06-12-2007 08:11 AM - edited 02-21-2020 03:06 PM
I have gone through the "VPN Wizard", selected remote access, and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."
Any help appreciated.
06-12-2007 08:42 AM
thomas, would you like to post the config?
06-12-2007 08:48 AM
names
!
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address xxxx.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
object-group icmp-type icmp_grp
icmp-object echo-reply
icmp-object information-reply
icmp-object traceroute
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Cisco internal
group-policy Cisco attributes
dns-server value 64.89.70.2 64.89.74.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Cisco_splitTunnelAcl
default-domain value amcinc.us
username xxxx password xxx encrypted
username xxxxx password xxx encrypted privilege 15
username xxxxx password xxx encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
address-pool RemoteClientPool
default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
06-13-2007 05:16 AM
So I have run the VPN "remote" wizard and set up "Cisco" as a group and tunnel. Do I need to use "Cisco" as the group name in the VPN client? Or do I use the ID for the user that I set up in the VPN client? If it is the group name, then what is the password, as I did not set one up on the ASA?
06-13-2007 05:40 AM
Yes, Cisco would be the group name in the client. The password would be the "pre-shared key" under the attributes for the Cisco tunnel-group.
06-13-2007 05:46 AM
Ok,
I tried that with Cisco as the group name and the "pre-shared" key as the password. I still get the Reason: 412.
06-13-2007 06:03 AM
Windows firewall is running so I added cvpn to it and I am still having the problem.
06-13-2007 06:10 AM
Post a show run sysopt.
Also, could you log on asa with debug crypto isakmp 7?
06-13-2007 06:13 AM
ASA5505# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
How do I "log on asa with debug crypto isakmp 7"?
06-13-2007 06:33 AM
kk did "debug crypto isakmp 7".
06-13-2007 06:33 AM
"How do I "log on asa with debug crypto isakmp 7"?"
Depends how you are connecting to it...
console-
debug crypto isakmp 7
logging console debugging
telnet/ssh-
debug crypto isakmp 7
logging monitor debugging
ASDM-
debug crypto isakmp 7 from cli then launch monitor -> logging window
06-13-2007 06:40 AM
ASDM - Debug commands are not supported in CLI Window.
ssh - logging monitor = invalid input detected at monitor. Only option is savelog.
06-13-2007 06:49 AM
asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7
or just(I would do this one)
asa(config)# debug crypto isakmp 7
then use ASDM logging window
06-13-2007 06:53 AM
Ok, I have done that and retried the connection. I still get the Reason 412. And I do not see anything in that SSH window.
06-13-2007 06:59 AM
How about the ASDM logging window, you see nothing from the vpn client? Is there another firewall in front of the ASA or anything which would be blocking vpn from the client?
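The replies in this thread ask, in turn, whether ISAKMP is enabled on the outside interface, what the pre-shared key is, what "show run sysopt" returns, and whether something between the client and the ASA blocks the VPN. The script below is an added example, not code posted in this thread and not Cisco's: it runs those same checks statically over the configuration and "show run sysopt" output posted above (abridged and re-indented the way the ASA prints them, with the poster's masked "xxxx" octets left as posted), so the ASA-side causes of a Reason 412 can be ruled in or out before sitting on "debug crypto isakmp 7". It goes slightly beyond the thread by also verifying that every name the tunnel-group and group-policy refer to (address pool, split-tunnel ACL, transform-set) is actually defined, since ASA object names are case-sensitive and the posted config contains both "cisco_splitTunnelAcl" and "Cisco_splitTunnelAcl".

```python
"""Static checks of an ASA remote-access IPsec config for the items this thread asks
about when the VPN client reports Reason 412.  Added example, not the poster's or
Cisco's code: CONFIG and SYSOPT are the posted config and 'show run sysopt' output,
abridged and re-indented as the ASA prints them (sub-commands indented one space)."""
import re
from typing import Dict, List, Tuple

CONFIG = """\
interface Vlan2
 nameif outside
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
group-policy Cisco attributes
 split-tunnel-network-list value Cisco_splitTunnelAcl
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
"""
SYSOPT = "no sysopt connection timewait\nsysopt connection permit-vpn\n"
Finding = Tuple[str, str]  # (severity, message)

def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each unindented command to the indented sub-commands beneath it."""
    sections: Dict[str, List[str]] = {}
    header = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and header:
            sections[header].append(raw.strip())
        else:
            header = raw.strip()
            sections.setdefault(header, [])
    return sections

def check_remote_access_ipsec(config: str, sysopt: str = "") -> List[Finding]:
    """Return (severity, message) findings; no ERROR means the ASA side can answer IKEv1 clients."""
    sections = parse_sections(config)
    top = list(sections)  # every unindented command, in order
    out: List[Finding] = []
    # Phase 1 can only start if ISAKMP listens on the interface the client reaches.
    if "crypto isakmp enable outside" not in top:
        out.append(("ERROR", "ISAKMP not enabled on outside ('crypto isakmp enable outside')"))
    # The crypto map bound to outside needs a dynamic entry whose transform-set exists.
    bound = [t for t in top if re.fullmatch(r"crypto map \S+ interface outside", t)]
    if not bound:
        out.append(("ERROR", "no crypto map is bound to the outside interface"))
    else:
        cmap = bound[0].split()[2]
        dyn = [t.split()[-1] for t in top if re.fullmatch(rf"crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic \S+", t)]
        if not dyn:
            out.append(("ERROR", f"crypto map {cmap} has no 'ipsec-isakmp dynamic' entry"))
        else:
            defined = {t.split()[3] for t in top if t.startswith("crypto ipsec transform-set ")}
            used = [ts for t in top if re.fullmatch(rf"crypto dynamic-map {re.escape(dyn[0])} \d+ set transform-set .+", t)
                    for ts in t.split("set transform-set")[1].split()]
            out += [("ERROR", f"dynamic-map {dyn[0]} uses undefined transform-set {ts}") for ts in used if ts not in defined]
    # Reachability reminder: which ports must reach the ASA depends on NAT-T.
    natt = any(t.startswith("crypto isakmp nat-traversal") for t in top)
    out.append(("INFO", "UDP/500 and " + ("UDP/4500" if natt else "ESP (IP protocol 50)") + " must reach the outside address"))
    # Each ipsec-ra tunnel-group needs a pre-shared key and a defined address pool, and
    # its group-policy's split-tunnel ACL must exist (ACL names are case-sensitive).
    pools = {t.split()[3] for t in top if t.startswith("ip local pool ")}
    acls = {t.split()[1] for t in top if t.startswith("access-list ")}
    for tg in [m.group(1) for t in top if (m := re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", t))]:
        general = sections.get(f"tunnel-group {tg} general-attributes", [])
        if not any(s.startswith("pre-shared-key") for s in sections.get(f"tunnel-group {tg} ipsec-attributes", [])):
            out.append(("ERROR", f"tunnel-group {tg}: no pre-shared-key, so Phase 1 cannot authenticate"))
        for pool in (s.split()[1] for s in general if s.startswith("address-pool ")):
            if pool not in pools:
                out.append(("ERROR", f"tunnel-group {tg}: address-pool {pool} is not defined"))
        for gp in (s.split()[1] for s in general if s.startswith("default-group-policy ")):
            for s in sections.get(f"group-policy {gp} attributes", []):
                if s.startswith("split-tunnel-network-list value ") and (acl := s.split()[2]) not in acls:
                    hint = " (ACL names are case-sensitive)" if acl.lower() in {a.lower() for a in acls} else ""
                    out.append(("ERROR", f"group-policy {gp}: split-tunnel ACL {acl} is not defined{hint}"))
    # Without permit-vpn, decrypted client traffic is filtered by the outside ACL.
    if sysopt and "sysopt connection permit-vpn" not in [l.strip() for l in sysopt.splitlines()]:
        out.append(("WARN", "'sysopt connection permit-vpn' is off; tunnelled traffic hits the outside ACL"))
    return out

def errors(findings: List[Finding]) -> List[str]:
    return [msg for sev, msg in findings if sev == "ERROR"]

if __name__ == "__main__":
    for sev, msg in check_remote_access_ipsec(CONFIG, SYSOPT):
        print(f"{sev:5} {msg}")
```

Run against the posted config it reports no errors, only the reminder that with "crypto isakmp nat-traversal" enabled both UDP/500 and UDP/4500 have to reach the outside address, which is exactly the question the last reply asks about a firewall in front of the ASA: a 412 with a config that passes these checks and an ASA that logs nothing under "debug crypto isakmp 7" points at the path between client and ASA rather than at the ASA itself.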