03-11-2014 12:02 AM - edited 03-10-2019 06:09 AM
Dear Techies,
The following messages are being generated on the ASA, and when they start appearing our VPN clients (remote users) fail to pass through the IKE phase and the VPN client gets the message "VPN CLIENT ERROR".
We cleared all VPN sessions, reapplied the crypto map for the remote VPNs and also shut down the outside interface, but all in vain: nothing changed and the same error kept being generated. Rebooting the ASA resolves the problem, which is not a permanent solution. Your help is required to find a solution to this issue. Attached are the logs that were generated on the ASA related to this issue.
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:43 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = khiap, IP = 119.160.51.248, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = shwcrm, IP = 182.185.169.162, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = lhrap, IP = 182.185.239.172, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = pshdmr, IP = 175.107.56.173, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = islrm, IP = 115.186.137.197, Can't create conn entry!
2014-03-10 11:56:08 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = inkot, IP = 182.186.112.233, Can't create conn entry!
2014-03-10 11:56:08 Local4.Critical Firewall Mar 10 2014 11:53:45 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = khiap, IP = 119.73.92.220, Can't create conn entry!
2014-03-10 11:56:09 Local4.Critical Firewall Mar 10 2014 11:53:45 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = muldmr, IP = 182.185.169.162, Can't create conn entry!
2014-03-10 11:56:09 Local4.Critical Firewall Mar 10 2014 11:53:45 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = khiap, IP = 119.73.92.220, Can't create conn entry!
2014-03-10 11:56:09 Local4.Critical Firewall Mar 10 2014 11:53:46 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = dikdmr, IP = 182.181.238.131, Can't create conn entry!
2014-03-10 11:56:09 Local4.Error Firewall Mar 10 2014 11:53:46 172.16.208.1 : %ASA-3-713203: IKE Receiver: Error reading from socket.
2014-03-10 12:05:57 Local4.Error Firewall Mar 10 2014 12:03:34 172.16.208.1 : %ASA-3-713232: IP = 182.181.238.131, SA lock refCnt = 1, bitmask = 00000002, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
2014-03-10 12:06:03 Local4.Debug Firewall Mar 10 2014 12:03:39 172.16.208.1 : %ASA-7-713052: Group = test_tunnel, Username = lhrcrm1, IP = 182.185.151.238, User (lhrcrm1) authenticated.
2014-03-10 12:06:03 Local4.Debug Firewall Mar 10 2014 12:03:39 172.16.208.1 : %ASA-7-713052: Group = test_tunnel, Username = sukdmr, IP = 39.51.65.61, User (sukdmr) authenticated.
2014-03-10 12:06:03 Local4.Warning Firewall Mar 10 2014 12:03:40 172.16.208.1 : %ASA-4-713903: Group = test_tunnel, Username = lhrcrm1, IP = 182.185.151.238, ERROR: IKE failed trying to create a session manager entry
2014-03-10 12:06:03 Local4.Warning Firewall Mar 10 2014 12:03:40 172.16.208.1 : %ASA-4-713903: Group = test_tunnel, Username = sukdmr, IP = 39.51.65.61, ERROR: IKE failed trying to create a session manager entry
2014-03-10 14:18:47 Local4.Error Firewall Mar 10 2014 14:16:24 172.16.208.1 : %ASA-3-713232: IP = 182.181.238.131, SA lock refCnt = 1, bitmask = 00000002, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
2014-03-10 14:18:47 Local4.Error Firewall Mar 10 2014 14:16:24 172.16.208.1 : %ASA-3-713232: IP = 182.186.27.230, SA lock refCnt = 1, bitmask = 00000002, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
2014-03-10 18:53:07 Local4.Warning Firewall Mar 10 2014 18:50:44 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x57D) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:16 Local4.Warning Firewall Mar 10 2014 18:50:54 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x57E) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:18 Local4.Warning Firewall Mar 10 2014 18:50:56 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x637D43E2, sequence number= 0x22C) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 10.10.9.2/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:26 Local4.Warning Firewall Mar 10 2014 18:51:04 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x57F) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:28 Local4.Warning Firewall Mar 10 2014 18:51:06 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x637D43E2, sequence number= 0x22D) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 10.10.9.2/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:36 Local4.Warning Firewall Mar 10 2014 18:51:14 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x580) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:38 Local4.Warning Firewall Mar 10 2014 18:51:16 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x637D43E2, sequence number= 0x22E) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 10.10.9.2/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:46 Local4.Warning Firewall Mar 10 2014 18:51:24 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x581) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:53:56 Local4.Warning Firewall Mar 10 2014 18:51:34 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x582) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:54:06 Local4.Warning Firewall Mar 10 2014 18:51:44 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x583) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:54:08 Local4.Warning Firewall Mar 10 2014 18:51:46 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x637D43E2, sequence number= 0x232) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 10.10.9.2/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
2014-03-10 18:54:16 Local4.Warning Firewall Mar 10 2014 18:51:54 172.16.208.1 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xA81E0AFF, sequence number= 0x584) from 202.47.94.1 (user= 202.47.94.1) to 125.209.115.240. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 125.209.115.240, its source as 202.47.94.1, and its protocol as 1. The SA specifies its local proxy as 172.16.192.116/255.255.255.255/0/0 and its remote_proxy as 192.168.232.51/255.255.255.255/0/0.
ASA# sh vpn-sessiondb remote
Session Type: IPsec
Username : bwpdmr Index : 29424
Assigned IP : 192.168.x.x Public IP : x.x.x.x
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : 3DES Hashing : MD5 SHA1
Bytes Tx : 0 Bytes Rx : 0
Group Policy : DfltGrpPolicy Tunnel Group : test_tunnel
Login Time : 14:18:59 UTC Mon Mar 10 2014
Duration : 0h:00m:22s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
Username : muldmr Index : 29425
Assigned IP : 192.168.172.207 Public IP : 182.185.169.162
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : 3DES Hashing : MD5 SHA1
Bytes Tx : 0 Bytes Rx : 641
Group Policy : DfltGrpPolicy Tunnel Group : test_tunnel
Login Time : 14:19:00 UTC Mon Mar 10 2014
Duration : 0h:00m:21s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA# show memory
Free memory: 94703144 bytes (18%)
Used memory: 442167768 bytes (82%)
------------- ----------------
Total memory: 536870912 bytes (100%)
Please help me with this issue.
Regards,
Farhan.
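A triage sketch for logs in the format posted above, added here as an example and not part of the original post or of any Cisco tooling: it parses the ASA syslog lines and groups the 713901/713903 session-creation failures into bursts, reporting only bursts that hit several distinct users at once, which is the pattern visible in the posted logs. The sample lines, user names, addresses, the 10-second gap and the three-user threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same layout as the posted syslog lines
# (user names and documentation-range addresses are made up).
SAMPLE = """\
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:43 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = user1, IP = 203.0.113.10, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = user2, IP = 203.0.113.20, Can't create conn entry!
2014-03-10 11:56:07 Local4.Critical Firewall Mar 10 2014 11:53:44 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = user3, IP = 198.51.100.5, Can't create conn entry!
2014-03-10 11:56:08 Local4.Critical Firewall Mar 10 2014 11:53:45 172.16.208.1 : %ASA-2-713901: Group = test_tunnel, Username = user1, IP = 203.0.113.10, Can't create conn entry!
2014-03-10 11:56:09 Local4.Error Firewall Mar 10 2014 11:53:46 172.16.208.1 : %ASA-3-713203: IKE Receiver: Error reading from socket.
2014-03-10 12:06:03 Local4.Debug Firewall Mar 10 2014 12:03:39 172.16.208.1 : %ASA-7-713052: Group = test_tunnel, Username = user4, IP = 198.51.100.7, User (user4) authenticated.
2014-03-10 12:06:03 Local4.Warning Firewall Mar 10 2014 12:03:40 172.16.208.1 : %ASA-4-713903: Group = test_tunnel, Username = user4, IP = 198.51.100.7, ERROR: IKE failed trying to create a session manager entry
"""

# Device timestamp, reporting host, then the %ASA-<severity>-<message id> tag.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
FIELD_RE = re.compile(r"(Group|Username|IP) = ([^,]+)")
SESSION_FAIL_IDS = {"713901", "713903"}  # the two failure messages in the post

def parse(line):
    """Return msgid, severity, device time and Group/Username/IP, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {k.lower(): v.strip() for k, v in FIELD_RE.findall(m["body"])}
    rec["msgid"], rec["severity"] = m["msgid"], int(m["sev"])
    rec["time"] = datetime.strptime(" ".join(m["ts"].split()), "%b %d %Y %H:%M:%S")
    return rec

def failure_bursts(text, gap=timedelta(seconds=10), min_users=3):
    """Cluster session-creation failures separated by <= gap; keep multi-user bursts."""
    events = sorted(
        (r for r in map(parse, text.splitlines())
         if r and r["msgid"] in SESSION_FAIL_IDS and "username" in r),
        key=lambda r: r["time"])
    bursts = []
    for ev in events:
        if not bursts or ev["time"] - bursts[-1][-1]["time"] > gap:
            bursts.append([])  # quiet period exceeded: start a new burst
        bursts[-1].append(ev)
    return [{"start": b[0]["time"], "end": b[-1]["time"], "events": len(b),
             "users": sorted({e["username"] for e in b}),
             "peers": sorted({e.get("ip", "") for e in b})}
            for b in bursts if len({e["username"] for e in b}) >= min_users]

if __name__ == "__main__":
    for burst in failure_bursts(SAMPLE):
        print(burst)
```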
03-13-2014 07:37 AM