From: thinkmassive on 21 Nov 2007 15:49

I have configured my vpn using the wizard in ASDM, and everything works fine when I connect from a PC on the same subnet as the router's external interface. When I try to connect from a remote PC, phase 1 doesn't even complete. The client is not responding to an IKE_DECODE SENDING Message unless it is plugged into the same switch as the ASA.

Here is a diagram to explain the connections...

works: LAN --- ASA 5505 ---- switch ---- VPN client
broken: LAN --- ASA 5505 ---- switch ---- ISP ---- Internet --- VPN client

Here are the first two lines from logs that differ between the working and non-working connections...

working:
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

broken:
6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

I know the client is configured correctly because it works fine when connected to the same subnet as the ASA. Any insight would be much appreciated.
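The symptom described in the post (the ASA's IKE_DECODE SENDING message going unanswered, followed by Phase 1 retransmits) can be picked out of an exported log mechanically. The following is an added example, not part of the original post: the function names are hypothetical, and the peer addresses and sample lines are constructed, modelled on the log format quoted above.

```python
import re
from datetime import datetime

# Field layout as in the quoted log: severity|date|time|message id|||text
LINE = re.compile(r"^(\d)\|(\w{3} \d{1,2} \d{4})\|(\d\d:\d\d:\d\d)\|(\d{6})\|\|\|(.*)$")
PEER = re.compile(r"IP = ([^,\s]+)")
DECODE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=(\w+)\) "
                    r"with payloads : (.*?) total length : (\d+)")

def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    sev, date, time, msg_id, text = m.groups()
    ev = {"severity": int(sev), "id": msg_id, "text": text,
          "when": datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S")}
    peer = PEER.search(text)
    ev["peer"] = peer.group(1) if peer else None
    d = DECODE.search(text)
    if d:
        ev["direction"] = d.group(1)
        # "HDR + SA (1) + KE (4)" -> ["HDR", "SA", "KE"]
        ev["payloads"] = [p.split(" (")[0].strip() for p in d.group(3).split(" + ")]
        ev["length"] = int(d.group(4))
    return ev

def stalled_peers(lines):
    """Map peer -> retransmit count where the last IKE_DECODE was SENDING (no reply)."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["when"])
    last_dir, retrans = {}, {}
    for ev in events:
        if ev["id"] == "713236":
            last_dir[ev["peer"]] = ev.get("direction")
            retrans[ev["peer"]] = 0  # any decoded message restarts the count
        elif ev["id"] in ("713201", "713905") and last_dir.get(ev["peer"]) == "SENDING":
            retrans[ev["peer"]] += 1
    return {p: n for p, n in retrans.items() if n and last_dir[p] == "SENDING"}

# Constructed sample, newest first as in the post; addresses are documentation ranges.
SAMPLE = [
    "6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = 198.51.100.7, P1 Retransmit msg dispatched to AM FSM",
    "5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = 198.51.100.7, Duplicate Phase 1 packet detected. Retransmitting last packet.",
    "7|Nov 21 2007|07:24:56|713236|||IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + NAT-D (130) + NONE (0) total length : 440",
    "7|Nov 21 2007|07:23:27|713236|||IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NONE (0) total length : 168",
    "7|Nov 21 2007|07:23:26|713236|||IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONE (0) total length : 440",
]
print(stalled_peers(SAMPLE))
```

A peer is reported only when retransmit messages 713201 or 713905 follow a SENDING line with no later RECEIVED line, which is the difference between the two excerpts in the post.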