Getting 413 errors on a 5505 firewall.

tlfurlow1
Level 1

I am very new to Cisco 5505 firewalls and have been trying to troubleshoot a VPN connectivity issue over the past few days. Recently the AT&T router was tested and nothing is being blocked from it. Since I do not know much about the firewall, I am unsure if there is an issue with the config or if the problem lies elsewhere. When I initially log in to the firewall I noticed that the DMZ interface shows Line down, Link down. The other interfaces, inside and outside, both show up, up. I am not sure if the DMZ should show down, down or not. I was not the tech that set this firewall up, so checking the config really does not tell me much as I am unfamiliar with what I am looking at. The config has been posted below. Any help would be greatly appreciated!!

: Saved
:
ASA Version 8.2(5) 
!
hostname xxxfw01
domain-name xxxxxx.lcl
enable password zgDyB1JJR5jIt22C encrypted
passwd 5nswNE6Ndj.ogXD4 encrypted
names
name 192.168.1.30 ideacom-adtran-router
name 12.179.58.67 outside-voip
name 10.0.4.0 inside-secondary
name 10.0.0.0 inside-primary
name 12.179.58.68 outside-secondary1
name 12.179.58.69 outside-secondary2
name 12.179.58.70 outside-secondary3
name 192.9.200.0 inside-old
name 12.179.58.71 outside-secondary4
name 12.179.58.72 outside-secondary5
name 12.179.58.73 outside-secondary6
name 12.179.58.74 outside-secondary7
name 12.179.58.75 outside-secondary8
name 12.179.58.126 outside-web-server
name 12.179.58.76 ouside-secondary9
name 12.179.58.77 outside-secondary10
name 12.179.58.78 outside-secondary11
name 12.179.58.79 outside-secondary12
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.11 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.179.58.66 255.255.255.192 
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.1.10 255.255.255.0 
 ospf cost 10
!
pim accept-register list PIM_ACCPTREG_ACL
banner motd ATTENTION:
banner motd You are about to log into a private network.  Unauthorized access is strictly prohibited.
banner motd Any attempts to do so will result in prosecution to the fullest extent of the law.
banner asdm ATTENTION:
banner asdm You are about to log into a private network.  Unauthorized access is strictly prohibited.
banner asdm Any attempts to do so will result in prosecution to the fullest extent of the law.
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.2.106
 name-server 10.0.2.57
 domain-name xxxxxxx.lcl
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network outside-ideacom-voip
 network-object host 204.14.39.36
 network-object host 204.16.49.4
 network-object host 204.16.53.4
 network-object host 204.16.57.4
object-group service ideacom-tcp-voip tcp
 port-object range h323 1728
 port-object range sip 5061
object-group service ideacom-udp-voip udp
 port-object range 1024 65535
object-group network outside-secondary-range
 network-object host outside-secondary1
 network-object host outside-secondary2
 network-object host outside-secondary3
 network-object host outside-secondary4
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
access-list PIM_ACCPTREG_ACL extended permit ip 12.179.58.64 255.255.255.192 10.0.1.0 255.255.255.0 inactive 
access-list inside_nat_outbound extended permit ip inside-secondary 255.255.255.0 any 
access-list outside_access_in extended permit tcp object-group outside-ideacom-voip host ideacom-adtran-router object-group ideacom-tcp-voip inactive 
access-list outside_access_in extended permit udp object-group outside-ideacom-voip host ideacom-adtran-router object-group ideacom-udp-voip inactive 
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list xxxxxxx-VPN_splitTunnelAcl standard permit inside-primary 255.255.0.0 
access-list inside_nat0_outbound extended permit ip inside-primary 255.255.0.0 10.1.1.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit inside-primary 255.255.0.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN-Pool 10.1.1.1-10.1.1.253 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 2 outside-secondary1-outside-secondary12 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound norandomseq
nat (inside) 1 inside-primary 255.255.0.0
static (dmz,outside) outside-voip ideacom-adtran-router netmask 255.255.255.255 norandomseq 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.179.58.65 1
route inside inside-primary 255.255.0.0 10.0.1.10 1
timeout xlate 0:20:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.2.106
 key *****
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http inside-primary 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto ca server 
 shutdown
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh inside-primary 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 10
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 76.169.237.141 source outside
ntp server 69.31.13.15 source outside
ntp server 66.187.224.4 source outside
ntp server 10.0.2.106 source inside prefer
ntp server 75.13.24.211 source outside
ntp server 216.70.13.134 source outside
ntp server 66.102.105.230 source outside
ntp server 207.5.137.134 source outside
ntp server 66.93.39.87 source outside
ntp server 63.111.165.21 source outside
ntp server 67.52.51.34 source outside
ntp server 72.25.103.52 source outside
ntp server 72.3.133.147 source outside
ntp server 72.1.138.113 source outside
ntp server 68.227.90.101 source outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.0.2.106 10.0.2.56
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value xxxxxxx.lcl
group-policy DfltGrpPolicy attributes
 group-lock value DefaultWEBVPNGroup
group-policy xxxxxxx-VPN internal
group-policy xxxxxxx-VPN attributes
 dns-server value 10.0.2.106 10.0.2.56
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxxx-VPN_splitTunnelAcl
 default-domain value hlgroup.lcl
username hlgvpn password GAfBJJMk5EnKUdM+KyBXfQ== nt-encrypted
username hlgvpn attributes
 vpn-group-policy DefaultRAGroup
username admin password tU0js1787OyO3ldQ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group xxxxxxx-VPN type remote-access
tunnel-group xxxxxxx-VPN general-attributes
 address-pool VPN-Pool
 authentication-server-group RADIUS
 default-group-policy xxxxxxx-VPN
 password-management
tunnel-group xxxxxxx-VPN ipsec-attributes
 pre-shared-key *****
tunnel-group xxxxxxx-VPN ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect icmp error 
  inspect ctiqbe 
  inspect dcerpc 
  inspect dns 
  inspect ils 
  inspect ipsec-pass-thru 
  inspect mgcp 
  inspect pptp 
  inspect snmp 
  inspect waas 
  inspect sip  
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ca21fc44d2f9d0485564fb474bceeb51
: end
asdm image disk0:/asdm-631.bin
asdm location ideacom-adtran-router 255.255.255.255 inside
asdm location outside-voip 255.255.255.255 inside
asdm location outside-secondary1 255.255.255.255 inside
asdm location inside-secondary 255.255.255.0 inside
asdm location inside-primary 255.255.0.0 inside
asdm location outside-secondary2 255.255.255.255 inside
asdm location outside-secondary3 255.255.255.255 inside
asdm location outside-secondary4 255.255.255.255 inside
asdm location outside-secondary5 255.255.255.255 inside
asdm location outside-secondary6 255.255.255.255 inside
asdm location outside-secondary7 255.255.255.255 inside
asdm location outside-secondary8 255.255.255.255 inside
asdm location outside-web-server 255.255.255.255 inside
asdm location ouside-secondary9 255.255.255.255 inside
asdm location outside-secondary10 255.255.255.255 inside
asdm location outside-secondary11 255.255.255.255 inside
asdm location outside-secondary12 255.255.255.255 inside
no asdm history enable
6 Replies

Has this VPN setup ever worked prior to you taking over? If so, do you know of any changes that have been done to the firewall configuration that could possibly have caused the issue?

Another thing to check out is why the DMZ interface is enabled for VPN.

I suggest making the following change and then testing to see if the VPN comes up:

no crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

If that solves the problem, next I would check your company's security policy to see if they require a Diffie Hellman group to be used during phase 2 of the VPN setup.

--

Please remember to select a correct answer and rate helpful posts

Thank you for your response Marius. I made the change you suggested and still get the 413 error of User Authentication Failed. I believe the last time this worked was perhaps back in Feb, obviously it does not get used often. There were no changes to the firewall that I am aware of as I am the only IT person on staff and made no changes. According to the Interface Status page, the DMZ interface shows down, down so I did not think it was enabled at all.

Try creating a new username (like "vpntest" in the example below) with a known good password and assigning it to the DefaultRAGroup. Then use it to try your login.

i.e.:

username vpntest password <password>
username vpntest attributes
 vpn-group-policy DefaultRAGroup

Check the logs on your RADIUS server to see if there is any indication there to the authentication failure.

Also check the logs on the ASA when you try to connect.

--

Please remember to select a correct answer and rate helpful posts
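The two checks the replies above walk through by hand (which interfaces the ASA actually terminates VPNs on, and how each tunnel-group authenticates plus which group-policy a local user such as the suggested vpntest lands in) can be pulled straight out of a saved config. Below is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the one posted, with secrets replaced.

```python
# Added example (not from the thread): audit an ASA 8.2-style config for the two
# things raised above: which interfaces terminate VPNs, and how each tunnel-group
# authenticates and which group-policy each local user is bound to.
import re

# Constructed excerpt modelled on the posted config; secrets replaced with ****.
SAMPLE_CONFIG = """\
crypto map outside_map interface outside
crypto map dmz_map interface dmz
crypto isakmp enable outside
crypto isakmp enable dmz
username hlgvpn password **** nt-encrypted
username hlgvpn attributes
 vpn-group-policy DefaultRAGroup
username admin password **** encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group xxxxxxx-VPN general-attributes
 authentication-server-group RADIUS
 default-group-policy xxxxxxx-VPN
"""

def audit(config):
    isakmp, crypto_map, groups, users = set(), set(), {}, {}
    section = None  # (kind, name) of the indented sub-mode we are inside
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends any sub-mode
            section = None
            if m := re.match(r"crypto isakmp enable (\S+)$", line):
                isakmp.add(m[1])
            elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
                crypto_map.add(m[1])
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
                groups[m[1]] = {"auth": "LOCAL", "policy": None}  # ASA default is LOCAL
                section = ("tg", m[1])
            elif m := re.match(r"username (\S+) attributes$", line):
                section = ("user", m[1])
            elif m := re.match(r"username (\S+) password ", line):
                users.setdefault(m[1], None)  # None: inherits the tunnel-group policy
        elif section is not None:
            kind, name = section
            key, _, val = line.strip().partition(" ")
            if kind == "tg" and key == "authentication-server-group":
                # Skip an optional "(interface)" token; the first server group wins.
                groups[name]["auth"] = [t for t in val.split() if t[0] != "("][0]
            elif kind == "tg" and key == "default-group-policy":
                groups[name]["policy"] = val
            elif kind == "user" and key == "vpn-group-policy":
                users[name] = val
    # An interface terminates IKE/IPsec only if ISAKMP is enabled AND a map is bound.
    return {"vpn_interfaces": sorted(isakmp & crypto_map),
            "tunnel_groups": groups, "users": users}
```

On the posted config this reports both outside and dmz as VPN-terminating interfaces, DefaultRAGroup authenticating against LOCAL while xxxxxxx-VPN uses RADIUS, and hlgvpn bound to the DefaultRAGroup policy.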

Thank you for the response Marvin. I have entered what you suggested and get an error response "Invalid input detected at marker" which points to the "v" in vpn-group-policy...Any thoughts? I assumed I should have entered this via CLI, if that is incorrect I can retry where you suggest.

You should be at the CLI in configuration mode and within the config-user submode (based on having entered the

username vpntest attributes

command just prior). The command should work - it's already present in your config above and the command reference confirms it (link).