New Member

Trouble connecting to ASA5505 VPN

I have gone through the "VPN Wizard", selected remote access, and set up a client machine outside of the network. When I try to connect I get the following error: "Secure VPN Connection Terminated locally by the Client. Reason 412."

Any help appreciated.

33 REPLIES
Green

Re: Trouble connecting to ASA5505 VPN

thomas, would you like to post the config?

New Member

Re: Trouble connecting to ASA5505 VPN

names
!
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Cisco internal
group-policy Cisco attributes
 dns-server value 64.89.70.2 64.89.74.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Cisco_splitTunnelAcl
 default-domain value amcinc.us
username xxxx password xxx encrypted
username xxxxx password xxx encrypted privilege 15
username xxxxx password xxx encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

New Member

Re: Trouble connecting to ASA5505 VPN

So I have run the VPN "remote" wizard and set up "Cisco" as a group and tunnel. Do I need to use "Cisco" as the group name in the VPN client? Or do I use the ID for the user that I set up in the VPN client? If it is the group name, then what is the password, as I did not set one up on the ASA?

Green

Re: Trouble connecting to ASA5505 VPN

Yes, Cisco would be the group name in the client. The password would be the "pre-shared key" under the attributes for the Cisco tunnel-group.

New Member

Re: Trouble connecting to ASA5505 VPN

Ok,

I tried that with Cisco as the group name and the "pre-shared" key as the password. I still get the Reason: 412.

New Member

Re: Trouble connecting to ASA5505 VPN

Windows firewall is running so I added cvpn to it and I am still having the problem.

Green

Re: Trouble connecting to ASA5505 VPN

Post a show run sysopt.

Also, could you log on asa with debug crypto isakmp 7?

New Member

Re: Trouble connecting to ASA5505 VPN

ASA5505# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

How do I "log on asa with debug crypto isakmp 7"?

New Member

Re: Trouble connecting to ASA5505 VPN

kk did "debug crypto isakmp 7".

Green

Re: Trouble connecting to ASA5505 VPN

"How do I "log on asa with debug crypto isakmp 7"?"

Depends how you are connecting to it...

console:
debug crypto isakmp 7
logging console debugging

telnet/ssh:
debug crypto isakmp 7
logging monitor debugging

ASDM:
debug crypto isakmp 7 from the CLI, then launch Monitor -> Logging window

New Member

Re: Trouble connecting to ASA5505 VPN

ASDM - Debug commands are not supported in CLI Window.

ssh - logging monitor = invalid input detected at monitor. Only option is savelog.

Green

Re: Trouble connecting to ASA5505 VPN

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one):

asa(config)# debug crypto isakmp 7

then use the ASDM logging window.

New Member

Re: Trouble connecting to ASA5505 VPN

Ok, I have done that and retried the connection. I still get the Reason 412, and I do not see anything in that SSH window.

Green

Re: Trouble connecting to ASA5505 VPN

How about the ASDM logging window, you see nothing from the vpn client? Is there another firewall in front of the ASA or anything which would be blocking vpn from the client?

New Member

Re: Trouble connecting to ASA5505 VPN

No there are no other devices. I noticed when I re-ran the "VPN Wizard" that IKE defaults to DH Group 2. Should I set logging to group 2, or should I change the tunnel to use 7?

Green

Re: Trouble connecting to ASA5505 VPN

dh group 2 has nothing to do with logging level 7.

New Member

Re: Trouble connecting to ASA5505 VPN

asa# config t
asa(config)# logging monitor debugging
asa(config)# logging on
asa(config)# debug crypto isakmp 7

or just (I would do this one):

asa(config)# debug crypto isakmp 7

then use the ASDM logging window.

Which ASDM window? The real time log viewer? If so, I am not seeing any additional information.

New Member

Re: Trouble connecting to ASA5505 VPN

also your vpn pool is the same as your LAN. to prevent ip address overlapping, it's recommended to use another ip subnet for vpn pool.
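A small configuration lint, added here as an example (not code from this thread or from Cisco), that checks the addressing points raised in the replies: a VPN pool that lands inside the LAN subnet, a pool not covered by the nat 0 exemption ACL, and a split-tunnel ACL reference that matches no access-list (ASA names are case-sensitive, and the posted config carries both `cisco_splitTunnelAcl` and `Cisco_splitTunnelAcl`). The sample config is a constructed excerpt modelled on the one posted above; the regexes cover only the ASA 7.x/8.x line forms shown in it.

```python
import ipaddress
import re

# Constructed excerpt modelled on the configs posted in this thread; not the poster's full config.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
ip local pool ClientIPPool 192.168.1.100-192.168.1.149 mask 255.255.255.0
group-policy Cisco attributes
 split-tunnel-network-list value Cisco_splitTunnelAcl
"""

def lint_asa_vpn(config: str) -> list[str]:
    """Return human-readable findings about remote-access VPN addressing in an ASA config."""
    if_nets, pools, acl_names, nat0_dst, split_refs = [], {}, set(), [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):            # interface subnet
            if_nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):   # client address pool
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) ", line):
            acl_names.add(m[1])
            # nat 0 exemption entries: destination network/mask is what the pool must fall in
            if m := re.match(r"access-list inside_nat0_outbound extended permit ip "
                             r"(?:any|\S+ \S+) (\S+) (\S+)$", line):
                nat0_dst.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            split_refs.append(m[1])

    findings = []
    for name, (lo, hi) in pools.items():
        for net in if_nets:
            if lo in net or hi in net:
                findings.append(f"pool {name} overlaps interface subnet {net}")
        if not any(lo in n and hi in n for n in nat0_dst):
            findings.append(f"pool {name} not covered by nat 0 exemption ACL")
    for ref in split_refs:
        if ref not in acl_names:
            findings.append(f"split-tunnel list {ref} matches no access-list (names are case-sensitive)")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_vpn(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports ClientIPPool overlapping 192.168.1.0/24 and missing from the nat 0 ACL, and the unmatched `Cisco_splitTunnelAcl` reference; RemoteClientPool passes.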

New Member

Re: Trouble connecting to ASA5505 VPN

I see in the ASDM Real Time Log Viewer, set to debug level, that the remote IP address of the PC I am trying to VPN in from is trying to talk to the internal SMTP server. Do I need additional VPN server software running internally, or does the ASA5505 handle that?

I am still getting the 412. I built a new tunnel and password, still no luck.

Green

Re: Trouble connecting to ASA5505 VPN

As city_index said, you should change your vpn client pool to another subnet, but this would not affect you establishing the vpn.

No, you do not need additional software. Is the client even getting prompted for username/password?

New Member

Re: Trouble connecting to ASA5505 VPN

No, I don't get that far.

New Member

Re: Trouble connecting to ASA5505 VPN

below is current running.

interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address xxxx.170.18 255.255.255.248
access-list out2in extended permit tcp any host xxxx.170.18 eq smtp
access-list out2in extended permit tcp any host xxxx.170.20 eq smtp
access-list out2in extended permit tcp any host xxxx.170.18 eq https
access-list out2in extended permit tcp any host xxxx.170.18 eq 9850
access-list out2in extended permit tcp any host xxxx.170.18 eq 1677
access-list out2in extended permit tcp any host xxxx.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 209.165.201.0 255.255.255.224
access-list Amc_Reg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxxx.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 xxxx.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy Amc_Reg internal
group-policy Amc_Reg attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Amc_Reg_splitTunnelAcl
username xxx password Fa9pU7nHkZDmAvdG encrypted
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password pfaW5bAu431sHznu encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
username xxx password elxohIfKpfwEfs0V encrypted privilege 15
username xxx attributes
 vpn-group-policy Amc_Reg
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group Amc_Reg type ipsec-ra
tunnel-group Amc_Reg general-attributes
 address-pool RemoteClientPool
 default-group-policy Amc_Reg
tunnel-group Amc_Reg ipsec-attributes
 pre-shared-key *
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside

Green

Re: Trouble connecting to ASA5505 VPN

You can get rid of these; the VPN wizard keeps adding them in there...

no crypto dynamic-map outside_dyn_map 40 set pfs
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 140 set pfs
no crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

The config looks OK. Can you try another client, another client version, another OS? Is another VPN client installed on the same machine?

New Member

Re: Trouble connecting to ASA5505 VPN

the error you are getting is related to the asa not accepting your credentials your client is using. under cisco vpn client software, make sure under authentication the Name is exactly the same as the group name under the asa (one created by the vpn wizard) and also the preshared key as well. get the client to connect and monitor the traffic under asdm monitoring.

New Member

Re: Trouble connecting to ASA5505 VPN

i suggest for monitoring any type of traffic to make it easier on yourself, use the cisco ASDM (all graphical). it provides different logging level and you can just about monitor anything.

Green

Re: Trouble connecting to ASA5505 VPN

In your vpn client config, the host address needs to be the outside interface of your asa. Is this what you have?

New Member

Re: Trouble connecting to ASA5505 VPN

yes. I have the destination as the IP address for the outside interface.

New Member

Re: Trouble connecting to ASA5505 VPN

ASA5505# show crypto isakmp sa
There are no isakmp sas

Is this an issue?
