
Issue Remote Access VPN

Dear colleagues,

Remote access VPN with LDAP authentication via certificate was configured.

The user logged in, authenticated, and took an IP address, vpn-filter ACL, and DAP.

Then the dynamic crypto map, which has been used successfully for other users, couldn't be applied for this user.

Could anybody explain this behavior to me and point to the root cause?

ASA version 9.1(2)

%ASA-7-714011: Group = UserGroup, Username = User, IP = A.A.A.A, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

%ASA-7-713034: Group = UserGroup, Username = User, IP = A.A.A.A, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

%ASA-7-713906: Group = UserGroup, Username = User, IP = A.A.A.A, QM IsRekeyed old sa not found by addr

%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 1...

%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 1, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0

%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 2...

%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 2, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0

%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 3...

%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 3, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0

%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 4...

%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 4, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.101.62.65/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface GIN

3 Replies

Jeet Kumar
Cisco Employee

Hi oleg,

It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site-to-site VPN with the device. For example, if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1, and on the same ASA you have a site-to-site VPN already connected with the IP address 1.1.1.1, you will see the following error in the debug:

"cannot match peerless map when peer found in previous map entry."

Please check for the same; if that's the case, you are hitting the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090

You need a Cisco CCO ID to check the link.

Thanks

Jeet Kumar
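
One way to check the condition described in the reply above against a saved configuration and syslog capture, as an added example that is not part of the thread or Cisco tooling. The configuration lines, addresses, ACL name and the `static_peers` / `triage` helper names are constructed for illustration.

```python
import re

# Constructed sample data (documentation-range addresses, not taken from the thread).
SAMPLE_CONFIG = """\
crypto map GIN_map1 1 match address s2s_acl_1
crypto map GIN_map1 1 set peer 198.51.100.7
crypto map GIN_map1 2 set peer 203.0.113.20 203.0.113.21
crypto map GIN_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""
SAMPLE_LOG = """\
%ASA-6-713905: Group = UserGroup, Username = User, IP = 198.51.100.7, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
%ASA-3-713061: Group = UserGroup, Username = User, IP = 198.51.100.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.101.62.65/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface GIN
%ASA-3-713061: Group = OtherGroup, Username = Other, IP = 192.0.2.44, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.101.62.70/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface GIN
"""

# "crypto map <name> <seq> set peer <ip> [<ip> ...]" lines from the running config
SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$", re.M)
# The two syslog IDs from the thread: dynamic map skipped, tunnel rejected
EVENT = re.compile(r"%ASA-\d-(713905|713061): .*?Username = (\S+), IP = ([\d.]+),")

def static_peers(config):
    """Map each static peer IP to the (map name, sequence) entries that name it."""
    peers = {}
    for name, seq, ips in SET_PEER.findall(config):
        for ip in ips.split():
            peers.setdefault(ip, []).append((name, int(seq)))
    return peers

def triage(log, config):
    """For each rejected client: was the dynamic map skipped, and is its
    public IP also configured as a static crypto map peer?"""
    peers, seen = static_peers(config), {}
    for msg_id, user, ip in EVENT.findall(log):
        rec = seen.setdefault((user, ip), {"skipped_dynamic": False, "rejected": False})
        rec["skipped_dynamic" if msg_id == "713905" else "rejected"] = True
    return {
        key: {**rec, "static_peer_entries": peers.get(key[1], [])}
        for key, rec in seen.items() if rec["rejected"]
    }

if __name__ == "__main__":
    for (user, ip), rec in triage(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(user, ip, rec)
```

A rejected client with `skipped_dynamic` set and a non-empty `static_peer_entries` list matches the situation the reply describes; an empty list means the client's public IP is not a configured static peer.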

Hi Jeet,

Unfortunately, we don't have an s-2-s VPN with this location. It could resolve a couple of problems. )))

Those users always have access to our resources via Personal VPN.

Does anybody have a solution for these errors?

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside