Ivan,
Pretty sure this is your problem:
CSCsw25955
ASA ignores vpn-group-policy under username attributes
Symptom:
When a group-policy is assigned with the vpn-group-policy command under username attributes, the ASA ignores it and puts the particular user into the default group-policy for that tunnel-group.
Conditions:
- ASA software 8.0.4.12
- Group-policy assigned under username attribute
Workaround:
1. Assign group-policy as a default group-policy under tunnel-group if possible or create another tunnel-group with a default group-policy
or
2. Upgrade to 8.0.4.16
-----------------
They recommend 8.0.4(16), but I would strongly recommend just moving to 8.0.5, which is stable and has all the fixes from 8.0.4(32) rolled into it.
Thanks,
-ryan
> -----Original Message-----
> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> Sent: Sunday, January 17, 2010 6:29 AM
> To: Farrukh Haroon
> Cc: Ryan West; Cisco certification
> Subject: Re: ASA VPN problem
>
> I tried that. Nothing. When I remove default group policy from the
> tunnel group it cannot establish connection with peer at all.
>
> Cisco Adaptive Security Appliance Software Version 8.0(4)12
>
> ASA is on a remote site, a customer site, in production, and that is the
> reason why I cannot erase the config, reload it, and start from the beginning.
> My colleagues experienced some problems with version 8; some basic
> things didn't work. So they deleted the startup config, reloaded it, and
> configured it. It helped.
>
>
> Regards
>
> On Sun, Jan 17, 2010 at 6:50 AM, Farrukh Haroon
> <farrukhharoon_at_gmail.com> wrote:
> > Can you try removing the default group policy from the tunnel group and then
> > try? (it will default to the default group-policy)
> >
> > Also what version of code are you running?
> >
> > Regards
> >
> > Farrukh
> >
> > On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> >>
> >> ASA# show vpn-sessiondb remote
> >>
> >> Session Type: IPsec
> >>
> >> Username : sapadmin Index : 84
> >> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
> >> Protocol : IKE IPsec
> >> License : IPsec
> >> Encryption : AES256 Hashing : SHA1
> >> Bytes Tx : 0 Bytes Rx : 0
> >> Group Policy : Tunnel Group : GROUP
> >> Login Time : 13:01:03 UTC Sat Jan 16 2010
> >> Duration : 0h:00m:27s
> >> NAC Result : Unknown
> >> VLAN Mapping : N/A VLAN : none
> >>
> >> Group Policy is empty.
> >>
> >> On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> >> > part of configuration:
> >> >
> >> > !
> >> > hostname ASA
> >> > domain-name default.domain.invalid
> >> > enable password LnGnWLhfZ8O2Q/GB encrypted
> >> > passwd 2KFQnbNIdI.2KYOU encrypted
> >> > names
> >> > dns-guard
> >> > pager lines 24
> >> > logging enable
> >> > logging buffered errors
> >> > logging asdm informational
> >> > mtu outside 1500
> >> > mtu VPN 1492
> >> > mtu Serveri 1500
> >> > mtu LAN 1500
> >> > mtu Procesni 1500
> >> > mtu management 1500
> >> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
> >> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
> >> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
> >> > no failover
> >> > icmp unreachable rate-limit 1 burst-size 1
> >> > asdm image disk0:/asdm-613.bin
> >> > no asdm history enable
> >> > arp timeout 14400
> >> > timeout xlate 3:00:00
> >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> >> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> >> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> >> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> >> > timeout tcp-proxy-reassembly 0:01:00
> >> > dynamic-access-policy-record DfltAccessPolicy
> >> > aaa authentication ssh console LOCAL
> >> > aaa authentication http console LOCAL
> >> > aaa authentication telnet console LOCAL
> >> > no snmp-server location
> >> > no snmp-server contact
> >> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> >> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
> >> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
> >> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
> >> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
> >> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
> >> > crypto ipsec security-association lifetime seconds 28800
> >> > crypto ipsec security-association lifetime kilobytes 4608000
> >> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
> >> > crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
> >> > crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
> >> > crypto dynamic-map DM1 10 set reverse-route
> >> > crypto map MAP 10 ipsec-isakmp dynamic DM1
> >> > crypto map MAP interface outside
> >> > crypto isakmp identity hostname
> >> > crypto isakmp enable outside
> >> > crypto isakmp policy 10
> >> > authentication pre-share
> >> > encryption aes-256
> >> > hash sha
> >> > group 2
> >> > lifetime 43200
> >> > no crypto isakmp nat-traversal
> >> > no vpn-addr-assign dhcp
> >> > telnet timeout 5
> >> > ssh timeout 5
> >> > ssh version 2
> >> > console timeout 5
> >> > management-access management
> >> > !
> >> > threat-detection basic-threat
> >> > threat-detection statistics access-list
> >> > no threat-detection statistics tcp-intercept
> >> > group-policy POLICY3 internal
> >> > group-policy POLICY3 attributes
> >> > vpn-idle-timeout 60
> >> > vpn-filter value
> >> > vpn-tunnel-protocol IPSec
> >> > address-pools value POOL3
> >> > group-policy DfltGrpPolicy attributes
> >> > vpn-tunnel-protocol IPSec webvpn
> >> > group-policy POLICY1 internal
> >> > group-policy POLICY1 attributes
> >> > vpn-idle-timeout 180
> >> > vpn-session-timeout none
> >> > vpn-tunnel-protocol IPSec
> >> > password-storage enable
> >> > split-tunnel-policy tunnelspecified
> >> > split-tunnel-network-list value NONAT
> >> > user-authentication enable
> >> > address-pools value POOL1
> >> > group-policy POLICY2 internal
> >> > group-policy POLICY2 attributes
> >> > vpn-simultaneous-logins 7
> >> > vpn-idle-timeout 60
> >> > vpn-filter value FILTER2
> >> > vpn-tunnel-protocol IPSec
> >> > password-storage enable
> >> > address-pools value POOL2
> >> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
> >> > username USER3 attributes
> >> > vpn-group-policy POLICY3
> >> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
> >> > username USER1 attributes
> >> > vpn-group-policy POLICY1
> >> > username USER2 password jcSAXHlsFLpnIf2H encrypted
> >> > username USER2 attributes
> >> > vpn-group-policy POLICY2
> >> > tunnel-group GROUP type remote-access
> >> > tunnel-group GROUP general-attributes
> >> > authorization-server-group LOCAL
> >> > default-group-policy POLICY1
> >> > tunnel-group GROUP ipsec-attributes
> >> > pre-shared-key *
> >> > !
> >> > class-map inspection_default
> >> > match default-inspection-traffic
> >> > !
> >> > !
> >> > policy-map type inspect dns migrated_dns_map_1
> >> > parameters
> >> > message-length maximum 512
> >> > policy-map global_policy
> >> > class inspection_default
> >> > inspect dns migrated_dns_map_1
> >> > inspect ftp
> >> > inspect h323 h225
> >> > inspect h323 ras
> >> > inspect rsh
> >> > inspect rtsp
> >> > inspect esmtp
> >> > inspect sqlnet
> >> > inspect skinny
> >> > inspect sunrpc
> >> > inspect xdmcp
> >> > inspect sip
> >> > inspect netbios
> >> > inspect tftp
> >> > !
> >> > service-policy global_policy global
> >> > prompt hostname context
> >> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
> >> > : end
> >> >
> >> >
> >> > AAA output shows that my USER2, which should retrieve POLICY2, gets
> >> > default policy POLICY1:
> >> >
> >> > %ASA-6-113012: AAA user authentication Successful : local database : user = USER2
> >> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2
> >> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
> >> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
> >> >
> >> > Regards
> >> >
> >> >
> >> >
> >> >
> >> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> >> Ivan,
> >> >>
> >> >> I would take a step back and see if you can get it working with the
> >> >> most basic settings and then maybe you can narrow down what's blocking you.
> >> >>
> >> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing
> >> >> the service-type setting under the username attributes. I have this
> >> >> configured in other environments on 8.2(1)11 with fallback local
> >> >> authorization. Here are my results:
> >> >>
> >> >> s ver | i 7.2
> >> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
> >> >>
> >> >> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
> >> >> access-list test1 extended deny ip any host 192.168.98.3
> >> >> access-list test1 extended permit ip any any
> >> >> access-list test2 extended permit ip any any
> >> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
> >> >> group-policy test2 internal
> >> >> group-policy test2 attributes
> >> >> group-policy test1 internal
> >> >> group-policy test1 attributes
> >> >> tunnel-group testing type ipsec-ra
> >> >> tunnel-group testing general-attributes
> >> >> default-group-policy test1
> >> >> tunnel-group testing ipsec-attributes
> >> >>
> >> >> You'll want to watch for the AAA output when you connect:
> >> >>
> >> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
> >> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
> >> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
> >> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
> >> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
> >> >>
> >> >> show vpn-sessiondb remote | i Username|Group
> >> >> Username : test2
> >> >> Group Policy : test2
> >> >> Tunnel Group : testing
> >> >>
> >> >> HTH,
> >> >>
> >> >> -ryan
> >> >>
> >> >>> -----Original Message-----
> >> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> >>> Sent: Friday, January 15, 2010 1:51 PM
> >> >>> To: Ryan West
> >> >>> Cc: Cisco certification
> >> >>> Subject: Re: ASA VPN problem
> >> >>>
> >> >>> Nothing. Same thing.
> >> >>>
> >> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> >>> > Ivan,
> >> >>> >
> >> >>> >> -----Original Message-----
> >> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
> >> >>> >> To: Ryan West
> >> >>> >>
> >> >>> >> ASA# sh run tunnel-group
> >> >>> >> tunnel-group GROUP1 type remote-access
> >> >>> >> tunnel-group GROUP1 general-attributes
> >> >>> >> default-group-policy POLICY3
> >> >>> >> tunnel-group GROUP1 ipsec-attributes
> >> >>> >> pre-shared-key *
> >> >>> >
> >> >>> > Try adding this to your tunnel-group GROUP1 general-attributes:
> >> >>> > authorization-server-group LOCAL
> >> >>> >
> >> >>> > -ryan
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
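An added check, not from the thread or from Cisco, that turns the AAA messages quoted above into a test: it reads the vpn-group-policy under each username's attributes, reads which policy the 113011/113009 syslog messages say was applied, and reports users who landed on the tunnel-group default instead of their own policy, which is the symptom of CSCsw25955. The config excerpt and log lines are constructed for the example.

```python
import re
# Constructed samples (not the real device's config or logs), laid out like the thread.
SAMPLE_CONFIG = """\
username USER1 attributes
 vpn-group-policy POLICY1
username USER2 attributes
 vpn-group-policy POLICY2
tunnel-group GROUP general-attributes
 default-group-policy POLICY1
"""
SAMPLE_LOG = """\
%ASA-6-113012: AAA user authentication Successful : local database : user = USER2
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
%ASA-6-113011: AAA retrieved user specific group policy (POLICY1) for user = USER1
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER1
"""

def parse_user_policies(config):
    """Map username -> vpn-group-policy from 'username X attributes' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"username (\S+) attributes", line)
        attr = re.match(r"\s+vpn-group-policy (\S+)", line)
        if head:
            current = head.group(1)
        elif attr and current:
            policies[current] = attr.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return policies

def parse_applied_policies(log):
    """Map user -> (source, policy) the ASA applied: 113011 (user-specific)
    wins; 113009 (tunnel-group default) counts only if no 113011 was logged."""
    applied = {}
    for line in log.splitlines():
        specific = re.search(r"113011: .*\((\S+)\) for user = (\S+)", line)
        if specific:
            applied[specific.group(2)] = ("user-specific", specific.group(1))
        default = re.search(r"113009: .*\((\S+)\) for user = (\S+)", line)
        if default and default.group(2) not in applied:
            applied[default.group(2)] = ("default", default.group(1))
    return applied

def find_ignored_user_policies(config, log):
    """Users whose configured vpn-group-policy is not what the ASA applied."""
    expected, applied = parse_user_policies(config), parse_applied_policies(log)
    return {user: (policy, applied[user]) for user, policy in expected.items()
            if user in applied and applied[user] != ("user-specific", policy)}
```

Run it against `show run` and a syslog capture from the box; a non-empty result after an upgrade means the fix did not take.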
Received on Sun Jan 17 2010 - 16:18:58 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART