安全 : Cisco IOS Easy VPN

EzVPN登陆失败

2012 年 1 月 18 日 - 原创文档
其他版本: PDFpdf | 反馈

目录

故障描述
网络拓扑
网络设备配置
故障排除

故障描述

客户有三个分支点EzVPN 工作一直正常, 最近客户增加了新的分公司.虽然EzVPN客户端的配置和其它分公司一样,但是VPN总是登陆不成功。

网络拓扑

ASA5505 OS version :8.3(1)

ASA5520 OS version :7.0(7)

网络设备配置

1. ASA5505配置

ASA Version 8.3(1)
!
hostname asa5505
domain-name cisco.com
enable password 
passwd 
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group cisco
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
-Omitted-
vpdn group cisco request dialout pppoe
vpdn group cisco localname 40041111
vpdn group cisco ppp authentication pap
vpdn username 40041111 password *****
dhcpd auto_config outside
!
vpnclient server 211.101.1.89
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mytunnel password *****
vpnclient username cisco password ***** 

2. ASA5520 配置

ASA Version 7.0(7)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 211.101.1.89 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
access-list ADSL extended permit ip 192.168.5.0 255.255.255.0
192.168.101.0 255.255.255.0
group-policy tunnel internal
group-policy tunnel attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ADSL
nem enable
username cisco password xWh.sOL10ki7Ia5G encrypted
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map ezvpn 30 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy tunnel
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
-Omitted- 

故障排除

1. EzVPN client 失败登陆的输出

ciscoasa# show vpnclient
 
LOCAL CONFIGURATION
vpnclient server 211.101.1.89
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mytunnel password *****
vpnclient username cisco password *****
vpnclient enable
 
MISCELLANEOUS INFORMATION
- Key exchange is based on Pre-Shared Key
- Connection attempt will be automatically initiated

2. 收集EzVPN server 段系统日志

通常我们一旦确认配置无误后,首先要从EzVPN server 端的系统日志入手.

将日志级别调成informational 级别:

Logging on
Logging buffered informational

从Syslog message 输出我们可以得到如下信息

%ASA-6-113013: AAA unable to complete the request Error : reason = Simultaneous logins exceeded for user : user = Cisco

该日志信息表明用户名为 "cisco" 的VPN并发连接数超过了最大限制.

此时我们基本可以找到问题根源是同一vpn 用户的并发登陆数量被限制了.

通过 " show vpn-sessiondb remote | include cisco" 我们可以看到有3个用户 "cisco"成功登陆.

ciscoasa(config)# show vpn-sessiondb remote | include cisco
Username : cisco
Username : cisco
Username : cisco   

此时我们就已经得到了问题的答案,在ASA IPSEC Remote VPN 中同一用户允许同时登陆的默认数量为3个, 所以我们将这个默认数值更改就可以解决此问题

3. 解决问题

我们将此默认并发值设为4个,修改命令如下:

group-policy tunnel internal
group-policy tunnel attributes
vpn-simultaneous-logins 4 

此时再次验证EzVPN client 登陆情况:

ciscoasa# show vpnclient 

LOCAL CONFIGURATION 
vpnclient server 10.75.61.179 
vpnclient mode network-extension-mode 
vpnclient nem-st-autoconnect 
vpnclient vpngroup mytunnel password ***** 
vpnclient username cisco password ***** 
vpnclient enable 

DOWNLOADED DYNAMIC POLICY 
Current Server : 211.101.1.89 
PFS Enabled : No 
Secure Unit Authentication Enabled : No 
User Authentication Enabled : No 
Split Tunnel Networks : 192.168.5.0/255.255.255.0 
Backup Servers : None 

此时我们发现EzVPN登陆成功.