06-06-2007 11:12 AM - edited 02-21-2020 03:05 PM
Trying to set up remote VPN into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking GUI examples.
06-06-2007 11:23 AM
Post config or check Windows Firewall.
Here's a good doc on common VPN problems...
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
06-06-2007 12:15 PM
Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
06-06-2007 12:40 PM
You need NAT exemption. Verify you are using correct groupname (iboundvpn) and shared key.
access-list nat0 extended permit ip 10.128.28.0 255.255.254.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nat0
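An added example, not part of the original thread: a small parser for IKEv1 debug lines in the format quoted above that groups them by tunnel group and peer, and flags peers logged under a group other than the intended one (here `iboundvpn`, the name mentioned in the reply). The sample lines and the `summarize` helper are constructed for illustration, and reading a `DefaultRAGroup` entry as a group-name mismatch is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE = """\
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!
Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry
Jun 06 15:06:10 [IKEv1]: Group = iboundvpn, IP = 10.15.1.130, Error: Unable to remove PeerTblEntry
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)

def summarize(text, expected_group, year=2007):
    """Group IKEv1 debug lines by (group, peer IP).

    Returns one record per pair with the number of distinct timestamps,
    the gaps between them in seconds, and whether the group the device
    logged differs from the group the client was meant to use.
    The log format carries no year, so one is supplied (assumption).
    """
    seen = defaultdict(set)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not IKEv1 group/peer messages
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["group"], m["ip"])].add(ts)

    report = []
    for (group, ip), stamps in sorted(seen.items()):
        ordered = sorted(stamps)
        gaps = [int((b - a).total_seconds()) for a, b in zip(ordered, ordered[1:])]
        report.append({
            "group": group,
            "ip": ip,
            "bursts": len(ordered),
            "gaps_s": gaps,
            "group_mismatch": group != expected_group,
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE, expected_group="iboundvpn"):
        print(row)
```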
06-06-2007 01:24 PM
Well I tried that and also with a slight modification on names from this page
Still no luck. I am thinking it has something to do with how I am networked here. I have the ASA in a lab environment with its permanent IPs routed through internally, and since I am not going out on the internet from my PC, it isn't being NATed and I think that is where the problem is. When I get home I will try it from there and see if I can connect. I have a PIX out in service that works just fine with the same configuration with the exception of the addressing that works fine, so I am thinking it has to be routing weird here.
06-06-2007 07:56 PM
I had trouble once getting the VPN client to work with a 3845. For some reason it didn't like that I was routing packets to my Linksys first and then to the 3845. I took the Linksys out of the equation and it worked great. Very strange because all was on the inside network before any NAT... that I know of.
06-07-2007 05:08 AM
That is what I am thinking is the problem. I have everything else programmed that needed to be programmed so I can go ahead and install this and hopefully once it is installed the VPN will work and all I will need to do is fine tune it for the specific user access rights.