06-12-2007 08:11 AM - edited 02-21-2020 03:06 PM
I have gone through the "VPN Wizard", selected remote access and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."
Any help appreciated.
06-13-2007 07:02 AM
No there are no other devices. I noticed when I re-ran the "VPN Wizard" that IKE defaults to DH Group 2. Should I set logging to group 2, or should I change the tunnel to use 7?
06-13-2007 07:04 AM
dh group 2 has nothing to do with logging level 7.
06-13-2007 07:45 AM
asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7
or just (I would do this one)
asa(config)# debug crypto isakmp 7
then use ASDM logging window
Which ASDM window? The real time log viewer? If so, I am not seeing any additional information.
06-13-2007 07:19 AM
also your vpn pool is the same as your LAN. to prevent ip address overlapping, it's recommended to use another ip subnet for vpn pool.
06-13-2007 07:27 AM
I see in the ASDM Real Time Log Viewer set to debug level that the remote IP address for the PC that I am trying to VPN in from is trying to talk to the internal SMTP server. Do I need additional VPN server software running internally or does the ASA5505 handle that?
I am still getting the 412. I built a new tunnel and password, still no luck.
06-13-2007 07:53 AM
As city_index said, you should change your vpn client pool to another subnet, but this would not affect you establishing the vpn.
No, you do not need additional software. Is the client even getting prompted for username/password?
06-13-2007 07:54 AM
No, I don't get that far.
06-13-2007 08:03 AM
Below is the current running config.
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 209.165.201.0 255.255.255.224
access-list Amc_Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Amc_Reg internal
group-policy Amc_Reg attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Amc_Reg_splitTunnelAcl
username xxx password Fa9pU7nHkZDmAvdG encrypted
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password pfaW5bAu431sHznu encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password elxohIfKpfwEfs0V encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Amc_Reg type ipsec-ra
tunnel-group Amc_Reg general-attributes
 address-pool RemoteClientPool
 default-group-policy Amc_Reg
tunnel-group Amc_Reg ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
06-13-2007 08:10 AM
You can get rid of these, the VPN wizard keeps adding them in there...
no crypto dynamic-map outside_dyn_map 40 set pfs
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 140 set pfs
no crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
The config looks OK. Can you try another client, another client version, another OS? Is another VPN client installed on the same machine?
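Two of the replies above amount to checks that can be done mechanically against the running config: whether the remote-access address pool overlaps an interface subnet (the pool/LAN overlap warning), and which wizard-generated dynamic-map sequence numbers merely repeat a transform-set that an earlier entry already offers (the list of `no crypto dynamic-map ...` lines). The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted config in which the redacted public prefix is replaced by the documentation range 203.0.113.0/29, and it only recognises the handful of line forms shown in the thread (`nameif`, `ip address`, `ip local pool`, `crypto dynamic-map ... set`).

```python
"""Sanity checks over an ASA running-config excerpt (added example, not from the thread).

Checks:
  1. Does any 'ip local pool' range fall inside an interface subnet?
  2. Which 'crypto dynamic-map' entries repeat a transform-set that a
     lower-numbered entry of the same map already sets? For those, emit
     the 'no ...' lines that remove them.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the posted config, with the
# redacted outside prefix replaced by the documentation range 203.0.113.0/29.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.18 255.255.255.248
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (pfs|transform-set)(?: (.*))?$")


def parse_interfaces(config):
    """Return {nameif: network} for every interface block that has an address."""
    nets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None          # new block; nameif comes before ip address
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IFACE_RE.match(line)
        if m and current:
            # ip_interface accepts a dotted netmask after the slash
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def pool_overlaps(config):
    """(pool, nameif) pairs whose address ranges intersect an interface subnet."""
    nets = parse_interfaces(config)
    hits = []
    for name, (first, last) in parse_pools(config).items():
        for nameif, net in nets.items():
            if net.network_address <= last and first <= net.broadcast_address:
                hits.append((name, nameif))
    return hits


def redundant_dynmap_entries(config):
    """{map_name: [seq, ...]} for entries whose transform-set an earlier seq already sets."""
    seen = defaultdict(dict)        # map_name -> {transform_set: first seq}
    redundant = defaultdict(list)
    for line in config.splitlines():
        m = DYNMAP_RE.match(line)
        if not m or m.group(3) != "transform-set":
            continue
        map_name, seq, tset = m.group(1), int(m.group(2)), m.group(4)
        if tset in seen[map_name]:
            redundant[map_name].append(seq)
        else:
            seen[map_name][tset] = seq
    return dict(redundant)


def cleanup_commands(config):
    """'no crypto dynamic-map ...' lines that drop every redundant entry, in config order."""
    redundant = redundant_dynmap_entries(config)
    cmds = []
    for line in config.splitlines():
        m = DYNMAP_RE.match(line)
        if m and int(m.group(2)) in redundant.get(m.group(1), []):
            cmds.append("no " + line.strip())
    return cmds


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps(SAMPLE_CONFIG))
    print("redundant dynamic-map entries:", redundant_dynmap_entries(SAMPLE_CONFIG))
    for cmd in cleanup_commands(SAMPLE_CONFIG):
        print(cmd)
```

On the posted config the pool (209.165.201.1-20) overlaps neither the inside nor the outside subnet, so the overlap check is clean, while entries 40 and 60 (and 80 through 140 in the full config) are reported as repeating the ESP-3DES-SHA transform-set that entry 20 already sets. The `no` lines the script emits are exactly the ones listed in the reply; review them before pasting, since an entry that differs only by `set pfs` is still a distinct policy if you rely on that setting.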
06-13-2007 06:57 AM
the error you are getting is related to the asa not accepting the credentials your client is using. under cisco vpn client software, make sure under authentication the Name is exactly the same as the group name under the asa (the one created by the vpn wizard) and also the preshared key as well. get the client to connect and monitor the traffic under asdm monitoring.
06-13-2007 07:03 AM
i suggest, for monitoring any type of traffic and to make it easier on yourself, use the cisco ASDM (all graphical). it provides different logging levels and you can monitor just about anything.
06-13-2007 07:06 AM
06-13-2007 07:07 AM
In your vpn client config, the host address needs to be the outside interface of your asa. Is this what you have?
06-13-2007 07:11 AM
yes. I have the destination as the IP address for the outside interface.
06-13-2007 07:14 AM
ASA5505# show crypto isakmp sa
There are no isakmp sas
Is this an issue?