ASA 5510 behind NAT router (412 error)

browe-tfx
Level 1

I have an ASA 5510 behind a 2911 router. I've been trying to configure a remote access and a site-to-site VPN tunnel. I've started on the remote access, and I have it set up, but I'm getting this error message when trying to authenticate from the VPN client (412 error). Has anyone come across this before?

Nov 11 09:52:45 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428

Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE AM Responder FSM error history (struct &0xab58c9a0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE SA AM:c666551f terminating:  flags 0x0104c001, refcnt 0, tuncnt 0

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, sending delete/delete with reason message

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing blank hash payload

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing IKE delete payload

Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing qm hash payload

Nov 11 09:53:09 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=8582ab0c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Removing peer from peer table failed, no match!

Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Error: Unable to remove PeerTblEntry

5 Replies

Mohammad Alhyari
Cisco Employee

Hi.

Please attach the full debugs, and also the configuration.

Regards.

I have attached my ASA config and the debug of what I'm getting when trying to connect to the VPN.

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers will fail.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution18
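A quick way to audit a running config for the ordering rule quoted above, written as an added example for this thread (not the poster's config and not a Cisco tool): it parses the `crypto map` lines and flags every static entry whose sequence number sits above the dynamic entry in the same map. The configuration fragment is constructed, with a placeholder peer address.

```python
import re
from collections import defaultdict

# Constructed ASA config fragment (not from the thread): the dynamic
# remote-access entry is numbered 10, below the static site-to-site entry 20,
# which is the ordering the Cisco tech note says makes the static peer fail.
SAMPLE_CONFIG = """
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

# Matches "crypto map <name> <seq> <rest>"; the interface binding line has no
# sequence number and is therefore skipped.
_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def check_crypto_map_order(config: str) -> dict:
    """Map crypto-map name -> list of static entries numbered above a dynamic one.

    Entries are evaluated in ascending sequence order, so a static entry whose
    number is higher than the dynamic entry is shadowed by it and never used.
    """
    dynamic, static = defaultdict(set), defaultdict(set)  # name -> seq numbers
    for line in config.splitlines():
        m = _MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        target = dynamic if rest.startswith("ipsec-isakmp dynamic ") else static
        target[name].add(seq)
    problems = {}
    for name in set(dynamic) | set(static):
        if not dynamic[name] or not static[name]:
            continue
        lowest_dyn = min(dynamic[name])
        shadowed = sorted(s for s in static[name] if s > lowest_dyn)
        if shadowed:
            problems[name] = [
                f"static entry {s} is numbered above dynamic entry {lowest_dyn}; "
                f"renumber the dynamic entry above {max(static[name])}"
                for s in shadowed
            ]
    return problems

if __name__ == "__main__":
    for name, issues in check_crypto_map_order(SAMPLE_CONFIG).items():
        print(name, *issues, sep="\n  ")
```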

vikz230884
Level 1

Hi,

Usually I have a group-policy defined for it, but this one doesn't have it. Is the VPN client prompting for username and password for authentication?

HTH,

Vikram

Hi all, sorry I'm late in responding. I'm beginning to think this is a design issue on my end, which actually brings me to my next question. Currently my network, before the ASA, was as follows:

Cisco 2911 Router -> Cisco 2960 Switch. The router houses the VLANs and I just use the switch for providing access to the VLANs. I had the ASA plugged into the switch, but it wasn't getting a return route. This is probably because, as I just realized, the 2960 doesn't allow for routing: when I logged onto the ASA I would get "gateway of last resort not set" (even though I had one set).

So would it be better that I plug the ASA into the free interface (gi0/2) on the router? If that is even possible.
