Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1213
Views
0
Helpful
4
Replies

Easy VPN access - Connection failure

r-frank
Level 1
Level 1

‎11-28-2006 10:34 PM - edited ‎03-11-2019 02:02 AM

I have configured my ASA to recieve EASY VPN connections from 877 and 871 routers. All routers eventually connect but the ASA is throwing up these messages when 'debug crypto isakmp' is set off:

Nov 28 14:15:15 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Error: Unable to remove PeerTblEntry

Nov 28 14:15:16 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Removing peer from peer table failed, no match!

Nov 28 14:15:16 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Error: Unable to remove PeerTblEntry

Nov 28 14:15:17 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 60.x.x.230, Removing peer from peer table failed, no match!

Nov 28 14:17:05 [IKEv1]: Group = DefaultRAGroup, Username = remuser1, IP = 58.105.25.1, Removing peer from peer table failed, no match!

Nov 28 14:17:39 [IKEv1]: Group = DefaultRAGroup, IP = 58.105.25.1, Removing peer from peer table failed, no match!

Nov 28 14:17:39 [IKEv1]: Group = DefaultRAGroup, IP = 58.105.25.1, Error: Unable to remove PeerTblEntry

The authentication for the easy vpn is via a radius server and the username and password is held on there for the end routers connecting.

This is leading to the connection attempts continuing for hours and it is happening every 1 second for some of these routers. Not exactly pushing the Radius server hard but something it could do without.

Thoughts anyone?

Labels:
0 Helpful
4 Replies 4

ggilbert
Cisco Employee
Cisco Employee

‎11-29-2006 12:34 PM

Can you cenable the following on the ASA

"deb cry isa 128" "deb cry ipsec 128"

And on the router side:

"deb cry isa"

"deb cry ipsec"

Collect those and let me take a look at why this is happening.

Thanks

Gilbert

0 Helpful

r-frank
Level 1
Level 1
In response to ggilbert

‎11-29-2006 01:56 PM

Gilbert,

The above info is from the ASA debug crypto isakmp...

Rick

0 Helpful

r-frank
Level 1
Level 1
In response to ggilbert

‎11-29-2006 11:06 PM

More debug from the ASA using

debug crypto isakmp 128

Preview file
11 KB
0 Helpful

ggilbert
Cisco Employee
Cisco Employee
In response to r-frank

‎11-30-2006 06:54 AM

Hi,

Thanks for sending the debugs from the ASA. I understand that you have the routers configured for EzVPN connection to the ASA.

If that be the case, do you have a specific group configured for the EzVPN clients on the ASA.

If you do, then the connections for the EzVPN should be landing on the group configured for EzVPN connections and not on the DefaultRAGroup.

Seems like there is something wrong on the ASA configuration.

Please check the ASA configuration.

- Gilbert

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card