10-19-2007 07:12 AM - edited 02-21-2020 03:19 PM
Hi
Hope somebody can help. I'm trying to use a new ASA 5520 to terminate my remote access VPNs. The remote clients use the Cisco VPN client V5. I'm using the configuration below and testing using a laptop directly connected into the same VLAN as the outside interface. I can ping the outside interface, but when I try to connect using the client I get Error 412: Peer not responding. Debugging ISAKMP on the ASA shows no attempt to connect. The laptop will connect to our existing VPN without a problem.
Does anyone have any ideas that may help me out?
Many Thanks
Rob
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
passwd encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name
access-list 101 extended permit tcp any host * eq https
access-list 101 extended permit tcp any host * eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool pool 192.168.0.10-192.168.0.15
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link failover GigabitEthernet0/3
failover interface ip failover 192.168.20.1 255.255.255.0 standby 192.168.20.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 * netmask 255.255.255.0
nat (inside) 1 * 255.255.0.0
static (inside,outside) netmask 255.255.255.255
static (inside,outside) netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 * 1
route inside * 255.255.0.0 * 1
group-policy csmavpn internal
group-policy csmavpn attributes
dns-server value *
vpn-tunnel-protocol IPSec
default-domain value *
client-firewall none
username testuser password * encrypted
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 1 set security-association lifetime seconds 288000
crypto map Outside_map 1 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp ipsec-over-tcp port 10000
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
address-pool pool
tunnel-group vpn1 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
telnet * 255.255.255.255 management
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server * source dmz prefer
prompt hostname context
11-05-2007 12:28 AM
We have the same problem with VPN Client V5, but version 4.8 is OK.
The only difference between these two versions is that V4.8 uses port 500 as the source port and V5 uses port 1501 as the source port. Both versions use the same pcf file.
I have captured the packets, and this was the only difference between the two packets.
But I don't know how I can fix this problem.
Have you found a solution since your posting?
Michael
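A sketch of the packet comparison described in the reply above, as an added example that is not part of the original thread: it parses the IPv4/UDP/ISAKMP headers (RFC 2408 layout) of the first IKE packet from each client and lists the header fields that differ. The sample packets, the 192.0.2.x addresses, the cookie value and the Aggressive Mode exchange type are constructed for illustration; only the source ports 500 and 1501 come from the post.

```python
import struct

# ISAKMP exchange types (RFC 2408 / RFC 2409)
EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}

def parse_ike_packet(pkt: bytes) -> dict:
    """Parse a raw IPv4 packet (link-layer header already stripped) carrying IKE."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if pkt[9] != 17:
        raise ValueError("not UDP")
    if len(pkt) < ihl + 8 + 28:
        raise ValueError("too short for UDP + ISAKMP header")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # Fixed 28-byte ISAKMP header: cookies, next payload, version,
    # exchange type, flags, message ID, total length.
    _icookie, rcookie, _np, ver, xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", pkt[ihl + 8:ihl + 36])
    return {
        "src_port": sport,
        "dst_port": dport,
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGES.get(xchg, f"unknown({xchg})"),
        "first_message": rcookie == b"\x00" * 8,  # responder cookie not yet set
        "isakmp_length": length,
    }

def diff_fields(a: dict, b: dict) -> list:
    """Names of parsed header fields whose values differ between two packets."""
    return [k for k in a if a[k] != b[k]]

def build_sample(src_port: int) -> bytes:
    """Constructed first IKE packet (header only) from 192.0.2.10 to 192.0.2.1."""
    isakmp = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28)
    udp = struct.pack("!HHHH", src_port, 500, 8 + len(isakmp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(isakmp), 0, 0,
                     64, 17, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + udp + isakmp

if __name__ == "__main__":
    v48 = parse_ike_packet(build_sample(500))    # source port reported for V4.8
    v5 = parse_ike_packet(build_sample(1501))    # source port reported for V5
    print(v48, v5, diff_fields(v48, v5), sep="\n")
```

Cookies are deliberately left out of the comparison, since they differ on every connection attempt.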