Re: ASA VPN problem

From: Ivan Hrvatska <ivanzghr_at_gmail.com>
Date: Sun, 17 Jan 2010 23:04:40 +0100

Yes, that's it. I upgraded to 8.0.5 and it works just fine. Thanks for
your assistance.

Regards

On Sun, Jan 17, 2010 at 5:18 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Ivan,
>
> Pretty sure this is your problem:
>
> CSCsw25955
>
> ASA ignores vpn-group-policy under username attributes
>
> Symptom:
> When group-policy is assigned with vpn-group-policy command under username attributes, the ASA ignores it and puts particular user into default group-policy for that tunnel-group.
>
> Conditions:
> - ASA software 8.0.4.12
> - Group-policy assigned under username attribute
>
> Workaround:
> 1. Assign group-policy as a default group-policy under tunnel-group if possible or create another tunnel-group with a default group-policy
> or
> 2. Upgrade to 8.0.4.16
>
> -----------------
>
> They recommend 8.0.4(16), but I would strongly recommend just moving to 8.0.5, which is stable and has all the fixes from 8.0.4(32) rolled into it.
>
> Thanks,
>
> -ryan
>
>> -----Original Message-----
>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> Sent: Sunday, January 17, 2010 6:29 AM
>> To: Farrukh Haroon
>> Cc: Ryan West; Cisco certification
>> Subject: Re: ASA VPN problem
>>
>> I tried that. Nothing. When I remove the default group policy from the
>> tunnel group it cannot establish a connection with the peer at all.
>>
>> Cisco Adaptive Security Appliance Software Version 8.0(4)12
>>
>> The ASA is at a remote site, a customer site, in production, and that is the
>> reason why I cannot erase the config, reload it, and start from the beginning.
>> My colleagues experienced some problems with version 8; some basic
>> things didn't work. So they deleted the startup config, reloaded it, and
>> configured it. It helped.
>>
>>
>> Regards
>>
>> On Sun, Jan 17, 2010 at 6:50 AM, Farrukh Haroon
>> <farrukhharoon_at_gmail.com> wrote:
>> > Can you try removing the default group policy from the tunnel group and then
>> > try? (it will default to the default group-policy)
>> >
>> > Also what version of code are you running?
>> >
>> > Regards
>> >
>> > Farrukh
>> >
>> > On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>> >>
>> >> ASA# show vpn-sessiondb remote
>> >>
>> >> Session Type: IPsec
>> >>
>> >> Username : sapadmin Index : 84
>> >> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
>> >> Protocol : IKE IPsec
>> >> License : IPsec
>> >> Encryption : AES256 Hashing : SHA1
>> >> Bytes Tx : 0 Bytes Rx : 0
>> >> Group Policy : Tunnel Group : GROUP
>> >> Login Time : 13:01:03 UTC Sat Jan 16 2010
>> >> Duration : 0h:00m:27s
>> >> NAC Result : Unknown
>> >> VLAN Mapping : N/A VLAN : none
>> >>
>> >> Group Policy is empty.
>> >>
>> >> On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>> >> > part of the configuration:
>> >> >
>> >> > !
>> >> > hostname ASA
>> >> > domain-name default.domain.invalid
>> >> > enable password LnGnWLhfZ8O2Q/GB encrypted
>> >> > passwd 2KFQnbNIdI.2KYOU encrypted
>> >> > names
>> >> > dns-guard
>> >> > pager lines 24
>> >> > logging enable
>> >> > logging buffered errors
>> >> > logging asdm informational
>> >> > mtu outside 1500
>> >> > mtu VPN 1492
>> >> > mtu Serveri 1500
>> >> > mtu LAN 1500
>> >> > mtu Procesni 1500
>> >> > mtu management 1500
>> >> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
>> >> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
>> >> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
>> >> > no failover
>> >> > icmp unreachable rate-limit 1 burst-size 1
>> >> > asdm image disk0:/asdm-613.bin
>> >> > no asdm history enable
>> >> > arp timeout 14400
>> >> > timeout xlate 3:00:00
>> >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> >> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>> >> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>> >> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>> >> > timeout tcp-proxy-reassembly 0:01:00
>> >> > dynamic-access-policy-record DfltAccessPolicy
>> >> > aaa authentication ssh console LOCAL
>> >> > aaa authentication http console LOCAL
>> >> > aaa authentication telnet console LOCAL
>> >> > no snmp-server location
>> >> > no snmp-server contact
>> >> > snmp-server enable traps snmp authentication linkup linkdown coldstart
>> >> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
>> >> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
>> >> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
>> >> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
>> >> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
>> >> > crypto ipsec security-association lifetime seconds 28800
>> >> > crypto ipsec security-association lifetime kilobytes 4608000
>> >> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
>> >> > crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
>> >> > crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
>> >> > crypto dynamic-map DM1 10 set reverse-route
>> >> > crypto map MAP 10 ipsec-isakmp dynamic DM1
>> >> > crypto map MAP interface outside
>> >> > crypto isakmp identity hostname
>> >> > crypto isakmp enable outside
>> >> > crypto isakmp policy 10
>> >> > authentication pre-share
>> >> > encryption aes-256
>> >> > hash sha
>> >> > group 2
>> >> > lifetime 43200
>> >> > no crypto isakmp nat-traversal
>> >> > no vpn-addr-assign dhcp
>> >> > telnet timeout 5
>> >> > ssh timeout 5
>> >> > ssh version 2
>> >> > console timeout 5
>> >> > management-access management
>> >> > !
>> >> > threat-detection basic-threat
>> >> > threat-detection statistics access-list
>> >> > no threat-detection statistics tcp-intercept
>> >> > group-policy POLICY3 internal
>> >> > group-policy POLICY3 attributes
>> >> > vpn-idle-timeout 60
>> >> > vpn-filter value
>> >> > vpn-tunnel-protocol IPSec
>> >> > address-pools value POOL3
>> >> > group-policy DfltGrpPolicy attributes
>> >> > vpn-tunnel-protocol IPSec webvpn
>> >> > group-policy POLICY1 internal
>> >> > group-policy POLICY1 attributes
>> >> > vpn-idle-timeout 180
>> >> > vpn-session-timeout none
>> >> > vpn-tunnel-protocol IPSec
>> >> > password-storage enable
>> >> > split-tunnel-policy tunnelspecified
>> >> > split-tunnel-network-list value NONAT
>> >> > user-authentication enable
>> >> > address-pools value POOL1
>> >> > group-policy POLICY2 internal
>> >> > group-policy POLICY2 attributes
>> >> > vpn-simultaneous-logins 7
>> >> > vpn-idle-timeout 60
>> >> > vpn-filter value FILTER2
>> >> > vpn-tunnel-protocol IPSec
>> >> > password-storage enable
>> >> > address-pools value POOL2
>> >> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
>> >> > username USER3 attributes
>> >> > vpn-group-policy POLICY3
>> >> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
>> >> > username USER1 attributes
>> >> > vpn-group-policy POLICY1
>> >> > username USER2 password jcSAXHlsFLpnIf2H encrypted
>> >> > username USER2 attributes
>> >> > vpn-group-policy POLICY2
>> >> > tunnel-group GROUP type remote-access
>> >> > tunnel-group GROUP general-attributes
>> >> > authorization-server-group LOCAL
>> >> > default-group-policy POLICY1
>> >> > tunnel-group GROUP ipsec-attributes
>> >> > pre-shared-key *
>> >> > !
>> >> > class-map inspection_default
>> >> > match default-inspection-traffic
>> >> > !
>> >> > !
>> >> > policy-map type inspect dns migrated_dns_map_1
>> >> > parameters
>> >> > message-length maximum 512
>> >> > policy-map global_policy
>> >> > class inspection_default
>> >> > inspect dns migrated_dns_map_1
>> >> > inspect ftp
>> >> > inspect h323 h225
>> >> > inspect h323 ras
>> >> > inspect rsh
>> >> > inspect rtsp
>> >> > inspect esmtp
>> >> > inspect sqlnet
>> >> > inspect skinny
>> >> > inspect sunrpc
>> >> > inspect xdmcp
>> >> > inspect sip
>> >> > inspect netbios
>> >> > inspect tftp
>> >> > !
>> >> > service-policy global_policy global
>> >> > prompt hostname context
>> >> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
>> >> > : end
>> >> >
>> >> >
>> >> > AAA output shows that my USER2, which should retrieve POLICY2, gets
>> >> > the default policy POLICY1:
>> >> >
>> >> > %ASA-6-113012: AAA user authentication Successful : local database : user = USER2
>> >> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2
>> >> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
>> >> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
>> >> >
>> >> > Regards
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> >> >> Ivan,
>> >> >>
>> >> >> I would take a step back and see if you can get it working with the
>> >> >> most basic settings and then maybe you can narrow down what's blocking you.
>> >> >>
>> >> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing
>> >> >> the service-type setting under the username attributes. I have this
>> >> >> configured in other environments on 8.2(1)11 with fallback local
>> >> >> authorization. Here are my results:
>> >> >>
>> >> >> s ver | i 7.2
>> >> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
>> >> >>
>> >> >> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
>> >> >> access-list test1 extended deny ip any host 192.168.98.3
>> >> >> access-list test1 extended permit ip any any
>> >> >> access-list test2 extended permit ip any any
>> >> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
>> >> >> group-policy test2 internal
>> >> >> group-policy test2 attributes
>> >> >> group-policy test1 internal
>> >> >> group-policy test1 attributes
>> >> >> tunnel-group testing type ipsec-ra
>> >> >> tunnel-group testing general-attributes
>> >> >> default-group-policy test1
>> >> >> tunnel-group testing ipsec-attributes
>> >> >>
>> >> >> You'll want to watch for the AAA output when you connect:
>> >> >>
>> >> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
>> >> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
>> >> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
>> >> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
>> >> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
>> >> >>
>> >> >> show vpn-sessiondb remote | i Username|Group
>> >> >> Username : test2
>> >> >> Group Policy : test2
>> >> >> Tunnel Group : testing
>> >> >>
>> >> >> HTH,
>> >> >>
>> >> >> -ryan
>> >> >>
>> >> >>> -----Original Message-----
>> >> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> >>> Sent: Friday, January 15, 2010 1:51 PM
>> >> >>> To: Ryan West
>> >> >>> Cc: Cisco certification
>> >> >>> Subject: Re: ASA VPN problem
>> >> >>>
>> >> >>> Nothing. Same thing.
>> >> >>>
>> >> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> >> >>> > Ivan,
>> >> >>> >
>> >> >>> >> -----Original Message-----
>> >> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
>> >> >>> >> To: Ryan West
>> >> >>> >>
>> >> >>> >> ASA# sh run tunnel-group
>> >> >>> >> tunnel-group GROUP1 type remote-access
>> >> >>> >> tunnel-group GROUP1 general-attributes
>> >> >>> >> default-group-policy POLICY3
>> >> >>> >> tunnel-group GROUP1 ipsec-attributes
>> >> >>> >> pre-shared-key *
>> >> >>> >
>> >> >>> > Try adding this to your tunnel-group GROUP1 general-attributes:
>> >> >>> > authorization-server-group LOCAL
>> >> >>> >
>> >> >>> > -ryan
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
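As an added example, not code from the thread or from Cisco: a small Python check for the situation debugged above. It reads the per-user "vpn-group-policy" lines and the tunnel-group "default-group-policy" from a running-config fragment, reads the AAA syslog messages the ASA emits at login, and reports any user who was configured for a specific policy but was actually dropped into the tunnel-group default. Ryan's working 7.2(4)33 output shows that the ASA logs 113009 (default group policy retrieved) on every login even when 113011 (user-specific policy retrieved) also fires and wins, so the fault signal in Ivan's 8.0(4)12 output is the absence of 113011, not the presence of 113009. The sample config and log lines are constructed from the output posted in the thread, re-joined onto single lines, with the password hashes replaced by a placeholder; the function names are my own.

```python
import re

# Constructed config fragment modelled on the one posted in the thread
# (password hashes replaced with a placeholder).
SAMPLE_CONFIG = """\
group-policy POLICY1 internal
group-policy POLICY2 internal
username USER1 password REDACTED encrypted privilege 15
username USER1 attributes
 vpn-group-policy POLICY1
username USER2 password REDACTED encrypted
username USER2 attributes
 vpn-group-policy POLICY2
tunnel-group GROUP type remote-access
tunnel-group GROUP general-attributes
 authorization-server-group LOCAL
 default-group-policy POLICY1
"""

# Constructed log samples: the 8.0(4)12 output where the per-user policy was
# ignored, and the 7.2(4)33 output where it was honoured (both from the thread).
BROKEN_LOG = [
    "%ASA-6-113012: AAA user authentication Successful : local database : user = USER2",
    "%ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2",
    "%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2",
    "%ASA-6-113008: AAA transaction status ACCEPT : user = USER2",
]
WORKING_LOG = [
    "Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2",
    "Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2",
]

# 113011: user-specific policy retrieved; 113009: tunnel-group default retrieved.
USER_POLICY_RE = re.compile(
    r"%ASA-\d-113011: AAA retrieved user specific group policy \((\S+)\) for user = (\S+)")
DEFAULT_POLICY_RE = re.compile(
    r"%ASA-\d-113009: AAA retrieved default group policy \((\S+)\) for user = (\S+)")


def expected_policies(config_text):
    """Return ({user: vpn-group-policy}, {tunnel-group: default-group-policy})."""
    users, tunnel_defaults = {}, {}
    block = None  # ("user", NAME) or ("tg", NAME) while inside that sub-mode
    for raw in config_text.splitlines():
        line = raw.strip()  # indentation is not reliable in pasted configs
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            block = ("user", m.group(1))
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes$", line)
        if m:
            block = ("tg", m.group(1))
            continue
        if re.match(r"(username|tunnel-group|group-policy)\b", line):
            block = None  # any other top-level command ends the sub-mode
            continue
        if block and block[0] == "user":
            m = re.match(r"vpn-group-policy (\S+)$", line)
            if m:
                users[block[1]] = m.group(1)
        elif block and block[0] == "tg":
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                tunnel_defaults[block[1]] = m.group(1)
    return users, tunnel_defaults


def effective_policies(log_lines):
    """Return {user: (policy, source)} as the ASA reported it.

    113009 is logged on every login, so 113011 takes precedence when present;
    a user with only a 113009 line fell through to the tunnel-group default.
    """
    specific, default = {}, {}
    for line in log_lines:
        m = USER_POLICY_RE.search(line)
        if m:
            specific[m.group(2)] = m.group(1)
            continue
        m = DEFAULT_POLICY_RE.search(line)
        if m:
            default[m.group(2)] = m.group(1)
    result = {}
    for user in set(specific) | set(default):
        if user in specific:
            result[user] = (specific[user], "user-specific")
        else:
            result[user] = (default[user], "default")
    return result


def audit_group_policy(config_text, log_lines):
    """List (user, configured, applied, source) where the configured per-user
    vpn-group-policy differs from the policy the ASA actually applied."""
    configured, _ = expected_policies(config_text)
    applied = effective_policies(log_lines)
    return [(user, want) + applied[user]
            for user, want in sorted(configured.items())
            if user in applied and applied[user][0] != want]


if __name__ == "__main__":
    for label, log in (("8.0(4)12", BROKEN_LOG), ("7.2(4)33", WORKING_LOG)):
        print(label, effective_policies(log), audit_group_policy(SAMPLE_CONFIG, log))
```

Feed it the output of "show run" and a capture of the 113xxx messages (e.g. from "logging buffered informational" or a syslog collector) and an empty findings list means every user with a per-user policy actually received it; a non-empty list is the symptom CSCsw25955 describes.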

Received on Sun Jan 17 2010 - 23:04:40 ART
