Trouble connecting to ASA5505 VPN

thomas.estes (Level 1)

I have gone through the "VPN Wizard", selected remote access and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."

Any help appreciated.

33 Replies

acomiskey (Level 10)

thomas, would you like to post the config?

names
!
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Cisco internal
group-policy Cisco attributes
 dns-server value 64.89.70.2 64.89.74.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Cisco_splitTunnelAcl
 default-domain value amcinc.us
username xxxx password xxx encrypted
username xxxxx password xxx encrypted privilege 15
username xxxxx password xxx encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

So I have run the vpn "remote" wizard and setup "Cisco" as a group and tunnel. Do I need to use "Cisco" as the group name in the VPN client? Or do I use the ID for the user that I set up in the VPN client? If it is the group name then what is the password, as I did not set up one on the ASA?

Yes, Cisco would be the group name in the client. The password would be the "pre-shared key" under the attributes for the Cisco tunnel-group.

Ok,

I tried that with Cisco as the group name and the "pre-shared" key as the password. I still get the Reason: 412.

Windows firewall is running so I added cvpn to it and I am still having the problem.

Post a show run sysopt.

Also, could you log on asa with debug crypto isakmp 7?

ASA5505# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

How do I "log on asa with debug crypto isakmp 7"?
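The replies so far walk the posted config for the usual ipsec-ra prerequisites one at a time (isakmp enabled on outside, NAT-T, a dynamic crypto map bound to outside, sysopt connection permit-vpn, a NAT-exempt client pool). The script below is an added example, not from this thread, that runs those checks over a running-config text; SAMPLE is a constructed excerpt of the config and sysopt output posted above, and the check names are my own. It validates the box-side configuration only and does not by itself explain a Reason 412 on the client.

```python
import ipaddress
import re
# Constructed excerpt of the running-config and 'show run sysopt' output posted above.
SAMPLE = """\
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
address-pool RemoteClientPool
sysopt connection permit-vpn
"""
def _net(toks):
    # Consume one ASA address spec from the token list: 'any', 'host A' or 'A MASK'.
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)
def check_ra_vpn(config, outside="outside"):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def grab(pat):
        return [m for ln in lines if (m := re.fullmatch(pat, ln))]
    checks = {name: bool(grab(pat)) for name, pat in [
        ("isakmp_enabled_on_outside", rf"crypto isakmp enable {outside}"),
        ("nat_traversal_enabled", r"crypto isakmp nat-traversal( \d+)?"),
        ("sysopt_permit_vpn", r"sysopt connection permit-vpn"),
        ("ra_tunnel_group_defined", r"tunnel-group \S+ type ipsec-ra")]}
    # The crypto map applied to the outside interface must carry a dynamic entry.
    bound = [m.group(1) for m in grab(rf"crypto map (\S+) interface {outside}")]
    checks["dynamic_crypto_map_on_outside"] = any(
        grab(rf"crypto map {re.escape(n)} \d+ ipsec-isakmp dynamic \S+") for n in bound)
    # Client pool must be NAT-exempt: each 'address-pool' must sit inside a dst net of the nat 0 ACL.
    exempt = []
    for acl in [m.group(1) for m in grab(r"nat \(inside\) 0 access-list (\S+)")]:
        for m in grab(rf"access-list {re.escape(acl)} extended permit ip (.*)"):
            toks = m.group(1).split()
            exempt.append((_net(toks), _net(toks))[1])  # parse src, keep dst
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in grab(r"ip local pool (\S+) (\S+)-(\S+) mask \S+")}
    used = [pools[m.group(1)] for m in grab(r"address-pool (\S+)") if m.group(1) in pools]
    checks["pool_exempt_from_nat"] = bool(used) and all(
        any(lo in n and hi in n for n in exempt) for lo, hi in used)
    return checks
```

Feed it the output of "show run" plus "show run sysopt" and every key should come back True; a False on the pool check usually means the nat 0 ACL does not cover the pool handed out by the tunnel-group.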

kk did "debug crypto isakmp 7".

"How do I "log on asa with debug crypto isakmp 7"?"

Depends how you are connecting to it...

console:
debug crypto isakmp 7
logging console debugging

telnet/ssh:
debug crypto isakmp 7
logging monitor debugging

ASDM:
debug crypto isakmp 7 from the CLI, then launch Monitor -> Logging window

ASDM - Debug commands are not supported in CLI Window.

ssh - logging monitor = invalid input detected at monitor. Only option is savelog.

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one):

asa(config)# debug crypto isakmp 7

then use ASDM logging window

Ok, have done that and I retried the connection. I still get the Reason 412. And I do not see anything in that SSH window.

How about the ASDM logging window, you see nothing from the vpn client? Is there another firewall in front of the ASA or anything which would be blocking vpn from the client?
