Trouble connecting to ASA5505 VPN

Unanswered Question
Jun 12th, 2007

I have gone through the "VPN Wizard", selected remote access and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."

Any help appreciated.

thomas.estes Tue, 06/12/2007 - 08:48

names
!
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Cisco internal
group-policy Cisco attributes
 dns-server value 64.89.70.2 64.89.74.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Cisco_splitTunnelAcl
 default-domain value amcinc.us
username xxxx password xxx encrypted
username xxxxx password xxx encrypted privilege 15
username xxxxx password xxx encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

thomas.estes Wed, 06/13/2007 - 05:16

So I have run the VPN "remote" wizard and set up "Cisco" as a group and tunnel. Do I need to use "Cisco" as the group name in the VPN client? Or do I use the ID for the user that I set up in the VPN client? If it is the group name then what is the password, as I did not set one up on the ASA?

acomiskey Wed, 06/13/2007 - 05:40

Yes, Cisco would be the group name in the client. The password would be the "pre-shared key" under the attributes for the Cisco tunnel-group.

thomas.estes Wed, 06/13/2007 - 05:46

Ok,

I tried that with Cisco as the group name and the "pre-shared" key as the password. I still get the Reason: 412.

thomas.estes Wed, 06/13/2007 - 06:03

Windows firewall is running so I added cvpn to it and I am still having the problem.

acomiskey Wed, 06/13/2007 - 06:10

Post a show run sysopt.

Also, could you log on asa with debug crypto isakmp 7?

thomas.estes Wed, 06/13/2007 - 06:13

ASA5505# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

How do I "log on asa with debug crypto isakmp 7"?

acomiskey Wed, 06/13/2007 - 06:33

"How do I "log on asa with debug crypto isakmp 7"?"

Depends how you are connecting to it...

console-
debug crypto isakmp 7
logging console debugging

telnet/ssh-
debug crypto isakmp 7
logging monitor debugging

ASDM-
debug crypto isakmp 7 from cli then launch monitor -> logging window

thomas.estes Wed, 06/13/2007 - 06:40

ASDM - Debug commands are not supported in CLI Window.

ssh - logging monitor = invalid input detected at monitor. Only option is savelog.

acomiskey Wed, 06/13/2007 - 06:49

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one)

asa(config)# debug crypto isakmp 7

then use ASDM logging window

thomas.estes Wed, 06/13/2007 - 06:53

Ok, have done that and I retried the connection. I still get the Reason 412. And I do not see anything in that SSH window.

acomiskey Wed, 06/13/2007 - 06:59

How about the ASDM logging window, you see nothing from the vpn client? Is there another firewall in front of the ASA or anything which would be blocking vpn from the client?

thomas.estes Wed, 06/13/2007 - 07:02

No there are no other devices. I noticed when I re-ran the "VPN Wizard" that IKE defaults to DH Group 2. Should I set logging to group 2, or should I change the tunnel to use 7?

thomas.estes Wed, 06/13/2007 - 07:45

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one)

asa(config)# debug crypto isakmp 7

then use ASDM logging window

Which ASDM window? The real time log viewer? If so, I am not seeing any additional information.

city_index Wed, 06/13/2007 - 07:19

Also, your VPN pool is the same as your LAN. To prevent IP address overlapping, it's recommended to use another IP subnet for the VPN pool.

thomas.estes Wed, 06/13/2007 - 07:27

I see in the ASDM Real Time Log Viewer set to debug level that the remote IP address for the PC that I am trying to VPN in from is trying to talk to the internal SMTP server. Do I need additional VPN server software running internally or does the ASA5505 handle that?

I am still getting the 412. I built a new tunnel and password, still no luck.

acomiskey Wed, 06/13/2007 - 07:53

As city_index said, you should change your vpn client pool to another subnet, but this would not affect you establishing the vpn.

No, you do not need additional software. Is the client even getting prompted for username/password?
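A small checker for the two configuration points raised above (the client pool overlapping the inside LAN, and each pool needing an entry in the nat0 exemption ACL). This is an added example, not something posted in the thread; it parses ASA config lines in the same format as the running configs above, and the sample config is constructed from the first one posted (outside interface and unrelated lines omitted).

```python
import ipaddress

# Constructed sample, trimmed from the first running config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def _addr(tok):
    """Consume one ACL address spec ('any' or 'addr mask'); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(config):
    """Collect inside subnets, client pools and the destination networks of the nat0 ACL."""
    inside, pools, acls, nat0_acl, nameif = [], {}, {}, None, None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "nameif":
            nameif = t[1]                      # interface sub-command: names the current interface
        elif t[:2] == ["ip", "address"] and nameif == "inside":
            inside.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            dst, _ = _addr(_addr(t[5:])[1])    # skip the source spec, keep the destination
            acls.setdefault(t[1], []).append(dst)
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0_acl = t[4]                    # nat (inside) 0 access-list <name>
    return inside, pools, acls.get(nat0_acl, [])

def check(config):
    """Return findings: pools overlapping the inside LAN, and pools with no nat0 exemption."""
    inside, pools, exempt = parse(config)
    findings = []
    for name, (lo, hi) in pools.items():
        for net in inside:
            if lo in net or hi in net:
                findings.append(f"pool {name} ({lo}-{hi}) overlaps inside subnet {net}")
        if not any(lo in dst and hi in dst for dst in exempt):
            findings.append(f"pool {name} ({lo}-{hi}) has no nat0 exemption entry")
    return findings
```

On the sample it flags ClientIPPool as overlapping 192.168.1.0/24, which is the point city_index made; RemoteClientPool passes both checks.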

thomas.estes Wed, 06/13/2007 - 08:03

Below is the current running config.

interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 209.165.201.0 255.255.255.224
access-list Amc_Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Amc_Reg internal
group-policy Amc_Reg attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Amc_Reg_splitTunnelAcl
username xxx password Fa9pU7nHkZDmAvdG encrypted
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password pfaW5bAu431sHznu encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password elxohIfKpfwEfs0V encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Amc_Reg type ipsec-ra
tunnel-group Amc_Reg general-attributes
 address-pool RemoteClientPool
 default-group-policy Amc_Reg
tunnel-group Amc_Reg ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

acomiskey Wed, 06/13/2007 - 08:10

You can get rid of these, the VPN wizard keeps adding them in there...

no crypto dynamic-map outside_dyn_map 40 set pfs
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 140 set pfs
no crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

The config looks OK. Can you try another client, another client version, another OS? Is another VPN client installed on the same machine?

city_index Wed, 06/13/2007 - 06:57

The error you are getting is related to the ASA not accepting the credentials your client is using. Under the Cisco VPN client software, make sure under Authentication the Name is exactly the same as the group name under the ASA (the one created by the VPN wizard) and also the preshared key as well. Get the client to connect and monitor the traffic under ASDM monitoring.

city_index Wed, 06/13/2007 - 07:03

I suggest, for monitoring any type of traffic, to make it easier on yourself, use the Cisco ASDM (all graphical). It provides different logging levels and you can monitor just about anything.

acomiskey Wed, 06/13/2007 - 07:07

In your VPN client config, the host address needs to be the outside interface of your ASA. Is this what you have?

thomas.estes Wed, 06/13/2007 - 07:11

Yes. I have the destination as the IP address for the outside interface.

acomiskey Wed, 06/13/2007 - 07:16

try..

no crypto dynamic-map outside_dyn_map 20 set pfs
no crypto dynamic-map outside_dyn_map 40 set pfs
no crypto dynamic-map outside_dyn_map 60 set pfs

thomas.estes Thu, 06/14/2007 - 04:42

The log is showing the following error: DEL_REASON_PEER_NOT_RESPONDING

I have done the following:

no crypto map outside_map interface outside
no isakmp enable outside
crypto map outside_map interface outside
isakmp enable outside
clear xlate

Still no luck.
