I have remote access VPN issue, like this description (link is below):
Cisco Device: ASA 5510 Security plus
It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example if you try to connect the VPN client to the ASA and your public Ip is 184.108.40.206 and on the same ASA if you have a Site to Site VPN already connnect with an IP address 220.127.116.11 you will see the following error in the debug:
"cannot match peerless map when peer found in previous map entry."
Here are error logs:
%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Does anybody khows solution for this issue (both VPN-s are nesessary)?
I've got the same issue on ASA-SM (9.1(3)). As far as I know ASA can't create new ISAKMP SA try to connect by VPNclient from location which has a L2L VPN with ASA. It must uniquely identify remote peer at Phase 1 in order to create the SA phase 1 after peer authentication. I guess your issue is connecting with enabled NAT-T feature in Dynamic crypto. So what cisco talk about this:
"The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both:
In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be coming from the same public IP address, address of the NAT device. Also, remote access tunnels fail in a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is, the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a mixed LAN-to-LAN and remote access network of peers behind the NAT device."
So that behavior aren't abnormal, the ASA just work like this. I guess you'd better use another public ip address either remote vpn clients or Site2Site IPSec Tunnel.
Thanks for reply.
I have solved this issue via STATIC_NAT:
I create nat rule - when users try to connect via RA VPN - their IP is different from outside interface's address.