cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3126
Views
0
Helpful
3
Replies

Remote Access VPN Issue

mirage__SK
Level 1
Level 1

Hi all!

I have remote access VPN issue, like this description (link is below):

Cisco Device: ASA 5510 Security plus

IOS: 9.1.(3)

It's a very common issue and generally happens when you try to  connect the VPN client from the same location which has a site to site  VPN with the device. For example if you try to connect the VPN client to  the ASA and your public Ip is 1.1.1.1 and on the same ASA if you have a  Site to Site VPN already connnect with an IP address 1.1.1.1 you will  see the following error in the debug:

"cannot match peerless map when peer found in previous map entry."

Here are error logs:

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A,  Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot  match peerless map when peer found in previous map entry.

%ASA-3-713061:  Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec  tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on  interface outside

https://supportforums.cisco.com/thread/2242812

Does anybody khows solution for this issue (both VPN-s are nesessary)?

3 Replies 3

mirage__SK
Level 1
Level 1

No any Ideas?

Hi Vakhtang!

I've got the same issue on ASA-SM (9.1(3)). As far as I know ASA can't create new ISAKMP SA try to connect by VPNclient from location which has a L2L VPN with ASA. It must uniquely identify remote peer at Phase 1 in order to create the SA phase 1 after peer authentication. I guess your issue is connecting with enabled NAT-T feature in Dynamic crypto. So what cisco talk about this:

"The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both:

LAN-to-LAN

Remote access

In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be coming from the same public IP address, address of the NAT device. Also, remote access tunnels fail in a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is, the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a mixed LAN-to-LAN and remote access network of peers behind the NAT device."

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#wp1120836

So that behavior aren't abnormal, the ASA just work like this. I guess you'd better use another public ip address either remote vpn clients or Site2Site IPSec Tunnel.

Hi Roman!

Thanks for reply.

I have solved this issue via STATIC_NAT:

I create nat rule - when users try to connect via RA VPN - their IP is different from outside interface's address.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: