09-30-2013 05:28 PM
I am facing an issue where, when connecting to a Cisco ASA 5510 using the Cisco VPN Client, an error message pops up:
Secure VPN Connection Terminated by Peer.
Reason 433: (Reason Not Specified by Peer)
ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxxxxx
enable password 7fTgB/sKwfNkRaFs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 168.168.168.246 Exchange-IP
name xx.xx.xx.xx Outside-IP
name 168.168.168.234 CCTV-IP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 168.168.168.99 255.255.255.0
!
interface Ethernet0/2
nameif guest
security-level 40
ip address 168.168.169.99 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif outside1
security-level 0
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 202.188.1.5
name-server 202.188.0.133
domain-name ciscoasa.benkert.com.my
object-group service CCTV-Protocol tcp-udp
port-object eq 11095
object-group service MS-RDP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCPUDP_1 tcp-udp
group-object CCTV-Protocol
port-object eq 11001
object-group service L2TP-VPN tcp
port-object eq 47
port-object eq pptp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
access-list outbound1 extended permit ip any any
access-list inbound1 extended permit ip any any
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any object-group MS-RDP
access-list outside_access_in extended permit object-group TCPUDP any any object-group DM_INLINE_TCPUDP_1
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any any eq 3128
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit ip 16.16.16.0 255.255.255.0 168.168.168.0 255.255.255.0
access-list outside_access_in extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 168.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 16.16.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 168.168.169.0 255.255.255.0
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list RemoteVPN_splitTunnelAcl standard permit 168.168.168.0 255.255.255.0
access-list BENKERTVPN_splitTunnelAcl standard permit 168.168.168.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 168.168.168.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 168.168.168.0 255.255.255.0
access-list inside_access_in extended permit ip host Exchange-IP any
access-list inside_access_in extended permit ip host 168.168.168.251 any
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_2_cryptomap extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu outside1 1500
ip local pool vpn-ip-pool 168.168.168.100-168.168.168.200 mask 255.255.255.0
ip local pool VPNPOOL 172.16.0.1-172.16.0.100 mask 255.255.255.0
ip local pool RemoteVPN 16.16.16.1-16.16.16.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any outside1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 Exchange-IP 3389 netmask 255.255.255.255
static (inside,outside) udp interface 11001 CCTV-IP 11001 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 168.168.168.199 8443 netmask 255.255.255.255
static (inside,outside) tcp interface 3128 168.168.168.247 3128 netmask 255.255.255.255
static (inside,outside) tcp interface www CCTV-IP www netmask 255.255.255.255
static (inside,outside) tcp interface smtp Exchange-IP smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Exchange-IP pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange-IP https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 219.92.38.165 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server WIN2008 protocol radius
aaa-server WIN2008 (inside) host 168.168.168.249
key BENKERT
radius-common-pw BENKERT
aaa authentication ssh console LOCAL
http server enable
http 168.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 212.185.65.4
crypto map outside_map 2 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 80.168.187.195
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 4
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 168.168.168.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 168.168.168.100-168.168.168.248 inside
dhcpd domain benkert.com.my interface inside
!
dhcpd address 168.168.169.100-168.168.169.248 guest
dhcpd dns 8.8.8.8 8.8.4.4 interface guest
dhcpd option 3 ip 168.168.169.99 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption rc4-sha1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 168.168.168.249
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy BENKERTVPN internal
group-policy BENKERTVPN attributes
dns-server value 168.168.168.249
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BENKERTVPN_splitTunnelAcl
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
dns-server value 168.168.168.249
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_splitTunnelAcl
group-policy L2TP-Tunnel internal
group-policy L2TP-Tunnel attributes
dns-server value 168.168.168.249
vpn-tunnel-protocol IPSec l2tp-ipsec svc
username josadmin password hPSq6j22Cs1upxbJ encrypted privilege 15
username vpnuser2 password iEb36u6PsRetBr3YMLdYbA== nt-encrypted privilege 0
username vpnuser2 attributes
vpn-group-policy DefaultRAGroup
username vpnuser1 password JZrBb1aoTNkI.eel encrypted privilege 0
username vpnuser1 attributes
vpn-group-policy BENKERTVPN
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-ip-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group L2TP-Tunnel type remote-access
tunnel-group L2TP-Tunnel general-attributes
address-pool vpn-ip-pool
default-group-policy L2TP-Tunnel
tunnel-group L2TP-Tunnel ipsec-attributes
pre-shared-key *
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPOOL
default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *
tunnel-group BENKERTVPN type remote-access
tunnel-group BENKERTVPN general-attributes
address-pool RemoteVPN
authentication-server-group WIN2008
default-group-policy BENKERTVPN
tunnel-group BENKERTVPN ipsec-attributes
pre-shared-key *
tunnel-group 212.185.65.4 type ipsec-l2l
tunnel-group 212.185.65.4 ipsec-attributes
pre-shared-key *
tunnel-group 80.168.187.195 type ipsec-l2l
tunnel-group 80.168.187.195 ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
class-map guest-class
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class global-class
csc fail-open
policy-map guest-policy
class guest-class
police input 5000000 2500
police output 5000000 2500
!
service-policy global_policy global
service-policy guest-policy interface guest
prompt hostname context
Cryptochecksum:b7599eb670f9e1192460c32bb80b6d2a
: end
Kindly advise.
09-30-2013 11:39 PM
If the remote end VPN user gets this message once in a while - in my experience 100% of the time it is a connectivity issue from the user's remote network and/or Internet connectivity.
However if they cannot connect or have never been able to connect then check here:-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro
HTH.
10-02-2013 02:29 AM
There is no network connectivity issue.
When I ran debug crypto isakmp 127, I saw these logs.
Oct 02 14:03:09 [IKEv1]: IP = 212.185.65.4, IKE_DECODE SENDING Message (msgid=e5ede766) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication - check configured username and password
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE TM V6 FSM error history (struct &0xd882d378)
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE AM Responder FSM error history (struct &0xd8896e48)
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE SA AM:4f45583e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, sending delete/delete with reason message
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing blank hash payload
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing IKE delete payload
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing qm hash payload
Oct 02 14:03:24 [IKEv1]: IP = 60.53.6.0, IKE_DECODE SENDING Message (msgid=66f0bee0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Removing peer from peer table failed, no match!
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Error: Unable to remove PeerTblEntry
Customer said that there has been no configuration change on the RADIUS server. It has been happening since last weekend.
10-02-2013 02:58 AM
There is the issue:
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication - check configured username and password
I think it could be one of three things:-
1- The PSK for the group authentication is incorrect in the client config
2- The username/password in RADIUS has changed or needs to be changed due to a password aging policy
3- The ASA is no longer able to query and pass on auth requests to the Radius server
HTH.
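As an added example (not code from this thread, from Cisco, or from the ASA), here is a small Python triage script for the situation above: it parses IKEv1 debug lines in the format shown in the earlier post for "Remote peer has failed user authentication", counts failures per tunnel-group, and cross-references a running-config excerpt to report which AAA server group and host that tunnel-group authenticates against (LOCAL when none is configured, which is the ASA default). That mapping is the check behind the third cause listed above: it tells the operator which RADIUS host to test reachability against. The sample debug lines and config excerpt are constructed for the example and modelled on the thread's output; the username "bob" and the addresses 198.51.100.7 and 203.0.113.9 are invented.

```python
"""Triage helper for Cisco ASA 'debug crypto isakmp' (IKEv1) output.

Added example, not part of the original thread. Extracts failed user
authentications and maps the failing tunnel-group to its AAA server.
"""
import re
from collections import Counter

# Constructed sample debug output in the style of the thread's post.
# Only the "failed user authentication" lines are triaged; the rest is ignored.
SAMPLE_DEBUG = """\
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication - check configured username and password
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE SA AM:4f45583e terminating: flags 0x0105c001, refcnt 0, tuncnt 0
Oct 02 14:05:01 [IKEv1]: Group = BENKERTVPN, Username = bob, IP = 198.51.100.7, Remote peer has failed user authentication - check configured username and password
Oct 02 14:06:10 [IKEv1]: IP = 203.0.113.9, IKE_DECODE SENDING Message (msgid=e5ede766) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
"""

# Constructed running-config excerpt mirroring the relevant lines of the
# thread's 'sh run' (the aaa-server key is deliberately omitted).
SAMPLE_CONFIG = """\
aaa-server WIN2008 protocol radius
aaa-server WIN2008 (inside) host 168.168.168.249
tunnel-group BENKERTVPN type remote-access
tunnel-group BENKERTVPN general-attributes
 address-pool RemoteVPN
 authentication-server-group WIN2008
 default-group-policy BENKERTVPN
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool VPNPOOL
 default-group-policy RemoteVPN
"""

FAIL_RE = re.compile(
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>[\d.]+), "
    r"Remote peer has failed user authentication"
)


def auth_failures(debug_text):
    """Return (group, username, ip) for every failed user authentication line."""
    found = []
    for line in debug_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found.append(m.group("group", "user", "ip"))
    return found


def failures_by_group(debug_text):
    """Count failed authentications per tunnel-group."""
    return Counter(group for group, _, _ in auth_failures(debug_text))


def tunnel_group_auth_servers(config_text):
    """Map tunnel-group name -> AAA server group used for user authentication.

    A tunnel-group without authentication-server-group authenticates
    against the LOCAL user database (ASA default).
    """
    servers = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            current = m.group(1)
            servers.setdefault(current, "LOCAL")
            continue
        if line.startswith("tunnel-group "):
            current = None  # another tunnel-group section (type / ipsec-attributes)
            continue
        m = re.match(r"\s*authentication-server-group (\S+)", line)
        if m and current:
            servers[current] = m.group(1)
    return servers


def aaa_server_hosts(config_text):
    """Map AAA server group -> list of configured host addresses."""
    hosts = {}
    for line in config_text.splitlines():
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(2))
    return hosts


def triage(debug_text, config_text):
    """For each failing tunnel-group, report the failure count and where its
    authentication requests are sent, so the right server can be tested."""
    servers = tunnel_group_auth_servers(config_text)
    hosts = aaa_server_hosts(config_text)
    report = {}
    for group, count in failures_by_group(debug_text).items():
        server = servers.get(group, "LOCAL")
        report[group] = {
            "failures": count,
            "auth_server_group": server,
            "hosts": hosts.get(server, []),
        }
    return report


if __name__ == "__main__":
    for group, info in triage(SAMPLE_DEBUG, SAMPLE_CONFIG).items():
        print(f"{group}: {info['failures']} failed auth(s), "
              f"server group {info['auth_server_group']} -> {info['hosts']}")
```

Run it against a captured debug session and the device's own `show run` text; a tunnel-group that reports LOCAL is failing against the ASA's local user database, while one that maps to a RADIUS host points the investigation at reachability of, and credentials on, that host.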
10-02-2013 05:30 PM
Thanks. Problem was solved. DNS should point to AD server instead of public DNS.