new VPN tunnel won't work

We set up an IPsec VPN tunnel in ASDM 7.1 (for ASA 5515-X version 9.11) through a wizard. It was working fine for a while, and then a connection could no longer be established. We made a new tunnel through the wizard again and deleted the old tunnel. It still won't work. We are getting:

Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding. (this is on VPN Client Version 5.0.07.0290)

I've already turned off Windows Firewall.

Need your expertise! Thank you so much!

The "show run" config is attached for your reference, with the public IP edited out.


nkarthikeyan
Level 7

Hi Everose,

You have created multiple tunnels, which is confusing in troubleshooting. You can refer to the sample configs below to understand and configure this for your network.

Configuration Examples for Remote Access IPsec VPNs

The following example shows how to configure a remote access IPsec/IKEv1 VPN:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory

The following example shows how to configure a remote access IPsec/IKEv2 VPN:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# lifetime 43200
hostname(config-ikev2-policy)# prf sha
hostname(config)# crypto ikev2 enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev2 ipsec-proposal FirstSet
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup webvpn-attributes
hostname(config-webvpn)# authentication aaa certificate
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory

Apart from these, there are some other reasons for getting such an error:

  • The user is behind a firewall that is blocking ports UDP 4500/500 and/or ESP.
  • The VPN client is connecting over TCP and the default TCP port 10000 for NAT is blocked.
  • The internet connection is not stable and some packets are not reaching the ASA, or the replies from the ASA aren't getting to the client, so the client thinks the server is no longer available.
  • The VPN client is behind a NAT device and the ASA doesn't have NAT-T enabled. In this case the user will not be able to send or receive traffic at all. It will be able to connect, but that's all. After some time the software client deletes the VPN tunnel.

Suggested solutions:

  • If you are using wireless, try to connect with a cable.
  • Turn your firewall off, then test the connection to see whether the problem still occurs. If it doesn't, you can turn your firewall back on and add exception rules for port 500, port 4500 and the ESP protocol in your firewall.
  • Turn on NAT-T/TCP in your profile (remember to unblock port 10000 in your firewall).
  • Edit your profile with your editor and change ForceKeepAlive=0 to 1.

Hope this helps.

Regards

Karthik
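The reply above boils down to a checklist: one remote-access tunnel-group rather than several, the IKEv1 listener enabled on the outside interface, a transform-set, a dynamic map, a crypto map bound to the interface, an address pool, a pre-shared key, and NAT-T. The following audit script is an added example (not from the thread or from Cisco) that runs that checklist over a "show run" text; the config excerpt is constructed, and the script assumes the ASA prints NAT-T as an explicit "crypto isakmp nat-traversal" line.

```python
import re

# Constructed sample "show run" excerpt (not the poster's attached config):
# two remote-access tunnel-groups remain after the wizard was rerun, and
# "crypto ikev1 enable outside" and NAT-T are absent.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
ip local pool testpool 192.168.0.10-192.168.0.15
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group oldgroup type remote-access
tunnel-group oldgroup ipsec-attributes
 ikev1 pre-shared-key *****
"""


def audit_ikev1_ra(config: str, outside: str = "outside") -> list:
    """Return findings for an IKEv1 remote-access VPN config; [] means all checks passed."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    # Each check: (finding text, regex that must match at least one config line).
    # Indented lines keep their leading space, so sub-mode commands match "^ ...".
    required = [
        (f"IKEv1 not enabled on {outside} (crypto ikev1 enable {outside})",
         rf"^crypto ikev1 enable {outside}$"),
        ("no IKEv1 transform-set defined", r"^crypto ipsec ikev1 transform-set \S+"),
        ("no dynamic-map using an IKEv1 transform-set",
         r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set \S+"),
        (f"no crypto map bound to {outside}", rf"^crypto map \S+ interface {outside}$"),
        ("no address-pool assigned to a tunnel-group", r"^ address-pool \S+"),
        ("no IKEv1 pre-shared-key on any tunnel-group", r"^ ikev1 pre-shared-key "),
        # Assumption: an enabled NAT-T shows up as an explicit line in show run.
        ("NAT-T not enabled (crypto isakmp nat-traversal)", r"^crypto isakmp nat-traversal"),
    ]
    for text, pattern in required:
        if not any(re.match(pattern, line) for line in lines):
            findings.append(text)
    # The leftover-tunnel problem the reply points out: more than one RA tunnel-group.
    groups = re.findall(r"^tunnel-group (\S+) type remote-access$", config, re.M)
    if len(groups) > 1:
        findings.append("multiple remote-access tunnel-groups: " + ", ".join(groups))
    return findings
```

Run it against the real output of show run; an empty list means every item on the checklist is present and only one remote-access tunnel-group remains.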

Have you checked the logs on the ASA while you are trying to connect to the VPN?

Could you also debug the VPN connection while trying to connect:

debug crypto ikev1 ipsec sa
debug crypto isakmp sa

Although these commands should not have an impact on your ASA's performance, it is always best to do these types of tests in a service window.

--

Please select a correct answer and rate helpful posts
