remote access vpn problem in ASA5510

Unanswered Question
Oct 17th, 2008

We are facing an issue connecting to the remote access VPN on a Cisco ASA firewall. When connecting to the firewall through remote access VPN, we receive the error “Error 412: The remote peer is no longer responding”.

The issue persists even after performing the troubleshooting steps below.

1. Removed and re-applied the crypto map on the external interface of the firewall.

2. Rebooted the primary Cisco ASA firewall for further troubleshooting. After rebooting the primary Cisco ASA firewall, applications were not working through the primary ASA firewall, hence we switched over to the secondary firewall. Applications started working fine after switching over to the secondary ASA firewall. We were still not able to connect to the remote access VPN even after switching to the secondary Cisco ASA firewall.

3. Removed the entire remote access VPN configuration from the firewall and reconfigured the remote access VPN from scratch. But the issue still persists.

4. We are able to see the connections on the internet router on UDP port 500 for the remote access VPN, but we are not able to see a single debug isakmp packet for the remote access VPN on the firewall. All the other site-to-site VPN tunnels configured on the firewall are working fine.

5. We also tried connecting to the remote access VPN from a machine connected directly to the external switch, with an IP address assigned from the same subnet as the external interface of the firewall. But still we are not able to see a single debug isakmp packet for the remote access VPN on the firewall.

6. We also configured ISAKMP over TCP port 10000 on the firewall. When we look at the VPN client logs while connecting to the remote access VPN, we see a TCP RST packet on port 10000 and the ISAKMP parameters are not exchanged.

Assistance is required to troubleshoot this.

Thanks, Naveen

Farrukh Haroon Sun, 10/19/2008 - 23:10

Can you post your configurations?

Or at least:

show run sysopt

show run nat

show run access-list

show run crypto

show run all tunnel-group

show run all group-policy



Naveen kumar Wed, 10/22/2008 - 04:38

hi Farrukh,

Sorry for the delay in providing the required info. Please provide your mail ID so that I can send you any further info if required.

Farrukh Haroon Wed, 10/22/2008 - 05:03

The configuration is pretty big and difficult to analyze. What is the IP of the pool?

show run pool

It's better to use a standard ACL for split tunneling. The source IPs will be the addresses BEHIND the firewall and not the ones from the VPN pool. The same goes for the NAT0 ACL: the source will be BEHIND the firewall and the destination will be the VPN POOL.

Also, debugs would help:

debug crypto engine

debug crypto isakmp 125

debug crypto ipsec 125
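
As an added illustration of the ACL direction described in the reply above (this is an editor's example, not Farrukh's reply or Naveen's actual configuration), here is a minimal remote-access IPsec configuration in the pre-8.3 ASA syntax that matches the 2008 date of the thread. Every name and address in it is an assumed placeholder: the RA-POOL pool at 192.168.200.0/24, the 10.1.1.0/24 inside network, the RA-GROUP tunnel group, the RA-POLICY group policy, the OUTSIDE-MAP/DYN-MAP crypto maps and the pre-shared key. The point to compare against a real configuration is the direction of the two ACLs: the split-tunnel list is a standard ACL naming the networks behind the firewall, and the NAT0 ACL has the inside network as source and the pool as destination.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (7.2/8.0 era).
! All names, addresses and the pre-shared key are placeholders.
!
! Address pool handed out to VPN clients (this is what "what is the IP
! of the pool?" is asking about; "show run ip local pool" displays it).
ip local pool RA-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
!
! Split-tunnel list: a STANDARD ACL listing the networks BEHIND the
! firewall that must go through the tunnel, not the pool addresses.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
!
! NAT exemption (NAT0): source = network behind the firewall,
! destination = the VPN pool. Without it the return traffic to the
! clients is translated and the tunnel comes up but passes no data.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Let decrypted VPN traffic bypass the interface ACLs
! (this is what "show run sysopt" is meant to confirm).
sysopt connection permit-vpn
!
! Phase 1: ISAKMP must be enabled on the interface that receives the
! UDP 500 packets, otherwise they are dropped before any debug fires.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Optional: accept ISAKMP/IPsec over TCP port 10000 for clients that
! sit behind NAT devices which do not pass UDP 500/4500 cleanly.
crypto isakmp ipsec-over-tcp port 10000
!
! Phase 2. Remote-access peers have unknown source addresses, so they
! match a DYNAMIC crypto map. Existing site-to-site entries keep their
! lower sequence numbers; the dynamic entry goes last (highest number).
crypto ipsec transform-set RA-SET esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set RA-SET
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Group policy: tunnel only the networks named in SPLIT-TUNNEL.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Tunnel group: the name must match the Group Name in the VPN client
! profile, and the pre-shared key the Group Password.
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key CHANGE-ME
```

Once a client's phase 1 actually reaches the ASA, `show crypto isakmp sa` lists the peer and `debug crypto isakmp` starts printing exchanges; if neither happens while the upstream router still sees UDP 500 toward the outside address, the packets are being dropped or redirected before ISAKMP processing rather than failing inside it. Note that from ASA 8.3 onward the `nat (inside) 0 access-list` form is replaced by object and twice NAT, and 8.4 renames the transform set command to `crypto ipsec ikev1 transform-set`, so this fragment applies as written only to the 7.x/8.0/8.2 releases.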