Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Easy VPN access - Connection failure

I have configured my ASA to recieve EASY VPN connections from 877 and 871 routers. All routers eventually connect but the ASA is throwing up these messages when 'debug crypto isakmp' is set off:

Nov 28 14:15:15 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Error: Unable to remove PeerTblEntry

Nov 28 14:15:16 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Removing peer from peer table failed, no match!

Nov 28 14:15:16 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Error: Unable to remove PeerTblEntry

Nov 28 14:15:17 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Removing peer from peer table failed, no match!

Nov 28 14:17:05 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 58.105.25.1, Removing peer from peer table failed, no match!

Nov 28 14:17:39 [IKEv1]: Group = DefaultRAGroup, IP = 58.105.25.1, Removing peer from peer table failed, no match!

Nov 28 14:17:39 [IKEv1]: Group = DefaultRAGroup, IP = 58.105.25.1, Error: Unable to remove PeerTblEntry

The authentication for the easy vpn is via a radius server and the username and password is held on there for the end routers connecting.

This is leading to the connection attempts continuing for hours and it is happening every 1 second for some of these routers. Not exactly pushing the Radius server hard but something it could do without.

Thoughts anyone?

4 REPLIES
Cisco Employee

Re: Easy VPN access - Connection failure

Can you cenable the following on the ASA

"deb cry isa 128" "deb cry ipsec 128"

And on the router side:

"deb cry isa"

"deb cry ipsec"

Collect those and let me take a look at why this is happening.

Thanks

Gilbert

New Member

Re: Easy VPN access - Connection failure

Gilbert,

The above info is from the ASA debug crypto isakmp...

Rick

New Member

Re: Easy VPN access - Connection failure

More debug from the ASA using

debug crypto isakmp 128

Cisco Employee

Re: Easy VPN access - Connection failure

Hi,

Thanks for sending the debugs from the ASA. I understand that you have the routers configured for EzVPN connection to the ASA.

If that be the case, do you have a specific group configured for the EzVPN clients on the ASA.

If you do, then the connections for the EzVPN should be landing on the group configured for EzVPN connections and not on the DefaultRAGroup.

Seems like there is something wrong on the ASA configuration.

Please check the ASA configuration.

- Gilbert

488
Views
0
Helpful
4
Replies