Re: ASA VPN problem

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Tue, 19 Jan 2010 09:47:25 -0500

lol ... many problems can be solved with an upgrade and reload!

;-)

Thanks for such an in depth thread ... you all rock!

Andrew Lee Lissitz

On Sun, Jan 17, 2010 at 5:04 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:

> Yes, that's it. I upgraded to 8.0.5 and it works just fine. Thanks for
> your assistance.
>
> Regards
>
> On Sun, Jan 17, 2010 at 5:18 PM, Ryan West <rwest_at_zyedge.com> wrote:
> > Ivan,
> >
> > Pretty sure this is your problem:
> >
> > CSCsw25955
> >
> > ASA ignores vpn-group-policy under username attributes
> >
> > Symptom:
> > When group-policy is assigned with vpn-group-policy command under
> > username attributes, the ASA ignores it and puts particular user into
> > default group-policy for that tunnel-group.
> >
> > Conditions:
> > - ASA software 8.0.4.12
> > - Group-policy assigned under username attribute
> >
> > Workaround:
> > 1. Assign group-policy as a default group-policy under tunnel-group if
> > possible or create another tunnel-group with a default group-policy
> > or
> > 2. Upgrade to 8.0.4.16
> >
> > -----------------
> >
> > They recommend 8.0.4(16), but I would strongly recommend just moving to
> > 8.0.5, which is stable and has all the fixes from 8.0.4(32) rolled into it.
> >
> > Thanks,
> >
> > -ryan
> >
> >> -----Original Message-----
> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> Sent: Sunday, January 17, 2010 6:29 AM
> >> To: Farrukh Haroon
> >> Cc: Ryan West; Cisco certification
> >> Subject: Re: ASA VPN problem
> >>
> >> I tried that. Nothing. When I remove default group policy from the
> >> tunnel group it cannot establish connection with peer at all.
> >>
> >> Cisco Adaptive Security Appliance Software Version 8.0(4)12
> >>
> >> ASA is on remote site, customer site, in production, and that is the
> >> reason why I cannot erase config, reload it, and start from beginning.
> >> My colleagues experienced some problems with version 8; some basic
> >> things didn't work. So they deleted the startup config, reloaded it, and
> >> configured it again. It helped.
> >>
> >>
> >> Regards
> >>
> >> On Sun, Jan 17, 2010 at 6:50 AM, Farrukh Haroon
> >> <farrukhharoon_at_gmail.com> wrote:
> >> > Can you try removing the default group policy from the tunnel group
> >> > and then try? (it will default to the default group-policy)
> >> >
> >> > Also what version of code are you running?
> >> >
> >> > Regards
> >> >
> >> > Farrukh
> >> >
> >> > On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> >> >>
> >> >> ASA# show vpn-sessiondb remote
> >> >>
> >> >> Session Type: IPsec
> >> >>
> >> >> Username : sapadmin Index : 84
> >> >> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
> >> >> Protocol : IKE IPsec
> >> >> License : IPsec
> >> >> Encryption : AES256 Hashing : SHA1
> >> >> Bytes Tx : 0 Bytes Rx : 0
> >> >> Group Policy : Tunnel Group : GROUP
> >> >> Login Time : 13:01:03 UTC Sat Jan 16 2010
> >> >> Duration : 0h:00m:27s
> >> >> NAC Result : Unknown
> >> >> VLAN Mapping : N/A VLAN : none
> >> >>
> >> >> Group Policy is empty.
> >> >>
> >> >> > On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
> >> >> > part of configuration:
> >> >> >
> >> >> > !
> >> >> > hostname ASA
> >> >> > domain-name default.domain.invalid
> >> >> > enable password LnGnWLhfZ8O2Q/GB encrypted
> >> >> > passwd 2KFQnbNIdI.2KYOU encrypted
> >> >> > names
> >> >> > dns-guard
> >> >> > pager lines 24
> >> >> > logging enable
> >> >> > logging buffered errors
> >> >> > logging asdm informational
> >> >> > mtu outside 1500
> >> >> > mtu VPN 1492
> >> >> > mtu Serveri 1500
> >> >> > mtu LAN 1500
> >> >> > mtu Procesni 1500
> >> >> > mtu management 1500
> >> >> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
> >> >> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
> >> >> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
> >> >> > no failover
> >> >> > icmp unreachable rate-limit 1 burst-size 1
> >> >> > asdm image disk0:/asdm-613.bin
> >> >> > no asdm history enable
> >> >> > arp timeout 14400
> >> >> > timeout xlate 3:00:00
> >> >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> >> >> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> >> >> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> >> >> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> >> >> > timeout tcp-proxy-reassembly 0:01:00
> >> >> > dynamic-access-policy-record DfltAccessPolicy
> >> >> > aaa authentication ssh console LOCAL
> >> >> > aaa authentication http console LOCAL
> >> >> > aaa authentication telnet console LOCAL
> >> >> > no snmp-server location
> >> >> > no snmp-server contact
> >> >> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> >> >> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
> >> >> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
> >> >> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
> >> >> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
> >> >> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
> >> >> > crypto ipsec security-association lifetime seconds 28800
> >> >> > crypto ipsec security-association lifetime kilobytes 4608000
> >> >> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
> >> >> > crypto dynamic-map DM1 10 set security-association lifetime seconds 28800
> >> >> > crypto dynamic-map DM1 10 set security-association lifetime kilobytes 4608000
> >> >> > crypto dynamic-map DM1 10 set reverse-route
> >> >> > crypto map MAP 10 ipsec-isakmp dynamic DM1
> >> >> > crypto map MAP interface outside
> >> >> > crypto isakmp identity hostname
> >> >> > crypto isakmp enable outside
> >> >> > crypto isakmp policy 10
> >> >> > authentication pre-share
> >> >> > encryption aes-256
> >> >> > hash sha
> >> >> > group 2
> >> >> > lifetime 43200
> >> >> > no crypto isakmp nat-traversal
> >> >> > no vpn-addr-assign dhcp
> >> >> > telnet timeout 5
> >> >> > ssh timeout 5
> >> >> > ssh version 2
> >> >> > console timeout 5
> >> >> > management-access management
> >> >> > !
> >> >> > threat-detection basic-threat
> >> >> > threat-detection statistics access-list
> >> >> > no threat-detection statistics tcp-intercept
> >> >> > group-policy POLICY3 internal
> >> >> > group-policy POLICY3 attributes
> >> >> > vpn-idle-timeout 60
> >> >> > vpn-filter value
> >> >> > vpn-tunnel-protocol IPSec
> >> >> > address-pools value POOL3
> >> >> > group-policy DfltGrpPolicy attributes
> >> >> > vpn-tunnel-protocol IPSec webvpn
> >> >> > group-policy POLICY1 internal
> >> >> > group-policy POLICY1 attributes
> >> >> > vpn-idle-timeout 180
> >> >> > vpn-session-timeout none
> >> >> > vpn-tunnel-protocol IPSec
> >> >> > password-storage enable
> >> >> > split-tunnel-policy tunnelspecified
> >> >> > split-tunnel-network-list value NONAT
> >> >> > user-authentication enable
> >> >> > address-pools value POOL1
> >> >> > group-policy POLICY2 internal
> >> >> > group-policy POLICY2 attributes
> >> >> > vpn-simultaneous-logins 7
> >> >> > vpn-idle-timeout 60
> >> >> > vpn-filter value FILTER2
> >> >> > vpn-tunnel-protocol IPSec
> >> >> > password-storage enable
> >> >> > address-pools value POOL2
> >> >> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
> >> >> > username USER3 attributes
> >> >> > vpn-group-policy POLICY3
> >> >> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
> >> >> > username USER1 attributes
> >> >> > vpn-group-policy POLICY1
> >> >> > username USER2 password jcSAXHlsFLpnIf2H encrypted
> >> >> > username USER2 attributes
> >> >> > vpn-group-policy POLICY2
> >> >> > tunnel-group GROUP type remote-access
> >> >> > tunnel-group GROUP general-attributes
> >> >> > authorization-server-group LOCAL
> >> >> > default-group-policy POLICY1
> >> >> > tunnel-group GROUP ipsec-attributes
> >> >> > pre-shared-key *
> >> >> > !
> >> >> > class-map inspection_default
> >> >> > match default-inspection-traffic
> >> >> > !
> >> >> > !
> >> >> > policy-map type inspect dns migrated_dns_map_1
> >> >> > parameters
> >> >> > message-length maximum 512
> >> >> > policy-map global_policy
> >> >> > class inspection_default
> >> >> > inspect dns migrated_dns_map_1
> >> >> > inspect ftp
> >> >> > inspect h323 h225
> >> >> > inspect h323 ras
> >> >> > inspect rsh
> >> >> > inspect rtsp
> >> >> > inspect esmtp
> >> >> > inspect sqlnet
> >> >> > inspect skinny
> >> >> > inspect sunrpc
> >> >> > inspect xdmcp
> >> >> > inspect sip
> >> >> > inspect netbios
> >> >> > inspect tftp
> >> >> > !
> >> >> > service-policy global_policy global
> >> >> > prompt hostname context
> >> >> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
> >> >> > : end
> >> >> >
> >> >> >
> >> >> > AAA output shows that my USER2, which should retrieve POLICY2, gets
> >> >> > default policy POLICY1:
> >> >> >
> >> >> > %ASA-6-113012: AAA user authentication Successful : local database : user = USER2
> >> >> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = USER2
> >> >> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
> >> >> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
> >> >> >
> >> >> > Regards
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> >> >> Ivan,
> >> >> >>
> >> >> >> I would take a step back and see if you can get it working with the
> >> >> >> most basic settings and then maybe you can narrow down what's blocking you.
> >> >> >>
> >> >> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm missing
> >> >> >> the service-type setting under the username attributes. I have this
> >> >> >> configured in other environments on 8.2(1)11 with fallback local
> >> >> >> authorization. Here are my results:
> >> >> >>
> >> >> >> s ver | i 7.2
> >> >> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
> >> >> >>
> >> >> >> show run | i group-policy|tunnel-group|ip local pool|access-list test[12]
> >> >> >> access-list test1 extended deny ip any host 192.168.98.3
> >> >> >> access-list test1 extended permit ip any any
> >> >> >> access-list test2 extended permit ip any any
> >> >> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
> >> >> >> group-policy test2 internal
> >> >> >> group-policy test2 attributes
> >> >> >> group-policy test1 internal
> >> >> >> group-policy test1 attributes
> >> >> >> tunnel-group testing type ipsec-ra
> >> >> >> tunnel-group testing general-attributes
> >> >> >> default-group-policy test1
> >> >> >> tunnel-group testing ipsec-attributes
> >> >> >>
> >> >> >> You'll want to watch for the AAA output when you connect:
> >> >> >>
> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication Successful : local database : user = test2
> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user test2 is being set to test2
> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user specific group policy (test2) for user = test2
> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default group policy (test1) for user = test2
> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status ACCEPT : user = test2
> >> >> >>
> >> >> >> show vpn-sessiondb remote | i Username|Group
> >> >> >> Username : test2
> >> >> >> Group Policy : test2
> >> >> >> Tunnel Group : testing
> >> >> >>
> >> >> >> HTH,
> >> >> >>
> >> >> >> -ryan
> >> >> >>
> >> >> >>> -----Original Message-----
> >> >> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> >> >>> Sent: Friday, January 15, 2010 1:51 PM
> >> >> >>> To: Ryan West
> >> >> >>> Cc: Cisco certification
> >> >> >>> Subject: Re: ASA VPN problem
> >> >> >>>
> >> >> >>> Nothing. Same thing.
> >> >> >>>
> >> >> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >> >> >>> > Ivan,
> >> >> >>> >
> >> >> >>> >> -----Original Message-----
> >> >> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
> >> >> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
> >> >> >>> >> To: Ryan West
> >> >> >>> >>
> >> >> >>> >> ASA# sh run tunnel-group
> >> >> >>> >> tunnel-group GROUP1 type remote-access
> >> >> >>> >> tunnel-group GROUP1 general-attributes
> >> >> >>> >> default-group-policy POLICY3
> >> >> >>> >> tunnel-group GROUP1 ipsec-attributes
> >> >> >>> >> pre-shared-key *
> >> >> >>> >
> >> >> >>> > Try adding this to your tunnel-group GROUP1 general-attributes:
> >> >> >>> > authorization-server-group LOCAL
> >> >> >>> >
> >> >> >>> > -ryan
> >> >>
> >> >>
> >> >> Blogs and organic groups at http://www.ccie.net
> >> >>
> >> >>
> >> _______________________________________________________________________
> >> >> Subscription information may be found at:
> >> >> http://www.groupstudy.com/list/CCIELab.html

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
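Added example, not code from the thread or from Cisco: a small Python check for the failure mode discussed above. It parses an ASA running-config for the vpn-group-policy bound under each username's attributes and for the tunnel-group's default-group-policy, reads the %ASA-6-113009 and %ASA-6-113011 AAA lines, and reports every user whose session was handed the default policy instead of the bound one. This is worth running after any upgrade, because in the posted config the fallback is not harmless: POLICY2 carries vpn-filter FILTER2 while POLICY1 carries no vpn-filter, so a user dropped into POLICY1 loses that filter with a perfectly successful login in the log. The config and log text in the block are constructed to mirror the posted ones; the regexes, function names, and the rule that a logged 113011 overrides 113009 are assumptions taken from the two transcripts in the thread, not from Cisco documentation.

```python
"""Flag ASA remote-access users whose session got the tunnel-group default
group-policy instead of the vpn-group-policy bound under 'username ... attributes'.
Added example (not from the thread or Cisco); regexes, names and sample text are
assumptions modelled on the config and AAA log lines quoted in the thread."""
import re

# Constructed config fragment modelled on the posted one (no indentation, as in the mail).
SAMPLE_CONFIG = """\
group-policy POLICY1 attributes
split-tunnel-policy tunnelspecified
group-policy POLICY2 attributes
vpn-filter value FILTER2
username USER1 password XXXXXXXX encrypted privilege 15
username USER1 attributes
vpn-group-policy POLICY1
username USER2 password XXXXXXXX encrypted
username USER2 attributes
vpn-group-policy POLICY2
tunnel-group GROUP type remote-access
tunnel-group GROUP general-attributes
default-group-policy POLICY1
"""

# Constructed AAA lines: USER2 reproduces the bug (113009 only), USER1 the healthy
# sequence (113011 then 113009) seen in the working 7.2(4) transcript.
SAMPLE_LOGS = """\
%ASA-6-113012: AAA user authentication Successful : local database : user = USER2
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER2
%ASA-6-113008: AAA transaction status ACCEPT : user = USER2
%ASA-6-113012: AAA user authentication Successful : local database : user = USER1
%ASA-6-113011: AAA retrieved user specific group policy (POLICY1) for user = USER1
%ASA-6-113009: AAA retrieved default group policy (POLICY1) for user = USER1
%ASA-6-113008: AAA transaction status ACCEPT : user = USER1
"""

_HEADERS = (("user", re.compile(r"^username (\S+) attributes$")),
            ("tg", re.compile(r"^tunnel-group (\S+) general-attributes$")),
            ("gp", re.compile(r"^group-policy (\S+) attributes$")))
_USER_SPECIFIC = re.compile(
    r"%ASA-6-113011: AAA retrieved user specific group policy \((\S+)\) for user = (\S+)")
_DEFAULT = re.compile(
    r"%ASA-6-113009: AAA retrieved default group policy \((\S+)\) for user = (\S+)")

def parse_config(config):
    """Return (username -> vpn-group-policy, tunnel-group -> default-group-policy,
    group-policy -> vpn-filter ACL or None).  Indentation is ignored; any new
    username/group-policy/tunnel-group command closes the current block."""
    user_policy, tg_default, gp_filter = {}, {}, {}
    block = None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] in ("username", "group-policy", "tunnel-group"):
            block = None
            for kind, rx in _HEADERS:
                m = rx.match(line)
                if m:
                    block = (kind, m.group(1))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "user" and parts[0] == "vpn-group-policy" and len(parts) == 2:
            user_policy[name] = parts[1]
        elif kind == "tg" and parts[0] == "default-group-policy" and len(parts) == 2:
            tg_default[name] = parts[1]
        elif kind == "gp" and parts[0] == "vpn-filter":
            gp_filter[name] = parts[2] if len(parts) == 3 and parts[1] == "value" else None
    return user_policy, tg_default, gp_filter

def effective_policies(logs):
    """Per user, (policy, source) the ASA applied: 113011 (user-specific) wins when
    logged, otherwise the 113009 default is what the session ended up with."""
    specific, default = {}, {}
    for line in logs.splitlines():
        m = _USER_SPECIFIC.search(line)
        if m:
            specific[m.group(2)] = m.group(1)
            continue
        m = _DEFAULT.search(line)
        if m:
            default[m.group(2)] = m.group(1)
    return {u: (specific[u], "user-specific") if u in specific
            else (default[u], "tunnel-group default")
            for u in specific.keys() | default.keys()}

def find_policy_mismatches(config, logs):
    """Users whose bound vpn-group-policy differs from the applied one, with both
    policies' vpn-filter so a fallback that silently drops a filter stands out."""
    user_policy, _tg_default, gp_filter = parse_config(config)
    hits = []
    for user, (applied, source) in sorted(effective_policies(logs).items()):
        expected = user_policy.get(user)
        if expected is not None and expected != applied:
            hits.append({"user": user, "expected": expected, "applied": applied,
                         "source": source, "expected_filter": gp_filter.get(expected),
                         "applied_filter": gp_filter.get(applied)})
    return hits
```

Feed it the output of `show running-config` and a syslog capture. Note that the 113xxx messages are severity 6 (informational), so with the posted `logging buffered errors` they never reach the buffer; the posted `logging asdm informational` shows them only in ASDM, so send informational to a syslog host or raise the buffer level while testing. The tunnel-group default map is returned too, so the CSCsw25955 workaround (make the intended policy the tunnel-group default, or split users across tunnel-groups) can be verified the same way.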
Received on Tue Jan 19 2010 - 09:47:25 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART