Cisco ASA VPN logs

For a VPN connection to establish, the IPSec Connection Profile name must match exactly; it is case-sensitive. Whilst troubleshooting a recent VPN connection, I would hit Connect from the client; however, the connection would soon fail, and the Cisco client logs didn't give me much information.

When I checked the Cisco ASA logs this is what displayed:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Group = DefaultRAGroup, IP = x.x.x.x, constructing ISAKMP SA payload

Group = DefaultRAGroup, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping

Group = DefaultRAGroup, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.

I could see that there was a mismatch in the IPSec Connection Profile. After confirming that the pre-shared key was correct, I checked the name of the IPSec Connection Profile and discovered that the casing was different. The connection was failing at this level: because the profile name did not match, the ASA fell back to the default group (DefaultRAGroup in the log above), whose settings did not match the client's, and Phase 1 failed.

After making the case changes, I received an authentication box and the connection successfully established.

The IPSec Connection Profile name is case-sensitive.
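To show how log lines like the ones above can be triaged mechanically, here is an added Python example (not from the original post and not a Cisco tool) that parses lines in the same shape, pulls out the received versus configured IKE attribute values, and flags when a peer has landed in DefaultRAGroup, which is the sign that the client's connection profile name did not match any configured tunnel group. The sample lines are constructed and the peer addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the ASA IKEv1 messages quoted in the post;
# the peer addresses are documentation-range placeholders, not real clients.
SAMPLE_LOG = """\
Group = DefaultRAGroup, IP = 203.0.113.10, Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Group = DefaultRAGroup, IP = 203.0.113.10, constructing ISAKMP SA payload
Group = DefaultRAGroup, IP = 203.0.113.10, Received an un-encrypted INVALID_HASH_INFO notify message, dropping
Group = DefaultRAGroup, IP = 203.0.113.10, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Group = VIP-VPN, IP = 203.0.113.11, constructing ISAKMP SA payload
Group = VIP-VPN, IP = 203.0.113.11, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
"""

# The "Group = X, IP = Y, " prefix is optional: the first line quoted in the
# post appears without it.
PREFIX_RE = re.compile(
    r"^(?:Group = (?P<group>[^,]+), )?(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$")
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$")


def parse_line(line):
    """Turn one ASA IKE log line into a small event dict."""
    m = PREFIX_RE.match(line.strip())
    event = {"group": m.group("group"), "ip": m.group("ip"),
             "kind": "info", "msg": m.group("msg")}
    mm = MISMATCH_RE.search(event["msg"])
    if mm:
        # Phase 1 proposal mismatch: record what the peer offered vs. what
        # the tunnel group the peer landed in is configured with.
        event.update(kind="phase1_attribute_mismatch",
                     attribute=mm["cls"].strip(),
                     received=mm["rcvd"].strip(),
                     configured=mm["cfgd"].strip())
    elif "INVALID_HASH_INFO" in event["msg"]:
        event["kind"] = "invalid_hash_info"
    elif "pre-shared key mismatch" in event["msg"]:
        event["kind"] = "psk_mismatch_hint"
    return event


def triage(log_text):
    """Parse every non-empty line of an ASA log excerpt."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def diagnose(events, default_group="DefaultRAGroup"):
    """Per peer IP, name the thing to check first.

    A Phase 1 mismatch while the peer sits in the default tunnel group means
    the client's profile name never matched a configured group (the post's
    case-sensitivity lesson); only when the peer reached the intended group
    does the PSK become the prime suspect.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdict = {}
    for ip, evs in by_ip.items():
        kinds = {e["kind"] for e in evs}
        in_default = any(e["group"] == default_group for e in evs)
        if in_default and "phase1_attribute_mismatch" in kinds:
            verdict[ip] = "connection_profile_name_mismatch"
        elif "psk_mismatch_hint" in kinds or "invalid_hash_info" in kinds:
            verdict[ip] = "psk_mismatch_suspected"
        else:
            verdict[ip] = "no_failure_seen"
    return verdict


if __name__ == "__main__":
    for ip, cause in diagnose(triage(SAMPLE_LOG)).items():
        print(f"{ip}: {cause}")
```

The ordering in `diagnose` is the point: the same "pre-shared key mismatch" hint appears for both peers, but for the first one the DefaultRAGroup prefix and the Group 2 / Group 5 mismatch say the profile name was never matched, so fixing the key would not help.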


Cisco ASA VPN integration with Symantec VIP Access

I have been working on migrating the Cisco ASA VPN from an RSA key solution to a Symantec VIP Access solution that integrates with smart devices (e.g. iPhone, iPad) through an app.

For this to work, I ran through the steps below:

Active Directory

  1. Create a service account for Symantec VIP to be able to read AD
  2. Create a group for enabled users to be able to access ASA-VIP VPN

Symantec VIP server

  1. Create a user store
  2. Attach the above AD group for enabled users
  3. Configure RADIUS Validation details including port and shared secret

Cisco ASA

  1. Create a new IPSec Connection Profile with a new Pre-shared key
  2. Configure a new AAA Server Group that uses the RADIUS authentication protocol
  3. Create an AAA Server (the Symantec VIP server)
  4. Set the Server Authentication and Accounting ports, as well as the RADIUS Server Secret Key and Common Password that were initially set up on the VIP server
  5. Assign the DHCP Servers
  6. Assign the Group Policy

Note: The IPSec Connection Profile name is case-sensitive.

On the client machine, I changed the corresponding profile parameters, e.g. Connection Profile and Pre-shared key. The destination address points to the Outside interface of the ASA. When you hit the Connect button, the authentication box appears, followed by a prompt in the iPhone VIP app seeking approval for the access. When approval is granted, the VPN connection completes and the padlock is displayed in the Cisco VPN client.
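As an added example (not the author's configuration and not Cisco or Symantec tooling), the following Python reads a constructed ASA running-config excerpt in the shape the steps above produce and checks it against the profile name typed into the client, reproducing the exact, case-sensitive comparison the note describes and confirming that the tunnel group carries a pre-shared key and points at a RADIUS AAA server group. Every name, address and port in the excerpt is an assumption made for the example.

```python
import re

# Constructed ASA running-config excerpt; the group names, the RADIUS host
# address, ports and DHCP server are assumed values for this example.
SAMPLE_CONFIG = """\
aaa-server VIP-RADIUS protocol radius
aaa-server VIP-RADIUS (inside) host 10.0.0.5
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
tunnel-group VIP-VPN type remote-access
tunnel-group VIP-VPN general-attributes
 authentication-server-group VIP-RADIUS
 default-group-policy VIP-POLICY
 dhcp-server 10.0.0.10
tunnel-group VIP-VPN ipsec-attributes
 ikev1 pre-shared-key *****
"""

TG_RE = re.compile(
    r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes)(?: (\S+))?$")
AAA_PROTO_RE = re.compile(r"aaa-server (\S+) protocol (\S+)$")
AAA_HOST_RE = re.compile(r"aaa-server (\S+) \((\S+)\) host (\S+)$")


def parse_config(text):
    """Collect tunnel groups (with their sub-mode lines) and AAA server groups."""
    tunnel_groups, aaa_groups = {}, {}
    current = None  # list that receives the indented lines of the open block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):  # sub-mode line belongs to the open block
            if current is not None:
                current.append(raw.strip())
            continue
        m = TG_RE.match(raw)
        if m:
            name, section, arg = m.groups()
            tg = tunnel_groups.setdefault(
                name, {"type": None, "general": [], "ipsec": []})
            if section == "type":
                tg["type"], current = arg, None
            else:
                current = tg["general" if section == "general-attributes" else "ipsec"]
            continue
        m = AAA_PROTO_RE.match(raw)
        if m:
            aaa_groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            aaa_groups[m.group(1)]["protocol"] = m.group(2)
            current = None
            continue
        m = AAA_HOST_RE.match(raw)
        if m:
            host = {"interface": m.group(2), "host": m.group(3), "attrs": []}
            aaa_groups.setdefault(m.group(1), {"protocol": None, "hosts": []})
            aaa_groups[m.group(1)]["hosts"].append(host)
            current = host["attrs"]
            continue
        current = None
    return tunnel_groups, aaa_groups


def check_profile(client_profile, config_text):
    """Mirror the ASA's exact, case-sensitive lookup of the client's profile name.

    Returns (status, problems). A name that differs only in case is reported
    separately, because that is exactly the failure the post ran into.
    """
    tgs, aaas = parse_config(config_text)
    if client_profile not in tgs:
        near = [n for n in tgs if n.lower() == client_profile.lower()]
        if near:
            return "case_mismatch", [
                f"client sends {client_profile!r} but the ASA has {near[0]!r}; "
                "the peer will land in DefaultRAGroup"]
        return "unknown_profile", ["no tunnel-group with that name; "
                                   "the peer will land in DefaultRAGroup"]
    tg, problems = tgs[client_profile], []
    if not any(l.startswith(("ikev1 pre-shared-key", "pre-shared-key"))
               for l in tg["ipsec"]):
        problems.append("no pre-shared key under ipsec-attributes")
    auth = [l.split()[-1] for l in tg["general"]
            if l.startswith("authentication-server-group")]
    if not auth:
        problems.append("no authentication-server-group (ASA defaults to LOCAL)")
    elif auth[0] not in aaas:
        problems.append(f"authentication-server-group {auth[0]} is not defined")
    elif aaas[auth[0]]["protocol"] != "radius":
        problems.append(f"{auth[0]} is not a RADIUS server group")
    elif not any(any(a.startswith("key ") for a in h["attrs"])
                 for h in aaas[auth[0]]["hosts"]):
        problems.append(f"no RADIUS shared secret set on the hosts of {auth[0]}")
    return ("ok" if not problems else "misconfigured"), problems


if __name__ == "__main__":
    for name in ("VIP-VPN", "vip-vpn", "OTHER"):
        print(name, check_profile(name, SAMPLE_CONFIG))
```

Running the check with the lower-case name returns `case_mismatch` rather than `unknown_profile`, which is the distinction worth surfacing: the configuration is otherwise right, and only the client-side spelling needs to change.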