05-22-2008 07:45 AM
Good evening, I'm writing to you to solve a problem related to an IPSec tunnel between an ASA5540 and a Cisco Client VPN ver.5.003.0530
Below are a few lines from the ASA's log:
May 22 16:26:26 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:26:26 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:27:03 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:27:03 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:09 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:09 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:13 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:13 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:57 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:57 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:42:00 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:42:00 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
This is the ASA's tunnel configuration:
hostname(config)# isakmp policy 69 authentication pre-share
hostname(config)# isakmp policy 69 encryption 3des
hostname(config)# isakmp policy 69 hash sha
hostname(config)# isakmp policy 69 group 2
hostname(config)# isakmp policy 69 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key xxx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory
and the IPSec client has the "flag" on Group Authentication and IPSec over TCP.
Can you suggest a solution?
Any information that you can send me is welcome.
Best Regards
--
Davide Sacca'
05-22-2008 11:27 AM
Davide, two questions for you.
1- When clients try connecting to the tunnel, are they getting prompted with tunnel authentication or not?
If you are not getting the tunnel authentication window, it is possible the VPN client is configured for IPsec over TCP instead of IPsec over UDP, which is the default setting. Could you check that under the VPN client Transport tab?
Rgds
-Jorge
05-25-2008 01:01 PM
It seems the client is hitting DefaultRAGroup, but we have configured the group as testgroup. Please check the group name in the connection entries on the client. Also, please let us know if there are any site-to-site or dynamic-to-static tunnels already configured on the firewall. If this is the case, bind the dynamic map dyn1 with high priority to the static map, e.g. crypto map mymap 65535 ipsec-isakmp dynamic dyn1
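An added example, not part of the thread: a Python check that compares the `Group =` field of ASA syslog lines against the tunnel-groups explicitly defined in a config, to spot peers landing in a group such as DefaultRAGroup instead of the intended one. The sample log and config are constructed in the shape of the lines posted above (peer addresses are documentation placeholders), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input shaped like the thread's config and log.
SAMPLE_CONFIG = """\
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key xxx
"""
SAMPLE_LOG = """\
May 22 16:26:26 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = 192.0.2.10, Removing peer from peer table failed, no match!
May 22 16:26:26 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry
May 22 16:27:03 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = 192.0.2.10, Removing peer from peer table failed, no match!
May 22 16:30:00 asa1a-inside asa1a %ASA-4-713903: Group = testgroup, IP = 192.0.2.20, Error: Unable to remove PeerTblEntry
"""

# Accepts plain running-config lines and lines pasted with a "hostname(config)# " prompt.
TG_RE = re.compile(r"^\s*(?:\S+#\s*)?tunnel-group\s+(\S+)\s+type\s+(\S+)", re.M)
LOG_RE = re.compile(r"%ASA-(\d)-(\d{6}): Group = ([^,]+), IP = ([^,]+), (.*)")

def configured_groups(config):
    """Map each explicitly defined tunnel-group name to its type."""
    return {name: kind for name, kind in TG_RE.findall(config)}

def parse_events(log):
    """Extract severity, message id, group, peer and text from ASA syslog lines."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            sev, msg_id, group, peer, text = m.groups()
            events.append({"severity": int(sev), "id": msg_id,
                           "group": group.strip(), "peer": peer.strip(), "text": text})
    return events

def fallback_peers(config, log):
    """Count events per (peer, group) whose group is not defined in the config."""
    known = configured_groups(config)
    hits = Counter()
    for ev in parse_events(log):
        if ev["group"] not in known:
            hits[(ev["peer"], ev["group"])] += 1
    return hits

if __name__ == "__main__":
    for (peer, group), n in fallback_peers(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{peer}: {n} events in unconfigured group {group}")
```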