Trouble connecting to ASA5505 VPN

thomas.estes
Level 1

I have gone through the "VPN Wizard", selected remote access, and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."

Any help appreciated.

33 Replies

No there are no other devices. I noticed when I re-ran the "VPN Wizard" that IKE defaults to DH Group 2. Should I set logging to group 2, or should I change the tunnel to use 7?

DH group 2 has nothing to do with logging level 7.

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one):

asa(config)# debug crypto isakmp 7

then use the ASDM logging window.

Which ASDM window? The real-time log viewer? If so, I am not seeing any additional information.

Also, your VPN pool is the same as your LAN. To prevent IP address overlapping, it's recommended to use another IP subnet for the VPN pool.

I see in the ASDM Real Time Log Viewer, set to debug level, that the remote IP address of the PC I am trying to VPN in from is trying to talk to the internal SMTP server. Do I need additional VPN server software running internally, or does the ASA5505 handle that?

I am still getting the 412. I built a new tunnel and password, still no luck.

As city_index said, you should change your vpn client pool to another subnet, but this would not affect you establishing the vpn.

No, you do not need additional software. Is the client even getting prompted for username/password?

No, I don't get that far.

Below is the current running config.

interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 209.165.201.0 255.255.255.224
access-list Amc_Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Amc_Reg internal
group-policy Amc_Reg attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Amc_Reg_splitTunnelAcl
username xxx password Fa9pU7nHkZDmAvdG encrypted
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password pfaW5bAu431sHznu encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password elxohIfKpfwEfs0V encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Amc_Reg type ipsec-ra
tunnel-group Amc_Reg general-attributes
 address-pool RemoteClientPool
 default-group-policy Amc_Reg
tunnel-group Amc_Reg ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

You can get rid of these; the VPN wizard keeps adding them in there...

no crypto dynamic-map outside_dyn_map 40 set pfs
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 140 set pfs
no crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

The config looks OK. Can you try another client, another client version, or another OS? Is another VPN client installed on the same machine?
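A small config linter, added here as an example and not code from Cisco or from anyone in this thread, that applies two points raised above to an ASA running config: city_index's check that the VPN pool does not overlap the inside LAN, and the cleanup of duplicate wizard-generated dynamic-map entries. It also checks that the nat 0 ACL exempts the pool. The sample config is constructed from the posted one with the public addresses replaced; the line formats it parses are the ones shown in that config.

```python
import ipaddress
import re

# Constructed sample modelled on the config posted above (public IPs replaced).
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
"""

def _net(spec):
    """Turn an ACL/interface operand ('any' or 'A.B.C.D M.M.M.M') into an ip_network."""
    ip, mask = ("0.0.0.0", "0.0.0.0") if spec == "any" else spec.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def check_vpn_config(text):
    """Lint an ASA config; returns a list of (code, message), empty when all checks pass."""
    ifaces, acls, dynmap, cur, pool, nat0_acl = {}, {}, {}, None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})   # start of an interface block
        elif line.startswith("nameif ") and cur is not None:
            cur["name"] = line.split()[1]
        elif line.startswith("ip address ") and cur is not None:
            cur["net"] = _net(" ".join(line.split()[2:4]))  # ignore any trailing 'standby'
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            pool = [ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])]
        elif m := re.match(r"access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)", line):
            acls.setdefault(m[1], []).append(_net(m[3]))    # keep the destination operand
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acl = m[1]
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (\S+)", line):
            dynmap.setdefault((m[1], m[3]), []).append(int(m[2]))
    findings = []
    inside = next((i["net"] for i in ifaces.values() if i.get("name") == "inside"), None)
    if pool and inside and any(a in inside for a in pool):
        findings.append(("pool-overlap", f"VPN pool overlaps the inside subnet {inside}"))
    if pool and not any(pool[0] in n and pool[1] in n for n in acls.get(nat0_acl, [])):
        findings.append(("nat0-missing", "nat 0 ACL does not exempt the VPN pool from NAT"))
    for (name, ts), seqs in dynmap.items():
        if len(seqs) > 1:
            findings.append(("dup-dynmap", f"{name}: seqs {seqs} all set {ts} (wizard leftovers)"))
    return findings
```

Run `check_vpn_config` over the output of `show running-config`; on the sample it reports only the duplicate dynamic-map entry.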

city_index
Level 1

The error you are getting is related to the ASA not accepting the credentials your client is using. Under the Cisco VPN Client software, make sure that under Authentication the Name is exactly the same as the group name on the ASA (the one created by the VPN Wizard), and the pre-shared key as well. Get the client to connect and monitor the traffic under ASDM Monitoring.

For monitoring any type of traffic, I suggest using the Cisco ASDM (all graphical) to make it easier on yourself. It provides different logging levels and you can monitor just about anything.

In your VPN client config, the host address needs to be the outside interface of your ASA. Is this what you have?

Yes. I have the destination set to the IP address of the outside interface.

ASA5505# show crypto isakmp sa
There are no isakmp sas

Is this an issue?