ASA 5510 remote access VPN

Answered Question
May 28th, 2012

Dears,

Good day,

Please I need your support on the following issue:-

I had configured remote access VPN on ASA 5510 as shown in the attached configuration file.

The problem is that when I try to connect via Cisco VPN Client I get this error (secure VPN connection terminated locally by the client, error 412).

Please can you support me in this issue.

Regards,

ASA Version 8.2(1)
!
hostname Active-ASA
enable password iwtL1y5uEVzS9Gp9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 50
ip address 10.11.13.3 255.255.255.0 standby 10.11.13.4
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.2 255.255.255.0 standby 192.168.4.3
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
shutdown
no nameif
security-level 50
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/824-k8.bin
boot system disk0:/824-k8.
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list internal extended permit udp any any eq isakmp
access-list internal extended permit udp any any eq 62515
access-list internal extended permit tcp any any
access-list internal extended permit udp any any eq 4500
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list external extended permit udp any any eq 62515
access-list external extended permit udp any any eq isakmp
access-list external extended permit tcp any any
access-list external extended permit udp any any eq 4500
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 10.11.13.0 255.255.255.0 192.168.77.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool babylon 192.168.77.1-192.168.77.33 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover interface ip failover 10.8.8.1 255.255.255.252 standby 10.8.8.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.13.100 1
route inside 192.168.5.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map bmap 10 set transform-set test
crypto dynamic-map bmap 10 set security-association lifetime seconds 288000
crypto dynamic-map bmap 10 set reverse-route
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy client internal
group-policy client attributes
vpn-simultaneous-logins 20
default-domain value babylon.com
user-authentication-idle-timeout none
username omar password Hu6b8CXoHv4DUaaV encrypted privilege 15
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool babylon
default-group-policy client
tunnel-group client ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:036b2f438b954f6aa8a5dd9286dcf66d
: end
Active-ASA#

Jennifer Halim Mon, 05/28/2012 - 05:16

I can see that your outside interface ip address is a private IP which means you have a NAT device in front of the ASA. Is your NAT device doing a NAT or PAT, and I assume that it's static NAT? Also make sure that the device in front of the ASA does not have any firewall/access-list that might be blocking the VPN traffic.

If you run debugs on the ASA, which phase is it failing?

You can run:

debug cry isa

debug cry ipsec

AliBahnam Mon, 05/28/2012 - 12:35

Thank you for your response,

Actually I have a router in front of the ASA where I configured a static NAT on it. (ip nat inside source static 10.11.13.3 109.224.52.14)

Regarding the Access list I configured an access list regarding the NAT.

Below is the debug that I collected:-

May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry

Appreciate your support.

Regards,

rizwanr74 Mon, 05/28/2012 - 12:46

Hi Ali,

Please try this...

crypto isakmp nat-traversal

Please let me know, if this helps.

thanks

Rizwan Rafeek

      AliBahnam Mon, 05/28/2012 - 13:41

      hi,

      I tried this command but it didn't work; I got the same error 412.

      Jennifer Halim Mon, 05/28/2012 - 18:33

      Is there any access-list on the router that might be preventing the access?

      It seems like phase 1 is not even established.

      Please share the router configuration.

      AliBahnam Mon, 05/28/2012 - 23:51

      Below is the router configuration:-

      Active_Router#sh run
      Building configuration...


      Current configuration : 7281 bytes
      !
      ! Last configuration change at 06:47:13 UTC Tue May 29 2012
      !
      version 15.0
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname Active_Router
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      !
      no aaa new-model
      !
      !
      !
      !
      no ipv6 cef
      ip source-route
      ip cef
      !
      !
      !
      !
      ip domain name yourdomain.com
      !
      multilink bundle-name authenticated
      !
      !
      !
      !
      !
      !
      crypto pki trustpoint TP-self-signed-3449375863
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-3449375863
      revocation-check none
      rsakeypair TP-self-signed-3449375863
      !
      !
      crypto pki certificate chain TP-self-signed-3449375863
      certificate self-signed 01
              quit
      voice-card 0
      !
      !
      !
      !
      !
      !
      license udi pid CISCO2911/K9 sn FCZ150473W7
      hw-module pvdm 0/0
      !
      !
      !
      username cisco1 privilege 15 password 0 cisco1
      !
      redundancy
      !
      !
      !
      track 1 interface GigabitEthernet0/0 line-protocol
      !
      !
      !
      !
      !
      !
      !
      interface Tunnel3
      description To Baghdad
      ip address 60.60.60.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.49.106
      !
      !
      interface Tunnel5
      description Diraaya
      ip address 70.70.70.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.53.74
      !
      !
      interface Tunnel7
      description Jazera Branch
      ip address 80.80.80.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.53.82
      !
      !
      interface Tunnel9
      description Nisaa Branch
      ip address 90.90.90.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.53.90
      !
      !
      interface Tunnel11
      description Askary Branch
      ip address 100.100.100.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.53.58
      !
      !
      interface Tunnel13
      description Karbalaa
      ip address 110.110.110.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.50.130
      !
      !
      interface Tunnel15
      description Nassriya
      ip address 120.120.120.2 255.255.255.0
      tunnel source GigabitEthernet0/0
      tunnel destination 109.224.50.114
      !
      !
      interface GigabitEthernet0/0
      description Connected to Public
      ip address 109.224.52.12 255.255.255.248
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      !
      !
      interface GigabitEthernet0/1
      description Connected to ASA
      ip address 10.11.13.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      duplex auto
      speed auto
      standby 1 ip 10.11.13.100
      standby 1 priority 105
      standby 1 preempt
      standby 1 track 1 decrement 10
      !
      !
      interface GigabitEthernet0/2
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      !
      ip forward-protocol nd
      !
      ip http server
      ip http access-class 23
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      !
      ip nat inside source list 10 interface GigabitEthernet0/0 overload
      ip nat inside source static 10.11.13.3 109.224.52.14
      ip route 0.0.0.0 0.0.0.0 109.224.52.9
      ip route 10.11.12.0 255.255.255.0 Tunnel3
      ip route 172.16.70.0 255.255.255.0 Tunnel5
      ip route 172.16.80.0 255.255.255.0 Tunnel5
      ip route 172.16.90.0 255.255.255.0 Tunnel7
      ip route 172.16.100.0 255.255.255.0 Tunnel7
      ip route 172.16.110.0 255.255.255.0 Tunnel9
      ip route 172.16.120.0 255.255.255.0 Tunnel9
      ip route 172.16.130.0 255.255.255.0 Tunnel11
      ip route 172.16.140.0 255.255.255.0 Tunnel11
      ip route 172.16.150.0 255.255.255.0 Tunnel13
      ip route 172.16.160.0 255.255.255.0 Tunnel13
      ip route 172.16.170.0 255.255.255.0 Tunnel15
      ip route 172.16.180.0 255.255.255.0 Tunnel15
      ip route 192.168.2.0 255.255.255.0 Tunnel3
      ip route 192.168.3.0 255.255.255.0 Tunnel3
      ip route 192.168.4.0 255.255.255.0 10.11.13.3
      ip route 192.168.5.0 255.255.255.0 10.11.13.3
      !
      access-list 10 permit 10.11.13.0 0.0.0.255
      access-list 10 permit 192.168.4.0 0.0.0.255
      access-list 10 permit 192.168.5.0 0.0.0.255
      !
      !
      !
      !
      !
      !
      control-plane
      !
      !
      !

      Regards,

      Jennifer Halim Tue, 05/29/2012 - 01:03

      Config looks ok.

      Can you please add the following on the ASA:

      crypto isakmp policy 3

      authentication pre-share

      encryption 3des

      hash sha

      group 2

      crypto isakmp policy 5

      authentication pre-share

      encryption 3des

      hash md5

      group 2

      AliBahnam Tue, 05/29/2012 - 01:22

      Dear,

      I can't use the 3des encryption on my ASA5510 (The 3DES/AES algorithms require a VPN-3DES-AES activation key).

      AliBahnam Tue, 05/29/2012 - 02:20

      Dear ,

      I downloaded and installed the license (3des) on the ASA.

      The status now is that the ASA asked me for the username, but after I entered the username a "not connected" message appeared.

      Below is the debug that I collected:-

      Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
      May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!

      By the way, I have two ASA5510s; after I installed the license the failover will be disabled. Please advise.

      Regards,

      Jennifer Halim Tue, 05/29/2012 - 03:13

      Yes, you can generate the activation key for both ASA and apply the corresponding activation key with the serial# of the ASA.

      Username is the one configured on the ASA, and from what I can see the username is "omar". Otherwise you can configure a new username and password on the ASA for authentication.

      AliBahnam Tue, 05/29/2012 - 03:25

      I created a new username, but after I entered the username the VPN client showed "securing communication channels" and then "not connected", as shown in the debug below:

      Active-ASA# May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac393928, mess id 0x209bf69d)!
      May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
      Active-ASA# May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac393928, mess id 0x209bf69d)!
      May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!

      Jennifer Halim Tue, 05/29/2012 - 04:27

      Also missing the split tunnel policy:

      access-list split-acl permit 192.168.4.0 255.255.255.0

      access-list split-acl permit 192.168.5.0 255.255.255.0

      access-list split-acl permit 10.11.13.0 255.255.255.0

      group-policy client attributes

        split-tunnel-policy tunnelspecified

        split-tunnel-network-list value split-acl

      AliBahnam Tue, 05/29/2012 - 04:52

      I added the split tunneling but have the same issue, as shown in the debug below:-

      Active-ASA# May 29 03:13:42 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac399d28, mess id 0x8a3d3ca3)!
      May 29 03:13:42 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
      Active-ASA# May 29 03:13:42 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac399d28, mess id 0x8a3d3ca3)!
      May 29 03:13:42 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!

      Jennifer Halim Tue, 05/29/2012 - 04:56

      Can you please share the complete debug outputs from the beginning as you connect to it. Thanks.

      AliBahnam Tue, 05/29/2012 - 05:02

      Active-ASA# May 29 03:26:06 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac399670, mess id 0x5964d318)!
      May 29 03:26:06 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!

      Correct Answer
      Jennifer Halim Tue, 05/29/2012 - 05:04

      Doesn't look like the complete output. Can you please run the following debugs:

      debug cry isa

      debug cry ipsec

      also logs from vpn client pls.
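As an added example (not code from the thread, from Cisco, or from any of the posters), a small Python classifier for the `[IKEv1]` debug lines pasted above: it reads already-unwrapped lines and reports, per peer IP, whether the failure sits in phase 1 (the "Removing peer from peer table" lines, where no ISAKMP SA was ever built) or in phase 2 (the "QM FSM error" lines, which only appear after phase 1 and XAUTH have succeeded). The sample lines, the stage table and the hint texts are my own assumptions, modelled on the thread.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): lines of the kind pasted in the thread,
# re-joined from their 80-column wraps; one phase-1 and one phase-2 failure.
SAMPLE_DEBUG = """\
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
"""

# Optional "hostname# " prompt, timestamp, "Key = value, " pairs, then the message.
LINE_RE = re.compile(
    r"^(?:\S+#\s*)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \[IKEv1\]: "
    r"(?P<fields>(?:\w+ = [^,]+, )*)(?P<msg>.*)$"
)

# Message fragment -> (rank, stage, what to check); higher rank = got further.
# A "Username =" field only appears once phase 1 and XAUTH have succeeded.
STAGES = {
    "Removing peer from peer table failed": (1, "phase1-failed",
        "no ISAKMP SA: check UDP 500/4500 through the NAT device, NAT-T, policy and PSK"),
    "QM FSM error": (2, "phase2-failed",
        "phase 1 + XAUTH ok, quick mode failed: check transform-set, nat0, pool, split-tunnel ACL"),
}
UNKNOWN = (0, "unknown", "no recognised pattern; capture the full 'debug crypto isakmp' output")

def parse_line(line):
    """Parse one IKEv1 debug line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "msg": m["msg"], "group": None, "username": None, "ip": None}
    for pair in filter(None, m["fields"].split(", ")):
        key, _, value = pair.partition(" = ")
        rec[key.lower()] = value  # Group / Username / IP -> group / username / ip
    rec["rank"], rec["stage"], rec["hint"] = next(
        (v for frag, v in STAGES.items() if frag in rec["msg"]), UNKNOWN)
    return rec

def summarise(text):
    """Per peer IP: the furthest stage its failures reached, plus the matching hint."""
    peers = defaultdict(lambda: {"rank": 0, "stage": "unknown", "hint": UNKNOWN[2],
                                 "username": None})
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["ip"] is None:
            continue
        peer = peers[rec["ip"]]
        peer["username"] = rec["username"] or peer["username"]
        if rec["rank"] > peer["rank"]:
            peer.update(rank=rec["rank"], stage=rec["stage"], hint=rec["hint"])
    return dict(peers)

print(summarise(SAMPLE_DEBUG))  # one verdict per peer when run stand-alone
```

Feed it the output of `debug crypto isakmp` from a terminal with a wide enough width (or after re-joining wrapped lines) so that each message stays on one line.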

      Posted May 28, 2012 at 4:03 AM