Problem with VPN on ASA 5505

Discussion in 'Cisco' started by thinkmassive, Nov 21, 2007.

  1. thinkmassive

    thinkmassive Guest

    I have configured my VPN using the wizard in ASDM, and everything
    works fine when I connect from a PC on the same subnet as the router's
    external interface. When I try to connect from a remote PC, phase 1
    doesn't even complete. The client is not responding to an IKE_DECODE
    SENDING Message unless it is plugged into the same switch as the ASA.
    Here is a diagram to explain the connections...

    works:
    LAN --- ASA 5505 ---- switch ---- VPN client

    broken:
    LAN --- ASA 5505 ---- switch ---- ISP ---- Internet --- VPN client

    Here are the first two lines from logs that differ between the working
    and non-working connections...
    working:
    7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED
    Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D
    (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total
    length : 168
    7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) +
    ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
    (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE
    (0) total length : 440

    broken:
    6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1
    Retransmit msg dispatched to AM FSM
    5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x,
    Duplicate Phase 1 packet detected. Retransmitting last packet.
    7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) +
    ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR
    (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE
    (0) total length : 440


    I know the client is configured correctly because it works fine when
    connected to the same subnet as the ASA. Any insight would be much
    appreciated.
     
    thinkmassive, Nov 21, 2007
    #1
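
A way to find this pattern in a longer log capture, as an added example that is not part of the original post: it rejoins the wrapped syslog records and flags peers that the ASA answered (IKE_DECODE SENDING) but that only produced duplicate Phase 1 packets and no follow-up message. The function names, the placeholder peer addresses and the rule that the client's follow-up message carries no SA payload (IKEv1 aggressive mode) are assumptions.

```python
import re
from collections import defaultdict

# Record start as pasted in the post: severity|date|time|syslog-id|||text
RECORD = re.compile(r"^\d\|[^|]*\|[^|]*\|(\d{6})\|\|\|(.*)$")
PEER = re.compile(r"\bIP = ([^,\s]+)")
DECODE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=0\) with payloads : (.*?) total")

def parse_records(text):
    """Rejoin wrapped lines; return [syslog_id, body] pairs."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif line and records:
            records[-1][1] += " " + line  # continuation of a wrapped record
    return records

def phase1_summary(text):
    """Per peer: ASA sends, client follow-ups, duplicate Phase 1 packets."""
    stats = defaultdict(lambda: {"sent": 0, "replies": 0, "duplicates": 0})
    for sid, body in parse_records(text):
        peer = PEER.search(body)
        s = stats[peer.group(1) if peer else "?"]
        m = DECODE.search(body)
        if sid == "713236" and m:
            if m.group(1) == "SENDING":
                s["sent"] += 1
            elif not re.search(r"\bSA \(", m.group(2)):  # assumption: first AM packet has SA, follow-up does not
                s["replies"] += 1
        elif sid == "713201" and "Duplicate Phase 1 packet" in body:
            s["duplicates"] += 1
    return dict(stats)

def stalled_peers(text):
    """Peers the ASA answered but that only resent their first Phase 1 packet."""
    return sorted(p for p, s in phase1_summary(text).items()
                  if s["sent"] and s["duplicates"] and not s["replies"])

# Constructed sample based on the post's excerpts: payload lists shortened, peer addresses are placeholders
SAMPLE = """\
7|Nov 21 2007|07:23:27|713236|||IP = 192.0.2.10, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NONE (0) total length : 168
7|Nov 21 2007|07:23:27|713236|||IP = 192.0.2.10, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NONE (0) total length : 440
5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = 198.51.100.20,
Duplicate Phase 1 packet detected. Retransmitting last packet.
7|Nov 21 2007|07:24:56|713236|||IP = 198.51.100.20, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NONE (0) total length : 440"""
```

`stalled_peers(SAMPLE)` returns only the peer from the broken excerpt; the peer from the working excerpt has a follow-up message and is not flagged.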