Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

STUMPED! VPN into ASA5510 not working

Trying to setup remote vpn into a 5510, ran through the wizard, have the preshare and usernames, along with the pool configured. No errors when uploaded, but the Cisco VPN client does not connect at all, Reason 412. I have all crypto debugs running and I got nothing when I try to connect. If I had fat fingered the preshare or the username, I would at least think I would see some debug info when I tried to connect, but I got nothing. I have done this type of setup via the CLI on PIX and have not had problems, but I am not familiar with the new commands, and all I can find are stinking gui examples.

6 REPLIES
Green

Re: STUMPED! VPN into ASA5510 not working

Post config or check windows firewall.

Here's a good doc on common vpn problems...

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

New Member

Re: STUMPED! VPN into ASA5510 not working

Well, I rebuilt from scratch through CLI, and at least now I have some debug output, but still stumped. Still get the same error with the client.

Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:37 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:42 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:47 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Removing peer from peer table failed, no match!

Jun 06 15:05:52 [IKEv1]: Group = DefaultRAGroup, IP = 10.15.1.121, Error: Unable to remove PeerTblEntry

Green

Re: STUMPED! VPN into ASA5510 not working

You need nat exemption. Verify you are using correct groupname (iboundvpn) and shared key.

access-list nat0 extended permit ip 10.128.28.0 255.255.254.0 172.16.200.0 255.255.255.0

nat (inside) 0 access-list nat0

New Member

Re: STUMPED! VPN into ASA5510 not working

Well I tried that and also with a slight modification on names from this page

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Still no luck. I am thinking it has something to do with how I am networked here. I have the ASA in a lab environment with its permanent IP's routed through internally, and since I am not going out on the internet from my PC, it isnt being NATTED and I think that is where the problem is. WHen I get home I will try it from there and see if I can connected. I have a PIX out in service tht works just fine with the same configuration with the exception of the addressing that works fine, so I am thinking it has to be routing weird here.

New Member

Re: STUMPED! VPN into ASA5510 not working

I had trouble once getting the VPN client to work with a 3845. For some reason it didn't like that I was routing packets to my linksys first and then to the 3845. I took the linksys out of the equation and it worked great. Very strange because all was on the inside network before any NAT....that I know of.

New Member

Re: STUMPED! VPN into ASA5510 not working

That is what I am thinking is the problem. I have everything else programmed that needed to be programmed so I can go ahead and install this and hopefully once it is installed the VPN will work and all I will need to do is fine tune it for the specific user access rights.

215
Views
0
Helpful
6
Replies