[vpn-help] VPN no longer connects after ASA upgraded to 8.3(2)

Cory Bell bellcr at gmail.com
Mon Apr 15 09:47:25 CDT 2013


Well, it appears I've answered my own question, so I'll post the
answer here for posterity.

It appears the problem is that 8.3(2) is very buggy WRT IPSec and NAT.
There were a few suspiciously familiar-sounding bugs in the "fixed"
list for the latest interim release - none mentioned ShrewSoft, of
course, but the Mac OS IPSec/L2TP client was mentioned. So, I upgraded
to 8.3(2)37 and my problems vanished. Based on the number of bug fixes
that are in 8.2(5) but are *not* in 8.3(2), I'd advise anyone who is
upgrading to 8.3 to go directly to the latest interim release.

It's still a mystery why the Mac OS X and vpnc clients were able to
connect (but suffered occasional connection drops), whereas the
ShrewSoft client was completely stymied - perhaps they have some
mechanism to detect and/or attempt to avoid NAT collisions?

Hope this saves someone else a headache.

On Thu, Mar 28, 2013 at 8:58 PM, Cory Bell <bellcr at gmail.com> wrote:
> Further investigation leads me to believe this may be NAT or NAT-T
> related - it appears that the first ShrewSoft client to connect from
> behind a NAT router is able to establish a VPN session. Any subsequent
> sessions will fail. I've tried the various NAT-T settings in the
> client, to no avail - "enabled" is what we had been using previously
> and seemed to work fine.
>
> I've also noticed that, while multiple vpnc and Mac OS X clients are
> able to connect from behind a single NAT router, we have been
> experiencing connection drops much more frequently since the upgrade
> to 8.3(2). There does not seem to be any clear pattern to when the
> disconnects occur, but multiple clients are affected when they do.
>
> On Tue, Mar 26, 2013 at 7:31 AM, Cory Bell <bellcr at gmail.com> wrote:
>> VPN Client Version: 2.1.7-release and 2.2.0-rc-2
>> Windows OS Version: 7
>> Gateway Make/Model: Cisco ASA
>> Gateway OS Version: 8.3(2)
>>
>> I've got a couple of ASAs that were both on 8.2(5) and working fine
>> with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and
>> now the ShrewSoft client can no longer connect. I'm aware of the
>> "unidirectional" nat exclusion issue in 8.3(2) and have already
>> corrected it. The official Cisco client is able to connect, as is vpnc
>> on Linux and the integrated Cisco-compatible client in Mac OS X. The
>> same ShrewSoft clients that can't connect to the 8.3(2) ASA can still
>> connect to the 8.2(5) ASA (the tunnel-groups are identical).
>>
>> There's nothing exotic about my configuration, just your standard
>> IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually
>> identical to the Cisco ASA example on the Support page, except that
>> the example is from a pretty old ASA version.
>>
>> I see two different failure modes - sometimes the ASA shows a "Failure
>> during phase 1 rekeying attempt due to collision" error and
>> immediately sends a DELETE to the client, at which point the
>> connection is terminated. Other times, the client will seemingly hang
>> after sending multiple config requests. I also gave the ShrewSoft
>> 2.2.0-rc-2 client a try, and it behaves exactly the same.
>>
>> Cisco TAC was about as helpful as you might expect, so I'm hoping
>> someone else has been through this and had better luck. I'm happy to
>> provide sanitized logs if it will help identify the issue. Thanks!
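The thread's symptom is that the first IPsec client behind a NAT router connects and later ones from the same public IP fail, with the ASA logging "Failure during phase 1 rekeying attempt due to collision". When triaging this kind of report it helps to group IKE outcomes by peer public address and NAT-T source port, since every client behind one NAT shares the public IP and only the translated UDP port tells them apart. The following is an added example, not code from the thread or from Cisco or ShrewSoft: it runs over constructed, simplified syslog-style lines (the layout and the `IKE peer` prefix are assumptions, not verbatim ASA message formats; only the quoted error string comes from the thread) and reports gateways showing the "first one works, the rest fail" pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified syslog-like layout (assumed format,
# not verbatim ASA message IDs). The collision error text is the one quoted
# in the thread; the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-03-26 07:10:02 IKE peer 203.0.113.10:4500 phase1 established (NAT-T)
2013-03-26 07:12:45 IKE peer 203.0.113.10:61234 phase1 failed: Failure during phase 1 rekeying attempt due to collision
2013-03-26 07:12:45 IKE peer 203.0.113.10:61234 sent DELETE
2013-03-26 07:15:30 IKE peer 198.51.100.7:4500 phase1 established (NAT-T)
2013-03-26 07:18:03 IKE peer 198.51.100.7:50100 phase1 established (NAT-T)
2013-03-26 07:20:11 IKE peer 203.0.113.10:61302 phase1 failed: Failure during phase 1 rekeying attempt due to collision
"""

# Assumed line shape: "<date> <time> IKE peer <ip>:<port> <event text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IKE peer (?P<ip>[\d.]+):(?P<port>\d+) (?P<event>.+)$"
)


def parse_events(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def sessions_by_nat_gateway(text):
    """Group outcomes by peer public IP.

    All clients behind one NAT router present the same public IP; NAT-T
    distinguishes them only by the translated UDP source port, so the port
    is the per-client key inside each gateway bucket.
    """
    by_ip = defaultdict(lambda: {"established": set(), "failed": set()})
    for ev in parse_events(text):
        if "established" in ev["event"]:
            by_ip[ev["ip"]]["established"].add(ev["port"])
        elif "failed" in ev["event"]:
            by_ip[ev["ip"]]["failed"].add(ev["port"])
    return dict(by_ip)


def suspect_nat_gateways(text):
    """Public IPs where at least one port established a tunnel while a
    different port failed: the pattern the thread describes (first client
    behind the NAT works, subsequent ones do not)."""
    suspects = []
    for ip, s in sessions_by_nat_gateway(text).items():
        if s["established"] and (s["failed"] - s["established"]):
            suspects.append(ip)
    return sorted(suspects)


def collision_failures(text):
    """Events carrying the phase 1 rekey collision error quoted in the thread."""
    return [ev for ev in parse_events(text) if "collision" in ev["event"]]


if __name__ == "__main__":
    for ip in suspect_nat_gateways(SAMPLE_LOG):
        s = sessions_by_nat_gateway(SAMPLE_LOG)[ip]
        print(f"{ip}: established ports {sorted(s['established'])}, "
              f"failed ports {sorted(s['failed'])}")
    print(f"{len(collision_failures(SAMPLE_LOG))} collision failures")
```

Against the constructed sample, 203.0.113.10 is flagged (port 4500 established, 61234 and 61302 failed) while 198.51.100.7, where two clients both connected, is not. On real logs the value of this grouping is that it separates a per-gateway NAT-T problem from a generic phase 1 failure affecting every peer; the two collision failures in the sample would be the lines to hand to TAC alongside the sanitized configuration.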