Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3332
Views
0
Helpful
5
Replies

Help with ASA and remote access vpn w/Microsoft client

branfarm1
Level 4
Level 4

‎11-03-2009 02:49 PM - edited ‎02-21-2020 04:22 PM

Hi there,

I'm having a terrible time configuring a remote access VPN and was hoping someone could help. I want to be able to use the Microsoft client instead of the cisco client. I've attached the relevant parts of my config (I think I have it all) and an isakmp debug from one of my *many* attempts to connect. Can someone please help me out?

Thanks in advance,

Brandon

Labels:
Preview file
10 KB
Preview file
3 KB
0 Helpful
5 Replies 5

Herbert Baerten
Cisco Employee
Cisco Employee

‎11-04-2009 01:48 AM

These seem to be the relevant debugs:

Nov 03 2009 15:23:43: %ASA-6-713905: Group = DefaultRAGroup, IP = x.x.x.x, No valid authentication type found for the tunnel group

Nov 03 2009 15:23:43: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.

Can you try this:

tunnel-group DefaultRAGroup ipsec-attributes

isakmp ikev1-user-authentication xauth

I know it seems wrong since the L2TP client does not do xauth, but the ASA is intelligent enough to suppress xauth when it detects L2TP.

0 Helpful

branfarm1
Level 4
Level 4
In response to Herbert Baerten

‎11-04-2009 05:32 AM

Thanks for the response.

I changed the command to xauth and now I see this message in the debug:

Nov 04 2009 08:29:01: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.

Nov 04 2009 08:29:01: %ASA-3-713902: Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xd8e8a3b8, mess id 0x1)!

Nov 04 2009 08:29:01: %ASA-7-715065: Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xd8e8a3b8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent

Nov 04 2009 08:29:01: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message

Nov 04 2009 08:29:01: %ASA-3-713902: Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!

0 Helpful

Herbert Baerten
Cisco Employee
Cisco Employee
In response to branfarm1

‎11-04-2009 06:20 AM

Do you still have

isakmp ikev1-user-authentication (outside) none

?

If so, remove it (or change it to xauth as well) please.

If not, can you post the current config and the complete debugs please, including "debug crypto isakmp 10" and "debug crypto ipsec 10".

BTW which version of Pix/ASA is this?

0 Helpful

branfarm1
Level 4
Level 4
In response to Herbert Baerten

‎11-04-2009 06:48 AM

I removed that line and also tried it with isakmp ikev1-user-authentication (outside) xauth, but no luck on either try.

This is an ASA running v8.0(4).

I've attached the config and debugs.

Preview file
31 KB
0 Helpful

pawelnowakowski
Level 1
Level 1
In response to branfarm1

‎02-19-2010 04:39 AM

in your config

no crypto isakmp nat-traversal

log file


Nov 04 2009 09:45:51: %ASA-7-713025: Group = DefaultRAGroup, IP = x.x.x.x, Received remote Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 17, Port 1701

check IP address

IP = x.x.x.x,  and  Address x.x.x.x

......

Nov 04 2009 09:45:51: %ASA-7-713906: Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.

try

crypto isakmp nat-traversal 65535

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents