STUMPED! VPN into ASA5510 not working

Jun 6th, 2007

Trying to set up remote VPN into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat-fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking GUI examples.

tahequivoice Wed, 06/06/2007 - 12:15

Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.


Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry




acomiskey Wed, 06/06/2007 - 12:40

You need NAT exemption. Verify you are using the correct group name (iboundvpn) and shared key.


access-list nat0 extended permit ip 10.128.28.0 255.255.254.0 172.16.200.0 255.255.255.0

nat (inside) 0 access-list nat0
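
One way to check the debug output posted earlier in the thread against the group-name advice in this reply, as an added example that is not part of the thread: it parses the ASA IKEv1 debug lines, counts connection retries per peer, and reports whether the expected tunnel group (iboundvpn, from the reply) ever appears. The sample input is rebuilt from the posted lines; the function names and the default year of 2007 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: rebuilds the eight debug lines posted in the thread.
SAMPLE_LOG = "\n".join(
    f"Jun 06 15:05:{sec} [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, {msg}"
    for sec in (37, 42, 47, 52)
    for msg in ("Removing peer from peer table failed, no match!",
                "Error: Unable to remove PeerTblEntry"))

# Timestamp, tunnel group, peer address and message of one IKEv1 debug line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.+)$")

def parse(log_text, year=2007):
    """Return (timestamp, group, ip, message) tuples; the log has no year,
    so one is supplied (assumption: the year of the thread)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["group"], m["ip"], m["msg"]))
    return events

def summarize(events, expected_group):
    """Per peer: distinct attempts, gaps between them, and groups matched."""
    by_peer = defaultdict(list)
    for ts, group, ip, msg in events:
        by_peer[ip].append((ts, group, msg))
    report = {}
    for ip, rows in by_peer.items():
        attempts = sorted({ts for ts, _, _ in rows})
        gaps = [int((b - a).total_seconds())
                for a, b in zip(attempts, attempts[1:])]
        groups = sorted({g for _, g, _ in rows})
        report[ip] = {
            "attempts": len(attempts),
            "retry_gaps_s": gaps,          # steady gaps suggest client retransmits
            "groups": groups,
            "expected_group_seen": expected_group in groups,
            "peer_table_failures": sum("PeerTblEntry" in m for _, _, m in rows),
        }
    return report

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG), "iboundvpn"))
```

On the posted lines every attempt is logged under DefaultRAGroup and never under iboundvpn, which is the condition the group-name check in this reply is aimed at.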

tahequivoice Wed, 06/06/2007 - 13:24

Well I tried that and also with a slight modification on names from this page


http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Still no luck. I am thinking it has something to do with how I am networked here. I have the ASA in a lab environment with its permanent IPs routed through internally, and since I am not going out on the internet from my PC, it isn't being NATed and I think that is where the problem is. When I get home I will try it from there and see if I can connect. I have a PIX out in service that works just fine with the same configuration with the exception of the addressing that works fine, so I am thinking it has to be routing weird here.

m-ketchum Wed, 06/06/2007 - 19:56

I had trouble once getting the VPN client to work with a 3845. For some reason it didn't like that I was routing packets to my Linksys first and then to the 3845. I took the Linksys out of the equation and it worked great. Very strange because all was on the inside network before any NAT... that I know of.

tahequivoice Thu, 06/07/2007 - 05:08

That is what I am thinking is the problem. I have everything else programmed that needed to be programmed so I can go ahead and install this and hopefully once it is installed the VPN will work and all I will need to do is fine tune it for the specific user access rights.
