New Member

VPN Remote Access on ASA5510 version 7.1(2)

Hi folks,

I had a surprising thing happen when first configuring IPsec remote access on an ASA 5510 with ASA version 7.1(2). I usually configure this on the PIX platform and it has never failed.

I use the standard VPN remote access configuration, using the provided default tunnel group.

Below is the configuration:

username xxx password xxx
ip local pool VPN_POOL 192.168.21.1-192.168.21.100 mask 255.255.255.0
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set ESP-3DES-MD5
crypto map vpnmap 1 ipsec-isakmp dynamic dyn1
crypto map vpnmap interface Outside
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key xxx

I have enabled the command "sysopt connection permit-vpn"; here I didn't find "permit-ipsec". Are those the same thing?

I have issued debug crypto ipsec and isakmp, but it does not give me enough information about the configuration error.

Aug 13 11:07:33 [IKEv1]: Group = DefaultRAGroup, IP = **.**.**.**, Removing peer from peer table failed, no match!

Aug 13 11:07:33 [IKEv1]: Group = DefaultRAGroup, IP = **.**.**.**, Error: Unable to remove PeerTblEntry

What is missing here? Please advise...

FYI: I use Cisco VPN Client v4.8.
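An added example, not part of the original post: a small Python parser for the `[IKEv1]: Group = ..., IP = ..., <message>` syslog lines quoted above. It groups the peer-table failures by tunnel group and peer address, so that while troubleshooting (or reviewing the log afterwards) it is immediately visible which peer is failing, how often, and over what time span. The sample log lines, the year supplied to the timestamp parser and the alert threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Shape of the ASA IKEv1 syslog lines quoted in the post:
# "<Mon> <day> <hh:mm:ss> [IKEv1]: Group = <name>, IP = <addr>, <message>"
IKE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# Assumption used for counting: each failed attempt produces one
# "Removing peer from peer table failed" line; the "Unable to remove
# PeerTblEntry" line accompanies it and is not counted twice.
ATTEMPT_MARKER = "Removing peer from peer table failed"

# Constructed sample log (documentation addresses, not real peers).
SAMPLE_LOG = """\
Aug 13 11:07:33 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Removing peer from peer table failed, no match!
Aug 13 11:07:33 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry
Aug 13 11:07:50 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Removing peer from peer table failed, no match!
Aug 13 11:07:50 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry
Aug 13 11:08:05 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Removing peer from peer table failed, no match!
Aug 13 11:08:05 [IKEv1]: Group = DefaultRAGroup, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry
Aug 13 11:09:12 [IKEv1]: Group = AUTOMATION_TG, IP = 198.51.100.7, Removing peer from peer table failed, no match!
Aug 13 11:09:12 [IKEv1]: Group = AUTOMATION_TG, IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
Aug 13 11:09:13 [IKEv1 DEBUG]: IP = 198.51.100.7, IKE_DECODE SENDING Message
"""


class IkeEvent(NamedTuple):
    ts: datetime
    group: str
    ip: str
    msg: str


def parse_line(line: str, year: int = 2007) -> Optional[IkeEvent]:
    """Parse one syslog line; return None for lines in any other format."""
    m = IKE_RE.match(line.strip())
    if m is None:
        return None
    # The syslog timestamp carries no year, so the caller supplies one (assumed).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return IkeEvent(ts, m["group"], m["ip"], m["msg"])


def summarize(lines: Iterable[str], threshold: int = 3) -> Dict[Tuple[str, str], dict]:
    """Count failed attempts per (tunnel group, peer IP) and flag busy peers."""
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"attempts": 0, "first": None, "last": None, "messages": set()}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[(ev.group, ev.ip)]
        s["messages"].add(ev.msg)
        s["first"] = ev.ts if s["first"] is None else min(s["first"], ev.ts)
        s["last"] = ev.ts if s["last"] is None else max(s["last"], ev.ts)
        if ATTEMPT_MARKER in ev.msg:
            s["attempts"] += 1
    for s in stats.values():
        s["span_s"] = int((s["last"] - s["first"]).total_seconds())
        s["flagged"] = s["attempts"] >= threshold
    return dict(stats)


if __name__ == "__main__":
    for (group, ip), s in summarize(SAMPLE_LOG.splitlines()).items():
        flag = " <-- repeated failures" if s["flagged"] else ""
        print(f"{group:15} {ip:15} attempts={s['attempts']} span={s['span_s']}s{flag}")
```

Feed it `show logging` output or the syslog file instead of the constructed sample; a peer that appears with many attempts in a short span is the one whose client settings (group name, pre-shared key, NAT traversal) to compare against the ASA side first.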

9 REPLIES
Silver

Re: VPN Remote Access on ASA5510 version 7.1(2)

New Member

Re: VPN Remote Access on ASA5510 version 7.1(2)

Dear All ,

For the last 8 days I have also been facing the same problem while configuring Remote Access VPN on an ASA 5510.

Error message from the ASA syslog while the client makes a request to connect:

Group = AUTOMATION_TG, IP = 210.212.172.91, Error: Unable to remove PeerTblEntry

Group = AUTOMATION_TG, IP = 210.212.172.91, Removing peer from peer table failed, no match!

================ This is the show run of my running configuration ================

: Saved
:
PIX Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Ethernet0
 nameif Inside
 security-level 100
 ip address 10.210.3.254 255.255.255.0
!
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 210.212.172.94 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system flash:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Inside_nat0_outbound extended permit ip 10.210.3.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list AUTOMATION_TG_splitTunnelAcl standard permit 10.210.3.0 255.255.255.0
pager lines 24
mtu Inside 1500
mtu Outside 1500
ip local pool VPN_POOL 172.16.1.1-172.16.1.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
route Outside 0.0.0.0 0.0.0.0 210.212.172.95 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy AUTOMATION_TG internal
group-policy AUTOMATION_TG attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AUTOMATION_TG_splitTunnelAcl
username automation1 password auto1 privilege 0
username automation1 attributes
 vpn-group-policy AUTOMATION_TG
username cisco password cisco
http server enable
http 10.15.1.0 255.255.255.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group AUTOMATION_TG type ipsec-ra
tunnel-group AUTOMATION_TG general-attributes
 address-pool VPN_POOL
 default-group-policy AUTOMATION_TG
tunnel-group AUTOMATION_TG ipsec-attributes
 pre-shared-key automation
tunnel-group-map default-group AUTOMATION_TG
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context

Regards

Sandeep Kadam

Network Specialist

Bronze

Re: VPN Remote Access on ASA5510 version 7.1(2)

I once had the same problem when I configured VPN client access via the wizard in the ASDM.

The solution was to remove the following commands:

crypto dynamic-map Outside_dyn_map 20 set pfs, and

crypto dynamic-map Outside_dyn_map 40 set pfs

New Member

Re: VPN Remote Access on ASA5510 version 7.1(2)

Hi,

Aren't you coming from behind a device which is doing NAT?

You might try to enter (in global config mode):

isakmp nat-traversal 20

If this doesn't help, it would be great to see the debug messages just above the ones you sent.

On the other hand, you asked:

> I have enable command "sysopt connection permit-vpn", here i didn't find "permit-ipsec". Are those the same thing?

Yes, this is the same, only the naming has changed.

I hope this helps.

// Roland

Re: VPN Remote Access on ASA5510 version 7.1(2)

Hi,

I think you didn't specify the authentication mode for the clients.

Check http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Please rate if this helped.

Regards,

Daniel

New Member

Re: VPN Remote Access on ASA5510 version 7.1(2)

I 2nd that

New Member

Re: VPN Remote Access on ASA5510 version 7.1(2)

Authentication mode is specified as pre-share, so I don't think that is it. I have seen this problem as well using client 4.8. It doesn't seem to happen with lower versions, but I am not 100% sure that the client is the problem. I am working on the exact same thing right now, so I will update when I get more info.

New Member

Re: VPN Remote Access on ASA5510 version 7.1(2)

Try adding SHA in addition to MD5 in your crypto map. Create a transform set for ESP-3DES-SHA and add it to your dynamic-map statement.

Cisco Employee

Re: VPN Remote Access on ASA5510 version 7.1(2)

Hi,

First of all, create a separate group (other than DefaultRAGroup), bind the pool, and try connecting the clients to that.

That should do it.

HTH,

-Kanishka
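An added example, not code from the thread or from Cisco: a Python checker that reads an ASA running config of the kind posted above and reports the things the replies in this thread point at, namely a dynamic-map entry with no (or an undefined) transform set, `set pfs` on a dynamic-map entry, ISAKMP not enabled on the interface carrying the crypto map, no `isakmp nat-traversal`, a tunnel group with no address pool or pre-shared key, and reliance on DefaultRAGroup alone. It also notes 3DES/MD5 as legacy algorithms. The sample configuration is constructed (condensed, placeholder key) and deliberately carries several of those problems; it assumes sub-mode lines are indented with a space as `show run` prints them.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, condensed from the style of config posted in this thread,
# secret replaced by a placeholder. It carries problems the thread discusses
# (set pfs, an undefined transform set, no NAT traversal) for the checks to find.
SAMPLE_CONFIG = """\
ip local pool VPN_POOL 172.16.1.1-172.16.1.10 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-AES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
tunnel-group AUTOMATION_TG type ipsec-ra
tunnel-group AUTOMATION_TG general-attributes
 address-pool VPN_POOL
tunnel-group AUTOMATION_TG ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
"""

POOL_RE = re.compile(r"^ip local pool (\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (transform-set|pfs)(?:\s+(\S+))?")
MAP_DYN_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
ISAKMP_EN_RE = re.compile(r"^(?:crypto )?isakmp enable (\S+)")  # 7.1 and 7.2 syntax
NAT_T_RE = re.compile(r"^(?:crypto )?isakmp nat-traversal")
TG_RE = re.compile(r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes)")
LEGACY_ALGS = ("3des", "md5")  # deprecated algorithms worth a note


def lint_ra_vpn(config: str) -> List[str]:
    """Return findings for an IPsec remote-access VPN configuration."""
    findings: List[str] = []
    pools: Set[str] = set()
    transform_sets: Dict[str, str] = {}
    dyn: Dict[Tuple[str, str], dict] = {}
    map_to_dyn: Dict[str, str] = {}
    map_to_if: Dict[str, str] = {}
    isakmp_ifaces: Set[str] = set()
    groups: Dict[str, dict] = {}
    nat_t = False
    ctx = None  # (group, section) while inside a tunnel-group sub-mode

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0].isspace() and ctx:  # indented sub-mode line of a tunnel-group
            name, section = ctx
            tok = line.split()
            if section == "general-attributes" and tok[0] == "address-pool":
                groups[name]["pool"] = tok[1]
            elif section == "ipsec-attributes" and tok[0] == "pre-shared-key":
                groups[name]["psk"] = True
            continue
        ctx = None
        if m := POOL_RE.match(line):
            pools.add(m[1])
        elif m := TS_RE.match(line):
            transform_sets[m[1]] = m[2].lower()
        elif m := DYN_RE.match(line):
            entry = dyn.setdefault((m[1], m[2]), {"ts": None, "pfs": False})
            if m[3] == "transform-set":
                entry["ts"] = m[4]
            else:
                entry["pfs"] = True
        elif m := MAP_DYN_RE.match(line):
            map_to_dyn[m[1]] = m[2]
        elif m := MAP_IF_RE.match(line):
            map_to_if[m[1]] = m[2]
        elif m := ISAKMP_EN_RE.match(line):
            isakmp_ifaces.add(m[1])
        elif NAT_T_RE.match(line):
            nat_t = True
        elif m := TG_RE.match(line):
            groups.setdefault(m[1], {"pool": None, "psk": False})
            if m[2] != "type":
                ctx = (m[1], m[2])

    for name, algs in transform_sets.items():
        weak = [a for a in LEGACY_ALGS if a in algs]
        if weak:
            findings.append(f"transform-set {name}: legacy algorithms {weak}")
    for (mname, seq), e in sorted(dyn.items()):
        if e["ts"] is None:
            findings.append(f"dynamic-map {mname} {seq}: no transform-set")
        elif e["ts"] not in transform_sets:
            findings.append(f"dynamic-map {mname} {seq}: transform-set {e['ts']} is not defined")
        if e["pfs"]:
            findings.append(f"dynamic-map {mname} {seq}: 'set pfs' present (the thread reports removing it fixed client access)")
    for cmap in map_to_dyn:
        iface = map_to_if.get(cmap)
        if iface is None:
            findings.append(f"crypto map {cmap}: not applied to any interface")
        elif iface not in isakmp_ifaces:
            findings.append(f"crypto map {cmap}: isakmp not enabled on {iface}")
    if not nat_t:
        findings.append("isakmp nat-traversal not configured: clients behind NAT will fail")
    for name, g in groups.items():
        if g["pool"] is None:
            findings.append(f"tunnel-group {name}: no address-pool bound")
        elif g["pool"] not in pools:
            findings.append(f"tunnel-group {name}: address-pool {g['pool']} is not defined")
        if not g["psk"]:
            findings.append(f"tunnel-group {name}: no pre-shared-key")
    if groups and set(groups) == {"DefaultRAGroup"}:
        findings.append("only DefaultRAGroup is used: create a named ipsec-ra group and bind the pool to it")
    return findings


if __name__ == "__main__":
    for finding in lint_ra_vpn(SAMPLE_CONFIG):
        print("-", finding)
```

Run it on the text of `show run` saved from the box. The checks are structural only (names that must resolve, commands that must exist), so a clean report does not prove the tunnel will come up, but any finding is something to fix before reading further into the debug output.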
