It didn't help. Same issue again.
Here is the output:
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR
(13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 853
%ASA-7-715047: IP = x.x.x.x, processing SA payload
%ASA-7-715047: IP = x.x.x.x, processing ke payload
%ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload
%ASA-7-715047: IP = x.x.x.x, processing nonce payload
%ASA-7-715047: IP = x.x.x.x, processing ID payload
%ASA-7-715047: IP = x.x.x.x, processing VID payload
%ASA-7-715049: IP = x.x.x.x, Received xauth V6 VID
%ASA-7-715047: IP = x.x.x.x, processing VID payload
%ASA-7-715049: IP = x.x.x.x, Received DPD VID
%ASA-7-715047: IP = x.x.x.x, processing VID payload
%ASA-7-715049: IP = x.x.x.x, Received Fragmentation VID
%ASA-7-715064: IP = x.x.x.x, IKE Peer included IKE fragmentation
capability flags: Main Mode: True Aggressive Mode: False
%ASA-7-715047: IP = x.x.x.x, processing VID payload
%ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = x.x.x.x, processing VID payload
%ASA-7-715049: IP = x.x.x.x, Received Cisco Unity client VID
%ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group xxxxxxxxxxxxx
%ASA-7-715047: Group = GROUP1, IP = x.x.x.x, processing IKE SA payload
%ASA-7-715028: Group = GROUP1, IP = x.x.x.x, IKE SA Proposal # 1,
Transform # 1 acceptable Matches global IKE entry # 1
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing ISAKMP SA payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing ke payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing nonce payload
%ASA-7-713906: Group = GROUP1, IP = x.x.x.x, Generating keys for Responder...
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing ID payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing hash payload
%ASA-7-715076: Group = GROUP1, IP = x.x.x.x, Computing hash for ISAKMP
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing Cisco Unity
VID payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing xauth V6 VID payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing dpd vid payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing
Fragmentation VID + extended capabilities payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing VID payload
%ASA-7-715048: Group = GROUP1, IP = x.x.x.x, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with
payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
NONE (0) total length : 401
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR
(13) + NONE (0) total length : 120
%ASA-7-715047: Group = GROUP1, IP = x.x.x.x, processing hash payload
%ASA-7-715076: Group = GROUP1, IP = x.x.x.x, Computing hash for ISAKMP
%ASA-7-715047: Group = GROUP1, IP = x.x.x.x, processing notify payload
%ASA-7-715047: Group = GROUP1, IP = x.x.x.x, processing VID payload
%ASA-7-715038: Group = GROUP1, IP = x.x.x.x, Processing IOS/PIX Vendor
ID payload (version: 1.0.0, capabilities: 00000408)
%ASA-7-715047: Group = GROUP1, IP = x.x.x.x, processing VID payload
%ASA-7-715049: Group = GROUP1, IP = x.x.x.x, Received Cisco Unity client VID
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing blank hash payload
%ASA-7-715046: Group = GROUP1, IP = x.x.x.x, constructing qm hash payload
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message
(msgid=3d05283d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 72
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message
(msgid=3d05283d) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 87
%ASA-7-715001: Group = GROUP1, IP = x.x.x.x, process_attr(): Enter!
%ASA-7-715001: Group = GROUP1, IP = x.x.x.x, Processing MODE_CFG Reply
attributes.
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: primary DNS = cleared
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: secondary DNS = cleared
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: primary WINS = cleared
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: secondary WINS = cleared
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: split tunneling list = NONAT
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: IP Compression = disabled
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: Split Tunneling Policy = Split Network
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: Browser Proxy Setting = no-modify
%ASA-7-715019: Group = GROUP1, Username = USER1, IP = x.x.x.x,
IKEGetUserAttributes: Browser Proxy Bypass Local = disable
%ASA-7-713052: Group = GROUP1, Username = USER1, IP = x.x.x.x, User
(USER1) authenticated.
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing blank hash payload
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing qm hash payload
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message
(msgid=92cfbb06) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 64
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message
(msgid=92cfbb06) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 60
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
process_attr(): Enter!
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Processing cfg ACK attributes
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message
(msgid=76c1f7f7) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 180
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
process_attr(): Enter!
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Processing cfg Request attributes
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for IPV4 address!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for IPV4 net mask!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for DNS server address!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for WINS server address!
%ASA-5-713130: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Received unsupported transaction mode attribute: 5
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Banner!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Save PW setting!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Default Domain Name!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Split Tunnel List!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Split DNS!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for PFS setting!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Client Browser Proxy Setting!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for backup ip-sec peer list!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Client Smartcard Removal Disconnect
Setting!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for Application Version!
%ASA-6-713184: Group = GROUP1, Username = USER1, IP = x.x.x.x, Client
Type: WinNT Client Application Version: 5.0.05.0290
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for FWTYPE!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for DHCP hostname for DDNS is: laptop!
%ASA-7-715053: Group = GROUP1, Username = USER1, IP = x.x.x.x,
MODE_CFG: Received request for UDP Port!
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Obtained IP addr (172.17.1.1) prior to initiating Mode Cfg (XAuth
enabled)
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, Sending
subnet mask (255.255.255.224) to remote client
%ASA-6-713228: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Assigned private IP address 172.17.1.1 to remote user
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing blank hash payload
%ASA-7-715055: Group = GROUP1, Username = USER1, IP = x.x.x.x, Send
Client Browser Proxy Attributes!
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x, Browser
Proxy set to No-Modify. Browser Proxy data will NOT be included in the
mode-cfg reply
%ASA-7-715055: Group = GROUP1, Username = USER1, IP = x.x.x.x, Send
Cisco Smartcard Removal Disconnect enable!!
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing qm hash payload
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message
(msgid=76c1f7f7) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0)
total length : 194
%ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = f31387ed
%ASA-7-715021: Group = GROUP1, Username = USER1, IP = x.x.x.x, Delay
Quick Mode processing, Cert/Trans Exch/RM DSID in progress
%ASA-7-715022: Group = GROUP1, Username = USER1, IP = x.x.x.x, Resume
Quick Mode processing, Cert/Trans Exch/RM DSID completed
%ASA-5-713119: Group = GROUP1, Username = USER1, IP = x.x.x.x, PHASE 1 COMPLETED
%ASA-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Starting P1 rekey timer: 41040 seconds.
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, sending
notify message
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing blank hash payload
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing qm hash payload
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message
(msgid=b555a543) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE
(0) total length : 88
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message
(msgid=f31387ed) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NONE (0) total length : 1026
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing hash payload
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing SA payload
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing nonce payload
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing ID payload
%ASA-7-714011: Group = GROUP1, Username = USER1, IP = x.x.x.x,
ID_IPV4_ADDR ID received
172.17.1.1
%ASA-7-713025: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Received remote Proxy Host data in ID Payload: Address 172.17.1.1,
Protocol 0, Port 0
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing ID payload
%ASA-7-714011: Group = GROUP1, Username = USER1, IP = x.x.x.x,
ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0,
Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, QM
IsRekeyed old sa not found by addr
%ASA-7-713066: Group = GROUP1, Username = USER1, IP = x.x.x.x, IKE
Remote Peer configured for crypto map: DM1
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing IPSec SA payload
%ASA-7-715027: Group = GROUP1, Username = USER1, IP = x.x.x.x, IPSec
SA Proposal # 6, Transform # 1 acceptable Matches global IPSec SA
entry # 10
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, IKE:
requesting SPI!
%ASA-7-715006: Group = GROUP1, Username = USER1, IP = x.x.x.x, IKE got
SPI from key engine: SPI = 0x28a4eeca
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, oakley
constucting quick mode
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing blank hash payload
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing IPSec SA payload
%ASA-5-713075: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800
seconds
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing IPSec nonce payload
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing proxy ID
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Transmitting Proxy Id:
Remote host: 172.17.1.1 Protocol 0 Port 0
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, Sending
RESPONDER LIFETIME notification to Initiator
%ASA-7-715046: Group = GROUP1, Username = USER1, IP = x.x.x.x,
constructing qm hash payload
%ASA-7-714005: Group = GROUP1, Username = USER1, IP = x.x.x.x, IKE
Responder sending 2nd QM pkt: msg id = f31387ed
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message
(msgid=f31387ed) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
+ ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
%ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message
(msgid=f31387ed) with payloads : HDR + HASH (8) + NONE (0) total
length : 52
%ASA-7-715047: Group = GROUP1, Username = USER1, IP = x.x.x.x,
processing hash payload
%ASA-7-713906: Group = GROUP1, Username = USER1, IP = x.x.x.x, loading
all IPSEC SAs
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Generating Quick Mode Key!
%ASA-7-715001: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xBA7BA967)
between y.y.y.y and x.x.x.x (user= USER1) has been created.
%ASA-5-713049: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Security negotiation complete for User (USER1) Responder, Inbound SPI
= 0x28a4eeca, Outbound SPI = 0xba7ba967
%ASA-7-715007: Group = GROUP1, Username = USER1, IP = x.x.x.x, IKE got
a KEY_ADD msg for SA: SPI = 0xba7ba967
%ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x28A4EECA)
between y.y.y.y and x.x.x.x (user= USER1) has been created.
%ASA-7-715077: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Pitcher: received KEY_UPDATE, spi 0x28a4eeca
%ASA-7-715080: Group = GROUP1, Username = USER1, IP = x.x.x.x,
Starting P2 rekey timer: 27360 seconds.
%ASA-7-713204: Group = GROUP1, Username = USER1, IP = x.x.x.x, Adding
static route for client address: 172.17.1.1
%ASA-5-713120: Group = GROUP1, Username = USER1, IP = x.x.x.x, PHASE 2
COMPLETED (msgid=f31387ed)
R.
On Wed, Jan 13, 2010 at 10:24 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Ivan,
>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Ivan Hrvatska
>> Sent: Wednesday, January 13, 2010 3:54 PM
>>
>> Hello,
>>
>> I have a problem with mapping group policies to users defined in the local
>> database. It seems that users are still mapped to the default policy, which
>> is defined under the tunnel group:
>>
>> one group policy:
>>
>> group-policy POLICY1 attributes
>> vpn-simultaneous-logins 7
>> vpn-idle-timeout 60
>> vpn-filter value FILTER1
>> vpn-tunnel-protocol IPSec
>> password-storage enable
>> group-lock value GROUP1
>
> Try disabling the group-lock value; I've not needed this section to accomplish what you're trying.
>
>> address-pools value POOL1
>>
>> tunnel-group GROUP1 type remote-access
>> tunnel-group GROUP1 general-attributes
>> default-group-policy POLICY5 - can you avoid this, i.e. NOT define a
>> default group policy?
>>
>> username USER1 password PASS encrypted
>> username USER1 attributes
>> vpn-group-policy POLICY1
>> service-type remote-access
>
> You can safely remove the service-type here as well. Do you have any access hours defined in the default group policy? I've found that if you enable this with a bad time range, so as to disable non-authorized users for LDAP authorization, you have to enable a valid time range for the negotiated group-policy.
>
>>
>> I don't get an address from the pool defined in group policy POLICY1, and the
>> filter isn't applied... I get an address from the default policy. When I remove
>> the default policy from the tunnel group, I cannot establish a VPN connection.
>>
>> The idea is to have one tunnel group, a couple of group-policies, and to
>> map those policies to specific users.
>>
>> Thanks
>>
>>
>
> Try adding this:
>
> logging class vpn monitor debugging, and enable term mon; post that information if you're still having issues.
>
> Thanks,
>
> -ryan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Jan 14 2010 - 09:32:46 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART