Remote Access VPN error on ASA5510

m.imaduddin · ‎09-01-2010

Dear All,

I recently configure an ASA 5510 K8 as a remote access VPN. I use the wizzard from ASDM to configure it.

When i try to connect via Cisco VPN client, i can authenticate the tunnel group and PSK successfully. But when i put my username and password for user authentication, the VPN suddenly terminated with error reason 433: VPN connection terminated by peer.

I try to debug crypto isakmp and debug crypto ipsec, this is what i get:

[IKEv1]: Group = xxxx Username = yyyy, IP = 125.166.x.x, Removing peer from peer table failed, no match!

[IKEv1]: Group = xxxx, Username = yyyy, IP = 125.166.x.x, Error: Unable to remove PeerTblEntry

It seem that the IKE phase 1 negotiation failed. I already checked from datasheet, my ASA only support DES encyrption, with MD5 hashing, and Diffie Hellman group 2. Here is the configuration for ISAKMP:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Here is the configuration for IPSEC:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 5 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

FYI my ASA software is version 7.0

Every respond are appreciated

Tq

Imad

m.imaduddin · ‎09-01-2010

For additional information i use ASA local database to provide username and password.

Here is the configuration on tunnel-group:

tunnel-group xxxx general-attributes
address-pool VPN-CITI
default-group-policy xxxx
tunnel-group xxxx ipsec-attributes
pre-shared-key *

praprama · ‎09-02-2010

Hey,

Based on your description, it either seems to be an issue with authentication or Phase 2. the fact that you are getting till the username/password prompt means Phase 1 is working fine.

Try adding the following command to ensure we have the commands for authentication necessary:

tunnel-group xxxx general-attributes

authentication-server-group LOCAL

Enable the following debugs on the ASA "debug crypto isakmp 127" and "debug crypto ipsec 127" and try connecting to the VPN and send the entore debug output.

Thanks and Regards,

Prapanch

m.imaduddin · ‎09-05-2010

Hi Prapanch,

I already add this configuration on the ASA:

tunnel-group xxx general-attributes
authentication-server-group local

I also add acl to permit any traffic from outside to VPN pool. I apply it on dynamic map for the crypto. Here is the config:

access-list outside_cryptomap_dyn_5 extended permit ip any 192.168.13.0 255.255.255.0
crypto dynamic-map outside_dyn_map 5 match address outside_cryptomap_dyn_5

I also add the NAT 0 for VPN traffic. here is the configuation

nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any 192.168.13.0 255.255.255.0

It seem that the same problem still exist.

For the debug, i have been able to provide to you yet since i am still out of office.

Namaste

Imad

Nagaraja Thanthry · ‎09-05-2010

Hello,

Can you please try to change the keyword local to all caps local?

tunnel-group xxx general-attributes

no authentication-server-group local

authentication-server-group LOCAL

Hope this helps.

Regards,

NT