I noticed an interesting case: the ASA firewall that I am configuring for the VPN client was meant to replace the router that had been acting as the VPN server until now. So far everything had worked flawlessly on the router, but one day the VPN client stopped communicating with the router's internal network even though it establishes the connection. In other words, exactly the same situation as on the ASA I am configuring.
As suggested, I tried another VPN client (Shrew); communication with the router came back, but the ASA still refuses to talk. The tunnel comes up, but without access to inside.
Could this have something to do with the end-of-life and end-of-sale announcement for Cisco VPN Client?
I did not check on XP, because until now everything worked as it should on Win7.
I am attaching the log from VPN Client with the logging level set to "High".
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
1 15:43:43.421 03/21/13 Sev=Info/4 CM/0x63100002
Begin connection process
2 15:43:43.440 03/21/13 Sev=Info/4 CM/0x63100004
Establish secure connection
3 15:43:43.440 03/21/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"
4 15:43:43.443 03/21/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
5 15:43:43.449 03/21/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 15:43:43.455 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xxx.xxx.xxx.xxx
7 15:43:43.486 03/21/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 15:43:43.486 03/21/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 15:43:43.486 03/21/13 Sev=Info/6 IPSEC/0x6370002C
Sent 66 packets, 0 were fragmented.
10 15:43:43.486 03/21/13 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (192.168.66.100)
11 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
12 15:43:43.535 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from xxx.xxx.xxx.xxx
13 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
15 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
16 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
17 15:43:43.535 03/21/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
18 15:43:43.544 03/21/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 15:43:43.544 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx
20 15:43:43.545 03/21/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 15:43:43.545 03/21/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCB1A, Remote Port = 0x1194
22 15:43:43.545 03/21/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 15:43:43.545 03/21/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 15:43:43.602 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
25 15:43:43.602 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx
26 15:43:43.602 03/21/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 15:43:43.604 03/21/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
28 15:43:47.666 03/21/13 Sev=Info/4 CM/0x63100017
xAuth application returned
29 15:43:47.666 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
30 15:43:47.721 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
31 15:43:47.721 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx
32 15:43:47.721 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
33 15:43:47.721 03/21/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
34 15:43:47.725 03/21/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
35 15:43:47.725 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx
36 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
37 15:43:47.782 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xxx.xxx.xxx.xxx
38 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.66.101
39 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
40 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
41 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
42 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.64.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
43 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 9.0(1) built by builders on Fri 26-Oct-12 16:36
45 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46 15:43:47.782 03/21/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47 15:43:47.783 03/21/13 Sev=Info/4 CM/0x63100019
Mode Config data received
48 15:43:47.790 03/21/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.66.101, GW IP = xxx.xxx.xxx.xxx, Remote IP = 0.0.0.0
49 15:43:47.791 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xxx.xxx.xxx.xxx
50 15:43:47.872 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
51 15:43:47.873 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.xxx
52 15:43:47.873 03/21/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86000 seconds
53 15:43:47.873 03/21/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 85996 seconds from now
54 15:43:47.875 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
55 15:43:47.875 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from xxx.xxx.xxx.xxx
56 15:43:47.875 03/21/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
57 15:43:47.875 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to xxx.xxx.xxx.xxx
58 15:43:47.875 03/21/13 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=FA7D9F64 OUTBOUND SPI = 0x57B3853D INBOUND SPI = 0x36DAECB8)
59 15:43:47.876 03/21/13 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x57B3853D
60 15:43:47.876 03/21/13 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0x36DAECB8
61 15:43:47.908 03/21/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.13 25
10.0.0.0 255.255.255.0 10.0.0.13 10.0.0.13 281
10.0.0.13 255.255.255.255 10.0.0.13 10.0.0.13 281
10.0.0.255 255.255.255.255 10.0.0.13 10.0.0.13 281
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 10.0.0.13 10.0.0.13 281
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 10.0.0.13 10.0.0.13 281
62 15:43:48.226 03/21/13 Sev=Info/6 CVPND/0x63400001
Launch VAInst64 to control IPSec Virtual Adapter
63 15:43:48.609 03/21/13 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.66.101/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=
64 15:43:48.651 03/21/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.13 25
10.0.0.0 255.255.255.0 10.0.0.13 10.0.0.13 281
10.0.0.13 255.255.255.255 10.0.0.13 10.0.0.13 281
10.0.0.255 255.255.255.255 10.0.0.13 10.0.0.13 281
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 10.0.0.13 10.0.0.13 281
224.0.0.0 240.0.0.0 0.0.0.0 0.0.0.0 281
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 10.0.0.13 10.0.0.13 281
255.255.255.255 255.255.255.255 0.0.0.0 0.0.0.0 281
65 15:43:49.568 03/21/13 Sev=Warning/3 CLI/0xA3900004
Unable to purge old log files. Function returned -4.
66 15:43:51.696 03/21/13 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.
67 15:43:51.697 03/21/13 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.13 25
10.0.0.0 255.255.255.0 10.0.0.13 10.0.0.13 281
10.0.0.1 255.255.255.255 10.0.0.13 10.0.0.13 100
10.0.0.13 255.255.255.255 10.0.0.13 10.0.0.13 281
10.0.0.255 255.255.255.255 10.0.0.13 10.0.0.13 281
xxx.xxx.xxx.xxx 255.255.255.255 10.0.0.1 10.0.0.13 100
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
192.168.64.0 255.255.255.0 192.168.66.1 192.168.66.101 100
192.168.66.0 255.255.255.0 192.168.66.101 192.168.66.101 281
192.168.66.101 255.255.255.255 192.168.66.101 192.168.66.101 281
192.168.66.255 255.255.255.255 192.168.66.101 192.168.66.101 281
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306
224.0.0.0 240.0.0.0 10.0.0.13 10.0.0.13 281
224.0.0.0 240.0.0.0 192.168.66.101 192.168.66.101 281
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306
255.255.255.255 255.255.255.255 10.0.0.13 10.0.0.13 281
255.255.255.255 255.255.255.255 192.168.66.101 192.168.66.101 281
68 15:43:51.697 03/21/13 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter
69 15:43:51.713 03/21/13 Sev=Info/4 CM/0x6310001A
One secure connection established
70 15:43:51.747 03/21/13 Sev=Info/4 CM/0x6310003B
Address watch added for 10.0.0.13. Current hostname: profelektronix2, Current address(es): 192.168.66.101, 10.0.0.13.
71 15:43:51.751 03/21/13 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.66.101. Current hostname: profelektronix2, Current address(es): 192.168.66.101, 10.0.0.13.
72 15:43:51.751 03/21/13 Sev=Info/5 CM/0x63100001
Did not find the Smartcard to watch for removal
73 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
74 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
75 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x3d85b357 into key list
76 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
77 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xb8ecda36 into key list
78 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.66.101
79 15:43:51.751 03/21/13 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 10.0.0.13. SG: xxx.xxx.xxx.xxx
80 15:43:51.753 03/21/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.
81 15:43:51.796 03/21/13 Sev=Info/4 CLI/0x63900002
Started vpnclient:
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
82 15:43:52.915 03/21/13 Sev=Warning/3 CLI/0xA3900004
Unable to purge old log files. Function returned -4.
83 15:43:53.627 03/21/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
84 15:43:54.632 03/21/13 Sev=Warning/3 CLI/0xA3900004
Unable to purge old log files. Function returned -4.
85 15:43:57.712 03/21/13 Sev=Warning/3 CLI/0xA3900004
Unable to purge old log files. Function returned -4.
86 15:43:58.187 03/21/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx
87 15:43:58.187 03/21/13 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xxx.xxx.xxx.xxx, our seq# = 3386867157
88 15:43:58.241 03/21/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
89 15:43:58.241 03/21/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xxx.xxx.xxx.xxx
90 15:43:58.241 03/21/13 Sev=Info/5 IKE/0x63000040
Received DPD ACK from xxx.xxx.xxx.xxx, seq# received = 3386867157, seq# expected = 3386867157
91 15:43:58.792 03/21/13 Sev=Warning/3 CLI/0xA3900004
Unable to purge old log files. Function returned -4.
92 15:43:58.792 03/21/13 Sev=Info/4 CLI/0x63900002