ASA 5510 remote access VPN

Ali Bahnam
Level 1

Dears,

Good day,

I need your support with the following issue:

I had configured remote access VPN on an ASA 5510 as shown in the attached configuration file.

The problem is that when I try to connect via the Cisco VPN client I get this error: "Secure VPN connection terminated locally by the client. Error 412".

Can you please support me with this issue?

Regards,

ASA Version 8.2(1)
!
hostname Active-ASA
enable password iwtL1y5uEVzS9Gp9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 50
ip address 10.11.13.3 255.255.255.0 standby 10.11.13.4
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.2 255.255.255.0 standby 192.168.4.3
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
shutdown
no nameif
security-level 50
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/824-k8.bin
boot system disk0:/824-k8.
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list internal extended permit udp any any eq isakmp
access-list internal extended permit udp any any eq 62515
access-list internal extended permit tcp any any
access-list internal extended permit udp any any eq 4500
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list external extended permit udp any any eq 62515
access-list external extended permit udp any any eq isakmp
access-list external extended permit tcp any any
access-list external extended permit udp any any eq 4500
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 10.11.13.0 255.255.255.0 192.168.77.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool babylon 192.168.77.1-192.168.77.33 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover interface ip failover 10.8.8.1 255.255.255.252 standby 10.8.8.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.13.100 1
route inside 192.168.5.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map bmap 10 set transform-set test
crypto dynamic-map bmap 10 set security-association lifetime seconds 288000
crypto dynamic-map bmap 10 set reverse-route
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy client internal
group-policy client attributes
vpn-simultaneous-logins 20
default-domain value babylon.com
user-authentication-idle-timeout none
username omar password Hu6b8CXoHv4DUaaV encrypted privilege 15
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool babylon
default-group-policy client
tunnel-group client ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:036b2f438b954f6aa8a5dd9286dcf66d
: end
Active-ASA#

Accepted Solution

Doesn't look like the complete output. Can you please run the following debugs:

debug cry isa

debug cry ipsec

Also the logs from the VPN client, please.


22 Replies

Jennifer Halim
Cisco Employee

I can see that your outside interface IP address is a private IP, which means you have a NAT device in front of the ASA. Is your NAT device doing NAT or PAT, and I assume that it's static NAT? Also make sure that the device in front of the ASA does not have any firewall/access-list that might be blocking the VPN traffic.

If you run debugs on the ASA, which phase is it failing?

You can run:

debug cry isa

debug cry ipsec

Thank you for your response.

Actually I have a router in front of the ASA where I configured a static NAT on it (ip nat inside source static 10.11.13.3 109.224.52.14).

Regarding the access list, I configured an access list for the NAT.

Below is the debug that I collected:

May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry

Appreciate your support.

Regards,

rizwanr74
Level 7

Hi Ali,

Please try this...

crypto isakmp nat-traversal

Please let me know, if this helps.

thanks

Rizwan Rafeek

    Hi,

    I tried this command but it didn't work; I got the same error 412.

    Is there any access-list on the router that might be preventing the access?

    It seems like phase 1 is not even established.

    Please share the router configuration.

    Below is the router configuration:

    Active_Router#sh run
    Building configuration...


    Current configuration : 7281 bytes
    !
    ! Last configuration change at 06:47:13 UTC Tue May 29 2012
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Active_Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    !
    !
    no ipv6 cef
    ip source-route
    ip cef
    !
    !
    !
    !
    ip domain name yourdomain.com
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-3449375863
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3449375863
    revocation-check none
    rsakeypair TP-self-signed-3449375863
    !
    !
    crypto pki certificate chain TP-self-signed-3449375863
    certificate self-signed 01
      30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33343439 33373538 3633301E 170D3132 30313138 30393432
      31365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34343933
      37353836 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100EBAD 2AF80BBA 74D267B3 876D8FD0 6925D8B9 3E3C84FA 54C64F6B 63EA0534
      8236CF0F ED27DB94 11DA2A67 B2054D80 AAAB1300 A39612D2 264F0FE7 679737BC
      6C771037 C1ED27D7 F56F1A47 862F050E 3FBF4C38 ED20069C 2BB45BC6 9AEF29BE
      28B10A7D C8BFD47C 8747C0FD 4495B6EC 5C9448F3 D57B33E5 722A5E39 FD1097E8
      E2950203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
      551D1104 20301E82 1C416374 6976655F 526F7574 65722E79 6F757264 6F6D6169
      6E2E636F 6D301F06 03551D23 04183016 801420B0 DB69DE22 1247641D DC6CC8E3
      839EEC7F 7C5D301D 0603551D 0E041604 1420B0DB 69DE2212 47641DDC 6CC8E383
      9EEC7F7C 5D300D06 092A8648 86F70D01 01040500 03818100 8DCCEA7F 4494BB53
      91688CC2 AA59CEF4 6B8C2390 392E5537 14E8DB6E EB502D14 E9AF317E BACEC894
      6E0B9669 B89FD454 9ACEEF38 60DCBEA9 9FD91B92 4966FCCE 24DB9A59 DF559067
      BCC1ED70 0116CE7E B4663C13 C7EE8A44 46B56240 B3D57CAB E8BBDA78 039B90D5
      A49DE91F DFF109F7 B7FD54B4 A53F9CCA 856D5274 025B9F7C
            quit
    voice-card 0
    !
    !
    !
    !
    !
    !
    license udi pid CISCO2911/K9 sn FCZ150473W7
    hw-module pvdm 0/0
    !
    !
    !
    username cisco1 privilege 15 password 0 cisco1
    !
    redundancy
    !
    !
    !
    track 1 interface GigabitEthernet0/0 line-protocol
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel3
    description To Baghdad
    ip address 60.60.60.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.49.106
    !
    !
    interface Tunnel5
    description Diraaya
    ip address 70.70.70.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.53.74
    !
    !
    interface Tunnel7
    description Jazera Branch
    ip address 80.80.80.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.53.82
    !
    !
    interface Tunnel9
    description Nisaa Branch
    ip address 90.90.90.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.53.90
    !
    !
    interface Tunnel11
    description Askary Branch
    ip address 100.100.100.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.53.58
    !
    !
    interface Tunnel13
    description Karbalaa
    ip address 110.110.110.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.50.130
    !
    !
    interface Tunnel15
    description Nassriya
    ip address 120.120.120.2 255.255.255.0
    tunnel source GigabitEthernet0/0
    tunnel destination 109.224.50.114
    !
    !
    interface GigabitEthernet0/0
    description Connected to Public
    ip address 109.224.52.12 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    !
    interface GigabitEthernet0/1
    description Connected to ASA
    ip address 10.11.13.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    standby 1 ip 10.11.13.100
    standby 1 priority 105
    standby 1 preempt
    standby 1 track 1 decrement 10
    !
    !
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    !
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 10 interface GigabitEthernet0/0 overload
    ip nat inside source static 10.11.13.3 109.224.52.14
    ip route 0.0.0.0 0.0.0.0 109.224.52.9
    ip route 10.11.12.0 255.255.255.0 Tunnel3
    ip route 172.16.70.0 255.255.255.0 Tunnel5
    ip route 172.16.80.0 255.255.255.0 Tunnel5
    ip route 172.16.90.0 255.255.255.0 Tunnel7
    ip route 172.16.100.0 255.255.255.0 Tunnel7
    ip route 172.16.110.0 255.255.255.0 Tunnel9
    ip route 172.16.120.0 255.255.255.0 Tunnel9
    ip route 172.16.130.0 255.255.255.0 Tunnel11
    ip route 172.16.140.0 255.255.255.0 Tunnel11
    ip route 172.16.150.0 255.255.255.0 Tunnel13
    ip route 172.16.160.0 255.255.255.0 Tunnel13
    ip route 172.16.170.0 255.255.255.0 Tunnel15
    ip route 172.16.180.0 255.255.255.0 Tunnel15
    ip route 192.168.2.0 255.255.255.0 Tunnel3
    ip route 192.168.3.0 255.255.255.0 Tunnel3
    ip route 192.168.4.0 255.255.255.0 10.11.13.3
    ip route 192.168.5.0 255.255.255.0 10.11.13.3
    !
    access-list 10 permit 10.11.13.0 0.0.0.255
    access-list 10 permit 192.168.4.0 0.0.0.255
    access-list 10 permit 192.168.5.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !

    Regards,

    Config looks ok.

    Can you please add the following on the ASA:

    crypto isakmp policy 3

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    crypto isakmp policy 5

    authentication pre-share

    encryption 3des

    hash md5

    group 2
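
The two suggestions made so far in this thread (turning on NAT traversal because the ASA's outside interface carries a private address, and adding IKE policies that do not rely on single DES) can be checked mechanically. The following is an added example, not code from the original thread or from Cisco: a small linter for an ASA 8.2 running-config excerpt. The two config strings are constructed from the configuration posted earlier in this thread, with sub-command indentation restored; the "fixed" variant assumes the 3DES/AES activation key is installed. The finding prefixes (nat-t, weak-ike, weak-ipsec, isakmp) are this example's own naming.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 configuration posted earlier in this thread,
# reduced to the lines the checks below inspect (indentation restored).
WEAK_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 10.11.13.3 255.255.255.0 standby 10.11.13.4
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto dynamic-map bmap 10 set transform-set test
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""

# Same excerpt with the changes suggested in the thread applied (constructed;
# assumes the VPN-3DES-AES activation key is present on the unit).
FIXED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 10.11.13.3 255.255.255.0 standby 10.11.13.4
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto dynamic-map bmap 10 set transform-set test
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""


def parse_sections(config):
    """Split a running-config into (header, [sub-commands]) blocks.

    ASA prints sub-commands indented by one space; '!' lines are separators.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _arg(body, prefix, index):
    """Return word `index` of the first sub-command starting with `prefix`."""
    for line in body:
        if line.startswith(prefix):
            return line.split()[index]
    return None


def lint(config):
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    findings = []

    # 1. A private address on the outside interface means a NAT device sits in
    #    front of the ASA (the situation in this thread); without NAT-T the
    #    ESP traffic cannot be UDP-encapsulated, so require it to be configured.
    nat_t = any(h.startswith("crypto isakmp nat-traversal") for h in headers)
    for header, body in sections:
        if not header.startswith("interface "):
            continue
        addr = _arg(body, "ip address ", 2)
        if (_arg(body, "nameif ", 1) == "outside" and addr
                and ipaddress.ip_address(addr).is_private and not nat_t):
            findings.append("nat-t: outside interface %s is RFC1918 but "
                            "'crypto isakmp nat-traversal' is missing" % addr)

    # 2. IKEv1 policies that negotiate single DES (56-bit, long deprecated)
    for header, body in sections:
        if header.startswith("crypto isakmp policy ") and _arg(body, "encryption ", 1) == "des":
            findings.append("weak-ike: %s uses single DES" % header)

    # 3. Transform sets that protect data with ESP-DES
    for header in headers:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", header)
        if m and "esp-des" in m.group(2).split():
            findings.append("weak-ipsec: transform-set %s uses esp-des" % m.group(1))

    # 4. The interface a crypto map is bound to must also have ISAKMP enabled
    for header in headers:
        m = re.match(r"crypto map (\S+) interface (\S+)", header)
        if m and "crypto isakmp enable %s" % m.group(2) not in headers:
            findings.append("isakmp: crypto map %s is on %s but ISAKMP is not enabled there" % m.groups())

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg) or "no findings")
```

Running it against the posted excerpt reports three findings (no NAT-T, a DES-only IKE policy, and an ESP-DES transform set) and none against the corrected excerpt. The checks are deliberately line-oriented rather than a full config parser, which is enough for a `show run` paste but will not follow `crypto map` entries that reference transform sets defined in a different order.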

    Dear,

    I can't use 3DES encryption on my ASA 5510 (the 3DES/AES algorithms require a VPN-3DES-AES activation key).

    You can get the 3DES license for free from the following:

    https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

    The link is not working.

    Sorry, the link is working (http).

    Dear ,

    I downloaded and installed the (3DES) license on the ASA.

    The status now: the ASA asked me for the username, but after I entered the username the message "not connected" appeared.

    Below is the debug that I collected:

    Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
    May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!

    By the way, I have two ASA 5510s; after I installed the license the failover was disabled. Please advise.

    Regards,

    Yes, you can generate the activation key for both ASAs and apply the corresponding activation key matching the serial number of each ASA.

    The username is the one configured on the ASA, and from what I can see the username is "omar". Otherwise you can configure a new username and password on the ASA for authentication.

    I created a new username, but after I entered the username the VPN client shows "securing communication channels" and then "not connected", as shown in the debug below:

    Active-ASA# May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac393928, mess id 0x209bf69d)!
    May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
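
The thread's two debug captures fail at different points: the first one (before the license change) shows peer-table errors with no username, which is why the reply above concluded that phase 1 was never established; the later ones carry a Username field, so XAUTH already ran, and the "QM FSM error" is the Quick Mode (phase 2) state machine failing. The following added example, not part of the original thread or any Cisco tool, parses `debug crypto isakmp` lines of this shape and assigns each event to a stage so the two situations can be told apart from a capture. The sample lines are constructed from the debug output posted in this thread (terminal line wraps joined); the stage names and the hints in `diagnosis()` are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug excerpts posted in this thread.
# The third line keeps the "Active-ASA#" prompt that the paste contained.
SAMPLE_DEBUG = """\
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
"""

# "<month> <day> <hh:mm:ss> [IKEv1]: Group = g, [Username = u, ]IP = a.b.c.d, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)
PROMPT_RE = re.compile(r"^[\w-]+# ")   # leading "hostname# " left in by the terminal


def parse_line(line):
    """Return the fields of one IKEv1 debug line, or None if it is not one."""
    line = PROMPT_RE.sub("", line.strip())
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Heuristic stage assignment for a parsed event.

    The Username field only appears once XAUTH has run, i.e. after phase 1
    completed; "QM FSM error" is the Quick Mode (phase 2) machine failing;
    peer-table teardown with no user yet means phase 1 never finished.
    """
    msg = event["msg"]
    if "QM FSM error" in msg:
        return "phase2"
    if "correlator table" in msg:
        return "phase2_cleanup"   # teardown that follows a phase 2 failure
    if event["user"] is None and ("peer table" in msg or "PeerTblEntry" in msg):
        return "phase1"
    return "other"


def summarize(text):
    """Count events per stage and record which stages each peer IP reached."""
    counts = Counter()
    peers = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        counts[stage] += 1
        peers.setdefault(ev["ip"], set()).add(stage)
    return counts, peers


def diagnosis(text):
    """One-line reading of the capture with the first things to verify."""
    counts, _ = summarize(text)
    if counts["phase2"]:
        return ("phase 2 (Quick Mode) failing: compare the client's IPsec proposal "
                "with the transform-set on the dynamic map and check the NAT-exemption ACL")
    if counts["phase1"]:
        return ("phase 1 never completes: compare ISAKMP policies, enable NAT-T and "
                "confirm UDP/500 and UDP/4500 reach the ASA through the router")
    return "no IKEv1 failure recognised in the capture"


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_DEBUG)
    print(dict(counts))
    for ip, stages in peers.items():
        print(ip, sorted(stages))
    print(diagnosis(SAMPLE_DEBUG))
```

Feed it the raw output of `debug crypto isakmp` (after `terminal monitor`, or a captured session log) and it reports, per peer address, how far the negotiation got; when a single capture contains both kinds of event the phase 2 reading wins, since a peer that reaches Quick Mode has by definition passed phase 1.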
