Re: ASA VPN problem

From: Ivan Hrvatska <ivanzghr_at_gmail.com>
Date: Sun, 17 Jan 2010 12:52:27 +0100

Here, I found the solution on Cisco site:

ASA ignores vpn-group-policy under username attributes

Symptom:
When group-policy is assigned with vpn-group-policy command under
username attributes, the ASA ignores it and puts particular user into
default group-policy for that tunnel-group.

Conditions:
- ASA software 8.0.4.12
- Group-policy assigned under username attribute

Workaround:
1. Assign group-policy as a default group-policy under tunnel-group if
possible or create another tunnel-group with a default group-policy
or
2. Upgrade to 8.0.4.16

I will try to upgrade it. I'll let you know the result.

Regards

On Sun, Jan 17, 2010 at 12:28 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> I tried that. Nothing. When I remove default group policy from the
> tunnel group it cannot establish connection with peer at all.
>
> Cisco Adaptive Security Appliance Software Version 8.0(4)12
>
> The ASA is at a remote site, a customer site, in production, and that is the
> reason why I cannot erase the config, reload it, and start from the beginning.
> My colleagues experienced some problems with version 8; some basic
> things didn't work. So they deleted the startup config, reloaded it, and
> configured it again. It helped.
>
>
> Regards
>
> On Sun, Jan 17, 2010 at 6:50 AM, Farrukh Haroon <farrukhharoon_at_gmail.com> wrote:
>> Can you try removing the default group policy from the tunnel group and then
>> try? (it will default to the default group-policy)
>>
>> Also what version of code are you running?
>>
>> Regards
>>
>> Farrukh
>>
>> On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>>>
>>> ASA# show vpn-sessiondb remote
>>>
>>> Session Type: IPsec
>>>
>>> Username : sapadmin Index : 84
>>> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
>>> Protocol : IKE IPsec
>>> License : IPsec
>>> Encryption : AES256 Hashing : SHA1
>>> Bytes Tx : 0 Bytes Rx : 0
>>> Group Policy : Tunnel Group : GROUP
>>> Login Time : 13:01:03 UTC Sat Jan 16 2010
>>> Duration : 0h:00m:27s
>>> NAC Result : Unknown
>>> VLAN Mapping : N/A VLAN : none
>>>
>>> Group Policy is empty.
>>>
>>> On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>>> > part of configuration:
>>> >
>>> > !
>>> > hostname ASA
>>> > domain-name default.domain.invalid
>>> > enable password LnGnWLhfZ8O2Q/GB encrypted
>>> > passwd 2KFQnbNIdI.2KYOU encrypted
>>> > names
>>> > dns-guard
>>> > pager lines 24
>>> > logging enable
>>> > logging buffered errors
>>> > logging asdm informational
>>> > mtu outside 1500
>>> > mtu VPN 1492
>>> > mtu Serveri 1500
>>> > mtu LAN 1500
>>> > mtu Procesni 1500
>>> > mtu management 1500
>>> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
>>> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
>>> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
>>> > no failover
>>> > icmp unreachable rate-limit 1 burst-size 1
>>> > asdm image disk0:/asdm-613.bin
>>> > no asdm history enable
>>> > arp timeout 14400
>>> > timeout xlate 3:00:00
>>> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>>> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>>> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>>> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>>> > timeout tcp-proxy-reassembly 0:01:00
>>> > dynamic-access-policy-record DfltAccessPolicy
>>> > aaa authentication ssh console LOCAL
>>> > aaa authentication http console LOCAL
>>> > aaa authentication telnet console LOCAL
>>> > no snmp-server location
>>> > no snmp-server contact
>>> > snmp-server enable traps snmp authentication linkup linkdown coldstart
>>> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
>>> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
>>> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
>>> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
>>> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
>>> > crypto ipsec security-association lifetime seconds 28800
>>> > crypto ipsec security-association lifetime kilobytes 4608000
>>> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
>>> > crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
>>> > crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
>>> > crypto dynamic-map DM1 10 set reverse-route
>>> > crypto map MAP 10 ipsec-isakmp dynamic DM1
>>> > crypto map MAP interface outside
>>> > crypto isakmp identity hostname
>>> > crypto isakmp enable outside
>>> > crypto isakmp policy 10
>>> > authentication pre-share
>>> > encryption aes-256
>>> > hash sha
>>> > group 2
>>> > lifetime 43200
>>> > no crypto isakmp nat-traversal
>>> > no vpn-addr-assign dhcp
>>> > telnet timeout 5
>>> > ssh timeout 5
>>> > ssh version 2
>>> > console timeout 5
>>> > management-access management
>>> > !
>>> > threat-detection basic-threat
>>> > threat-detection statistics access-list
>>> > no threat-detection statistics tcp-intercept
>>> > group-policy POLICY3 internal
>>> > group-policy POLICY3 attributes
>>> > vpn-idle-timeout 60
>>> > vpn-filter value
>>> > vpn-tunnel-protocol IPSec
>>> > address-pools value POOL3
>>> > group-policy DfltGrpPolicy attributes
>>> > vpn-tunnel-protocol IPSec webvpn
>>> > group-policy POLICY1 internal
>>> > group-policy POLICY1 attributes
>>> > vpn-idle-timeout 180
>>> > vpn-session-timeout none
>>> > vpn-tunnel-protocol IPSec
>>> > password-storage enable
>>> > split-tunnel-policy tunnelspecified
>>> > split-tunnel-network-list value NONAT
>>> > user-authentication enable
>>> > address-pools value POOL1
>>> > group-policy POLICY2 internal
>>> > group-policy POLICY2 attributes
>>> > vpn-simultaneous-logins 7
>>> > vpn-idle-timeout 60
>>> > vpn-filter value FILTER2
>>> > vpn-tunnel-protocol IPSec
>>> > password-storage enable
>>> > address-pools value POOL2
>>> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
>>> > username USER3 attributes
>>> > vpn-group-policy POLICY3
>>> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
>>> > username USER1 attributes
>>> > vpn-group-policy POLICY1
>>> > username USER2 password jcSAXHlsFLpnIf2H encrypted
>>> > username USER2 attributes
>>> > vpn-group-policy POLICY2
>>> > tunnel-group GROUP type remote-access
>>> > tunnel-group GROUP general-attributes
>>> > authorization-server-group LOCAL
>>> > default-group-policy POLICY1
>>> > tunnel-group GROUP ipsec-attributes
>>> > pre-shared-key *
>>> > !
>>> > class-map inspection_default
>>> > match default-inspection-traffic
>>> > !
>>> > !
>>> > policy-map type inspect dns migrated_dns_map_1
>>> > parameters
>>> > message-length maximum 512
>>> > policy-map global_policy
>>> > class inspection_default
>>> > inspect dns migrated_dns_map_1
>>> > inspect ftp
>>> > inspect h323 h225
>>> > inspect h323 ras
>>> > inspect rsh
>>> > inspect rtsp
>>> > inspect esmtp
>>> > inspect sqlnet
>>> > inspect skinny
>>> > inspect sunrpc
>>> > inspect xdmcp
>>> > inspect sip
>>> > inspect netbios
>>> > inspect tftp
>>> > !
>>> > service-policy global_policy global
>>> > prompt hostname context
>>> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
>>> > : end
>>> >
>>> >
>>> > AAA output shows that my USER2, which should retrieve POLICY2, gets
>>> > default policy POLICY1:
>>> >
>>> > %ASA-6-113012: AAA user authentication Successful : local database : user = USER2
>>> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2
>>> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
>>> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
>>> >
>>> > Regards
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>> >> Ivan,
>>> >>
>>> >> I would take a step back and see if you can get it working with the
>>> >> most basic settings and then maybe you can narrow down what's blocking you.
>>> >>
>>> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing
>>> >> the service-type setting under the username attributes. I have this
>>> >> configured in other environments on 8.2(1)11 with fallback local
>>> >> authorization. Here are my results:
>>> >>
>>> >> s ver | i 7.2
>>> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
>>> >>
>>> >> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
>>> >> access-list test1 extended deny ip any host 192.168.98.3
>>> >> access-list test1 extended permit ip any any
>>> >> access-list test2 extended permit ip any any
>>> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
>>> >> group-policy test2 internal
>>> >> group-policy test2 attributes
>>> >> group-policy test1 internal
>>> >> group-policy test1 attributes
>>> >> tunnel-group testing type ipsec-ra
>>> >> tunnel-group testing general-attributes
>>> >> default-group-policy test1
>>> >> tunnel-group testing ipsec-attributes
>>> >>
>>> >> You'll want to watch for the AAA output when you connect:
>>> >>
>>> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
>>> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
>>> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
>>> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
>>> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
>>> >>
>>> >> show vpn-sessiondb remote | i Username|Group
>>> >> Username : test2
>>> >> Group Policy : test2
>>> >> Tunnel Group : testing
>>> >>
>>> >> HTH,
>>> >>
>>> >> -ryan
>>> >>
>>> >>> -----Original Message-----
>>> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>>> >>> Sent: Friday, January 15, 2010 1:51 PM
>>> >>> To: Ryan West
>>> >>> Cc: Cisco certification
>>> >>> Subject: Re: ASA VPN problem
>>> >>>
>>> >>> Nothing. Same thing.
>>> >>>
>>> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>> >>> > Ivan,
>>> >>> >
>>> >>> >> -----Original Message-----
>>> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>>> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
>>> >>> >> To: Ryan West
>>> >>> >>
>>> >>> >> ASA# sh run tunnel-group
>>> >>> >> tunnel-group GROUP1 type remote-access
>>> >>> >> tunnel-group GROUP1 general-attributes
>>> >>> >> default-group-policy POLICY3
>>> >>> >> tunnel-group GROUP1 ipsec-attributes
>>> >>> >> pre-shared-key *
>>> >>> >
>>> >>> > Try adding this to your tunnel-group GROUP1 general-attributes:
>>> >>> > authorization-server-group LOCAL
>>> >>> >
>>> >>> > -ryan
>>>
>>>

Blogs and organic groups at http://www.ccie.net
Received on Sun Jan 17 2010 - 12:52:27 ART
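The AAA syslog IDs Ryan points at (113011 for a user-specific group policy, 113009 for the tunnel-group default) are what make this bug observable. As an added example that is not part of the thread, here is a small Python checker that rejoins ASA syslog lines wrapped by a mail client and reports users whose per-username vpn-group-policy was ignored; the sample log is constructed from both outputs quoted above, and the expected-policy dictionary is taken from the two configurations.

```python
import re

# Constructed sample, built from the thread: the failing case (USER2 should get
# POLICY2 but only the default POLICY1 is retrieved) and Ryan's working lab
# (test2 -> test2). Some lines are wrapped as they appeared in the e-mail.
SAMPLE_LOG = """\
%ASA-6-113012: AAA user authentication Successful : local database :
user = USER2
%ASA-6-113004: AAA user authorization Successful : server = LOCAL :
user = USER2
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user =
USER2
%ASA-6-113008: AAA transaction status ACCEPT : user = USER2
Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
"""

USER_SPECIFIC = re.compile(r"%ASA-6-113011: .*group policy \((\S+)\) for user = (\S+)")
DEFAULT_POLICY = re.compile(r"%ASA-6-113009: .*group policy \((\S+)\) for user = (\S+)")


def unwrap_syslog(text):
    """Rejoin mail-wrapped lines: a line without a '%ASA-' tag continues the previous message."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "%ASA-" in line or not messages:
            messages.append(line)
        else:
            messages[-1] += " " + line
    return messages


def effective_group_policies(text):
    """Map user -> (policy, source); source is 'user' when 113011 was logged, else 'default'."""
    result = {}
    for msg in unwrap_syslog(text):
        m = USER_SPECIFIC.search(msg)
        if m:
            policy, user = m.groups()
            result[user] = (policy, "user")  # user-specific policy always wins
            continue
        m = DEFAULT_POLICY.search(msg)
        if m:
            policy, user = m.groups()
            result.setdefault(user, (policy, "default"))  # 113009 also follows a 113011
    return result


def find_ignored_user_policies(text, expected):
    """Return {user: effective_policy} for users whose configured vpn-group-policy was not applied."""
    effective = effective_group_policies(text)
    return {u: effective[u][0] for u, want in expected.items()
            if u in effective and effective[u][0] != want}


if __name__ == "__main__":
    configured = {"USER2": "POLICY2", "test2": "test2"}  # from the username attributes above
    print(find_ignored_user_policies(SAMPLE_LOG, configured))  # {'USER2': 'POLICY1'}
```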
