Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Remote Access VPN Issue

Hi all!

I have remote access VPN issue, like this description (link is below):

Cisco Device: ASA 5510 Security plus

IOS: 9.1.(3)

It's a very common issue and generally happens when you try to  connect the VPN client from the same location which has a site to site  VPN with the device. For example if you try to connect the VPN client to  the ASA and your public Ip is 1.1.1.1 and on the same ASA if you have a  Site to Site VPN already connnect with an IP address 1.1.1.1 you will  see the following error in the debug:

"cannot match peerless map when peer found in previous map entry."

Here are error logs:

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A,  Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot  match peerless map when peer found in previous map entry.

%ASA-3-713061:  Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec  tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on  interface outside

https://supportforums.cisco.com/thread/2242812

Does anybody khows solution for this issue (both VPN-s are nesessary)?

3 REPLIES
New Member

Remote Access VPN Issue

No any Ideas?

New Member

Remote Access VPN Issue

Hi Vakhtang!

I've got the same issue on ASA-SM (9.1(3)). As far as I know ASA can't create new ISAKMP SA try to connect by VPNclient from location which has a L2L VPN with ASA. It must uniquely identify remote peer at Phase 1 in order to create the SA phase 1 after peer authentication. I guess your issue is connecting with enabled NAT-T feature in Dynamic crypto. So what cisco talk about this:

"The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both:

LAN-to-LAN

Remote access

In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be coming from the same public IP address, address of the NAT device. Also, remote access tunnels fail in a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is, the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a mixed LAN-to-LAN and remote access network of peers behind the NAT device."

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#wp1120836

So that behavior aren't abnormal, the ASA just work like this. I guess you'd better use another public ip address either remote vpn clients or Site2Site IPSec Tunnel.

New Member

Re: Remote Access VPN Issue

Hi Roman!

Thanks for reply.

I have solved this issue via STATIC_NAT:

I create nat rule - when users try to connect via RA VPN - their IP is different from outside interface's address.

1802
Views
0
Helpful
3
Replies
CreatePlease login to create content