Re: ASA VPN problem

Yes, that's true. The sad part is that such trivial and old features
doesn't work in new software releases because they introduce so much
new features and produce bugs for all and well known features :)

R

On Tue, Jan 19, 2010 at 3:47 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> lol ... many problems can be solved with a upgrade and reload!
>
> ;-)
>
> Thanks for such an in depth thread ... you all rock!
>
> Andrew Lee Lissitz
>
>
> .
>
> On Sun, Jan 17, 2010 at 5:04 PM, Ivan Hrvatska <ivanzghr_at_gmail.com> wrote:
>>
>> Yes, that's it. I upgraded to 8.0.5 and works just fine. Thanks for
>> your assistance.
>>
>> Regards
>>
>> On Sun, Jan 17, 2010 at 5:18 PM, Ryan West <rwest_at_zyedge.com> wrote:
>> > Ivan,
>> >
>> > Pretty sure this is your problem:
>> >
>> > CSCsw25955
>> >
>> > ASA ignores vpn-group-policy under username attributes
>> >
>> > Symptom:
>> > When group-policy is assigned with vpn-group-policy command under
>> > username attributes, the ASA ignores it and puts particular user into
>> > default group-policy for that tunnel-group.
>> >
>> > Conditions:
>> > - ASA software 8.0.4.12
>> > - Group-policy assigned under username attribute
>> >
>> > Workaround:
>> > 1. Assign group-policy as a default group-policy under tunnel-group if
>> > possible or create another tunnel-group with a default group-policy
>> > or
>> > 2. Upgrade to 8.0.4.16
>> >
>> > -----------------
>> >
>> > They recommend 8.0.4(16), but I would strongly recommend just moving to
>> > 8.0.5, which is stable and has all the fixes from 8.0.4(32) rolled into it.
>> >
>> > Thanks,
>> >
>> > -ryan
>> >
>> >> -----Original Message-----
>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> Sent: Sunday, January 17, 2010 6:29 AM
>> >> To: Farrukh Haroon
>> >> Cc: Ryan West; Cisco certification
>> >> Subject: Re: ASA VPN problem
>> >>
>> >> I tried that. Nothing. When I remove default group policy from the
>> >> tunnel group it cannot establish connection with peer at all.
>> >>
>> >> Cisco Adaptive Security Appliance Software Version 8.0(4)12
>> >>
>> >> ASA is on remote site, customer site, in production, and that is the
>> >> reason why I cannot erase config, reload it, and start from beginning.
>> >> My colleagues experienced some problems with version 8, some basic
>> >> things didn't work. So they deleted startup config, reload it, and
>> >> configure it. It helped.
>> >>
>> >>
>> >> Regards
>> >>
>> >> On Sun, Jan 17, 2010 at 6:50 AM, Farrukh Haroon
>> >> <farrukhharoon_at_gmail.com> wrote:
>> >> > Can you try removing the default group policy from the tunnel group
>> >> and then
>> >> > try? (it will default to the default group-policy)
>> >> >
>> >> > Also what version of code are you running?
>> >> >
>> >> > Regards
>> >> >
>> >> > Farrukh
>> >> >
>> >> > On Sun, Jan 17, 2010 at 12:39 AM, Ivan Hrvatska <ivanzghr_at_gmail.com>
>> >> wrote:
>> >> >>
>> >> >> ASA# show vpn-sessiondb remote
>> >> >>
>> >> >> Session Type: IPsec
>> >> >>
>> >> >> Username : sapadmin Index : 84
>> >> >> Assigned IP : 172.17.1.8 Public IP : X.X.X.X
>> >> >> Protocol : IKE IPsec
>> >> >> License : IPsec
>> >> >> Encryption : AES256 Hashing : SHA1
>> >> >> Bytes Tx : 0 Bytes Rx : 0
>> >> >> Group Policy : Tunnel Group : GROUP
>> >> >> Login Time : 13:01:03 UTC Sat Jan 16 2010
>> >> >> Duration : 0h:00m:27s
>> >> >> NAC Result : Unknown
>> >> >> VLAN Mapping : N/A VLAN : none
>> >> >>
>> >> >> Group Policy is empty.
>> >> >>
>> >> >> On Sat, Jan 16, 2010 at 3:41 PM, Ivan Hrvatska <ivanzghr_at_gmail.com>
>> >> wrote:
>> >> >> > part of configuration:
>> >> >> >
>> >> >> > !
>> >> >> > hostname ASA
>> >> >> > domain-name default.domain.invalid
>> >> >> > enable password LnGnWLhfZ8O2Q/GB encrypted
>> >> >> > passwd 2KFQnbNIdI.2KYOU encrypted
>> >> >> > names
>> >> >> > dns-guard
>> >> >> > pager lines 24
>> >> >> > logging enable
>> >> >> > logging buffered errors
>> >> >> > logging asdm informational
>> >> >> > mtu outside 1500
>> >> >> > mtu VPN 1492
>> >> >> > mtu Serveri 1500
>> >> >> > mtu LAN 1500
>> >> >> > mtu Procesni 1500
>> >> >> > mtu management 1500
>> >> >> > ip local pool POOL1 172.17.1.1-172.17.1.31 mask 255.255.255.224
>> >> >> > ip local pool POOL2 172.17.1.33-172.17.1.62 mask 255.255.255.224
>> >> >> > ip local pool POOL3 172.17.1.65-172.17.1.94 mask 255.255.255.224
>> >> >> > no failover
>> >> >> > icmp unreachable rate-limit 1 burst-size 1
>> >> >> > asdm image disk0:/asdm-613.bin
>> >> >> > no asdm history enable
>> >> >> > arp timeout 14400
>> >> >> > timeout xlate 3:00:00
>> >> >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> >> >> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
>> >> mgcp-pat
>> >> >> > 0:05:00
>> >> >> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
>> >> disconnect
>> >> >> > 0:02:00
>> >> >> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>> >> >> > timeout tcp-proxy-reassembly 0:01:00
>> >> >> > dynamic-access-policy-record DfltAccessPolicy
>> >> >> > aaa authentication ssh console LOCAL
>> >> >> > aaa authentication http console LOCAL
>> >> >> > aaa authentication telnet console LOCAL
>> >> >> > no snmp-server location
>> >> >> > no snmp-server contact
>> >> >> > snmp-server enable traps snmp authentication linkup linkdown
>> >> coldstart
>> >> >> > crypto ipsec transform-set T1 esp-aes-256 esp-sha-hmac
>> >> >> > crypto ipsec transform-set T2 esp-aes-192 esp-md5-hmac
>> >> >> > crypto ipsec transform-set T3 esp-aes esp-sha-hmac
>> >> >> > crypto ipsec transform-set T4 esp-3des esp-sha-hmac
>> >> >> > crypto ipsec transform-set T5 esp-3des esp-md5-hmac
>> >> >> > crypto ipsec security-association lifetime seconds 28800
>> >> >> > crypto ipsec security-association lifetime kilobytes 4608000
>> >> >> > crypto dynamic-map DM1 10 set transform-set T1 T2 T3 T4 T5
>> >> >> > crypto dynamic-map DM1 10 set security-association lifetime
>> >> seconds
>> >> >> > 28800
>> >> >> > crypto dynamic-map DM1 10 set security-association lifetime
>> >> kilobytes
>> >> >> > 4608000
>> >> >> > crypto dynamic-map DM1 10 set reverse-route
>> >> >> > crypto map MAP 10 ipsec-isakmp dynamic DM1
>> >> >> > crypto map MAP interface outside
>> >> >> > crypto isakmp identity hostname
>> >> >> > crypto isakmp enable outside
>> >> >> > crypto isakmp policy 10
>> >> >> > authentication pre-share
>> >> >> > encryption aes-256
>> >> >> > hash sha
>> >> >> > group 2
>> >> >> > lifetime 43200
>> >> >> > no crypto isakmp nat-traversal
>> >> >> > no vpn-addr-assign dhcp
>> >> >> > telnet timeout 5
>> >> >> > ssh timeout 5
>> >> >> > ssh version 2
>> >> >> > console timeout 5
>> >> >> > management-access management
>> >> >> > !
>> >> >> > threat-detection basic-threat
>> >> >> > threat-detection statistics access-list
>> >> >> > no threat-detection statistics tcp-intercept
>> >> >> > group-policy POLICY3 internal
>> >> >> > group-policy POLICY3 attributes
>> >> >> > vpn-idle-timeout 60
>> >> >> > vpn-filter value
>> >> >> > vpn-tunnel-protocol IPSec
>> >> >> > address-pools value POOL3
>> >> >> > group-policy DfltGrpPolicy attributes
>> >> >> > vpn-tunnel-protocol IPSec webvpn
>> >> >> > group-policy POLICY1 internal
>> >> >> > group-policy POLICY1 attributes
>> >> >> > vpn-idle-timeout 180
>> >> >> > vpn-session-timeout none
>> >> >> > vpn-tunnel-protocol IPSec
>> >> >> > password-storage enable
>> >> >> > split-tunnel-policy tunnelspecified
>> >> >> > split-tunnel-network-list value NONAT
>> >> >> > user-authentication enable
>> >> >> > address-pools value POOL1
>> >> >> > group-policy POLICY2 internal
>> >> >> > group-policy POLICY2 attributes
>> >> >> > vpn-simultaneous-logins 7
>> >> >> > vpn-idle-timeout 60
>> >> >> > vpn-filter value FILTER2
>> >> >> > vpn-tunnel-protocol IPSec
>> >> >> > password-storage enable
>> >> >> > address-pools value POOL2
>> >> >> > username USER3 password g9O3SBOu.Lds9mV4 encrypted
>> >> >> > username USER3 attributes
>> >> >> > vpn-group-policy POLICY3
>> >> >> > username USER1 password cNH.ND6XX2p2UgNJ encrypted privilege 15
>> >> >> > username USER1 attributes
>> >> >> > vpn-group-policy POLICY1
>> >> >> > username USER2 password jcSAXHlsFLpnIf2H encrypted
>> >> >> > username USER2 attributes
>> >> >> > vpn-group-policy POLICY2
>> >> >> > tunnel-group GROUP type remote-access
>> >> >> > tunnel-group GROUP general-attributes
>> >> >> > authorization-server-group LOCAL
>> >> >> > default-group-policy POLICY1
>> >> >> > tunnel-group GROUP ipsec-attributes
>> >> >> > pre-shared-key *
>> >> >> > !
>> >> >> > class-map inspection_default
>> >> >> > match default-inspection-traffic
>> >> >> > !
>> >> >> > !
>> >> >> > policy-map type inspect dns migrated_dns_map_1
>> >> >> > parameters
>> >> >> > message-length maximum 512
>> >> >> > policy-map global_policy
>> >> >> > class inspection_default
>> >> >> > inspect dns migrated_dns_map_1
>> >> >> > inspect ftp
>> >> >> > inspect h323 h225
>> >> >> > inspect h323 ras
>> >> >> > inspect rsh
>> >> >> > inspect rtsp
>> >> >> > inspect esmtp
>> >> >> > inspect sqlnet
>> >> >> > inspect skinny
>> >> >> > inspect sunrpc
>> >> >> > inspect xdmcp
>> >> >> > inspect sip
>> >> >> > inspect netbios
>> >> >> > inspect tftp
>> >> >> > !
>> >> >> > service-policy global_policy global
>> >> >> > prompt hostname context
>> >> >> > Cryptochecksum:b5616d07c0d269f2f5d1621435eecfa9
>> >> >> > : end
>> >> >> >
>> >> >> >
>> >> >> > AAA output shows that my USER2, which should retrieve POLICY2,
>> >> gets
>> >> >> > default policy POLICY1:
>> >> >> >
>> >> >> > %ASA-6-113012: AAA user authentication Successful : local database
>> >> :
>> >> >> > user = USER2
>> >> >> > %ASA-6-113004: AAA user authorization Successful : server = LOCAL
>> >> :
>> >> >> > user = USER2
>> >> >> > %ASA-6-113009: AAA retrieved default group policy (POLICY1) for
>> >> user =
>> >> >> > USER2
>> >> >> > %ASA-6-113008: AAA transaction status ACCEPT : user = USER2
>> >> >> >
>> >> >> > Regards
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Fri, Jan 15, 2010 at 11:53 PM, Ryan West <rwest_at_zyedge.com>
>> >> wrote:
>> >> >> >> Ivan,
>> >> >> >>
>> >> >> >> I would take a step back and see if you can get it working with
>> >> the
>> >> >> >> most basic settings and then maybe you can narrow down what's
>> >> blocking you.
>> >> >> >>
>> >> >> >> I replicated basic settings on a 5510 running 7.2(4)33, so I'm
>> >> missing
>> >> >> >> the service-type setting under the username attributes. I have
>> >> this
>> >> >> >> configured in other environments on 8.2(1)11 with fallback local
>> >> >> >> authorization. Here are my results:
>> >> >> >>
>> >> >> >> s ver | i 7.2
>> >> >> >> Cisco Adaptive Security Appliance Software Version 7.2(4)33
>> >> >> >>
>> >> >> >> show run | i group-policy|tunnel-group|ip local pool|access-list
>> >> >> >> test[12]
>> >> >> >> access-list test1 extended deny ip any host 192.168.98.3
>> >> >> >> access-list test1 extended permit ip any any
>> >> >> >> access-list test2 extended permit ip any any
>> >> >> >> ip local pool vpnpool 192.168.100.1-192.168.100.20
>> >> >> >> group-policy test2 internal
>> >> >> >> group-policy test2 attributes
>> >> >> >> group-policy test1 internal
>> >> >> >> group-policy test1 attributes
>> >> >> >> tunnel-group testing type ipsec-ra
>> >> >> >> tunnel-group testing general-attributes
>> >> >> >> default-group-policy test1
>> >> >> >> tunnel-group testing ipsec-attributes
>> >> >> >>
>> >> >> >> You'll want to watch for the AAA output when you connect:
>> >> >> >>
>> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113012: AAA user authentication
>> >> >> >> Successful : local database : user = test2
>> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113003: AAA group policy for user
>> >> test2
>> >> >> >> is being set to test2
>> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113011: AAA retrieved user
>> >> specific
>> >> >> >> group policy (test2) for user = test2
>> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113009: AAA retrieved default
>> >> group
>> >> >> >> policy (test1) for user = test2
>> >> >> >> Jan 15 2010 17:50:02 : %ASA-6-113008: AAA transaction status
>> >> ACCEPT :
>> >> >> >> user = test2
>> >> >> >>
>> >> >> >> show vpn-sessiondb remote | i Username|Group
>> >> >> >> Username : test2
>> >> >> >> Group Policy : test2
>> >> >> >> Tunnel Group : testing
>> >> >> >>
>> >> >> >> HTH,
>> >> >> >>
>> >> >> >> -ryan
>> >> >> >>
>> >> >> >>> -----Original Message-----
>> >> >> >>> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> >> >>> Sent: Friday, January 15, 2010 1:51 PM
>> >> >> >>> To: Ryan West
>> >> >> >>> Cc: Cisco certification
>> >> >> >>> Subject: Re: ASA VPN problem
>> >> >> >>>
>> >> >> >>> Nothing. Same thing.
>> >> >> >>>
>> >> >> >>> On Fri, Jan 15, 2010 at 5:13 PM, Ryan West <rwest_at_zyedge.com>
>> >> wrote:
>> >> >> >>> > Ivan,
>> >> >> >>> >
>> >> >> >>> >> -----Original Message-----
>> >> >> >>> >> From: Ivan Hrvatska [mailto:ivanzghr_at_gmail.com]
>> >> >> >>> >> Sent: Thursday, January 14, 2010 5:37 PM
>> >> >> >>> >> To: Ryan West
>> >> >> >>> >>
>> >> >> >>> >> ASA# sh run tunnel-group
>> >> >> >>> >> tunnel-group GROUP1 type remote-access
>> >> >> >>> >> tunnel-group GROUP1 general-attributes
>> >> >> >>> >> default-group-policy POLICY3
>> >> >> >>> >> tunnel-group GROUP1 ipsec-attributes
>> >> >> >>> >> pre-shared-key *
>> >> >> >>> >
>> >> >> >>> > Try adding this to your tunnel-group GROUP1 general-
>> >> attributes:
>> >> >> >>> > authorization-server-group LOCAL
>> >> >> >>> >
>> >> >> >>> > -ryan
>> >> >>
>> >> >>
>> >> >> Blogs and organic groups at http://www.ccie.net
>> >> >>
>> >> >>
>> >> _______________________________________________________________________
>> >> >> Subscription information may be found at:
>> >> >> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com

Blogs and organic groups at http://www.ccie.net
Received on Fri Jan 22 2010 - 16:17:01 ART