STUMPED! VPN into ASA5510 not working

tahequivoice
Level 2

Trying to set up remote VPN into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat-fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking GUI examples.


acomiskey
Level 10

Post config or check Windows firewall.

Here's a good doc on common VPN problems...

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.

Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

You need nat exemption. Verify you are using correct groupname (iboundvpn) and shared key.

access-list nat0 extended permit ip 10.128.28.0 255.255.254.0 172.16.200.0 255.255.255.0

nat (inside) 0 access-list nat0
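Added example, not part of the original thread: a small Python triage of the IKEv1 debug lines posted above, showing per peer how many attempts failed, how far apart the retries were, and whether the group the ASA logged is the one the reply says to verify. The function and field names are made up for this example; `iboundvpn` is the group name taken from the reply.

```python
import re
from collections import defaultdict

# Debug lines copied from the thread above (the timestamps carry no year).
SAMPLE = """\
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
"""

LINE = re.compile(
    r"^\w{3} \d{2} (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

def triage(log_text, expected_group):
    """Per peer: failed attempts, retry spacing, and which group the ASA logged."""
    peers = defaultdict(lambda: {"groups": set(), "times": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        peer = peers[m["ip"]]
        peer["groups"].add(m["group"])
        # In the sample each attempt logs this error once; use it as the marker.
        if "Unable to remove PeerTblEntry" in m["msg"]:
            peer["times"].append(int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]))
    report = {}
    for ip, peer in peers.items():
        times = sorted(peer["times"])
        report[ip] = {
            "failed_attempts": len(times),
            "retry_gaps_s": [b - a for a, b in zip(times, times[1:])],
            "groups_seen": sorted(peer["groups"]),
            "matched_expected_group": expected_group in peer["groups"],
        }
    return report

if __name__ == "__main__":
    # "iboundvpn" is the group name mentioned in the reply above.
    for ip, summary in triage(SAMPLE, "iboundvpn").items():
        print(ip, summary)
```

On the posted lines this reports four failed attempts from 10.15.1.121 at five-second spacing, all logged under DefaultRAGroup and none under iboundvpn.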

Well I tried that and also with a slight modification on names from this page

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Still no luck. I am thinking it has something to do with how I am networked here. I have the ASA in a lab environment with its permanent IPs routed through internally, and since I am not going out on the internet from my PC, it isn't being NATed and I think that is where the problem is. When I get home I will try it from there and see if I can connect. I have a PIX out in service that works just fine with the same configuration with the exception of the addressing, so I am thinking it has to be routing weird here.

I had trouble once getting the VPN client to work with a 3845. For some reason it didn't like that I was routing packets to my Linksys first and then to the 3845. I took the Linksys out of the equation and it worked great. Very strange because all was on the inside network before any NAT... that I know of.

That is what I am thinking is the problem. I have everything else programmed that needed to be programmed so I can go ahead and install this and hopefully once it is installed the VPN will work and all I will need to do is fine tune it for the specific user access rights.