have two ASA 5500 series Firewalls running 8.4(1). One in New York, another in Atlanta.They are configured identically for simple IPSecV1 remote access for clients. Authentication is performed by an Radius server local to each site.
There are multiple IPSec Site-to-Site tunnels on these ASA's as well but those are not affected by the issues we're having.First, let me start with the famous last words, NOTHING WAS CHANGED.
All of a sudden, we were getting reports of remote users to the Atlanta ASA timing out when trying to bring up the tunnel. They would get prompted for their ID/Password, then nothing until it times out.Sames users going to the NY ASA are fine.After extensive troubleshooting, here is what I've discovered. Remote clients will authenticate fine to the Atlanta Firewall ONLY IF THEY ARE USING A WIRED CONNECTION.
If they are using the wireless adapter for their client machine, they will get stuck trying to login to Atlanta.These same clients will get into the New York ASA with no problems using wired or wireless connections.Windows 7 clients use the Shrewsoft VPN client and Mac clients use the Cisco VPN client. They BOTH BEHAVE the same way and fail to connect to the Atlanta ASA if they use their wireless adapter to initiate the connection.
Using myself as an example.
1. On my home Win 7 laptop using wireless, I can connect to the NY ASA with no issues.
2. The same creditials USED to work for Atlanta as well but have now stopped working. I get stuck until it times out.
3. I run a wire from my laptop to the FiOS router, then try again using the same credentials to Atlanta and I get RIGHT IN.
This makes absolutely no sense to me. Why would the far end of the cloud care if I have a wired or wireless network adapter? I should just be an IP address right? Again, this is beyond my scope of knowledge.We've rebuilt and moved the Radius server to another host in Atlanta in our attempts to troubleshoot to no avail. We've also rebooted the Atlanta Firewall and nothing changed.
We've tried all sorts of remote client combinations. Wireless Internet access points from different carriers (Clear, Verizon, Sprint) all exhibit the same behavior. Once I plug the laptops into a wired connection, BAM, they work connecting to Atlanta. The New York ASA is fine for wired and wireless connections. Same with some other remote office locations that we have.
Below I've detailed the syslog sequence on the Atlanta ASA for both a working wired remote connection and a failed wireless connection. At first we thought the AAA/Radius server was rejecting us but is shows the same reject message for the working connection. Again, both MAC and Windows clients show the same sequence.Where the connection fails is the "IKE Phase 1" process.
%ASA-6-713172: Automatic NAT Detection Status: Remote end is|is not behind a NAT device This end is|is not behind a NAT device
NAT-Traversal auto-detected NAT.
%ASA-6-113004: AAA user aaa_type Successful: server = server_IP_address, User = user
%ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
We are configured the Remote IPSec VPN on cisco 1800 series router.The Clients are able to login to VPN and access the local corporate network Servers . But VPN Clients are not able to communicate with other VPN clients using their VPN Adapter IP.
Components used : CISCO VPN Client 5.7 Router 1800 Series
I have a existing wireless setup of 4400 WLC with some AP's connected remotely,now i am migrating the whole setup to the new WLC 5500. All the AP has been registered to the new WLC 5500 except the remote location AP's.As there was no option of giving IP address in GUI of the controller in 4400 WLC, i have changed the controller name and restarted the AP, but even though it is going back to the old controller.
We have a problem with an existing L2L VPN connection. The connection has to this day served only connections originating in one direction. Meaning only one end initiates the connections. This has worked normally so far. Now the third party behind the L2L VPN also wants to access some resources trough the L2L VPN and because of that also initiates the connections. This is where we face our problem.
For some reason the remote end cant bring up the L2L VPN where as we can (and the second party in our end of course). The connection was originally on a Cisco 6509 WS-SVC-IPSEC-1 module. For the tests in new equipment we moved the connection to a Cisco 7609 with SPA-IPSEC-2G module. The remote end uses Checkpoint FW1 R70 (or something like that. I'm not familiar with Checkpoints) With both equipment the problem remains. We did the tests today and i took some debug messages on our end with "debug crypto isakmp" and "debug crypto isakmp error" enabled. I also enable the "debug crypto condition peer ipv4 x.x.x.x" for the debugs as there are several other connections on the same device. This is what the debug shows (Remote end IP replaced with x.x.x.x):
Jun 1 2011 07:20:58.062 UTC: ISAKMP: local port 500, remote port 500Jun 1 2011 07:20:58.062 UTC: insert sa successfully sa = 207E7B00Jun 1 2011 07:20:58.062 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCHJun 1 2011 07:20:58.062 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1 [code].....
To my eye it seems that the attributes/parameters for Phase 1 are OK on both ends (have to be since the connection forms normally when the traffic is initiated from our side) but somewhere along the way the negotiations stop because our end gets a malformed packet during the negotiations? Does this mean the remote end is somehow faulty? Is there some compatibility problem with the VPN devices in question? or its the sign of some known problem with VPN connections? So far I have not found any explanation to what is causing this.
While trying to connect to WiFi at remote sites APs, the connection is getting time out.User are getting error as 'Unable to connect to <WiFi-SSID>' The APs at corporate office are functioning properly and user are able to connect to the APs.
I am having the peculiar issue in our ASA5500 firewall (version 8.2(5) ), where the remote access vpn is getting issue, I am unable to ping the internal resource for sometime, however without any modification the problem gets resolves.
During the issue we can see Tx count 0
Username : xxxxxx Index : 3147 Assigned IP : 172.17.254.24 Public IP : 14.99.x.x Protocol : IKE IPsec License : IPsec Encryption : 3DES AES128 Hashing : SHA1 Bytes Tx : 0 Bytes Rx : 8764 Group Policy : EMP-VPN Tunnel Group : EMP-VPN Login Time : 15:07:51 IST Fri Oct 12 2012 Duration : 0h:06m:34s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A VLAN : none
I just purchased 5 RV220W to act as internet/wireless router at a remote site. There is no VPN, just LAN and Wireless routing to the internet.I have setup remote management and it works fine when I am directly connected to the internet. However, everytime I try to connect through our HTTP/HTTPs proxy farm, it usually fails. Specificially, I get the log-in page and can log in. It starts to render the landing page but redirects to a page stating "Your session has been terminated." On rare instances the first page will appear, however within a few clicks I end up with the same terminated page.
As a test, I bypassed the farm and forced my browser to use one proxy exclusively. At that point I could access the HTTPS interface with no issue. I have not had any issues with other SSL sites with the proxy configuration in use.Is there some sort of MITM prevention I could be running into? If so, can it be turned off.I am new to the RV-series of routers. Is there any logging I could turn on that would provide insight on why the session may be getting terminated?
I've some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). On the HQ I've an ASA5510 (v8.4.5) with multiple NEM's connected to it. The group policy used on the HQ is configured for split tunneling. Now here's the problem;
The remote ASA (NEM) constructs easily a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts brings me into trouble, there is no traffic flowing through the tunnel at all!
When using the command "show crypto ipsec sa | i caps|ident|spi” I can see all of the tunneled subnets. The subnets that works perfecly gives me the correct "local and remote ident" output. The subnets with problems gives me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the ouside interface (of the remote NEM). How is this posible?
Here's is the crypto ipsec sa output:
Result of the command: "show crypto ipsec sa | i caps|ident|spi"
local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM) remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ) #pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712 #pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 current outbound spi: A4FA947A
Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP , if so how ? here I am not talking about the VPN-Filter under group-policy . I Want to restrict the access from specified source IP (Public IP)
I am using Cisco 2911 router , i configured remote client in that . i need to provide the static ip to the remote users instead of providing from the dhcp pool. is it possible? if it is how we can do that.
On wireless (lenovo tabletx61) I cannot connect through the intranet - no problem connecting through internet. When I manage to connect through intranet connection is dropped quite often.No problem connecting via Ethernet cables.
I am trying to understand how to remote control a clients computer through the internet.
I have Symatec PCanywhere installed on both When i'm on the same connection (wireless internet).I can get it to work no problem.However when I try to remote in using a different internet connection it does not go through.
I've done some research and found out that instead of using the IP address it gives me (dynamically) [192.168.2.5] i need to aquire the WAN IP address from a website or through the router. As well as configuring virtual server through the router, and enable port forwarding in some way or another for specific ports.
We have remote VPN setup with Cisco ASA 5510. By using VPN filter, I can follow the guide and make client to use all necessary server services. (dns, ssh etc). However, is there any way that allow inside server access remote VPN client's services, ex. let inside server ssh to remote VPN client? Consider remote access VPN filter ACL's syntax, I have to always let source be the "remote VPN client PC", the dest is "inside firewall server", how can I let the other way traffice going?
site A : ASA 5510 VPN gateway for remote users LAN 192.168.192.0/22 site B : ASA 5505 LAN 192.168.208.0/22
Both sites are connected through a site to site VPN.Remote clients (AnyConnect/VPN client) can connect to Site A LAN and see machines on LAN A but cannot see Site B LAN.
Here is a part of my configuration :
On Site A (ASA 5510) -------------------------------- name 192.168.192.0 SiteA_Internal_Network name 192.168.208.0 SiteB_Internal_Network name 192.168.133.0 VPNPool_AnyConnect name 192.168.133.32 VPNPool_VpnClient
I have an ASA 5520 8.2(3) and allowing my remote client-to-site-vpn clients to access resources directly connected to my ASA on separate lower security interfaces (not the outside) besides just clients on my internal networks. Someone mentioned to me configuring 'VPN on a stick' however from what I've read this seems to be only applicable when it comes to split-tunneling back out the outside interface (could be off on that). Is this possible on other lower security interfaces as well, and if so what would a mock config that accomplishes that look like (acl's, nat, etc)? Also, if I want internal users to be able to connect to these remote clients once they are active, are there any nat statements necessary (such as nonatting them) or are the vpn clients just seen as internal clients from the rest of the internal network's standpoint by default?
i want to create Remote IP Sec VPN on Cisco ASA5510.Problem is this 5510ASA is behind another 5520ASA and it dont have any public IP address on any of 5510 interface.if i do static NAT of ASA 5510 Private IP on internet facing 5520 IP Public POOL, then will VPN work on 5510 ASA? and what ports need to forward on 5520 for 5510 to become IPSEC VPN head end
I am setting up a new remote access VPN using the traditional IPSec client via ASA 5515-X runnning OS 8.6.1(5). We require to provide each client multiple DNS suffixes, but are only to provide a single DNS suffix in the group policy.I have tested using an external DHCP server, but using our Windows Server 2008 infrastructure and Option 119 the list is not provided to clients, and I have read that Windows 7 clients may ignore this option anyway.
I have a RV082 and several of my remote laptops cannot access my server using its domain name. It can be accessed using its internal ip address. The issue is that you can log onto the server using remote access and the ip however you cannot use any shortcuts using the domain name. You can see the server with the domin name however no access path is available. This is only on a few remote user laptops. Others work perfectly.
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no invlovement with. I have set it up the VPN using the wizard, they way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. Thay can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable. [code]
We have a 5508 with 188.8.131.52 vor Internal APs and OEAPs. till now every thing is ok. Now we have to connect an AP (local) in a remote office, connected to the WLC by a VPN Tunnel. The problem is that the AP in the remote office uses the NAT Address to connect to the WLC, so the traffic goes over the Internet, not trough the VPN Tunnel. On the controller I have the following setting:
AP Discovery - NAT IP Only ................. Disabled On the AP: AP Link Latency.................................. Disabled
How to force the AP to use the internal IP Address of the WLC?
I have Cisco ASA 5505 and i want to create vpn remote access ...l
so i created and connected to the vpn ...my problem is to reach my Local connection of 192.168.1.0 /24 i put the WAN Connection in the FA0/0 and put my LOCAL AREA CONNECITON into FA0/1 .. so how i can route or translate my connection , and using cisco ASDM 6.1 in GUI ,,,
I have a Cisco ASA 5512 device. I'm using both clientless SSL vpn. And also IPSEC which is used for our external users who connect using an IPAD and then a remote client to remote desktop into our terminal server.I created the connection using the IPSEC wizard in the ASDM software. Usually the connection works fine, but intermittently it fails to allow the user to connect using RDP.I'm able to initiate the VPN connection, and it says connected and can confirm the connection is up, however when trying to connect to the RDP server, it eventually times out. It was working fine most of the time as I say, however now I can't connect at-all.I've viewed the lgo as I try and connect and can see that my evice tries to initiate the connection, but can't quite figure out what it's trying to do. If I look at the connection in the monitoring page it says that its connected. But it's RX traffic has a value, but the TX value is 0.The interesting thing is, I can't connect, but at present have a user that is connected fine and working properly.
I configured my cisco client with the info from the vpn wizard and get the following error :
error in the cisco vpn client when enabling the log : Invalid SPI size (log) + reason 412 the remote peer is no longer responding (application) message I see via the ASDM-IDM : Built inbound UDP connection for interface WAN
I'll explain briefly what I'm trying to do here :
* Remote vpn with windows users having cisco clients * Group authentication and in the asa5510 LOCAL authentication
My WAN interface contains a public ip/29 I also defined a LAN interface with security level 100 in 10.0.60.0 255.255.252.0 range the vpn dhcp range I want to attribute to vpn users : 10.0.69.0/24
Basically I want users to initiate the vpn tunnel to the public IP and be able only to access the LAN range with the 10.0.60.0/22 range
ASA Version 8.2(5) ! hostname xxxx domain-name xxxx
Im facing with some DHCP lease issue and its like this,Our Cisco 2951 edge router is configured with local dhcp pool for a set of remote users when they connect through Cisco VPN which was working fine until we planned to change it to a Windows box that is configured for DHCP.The basic idea now is to relay the DHCP requests that are coming from the remote clients through Cisco VPN to the DHCP Windows server. So we added the scope on the server and changed the client config on the router as follows (highlighted is the dhcp relay config). [code]
I've got a Cisco 1941 setup working fine for Cisco Anyconnect. Clients can connect to local resources fine. The issue I have is I need the remote clients to access a third party IP address but to do so they must do it through the VPN. At the moment only local resources are accessed across the vpn and if they need internet they use their own internet connection they are connecting with.I've added the below to make sure traffic going to the IP is going across the VPN.