Problem with VPN on ASA 5505

Discussion in 'Cisco' started by thinkmassive, Nov 21, 2007.

  1. thinkmassive

    thinkmassive Guest

    I have configured my VPN using the wizard in ASDM, and everything
    works fine when I connect from a PC on the same subnet as the router's
    external interface. When I try to connect from a remote PC, phase 1
    doesn't even complete. The client is not responding to an IKE_DECODE
    SENDING Message unless it is plugged into the same switch as the ASA.
    Here is a diagram to explain the connections...

    works:
    LAN --- ASA 5505 ---- switch ---- VPN client

    broken:
    LAN --- ASA 5505 ---- switch ---- ISP ---- Internet --- VPN client

    Here are the first two lines from logs that differ between the working
    and non-working connections...
    working:
    7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED
    Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D
    (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total
    length : 168
    7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) +
    ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
    (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE
    (0) total length : 440

    broken:
    6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1
    Retransmit msg dispatched to AM FSM
    5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x,
    Duplicate Phase 1 packet detected. Retransmitting last packet.
    7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) +
    ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
    (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE
    (0) total length : 440


    I know the client is configured correctly because it works fine when
    connected to the same subnet as the ASA. Any insight would be much
    appreciated.
    thinkmassive, Nov 21, 2007
    #1
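
The two excerpts in the post above can be compared mechanically. This added example, which is not part of the original post and is not Cisco code, parses the ASDM-format lines, orders them chronologically, and reports whether the ASA's key-exchange reply was followed by a message from the peer or by a 713201 duplicate-packet event. The function names and status strings are invented here, and it assumes both excerpts were pasted newest-first, as the timestamps in the broken one show.

```python
import re
from datetime import datetime

# Log lines from the post above, with the forum's line wrapping undone.
WORKING = """\
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
"""
BROKEN = """\
6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
"""

IKE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message .*? with payloads : (.+?) total length : (\d+)")

def parse(block):
    """Parse ASDM-style lines (sev|date|time|id|||text) into events, oldest first."""
    events = []
    # Assumption: excerpts are newest-first, so reverse; the sort is stable within a second.
    for line in reversed(block.strip().splitlines()):
        _sev, date, time, msg_id, _, _, text = line.split("|", 6)
        m = IKE.search(text)
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S"),
            "id": msg_id,
            "dir": m.group(1) if m else None,
            # Drop the numeric payload type, e.g. "NAT-D (130)" -> "NAT-D".
            "payloads": [p.split(" (")[0] for p in m.group(2).split(" + ")] if m else [],
            "length": int(m.group(3)) if m else None,
        })
    return sorted(events, key=lambda e: e["ts"])

def phase1_status(events):
    """Say what followed the ASA's key-exchange reply (status strings are hypothetical)."""
    sent = False
    for e in events:
        if e["dir"] == "SENDING" and "KE" in e["payloads"]:
            sent = True  # the ASA's reply carrying SA/KE/NONCE went out
        elif sent and e["dir"] == "RECEIVED":
            return "peer-answered"
        elif sent and e["id"] == "713201":
            return "no-answer-peer-retransmitting"
    return "reply-sent-no-followup" if sent else "no-reply-sent"

if __name__ == "__main__":
    for name, block in (("working", WORKING), ("broken", BROKEN)):
        print(name, phase1_status(parse(block)))
```

A 713201 event after the reply means the ASA saw the peer's earlier Phase 1 packet again instead of a new message, which matches the poster's observation that the client does not respond to the SENDING message.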