[vpn-help] VPN no longer connects after ASA upgraded to 8.3(2)

Cory Bell bellcr at gmail.com
Thu Mar 28 22:58:23 CDT 2013


Further investigation leads me to believe this may be NAT or NAT-T
related - it appears that the first ShrewSoft client to connect from
behind a NAT router is able to establish a VPN session. Any subsequent
sessions will fail. I've tried the various NAT-T settings in the
client, to no avail - "enabled" is what we had been using previously
and seemed to work fine.

I've also noticed that, while multiple vpnc and Mac OS X clients are
able to connect from behind a single NAT router, we have been
experiencing connection drops much more frequently since the upgrade
to 8.3(2). There does not seem to be any clear pattern to when the
disconnects occur, but multiple clients are affected when they do.

On Tue, Mar 26, 2013 at 7:31 AM, Cory Bell <bellcr at gmail.com> wrote:
> VPN Client Version: 2.1.7-release and 2.2.0-rc-2
> Windows OS Version: 7
> Gateway Make/Model: Cisco ASA
> Gateway OS Version: 8.3(2)
>
> I've got a couple of ASAs that were both on 8.2(5) and working fine
> with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and
> now the ShrewSoft client can no longer connect. I'm aware of the
> "unidirectional" NAT exclusion issue in 8.3(2) and have already
> corrected it. The official Cisco client is able to connect, as is vpnc
> on Linux and the integrated Cisco-compatible client in Mac OS X. The
> same ShrewSoft clients that can't connect to the 8.3(2) ASA can still
> connect to the 8.2(5) ASA (the tunnel-groups are identical).
>
> There's nothing exotic about my configuration, just your standard
> IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually
> identical to the Cisco ASA example on the Support page, except that
> the example is from a pretty old ASA version.
>
> I see two different failure modes - sometimes the ASA shows a "Failure
> during phase 1 rekeying attempt due to collision" error and
> immediately sends a DELETE to the client, at which point the
> connection is terminated. Other times, the client will seemingly hang
> after sending multiple config requests. I also gave the ShrewSoft
> 2.2.0-rc-2 client a try, and it behaves exactly the same.
>
> Cisco TAC was about as helpful as you might expect, so I'm hoping
> someone else has been through this and had better luck. I'm happy to
> provide sanitized logs if it will help identify the issue. Thanks!
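The symptom described above (the first client behind a NAT router connects, later ones fail) is what a gateway produces when it identifies NAT-T peers by public address alone rather than by address and translated UDP port. The following toy model is an added illustration, not part of this thread and not a diagnosis of the ASA's behaviour; it contrasts the two keying strategies, and all names and addresses are constructed.

```python
from dataclasses import dataclass

NAT_T_PORT = 4500  # UDP port used for IKE/ESP encapsulation after NAT-T is negotiated (RFC 3947/3948)


@dataclass(frozen=True)
class Peer:
    public_ip: str  # address the gateway sees: the NAT router's outside address
    src_port: int   # translated UDP source port; differs for each client behind the same NAT


class GatewaySaTable:
    """Toy IKE SA table. key_on_port=False reproduces the symptom in the thread:
    a second client behind the same NAT collides with the first client's entry."""

    def __init__(self, key_on_port: bool):
        self.key_on_port = key_on_port
        self.table: dict = {}

    def _key(self, peer: Peer):
        # Correct NAT-T handling distinguishes peers by (address, port);
        # keying on the address alone merges every client behind one NAT.
        return (peer.public_ip, peer.src_port) if self.key_on_port else peer.public_ip

    def connect(self, peer: Peer, client_name: str) -> bool:
        key = self._key(peer)
        if key in self.table and self.table[key] != client_name:
            return False  # an SA already exists under this key; the new initiator collides
        self.table[key] = client_name
        return True


def simulate(key_on_port: bool) -> dict:
    """Connect two clients from behind one NAT router plus one direct client (constructed sample)."""
    gw = GatewaySaTable(key_on_port)
    clients = [
        ("laptop-a", Peer("203.0.113.10", NAT_T_PORT)),  # first client behind the NAT
        ("laptop-b", Peer("203.0.113.10", 61234)),       # second client, same NAT, new port
        ("home-pc", Peer("198.51.100.7", NAT_T_PORT)),   # client with its own public address
    ]
    return {name: gw.connect(peer, name) for name, peer in clients}


if __name__ == "__main__":
    print("keyed on address only:    ", simulate(key_on_port=False))
    print("keyed on address and port:", simulate(key_on_port=True))
```

With address-only keying, laptop-b is refused while laptop-a and home-pc connect; with address-and-port keying all three succeed.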

