Velocity Reviews - Computer Hardware Reviews

Problem with VPN on ASA 5505

 
 
thinkmassive
      11-21-2007
I have configured my VPN using the wizard in ASDM, and everything
works fine when I connect from a PC on the same subnet as the router's
external interface. When I try to connect from a remote PC, phase 1
doesn't even complete. The client is not responding to an IKE_DECODE
SENDING Message unless it is plugged into the same switch as the ASA.
Here is a diagram to explain the connections...

works:
LAN --- ASA 5505 ---- switch ---- VPN client

broken:
LAN --- ASA 5505 ---- switch ---- ISP ---- Internet --- VPN client

Here are the first two lines from logs that differ between the working
and non-working connections...
working:
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

broken:
6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440


I know the client is configured correctly because it works fine when
connected to the same subnet as the ASA. Any insight would be much
appreciated.
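
The comparison between the two excerpts above can be automated. This is an added example, not part of the original post: it assumes pipe-delimited ASDM log lines listed newest first (as the timestamps in the broken excerpt suggest), and the name phase1_status, the abridged payload lists and the peer address 192.0.2.10 are made up for illustration.

```python
import re

# Constructed sample input: the thread's log excerpts, rejoined onto single
# lines and abridged, with the masked peer replaced by a documentation address.
SENT = ("7|Nov 21 2007|{t}|713236|||IP = 192.0.2.10, IKE_DECODE SENDING Message "
        "(msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + "
        "HASH (8) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 440")
WORKING = "\n".join([
    "7|Nov 21 2007|07:23:27|713236|||IP = 192.0.2.10, IKE_DECODE RECEIVED Message "
    "(msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + "
    "NAT-D (130) + NONE (0) total length : 168",
    SENT.format(t="07:23:27"),
])
BROKEN = "\n".join([
    "6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = 192.0.2.10, "
    "P1 Retransmit msg dispatched to AM FSM",
    "5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = 192.0.2.10, "
    "Duplicate Phase 1 packet detected. Retransmitting last packet.",
    SENT.format(t="07:24:56"),
])

PEER = re.compile(r"IP = ([^,\s]+)")

def phase1_status(log_text, newest_first=True):
    """Map each peer to (status, retransmits) for its latest Phase 1 attempt."""
    lines = [ln for ln in log_text.splitlines() if ln.count("|") >= 6]
    if newest_first:          # assumption: excerpt is listed newest entry first
        lines.reverse()
    result = {}
    for ln in lines:
        _sev, _date, _time, msg_id, _, _, text = ln.split("|", 6)
        m = PEER.search(text)
        if not m:
            continue
        peer = m.group(1)
        status, retx = result.get(peer, ("idle", 0))
        if msg_id == "713236" and "IKE_DECODE SENDING" in text:
            status, retx = "awaiting-reply", 0      # ASA sent its Phase 1 message
        elif msg_id == "713236" and "IKE_DECODE RECEIVED" in text:
            if status != "idle":
                status = "answered"                 # peer replied to what was sent
        elif msg_id == "713201" and status != "idle":
            status, retx = "stalled", retx + 1      # duplicate seen, last packet resent
        result[peer] = (status, retx)
    return result

if __name__ == "__main__":
    print(phase1_status(WORKING))
    print(phase1_status(BROKEN))
```

A peer reported as "stalled" matches the broken excerpt: the ASA sent its message, then logged a duplicate Phase 1 packet and a retransmission without any later RECEIVED entry from that peer.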
 