VPN client to site connection

bill_baxter
Level 1

I receive this error message in ASDM when a VPN client tries to connect.

Group = DefaultRAGroup, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!

I have created a tunnel group called VPNTunnel, but the connection seems to be trying to use the DefaultRAGroup.

For the client config, what should I have in the name and password field for group authentication? I think this is where my problem lies.

Thanks, Bill

8 Replies

andrew.prince
Level 10

Bill,

Can you post your config - sanitised of course?

Andrew, here is the config.

Thanks, Bill

: Saved
:
ASA Version 7.2(3)
!
hostname DPPASA5505
domain-name .com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name .com
access-list VPNTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.224 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.1.231-192.168.1.250 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy VPNTunnel internal
group-policy VPNTunnel attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNTunnel_splitTunnelAcl
 default-domain value .COM
username whbaxter password eCtuA/0MCMYZ4AXN encrypted privilege 0
username whbaxter attributes
 vpn-group-policy VPNTunnel
tunnel-group VPNTunnel type ipsec-ra
tunnel-group VPNTunnel general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnel
tunnel-group VPNTunnel ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
: end


Bill,

Add the below:-

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Give it a whirl and test!

Forgot this as well:

crypto isakmp identity address

Andrew,

I am a little confused. This is already in my config, but the one difference is:

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto isakmp policy 65535

Should I just be modifying the one line?

Thanks, Bill

In the past I had issues getting remote VPNs working - and putting in the policy # that matched the dynamic crypto map # worked. Never got to the bottom of why - bug I suspect.

I have just put all your config in my lab pix, and added my suggestions - and a VPN client can connect no issues.

Andrew,

Thanks for your help. I was just wondering if I needed to add your suggestions in addition to the config or just modify the config to match your suggestions. I will test tonight and let you know how things work out.

Bill.

Issue resolved. I was using the wrong information for the group authentication. I needed to put in the tunnel name and pre-shared key instead of a username and password.
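An added example, not code from the thread or from Cisco: a small Python model of the behaviour Bill ran into. It parses the tunnel-group lines from a constructed excerpt of his config and shows that a group name matching an ipsec-ra tunnel-group selects that group, while a username typed into the group field lands in DefaultRAGroup, which is the group named in the ASDM error lines. The fallback logic is an assumption-level model of ASA tunnel-group matching, not ASA code.

```python
import re

# Constructed excerpt of the ASA 7.2 config posted in the thread (only the
# remote-access pieces that the client's group name and pre-shared key map onto).
ASA_CONFIG = """\
ip local pool VPNPool 192.168.1.231-192.168.1.250 mask 255.255.255.0
username whbaxter password xxx encrypted privilege 0
tunnel-group VPNTunnel type ipsec-ra
tunnel-group VPNTunnel general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnel
tunnel-group VPNTunnel ipsec-attributes
 pre-shared-key *
"""


def parse_tunnel_groups(cfg):
    """Map tunnel-group name -> {'type', 'psk', 'pool'} from ASA config text."""
    groups, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes)(.*)", line)
        if head:
            name, kind, rest = head.groups()
            current = groups.setdefault(name, {"type": None, "psk": False, "pool": None})
            if kind == "type":
                current["type"] = rest.strip()
                current = None          # the 'type' line has no sub-commands
        elif line.startswith(" ") and current is not None:
            tok = line.split()          # indented sub-command of the open block
            if tok[0] == "pre-shared-key":
                current["psk"] = True   # '*' is the masked key in 'show run'
            elif tok[0] == "address-pool":
                current["pool"] = tok[1]
        else:
            current = None              # any other top-level line closes the block
    return groups


def resolve_group(cfg, client_group_name):
    """Model (assumption, not ASA code) of tunnel-group selection for an IPsec
    remote-access client: the group name the client sends is matched against the
    configured ipsec-ra tunnel-groups; anything else falls through to DefaultRAGroup."""
    groups = parse_tunnel_groups(cfg)
    hit = groups.get(client_group_name)
    if hit and hit["type"] == "ipsec-ra":
        return client_group_name, hit
    return "DefaultRAGroup", groups.get("DefaultRAGroup")
```

Running resolve_group with "VPNTunnel" returns that group with its pre-shared key set, while "whbaxter" (the username Bill had been entering) returns DefaultRAGroup, for which the config defines no pre-shared key.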
