ASA 5540 VPN RA

sercopi
Level 1

Good evening, I'm writing to you to solve a problem with an IPSec tunnel between an ASA5540 and a Cisco VPN Client ver. 5.003.0530.

Below are a few lines from the ASA's log:

May 22 16:26:26 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:26:26 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:27:03 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:27:03 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:09 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:09 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:13 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:13 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:41:57 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:41:57 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry
May 22 16:42:00 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Removing peer from peer table failed, no match!
May 22 16:42:00 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = Client_IPSec_Pubblic_IP, Error: Unable to remove PeerTblEntry

This is the ASA's tunnel configuration:

hostname(config)# isakmp policy 69 authentication pre-share
hostname(config)# isakmp policy 69 encryption 3des
hostname(config)# isakmp policy 69 hash sha
hostname(config)# isakmp policy 69 group 2
hostname(config)# isakmp policy 69 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key xxx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory

and the IPSec client has "Group Authentication" and "IPSec over TCP" checked.

Can you suggest a solution?

Any information you can send me is welcome.

Best Regards

--

Davide Sacca'

2 Replies

JORGE RODRIGUEZ
Level 10

Davide, two questions for you.

1- When clients try to connect to the tunnel, are they prompted with tunnel authentication or not?

If you are not getting the tunnel authentication window, it is possible the VPN client is configured for IPsec over TCP instead of IPsec over UDP, which is the default setting; could you check that under the VPN client Transport tab?

Rgds

-Jorge

Jorge Rodriguez

nitinaga
Level 1

It seems the client is hitting DefaultRAGroup, but we have configured the group as testgroup. Please check the group name in the connection entries on the client. Also, please let us know if there are any site-to-site or dynamic-to-static tunnels already configured on the firewall. If this is the case, bind the dynamic map dyn1 with high priority to the static map, e.g. crypto map mymap 65535 ipsec-isakmp dynamic dyn1
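The two checks suggested in this thread (the client landing in DefaultRAGroup rather than the configured tunnel-group, and a dynamic crypto map entry sorting ahead of a static one) can be turned into a small triage script run against the syslog and a running-config dump. This is an added example, not code from the original post or either reply, and not Cisco tooling. It parses the %ASA-3-713902 / %ASA-4-713903 lines by Group and IP, compares the group against the tunnel-groups of type ipsec-ra in the config, and compares crypto map sequence numbers. The log lines and the site-to-site entry at seq 10 are constructed for the example (documentation addresses, not the poster's), and the regexes are assumptions tuned to the line layout quoted above.

```python
"""Triage helper for ASA IKEv1 remote-access failures (added example, not from the thread)."""
import re
from collections import Counter

# Syslog body layout copied from the lines quoted in the post:
#   %ASA-<severity>-<msgid>: Group = <group>, IP = <ip>, <message text>
ASA_MSG = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Group = (?P<group>[^,]+), "
    r"IP = (?P<ip>[^,]+), (?P<text>.*)$"
)
# 713902 "Removing peer from peer table failed" / 713903 "Unable to remove PeerTblEntry"
PEER_TABLE_IDS = {"713902", "713903"}

# Assumed running-config patterns (enough for 'show run' output of the lines in the post)
TUNNEL_GROUP_RE = re.compile(r"^\s*tunnel-group\s+(\S+)\s+type\s+(\S+)", re.M)
DYNAMIC_ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", re.M)
# A static (site-to-site) entry is recognised by its 'match address' or 'set peer' line
STATIC_ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (?:match address|set peer)\b", re.M)


def parse_asa_lines(lines):
    """Return one dict per line that carries a Group/IP-bearing %ASA message; other lines are skipped."""
    out = []
    for line in lines:
        m = ASA_MSG.search(line)
        if m:
            out.append(m.groupdict())
    return out


def peer_table_failures(records):
    """Count 713902/713903 events per (group, ip) pair."""
    return Counter((r["group"], r["ip"]) for r in records if r["msgid"] in PEER_TABLE_IDS)


def remote_access_groups(config):
    """Names of tunnel-groups configured for IPsec remote access."""
    return {name for name, kind in TUNNEL_GROUP_RE.findall(config)
            if kind in ("ipsec-ra", "remote-access")}


def misordered_dynamic_entries(config):
    """Return (map, dyn_seq, static_seq) where a dynamic entry is evaluated before a static one."""
    statics = {}
    for name, seq in STATIC_ENTRY_RE.findall(config):
        statics.setdefault(name, set()).add(int(seq))
    problems = []
    for name, seq, _dyn in DYNAMIC_ENTRY_RE.findall(config):
        later = [s for s in statics.get(name, ()) if s > int(seq)]
        if later:
            problems.append((name, int(seq), min(later)))
    return problems


def diagnose(log_lines, config):
    """Combine the two checks from the thread into a list of human-readable findings."""
    findings = []
    failures = peer_table_failures(parse_asa_lines(log_lines))
    ra_groups = remote_access_groups(config)
    for (group, ip), n in sorted(failures.items()):
        # DefaultRAGroup is the built-in fallback when the client's group name matches no tunnel-group
        if group not in ra_groups:
            findings.append(
                f"{ip}: {n} peer-table errors under '{group}', which is not a configured "
                f"remote-access tunnel-group {sorted(ra_groups)}; check the group name in the client's connection entry"
            )
    for name, dyn_seq, static_seq in misordered_dynamic_entries(config):
        findings.append(
            f"crypto map {name}: dynamic entry seq {dyn_seq} is evaluated before static entry seq {static_seq}; "
            f"give the dynamic entry the highest sequence number (e.g. 65535)"
        )
    return findings


# Constructed sample log, modelled on the post; 198.51.100.7 is a documentation address.
# The 302013 line has no Group/IP fields and is there to show that it is ignored.
SAMPLE_LOG = """\
May 22 16:26:26 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = 198.51.100.7, Removing peer from peer table failed, no match!
May 22 16:26:26 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
May 22 16:27:03 asa1a-inside asa1a %ASA-3-713902: Group = DefaultRAGroup, IP = 198.51.100.7, Removing peer from peer table failed, no match!
May 22 16:27:03 asa1a-inside asa1a %ASA-4-713903: Group = DefaultRAGroup, IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
May 22 16:41:09 asa1a-inside asa1a %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4321 (198.51.100.7/4321) to inside:192.0.2.10/443 (192.0.2.10/443)
""".splitlines()

# Constructed running-config excerpt: the post's RA lines plus a hypothetical
# site-to-site entry at seq 10 so the ordering check has something to find.
SAMPLE_CONFIG = """\
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key xxx
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 10 match address L2L_ACL
crypto map mymap 10 set peer 203.0.113.5
crypto map mymap interface outside
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONFIG):
        print(finding)
```

On the real box, feed it the output of `show logging` and `show running-config crypto` plus `show running-config tunnel-group`; the group-name check only tells you the client fell through to the fallback group, so the group name in the client's connection entry (and, where IPsec over TCP is enabled on the client, that the ASA is also configured for it) still has to be confirmed by hand.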