06-06-2007 11:12 AM - edited 02-21-2020 03:05 PM
Trying to setup remote vpn into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking gui examples.
06-06-2007 11:23 AM
Post config or check windows firewall.
Here's a good doc on common vpn problems...
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
06-06-2007 12:15 PM
Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
06-06-2007 12:40 PM
You need nat exemption. Verify you are using correct groupname (iboundvpn) and shared key.
access-list nat0 extended permit ip 10.128.28.0 255.255.254.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nat0
06-06-2007 01:24 PM
Well I tried that and also with a slight modification on names from this page
Still no luck. I am thinking it has something to do with how I am networked here. I have the ASA in a lab environment with its permanent IP's routed through internally, and since I am not going out on the internet from my PC, it isnt being NATTED and I think that is where the problem is. WHen I get home I will try it from there and see if I can connected. I have a PIX out in service tht works just fine with the same configuration with the exception of the addressing that works fine, so I am thinking it has to be routing weird here.
06-06-2007 07:56 PM
I had trouble once getting the VPN client to work with a 3845. For some reason it didn't like that I was routing packets to my linksys first and then to the 3845. I took the linksys out of the equation and it worked great. Very strange because all was on the inside network before any NAT....that I know of.
06-07-2007 05:08 AM
That is what I am thinking is the problem. I have everything else programmed that needed to be programmed so I can go ahead and install this and hopefully once it is installed the VPN will work and all I will need to do is fine tune it for the specific user access rights.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide