ASA 5510 behind NAT router (412 error)

Unanswered Question
Nov 11th, 2011

I have an ASA 5510 behind a 2911 router. I've been trying to configure a remote access and a site-to-site VPN tunnel. I've started on the remote access, and I have it set up, but I'm getting this error message (412 error) when trying to authenticate from the VPN client. Has anyone come across this before?


Nov 11 09:52:45 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428

Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE AM Responder FSM error history (struct &0xab58c9a0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE SA AM:c666551f terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, sending delete/delete with reason message

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing blank hash payload

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing IKE delete payload

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing qm hash payload

Nov 11 09:53:09 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=8582ab0c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Removing peer from peer table failed, no match!

Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Error: Unable to remove PeerTblEntry

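As an added triage helper (not from the original thread or from Cisco), the Python below reads debug output in the format posted above and reports, per peer, how many Phase 1 retransmits occurred and whether the ASA, having sent aggressive-mode message 2, timed out in AM_WAIT_MSG3. It assumes the FSM error history is read right to left (most recent transition first); the embedded sample is a constructed excerpt of the lines posted above.

```python
import re
from collections import Counter

# Constructed excerpt of the ASA debug output quoted in the post above (peer IP,
# group name and FSM history as posted; the payload list is shortened).
SAMPLE_DEBUG = """\
Nov 11 09:52:45 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NAT-D (130) + NONE (0) total length : 428
Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE AM Responder FSM error history (struct &0xab58c9a0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
"""

PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
HISTORY_RE = re.compile(r"FSM error history .*<event>:\s*(.*)$")
RETRANSMIT = "Duplicate Phase 1 packet detected"


def parse_fsm_history(text):
    """Split 'STATE, EVENT-->STATE, EVENT...' into (state, event) pairs.

    Assumption: the ASA prints the most recent transition first, so the list
    is reversed to read in the order the events happened."""
    pairs = []
    for step in text.split("-->"):
        state, _, event = step.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs[::-1]


def triage_phase1(debug_output):
    """Per peer: Phase 1 retransmit count and whether the ASA, after sending
    aggressive-mode message 2, timed out waiting for message 3.  That pattern
    means the client never received (or never accepted) MSG2: check the group
    pre-shared key and that UDP 500/4500 reach the ASA through the NAT router."""
    retransmits, histories = Counter(), {}
    for line in debug_output.splitlines():
        peer = PEER_RE.search(line)
        if not peer:
            continue
        ip = peer.group(1)
        if RETRANSMIT in line:
            retransmits[ip] += 1
        found = HISTORY_RE.search(line)
        if found:
            histories[ip] = parse_fsm_history(found.group(1))
    return {
        ip: {"retransmits": retransmits[ip],
             "timed_out_waiting_for_msg3": ("AM_WAIT_MSG3", "EV_TIMEOUT") in history}
        for ip, history in histories.items()
    }
```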
Mohammad Alhyari Fri, 11/11/2011 - 12:08
User Badges: Cisco Employee

Hi.

Please attach the full debugs, and also the configuration.

Regards.

browe-tfx Fri, 11/11/2011 - 12:14

I have attached my ASA config and the debug of what I'm getting when trying to connect to the VPN.

talisman1310 Mon, 11/14/2011 - 04:01

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers will fail.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution18

vikz230884 Mon, 11/14/2011 - 22:46

Hi,

Usually I have a group-policy defined for it... but this one doesn't have it... Is the VPN client prompting for a username and password for authentication?

HTH,

Vikram

browe-tfx Mon, 11/21/2011 - 09:20

Hi all, sorry I'm late in responding. I'm beginning to think this is a design issue on my end, which actually brings me to my next question. Here is how my network was set up before the ASA:


Cisco 2911 Router -> Cisco 2960 Switch. The router houses the VLANs, and I just use the switch for providing access to the VLANs. I had the ASA plugged into the switch, but it wasn't getting a return route. This is probably because, as I just realized, the 2960 doesn't allow for routing: when I logged onto the ASA I would get "gateway of last resort not set" (even though I had one set).


So would it be better to plug the ASA into the free interface (gi0/2) on the router? If that is even possible.
