Help with ASA and remote access vpn w/Microsoft client

Unanswered Question
Nov 3rd, 2009

Hi there,


I'm having a terrible time configuring a remote access VPN and was hoping someone could help. I want to be able to use the Microsoft client instead of the Cisco client. I've attached the relevant parts of my config (I think I have it all) and an isakmp debug from one of my *many* attempts to connect. Can someone please help me out?


Thanks in advance,


Brandon



Herbert Baerten Wed, 11/04/2009 - 01:48

These seem to be the relevant debugs:


Nov 03 2009 15:23:43: %ASA-6-713905: Group = DefaultRAGroup, IP = x.x.x.x, No valid authentication type found for the tunnel group


Nov 03 2009 15:23:43: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.



Can you try this:


tunnel-group DefaultRAGroup ipsec-attributes
 isakmp ikev1-user-authentication xauth


I know it seems wrong since the L2TP client does not do xauth, but the ASA is intelligent enough to suppress xauth when it detects L2TP.

branfarm1 Wed, 11/04/2009 - 05:32

Thanks for the response.


I changed the command to xauth and now I see this message in the debug:


Nov 04 2009 08:29:01: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.

Nov 04 2009 08:29:01: %ASA-3-713902: Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xd8e8a3b8, mess id 0x1)!

Nov 04 2009 08:29:01: %ASA-7-715065: Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xd8e8a3b8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent

Nov 04 2009 08:29:01: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message

Nov 04 2009 08:29:01: %ASA-3-713902: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!



Herbert Baerten Wed, 11/04/2009 - 06:20

Do you still have


isakmp ikev1-user-authentication (outside) none


?

If so, remove it (or change it to xauth as well) please.


If not, can you post the current config and the complete debugs please, including "debug crypto isakmp 10" and "debug crypto ipsec 10".


BTW which version of Pix/ASA is this?

pawelnowakowski Fri, 02/19/2010 - 04:39

In your config:


no crypto isakmp nat-traversal


Log file:



Nov 04 2009 09:45:51: %ASA-7-713025: Group = DefaultRAGroup, IP = x.x.x.x, Received remote Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 17, Port 1701


Check the IP addresses:

IP = x.x.x.x, and Address x.x.x.x


...

Nov 04 2009 09:45:51: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.



Try:


crypto isakmp nat-traversal 65535
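Added example (not from the thread or from Cisco): a small Python triage script that parses ASA IKE debug lines of the shape quoted in this thread and maps the message IDs the replies discuss (713905, 713906, 713025, 713902) to the configuration check each reply points at. The sample debug lines and their addresses are constructed.

```python
import re

# Shape of the ASA debug lines quoted in the thread, e.g.
#   Nov 03 2009 15:23:43: %ASA-6-713905: Group = DefaultRAGroup, IP = x.x.x.x, <text>
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<peer>[^,]+), (?P<text>.*)$"
)
# Proxy ID detail carried in message 713025
PROXY_ID = re.compile(r"Address (?P<addr>\S+), Protocol (?P<proto>\d+), Port (?P<port>\d+)")

# Constructed sample (RFC 5737 / RFC 1918 addresses), modelled on the lines in this thread.
SAMPLE_DEBUG = """\
Nov 03 2009 15:23:43: %ASA-6-713905: Group = DefaultRAGroup, IP = 203.0.113.5, No valid authentication type found for the tunnel group
Nov 03 2009 15:23:43: %ASA-7-713906: Group = DefaultRAGroup, IP = 203.0.113.5, peer is not authenticated by xauth - drop connection.
Nov 04 2009 09:45:51: %ASA-7-713025: Group = DefaultRAGroup, IP = 203.0.113.5, Received remote Proxy Host data in ID Payload:  Address 192.168.1.10, Protocol 17, Port 1701
Nov 04 2009 08:29:01: %ASA-3-713902: Group = DefaultRAGroup, IP = 203.0.113.5, QM FSM error (P2 struct &0xd8e8a3b8, mess id 0x1)!
"""

def parse_asa_line(line):
    """Return the fields of one ASA IKE debug line as a dict, or None if it does not match."""
    m = ASA_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Map the message IDs discussed in the thread to the configuration check each points at."""
    findings = []
    for rec in filter(None, map(parse_asa_line, lines)):
        mid, text, group, peer = rec["msgid"], rec["text"], rec["group"], rec["peer"]
        if mid == "713905" and "No valid authentication type" in text:
            findings.append((mid, "tunnel-group %s ipsec-attributes: set "
                                  "'isakmp ikev1-user-authentication xauth'" % group))
        elif mid == "713906" and "not authenticated by xauth" in text:
            findings.append((mid, "phase 1 dropped: peer in %s did not complete xauth; "
                                  "check its ikev1-user-authentication setting" % group))
        elif mid == "713025":
            p = PROXY_ID.search(text)
            # Proxy ID address differs from the IKE peer address: the client sits behind NAT,
            # so NAT traversal must be enabled ('crypto isakmp nat-traversal').
            if p and p.group("addr") != peer:
                findings.append((mid, "peer %s is NATed (proxy ID %s, proto %s port %s): "
                                      "enable 'crypto isakmp nat-traversal'"
                                      % (peer, p.group("addr"), p.group("proto"), p.group("port"))))
        elif mid == "713902" and "QM FSM error" in text:
            findings.append((mid, "phase 2 (quick mode) failed for %s" % group))
    return findings

if __name__ == "__main__":
    for msgid, advice in triage(SAMPLE_DEBUG.splitlines()):
        print(msgid, advice)
```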
