Error "Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"

chaqif801
Level 1

Dear all,

TOPOLOGY :

LAN ----------(10.0.101.200/24) ASA(5505) (XX.XX.129.21/30)------------ (XX.XX.129.22/30) ROUTER(ISP) (XX.XX.197.13/24) --------- INTERNET

I am trying to configure my Cisco ASA 5505 for remote access VPN, and I encounter the following issue:

Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding

I appreciate any help.

This is my ASA configuration :

ASA Version 8.2(5)
!
hostname ciscoasa
enable password dmIRMJoxbk2LGaPq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.101.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.129.21 255.255.255.252
!
ftp mode passive
same-security-traffic permit intra-interface
access-list acl-outside extended permit tcp any host XX.XX.129.21 eq 500
access-list acl-outside extended permit tcp any host XX.XX.129.21 eq 4500
access-list acl-outside extended permit tcp any host XX.XX.129.21 eq 10000
access-list acl-outside extended permit udp any host XX.XX.129.21 eq 10000
access-list acl-outside extended permit udp any host XX.XX.129.21 eq 4500
access-list acl-outside extended permit udp any host XX.XX.129.21 eq isakmp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool TRSNpool 10.0.20.10-10.0.20.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-outside in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.129.22 1
route inside 10.0.5.0 255.255.255.0 10.0.101.254 1
route inside 10.0.8.0 255.255.255.0 10.0.101.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRSNSet esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cdm1 1 set transform-set TRSNSet
crypto dynamic-map cdm1 1 set reverse-route
crypto map cm1 1 ipsec-isakmp dynamic cdm1
crypto map cm1 interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ipsec-udp enable
username mkoudia password H5yVYb.t1U9VDEn4 encrypted
tunnel-group TRSN type remote-access
tunnel-group TRSN general-attributes
 address-pool TRSNpool
tunnel-group TRSN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:c23648ed8819a562ade2af871cfb4993
: end


grabonlee
Level 4

Hi

There are many reasons for the error and they are as follows:

  • The user is behind a firewall that is blocking ports UDP 4500/500 and/or ESP.
  • The VPN client is connecting over TCP and the default TCP port 10000 for NAT is blocked.
  • The internet connection is not stable and some packets are not reaching the ASA or the replies from the ASA aren’t getting to the client, hence the client thinks the server is no longer available.
  • The VPN client is behind a NAT device and the ASA doesn’t have NAT-T enabled. In this case the user will not be able to send or receive traffic at all. It will be able to connect but that’s all. After some time the software client deletes the VPN tunnel.

Suggested solutions:

  • If you are using wireless, try to connect with cable
  • Turn your firewall off, then test the connection to see whether the problem still occurs. If it doesn’t then you can turn your firewall back on, add exception rules for port 500, port 4500 and the ESP protocol in your firewall
  • Turn on NAT-T/TCP in your profile (remember to unblock port 10000 in your firewall)
  • Edit your profile with your editor and change ForceKeepAlive=0 to 1

The original poster does not tell us whether the session got established and then dropped with this message or whether the session never gets established and they get this message. It would be important to know in what situation the message is generated.

I notice that there is an extended access list configured and assigned on the outside interface. This interface has multiple lines to permit various forms of ISAKMP but has nothing to permit ESP. When Remote Access VPN is properly configured an access list on the outside interface should not be needed. And if an access list is configured then it should permit the IPSec protocols in addition to ISAKMP.

HTH

Rick


Gareth Gudger
Level 1

This may not be a problem with the client side at all, but with the firewall configuration itself. I had this same error code and it turned out to be a problem with a NAT statement on the ASA I was trying to VPN to.

Check here for more info.

http://supertekboy.com/2014/01/15/cisco-vpn-reason-412-the-remote-peer-is-no-longer-responding/
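Added example, not code from any of the replies above: a small Python lint that runs over the posted ASA 8.2 config and flags the three causes the replies point at (Rick's outside ACL that permits ISAKMP but not ESP, grabonlee's NAT-T point, and the NAT statement Gareth mentions, which is assumed here to be a missing NAT exemption for the VPN pool). SAMPLE_CONFIG is built from the question's own lines; FIXED_CONFIG and the nonat ACL name are hypothetical.

```python
import re

# Constructed sample: the relevant lines of the ASA 8.2 config posted in the question.
SAMPLE_CONFIG = """
access-list acl-outside extended permit tcp any host XX.XX.129.21 eq 500
access-list acl-outside extended permit udp any host XX.XX.129.21 eq 4500
access-list acl-outside extended permit udp any host XX.XX.129.21 eq isakmp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl-outside in interface outside
crypto isakmp enable outside
"""
# Hypothetical fix: the same config plus the lines the replies call for (nonat name is assumed).
FIXED_CONFIG = SAMPLE_CONFIG + """
access-list acl-outside extended permit esp any host XX.XX.129.21
crypto isakmp nat-traversal 20
access-list nonat extended permit ip 10.0.101.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def lint_ra_vpn(config):
    """Return findings for the causes of error 412 discussed in the replies."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. An ACL applied inbound on outside must permit ISAKMP, NAT-T and ESP (not just TCP).
    acl = None
    for l in lines:
        m = re.match(r"access-group (\S+) in interface outside", l)
        if m:
            acl = m.group(1)
    if acl:
        rules = [l for l in lines if l.startswith(f"access-list {acl} ")]
        def permits(proto, port=""):
            pat = rf"permit {proto}\b" + (rf".* eq {port}$" if port else "")
            return any(re.search(pat, r) for r in rules)
        if not (permits("udp", "isakmp") or permits("udp", "500")):
            findings.append(f"{acl}: no permit udp ... eq isakmp (UDP/500)")
        if not permits("udp", "4500"):
            findings.append(f"{acl}: no permit udp ... eq 4500 (NAT-T)")
        if not permits("esp"):
            findings.append(f"{acl}: no permit esp (IP protocol 50)")
    # 2. Clients behind NAT need NAT-T; with no explicit line the version default applies.
    if not any(re.match(r"(crypto )?isakmp nat-traversal", l) for l in lines):
        findings.append("no 'crypto isakmp nat-traversal' line: verify NAT-T is enabled")
    # 3. Dynamic PAT on inside with no exemption also translates traffic bound for VPN clients.
    if any(l.startswith("nat (inside) 1 ") for l in lines) and \
       not any(l.startswith("nat (inside) 0 access-list") for l in lines):
        findings.append("nat (inside) 1 without nat (inside) 0 access-list: no NAT exemption for the VPN pool")
    return findings

if __name__ == "__main__":
    for f in lint_ra_vpn(SAMPLE_CONFIG):
        print("FINDING:", f)
```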

nakshitech
Level 1

Hi, to fix the issue please check the video:

https://youtu.be/UJqTrtyhER0?si=TWpa6lJTZCmVvDcl
