Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6699
Views
10
Helpful
2
Replies

ASA 5505 Remote Access VPN

Go to solution
Conor Cunningham
Level 1
Level 1

‎12-09-2009 02:39 AM - edited ‎02-21-2020 04:24 PM

Hi All,

I've been reading http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html and following the steps to create a remote Access VPN. At the end of this post is the config delivered to the FW.

I am testing the connection on a Cisco Remote VPN Client for Windows with plans on migrating the profile to my Linux laptop. What I am seeing is an error message when running 'debug cryptop isa 129' of

Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer from peer table failed, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Error: Unable to remove PeerTblEntry

What strikes me as strange is that I have a Group Policy and an IPSec Connection Profile 'RemoteHome' configured, yet it is not referenced in the debug output. I have searched through my config for DefaultRAGroup but to no avail. I have however found it in the ASDM under IPSec Connection Profiles.

I have configured the FW to use LOCAL authentication and have configured the VPN Client with the correct username and password.

So, basically, I am at a loss as to how to resolve my error. Any help much appreciated.

Following the FW config is the full output from debug crypto isa 129.

Cheers,

Conor

      access-list RemoteHome_splitTunnelAcl standard permit host 10.2.2.2
      access-list RemoteHome_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
      access-list RemoteHome_splitTunnelAcl standard permit 10.3.3.0 255.255.255.0
      access-list RemoteHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
      access-list INSIDE_nat0_outbound line 1 extended permit ip host 10.2.2.2 192.168.2.64 255.255.255.192
      access-list INSIDE_nat0_outbound line 2 extended permit ip 172.16.0.0 255.255.0.0 192.168.2.64 255.255.255.192
      access-list INSIDE_nat0_outbound line 3 extended permit ip 10.3.3.0 255.255.255.0 192.168.2.64 255.255.255.192
      access-list INSIDE_nat0_outbound line 4 extended permit ip 192.168.2.0 255.255.255.0 192.168.2.64 255.255.255.192
      ip local pool VPN_REMOTE_POOL 192.168.2.90-192.168.2.99 mask 255.255.255.0
      group-policy RemoteHome internal
      group-policy RemoteHome attributes
        vpn-tunnel-protocol IPSec
        split-tunnel-policy   tunnelspecified
        split-tunnel-network-list value RemoteHome_splitTunnelAcl
        dns-server value * *
        default-domain value cunningtek.com
      tunnel-group RemoteHome type remote-access
      tunnel-group RemoteHome general-attributes
        default-group-policy RemoteHome
        address-pool  VPN_REMOTE_POOL
      tunnel-group RemoteHome ipsec-attributes
        pre-shared-key **********
      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      nat (INSIDE) 0 access-list INSIDE_nat0_outbound  tcp 0 0 udp 0

firewall# Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VEND
OR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing SA payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ISA_KE payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing nonce payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing ID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received xauth V6 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received DPD VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received Fragmentation VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received NAT-Traversal ver 02 VID
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, processing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: IP = 83.109.134.21, Received Cisco Unity client VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'conor'.
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, processing IKE SA payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ISAKMP SA payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ke payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing nonce payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Generating keys for Responder...
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing ID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing hash payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Computing hash for ISAKMP
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing Cisco Unity VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing xauth V6 VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Traversal VID ver 02 payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Discovery payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, computing NAT Discovery hash
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing NAT-Discovery payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, computing NAT Discovery hash
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing Fragmentation VID + extended capabilities payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, constructing VID payload
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 09 10:10:03 [IKEv1]: IP = 83.109.134.21, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VEND
OR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 424
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE AM Responder FSM error history (struct &0xd8d3bed8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_
SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, IKE SA AM:7ff48db9 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Dec 09 10:10:03 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 83.109.134.21, sending delete/delete with reason message
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Removing peer from peer table failed, no match!
Dec 09 10:10:03 [IKEv1]: Group = DefaultRAGroup, IP = 83.109.134.21, Error: Unable to remove PeerTblEntry

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎12-09-2009 07:42 AM

I think this is the beginning of your issue.

Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'conor'.

In the vpn client, you need to enter the group name, RemoteHome and pre shared key, NOT your username. You will be prompted for your username after you connect.

Since the group name conor does not exist, it is defaulting to the DefaultRAGroup

View solution in original post

2 Replies 2

Go to solution
acomiskey
Level 10
Level 10

‎12-09-2009 07:42 AM

I think this is the beginning of your issue.

Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'conor'.

In the vpn client, you need to enter the group name, RemoteHome and pre shared key, NOT your username. You will be prompted for your username after you connect.

Since the group name conor does not exist, it is defaulting to the DefaultRAGroup

Go to solution
Conor Cunningham
Level 1
Level 1
In response to acomiskey

‎12-09-2009 09:06 AM

acomiskey,

Problem solved and working nicely with my linux boxes, too. Thanks a million - bloody good show! I'll have to throw a few stars your way!

Many thanks,

Conor

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents