[vpn-help] VPN no longer connects after ASA upgraded to 8.3(2)

Kevin VPN kvpn at live.com
Tue Apr 16 22:03:25 CDT 2013


Cory, thanks very much for posting the solution to the list. I'm sure 
there are people who will be able to use it.


On 04/15/2013 10:47 AM, Cory Bell wrote:
> Well, it appears I've answered my own question, so I'll post the
> answer here for posterity.
>
> It appears the problem is that 8.3(2) is very buggy WRT IPSec and NAT.
> There were a few suspiciously familiar-sounding bugs in the "fixed"
> list for the latest interim release - none mentioned ShrewSoft, of
> course, but the Mac OS IPSec/L2TP client was mentioned. So, I upgraded
> to 8.3(2)37 and my problems vanished. Based on the number of bug fixes
> that are in 8.2(5) but are *not* in 8.3(2), I'd advise anyone who is
> upgrading to 8.3 to go directly to the latest interim release.
>
> It's still a mystery why the Mac OS X and vpnc clients were able to
> connect (but suffered occasional connection drops), whereas the
> ShrewSoft client was completely stymied - perhaps they have some
> mechanism to detect and/or attempt to avoid NAT collisions?
>
> Hope this saves someone else a headache.
>
> On Thu, Mar 28, 2013 at 8:58 PM, Cory Bell <bellcr at gmail.com> wrote:
>> Further investigation leads me to believe this may be NAT or NAT-T
>> related - it appears that the first ShrewSoft client to connect from
>> behind a NAT router is able to establish a VPN session. Any subsequent
>> sessions will fail. I've tried the various NAT-T settings in the
>> client, to no avail - "enabled" is what we had been using previously
>> and seemed to work fine.
>>
>> I've also noticed that, while multiple vpnc and Mac OS X clients are
>> able to connect from behind a single NAT router, we have been
>> experiencing connection drops much more frequently since the upgrade
>> to 8.3(2). There does not seem to be any clear pattern to when the
>> disconnects occur, but multiple clients are affected when they do.
>>
>> On Tue, Mar 26, 2013 at 7:31 AM, Cory Bell <bellcr at gmail.com> wrote:
>>> VPN Client Version: 2.1.7-release and 2.2.0-rc-2
>>> Windows OS Version: 7
>>> Gateway Make/Model: Cisco ASA
>>> Gateway OS Version: 8.3(2)
>>>
>>> I've got a couple of ASAs that were both on 8.2(5) and working fine
>>> with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and
>>> now the ShrewSoft client can no longer connect. I'm aware of the
>>> "unidirectional" NAT exclusion issue in 8.3(2) and have already
>>> corrected it. The official Cisco client is able to connect, as is vpnc
>>> on Linux and the integrated Cisco-compatible client in Mac OS X. The
>>> same ShrewSoft clients that can't connect to the 8.3(2) ASA can still
>>> connect to the 8.2(5) ASA (the tunnel-groups are identical).
>>>
>>> There's nothing exotic about my configuration, just your standard
>>> IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually
>>> identical to the Cisco ASA example on the Support page, except that
>>> the example is from a pretty old ASA version.
>>>
>>> I see two different failure modes - sometimes the ASA shows a "Failure
>>> during phase 1 rekeying attempt due to collision" error and
>>> immediately sends a DELETE to the client, at which point the
>>> connection is terminated. Other times, the client will seemingly hang
>>> after sending multiple config requests. I also gave the ShrewSoft
>>> 2.2.0-rc-2 client a try, and it behaves exactly the same.
>>>
>>> Cisco TAC was about as helpful as you might expect, so I'm hoping
>>> someone else has been through this and had better luck. I'm happy to
>>> provide sanitized logs if it will help identify the issue. Thanks!