12379 Views, 0 Helpful, 4 Replies

Secure VPN Connection Terminated by Peer

kevinshkong11
Level 1

I am facing an issue: when connecting to a Cisco ASA 5510 using the Cisco VPN Client, an error message pops up.

Secure VPN Connection Terminated by Peer.

Reason 433: (Reason Not Specified by Peer)

ciscoasa# sh run

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name xxxxxx

enable password 7fTgB/sKwfNkRaFs encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 168.168.168.246 Exchange-IP

name xx.xx.xx.xx Outside-IP

name 168.168.168.234 CCTV-IP

!

interface Ethernet0/0

nameif outside

security-level 0

ip address XXX.XXX.XXX.XXX 255.255.255.252

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 168.168.168.99 255.255.255.0

!

interface Ethernet0/2

nameif guest

security-level 40

ip address 168.168.169.99 255.255.255.0

!

interface Ethernet0/3

shutdown

nameif outside1

security-level 0

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 202.188.1.5

name-server 202.188.0.133

domain-name ciscoasa.benkert.com.my

object-group service CCTV-Protocol tcp-udp

port-object eq 11095

object-group service MS-RDP tcp

port-object eq 3389

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCPUDP_1 tcp-udp

group-object CCTV-Protocol

port-object eq 11001

object-group service L2TP-VPN tcp

port-object eq 47

port-object eq pptp

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

port-object eq pop3

port-object eq smtp

access-list outbound1 extended permit ip any any

access-list inbound1 extended permit ip any any

access-list outside_access_in extended permit tcp any any eq smtp

access-list outside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any any eq pop3

access-list outside_access_in extended permit tcp any any object-group MS-RDP

access-list outside_access_in extended permit object-group TCPUDP any any object-group DM_INLINE_TCPUDP_1

access-list outside_access_in extended permit tcp any any eq 8443

access-list outside_access_in extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list outside_access_in extended permit tcp any any eq 3128

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any any eq www

access-list outside_access_in extended permit ip 16.16.16.0 255.255.255.0 168.168.168.0 255.255.255.0

access-list outside_access_in extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 168.168.168.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 16.16.16.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 168.168.168.0 255.255.255.0 168.168.169.0 255.255.255.0

access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1

access-list RemoteVPN_splitTunnelAcl standard permit 168.168.168.0 255.255.255.0

access-list BENKERTVPN_splitTunnelAcl standard permit 168.168.168.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 168.168.168.0 255.255.255.0

access-list outside_cryptomap_dyn_40 extended permit ip any 168.168.168.0 255.255.255.0

access-list inside_access_in extended permit ip host Exchange-IP any

access-list inside_access_in extended permit ip host 168.168.168.251 any

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip any any

access-list outside_2_cryptomap extended permit ip 168.168.168.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip 168.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm debugging

mtu outside 1500

mtu inside 1500

mtu guest 1500

mtu outside1 1500

ip local pool vpn-ip-pool 168.168.168.100-168.168.168.200 mask 255.255.255.0

ip local pool VPNPOOL 172.16.0.1-172.16.0.100 mask 255.255.255.0

ip local pool RemoteVPN 16.16.16.1-16.16.16.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

icmp permit any outside1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (guest) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 Exchange-IP 3389 netmask 255.255.255.255

static (inside,outside) udp interface 11001 CCTV-IP 11001 netmask 255.255.255.255

static (inside,outside) tcp interface 8443 168.168.168.199 8443 netmask 255.255.255.255

static (inside,outside) tcp interface 3128 168.168.168.247 3128 netmask 255.255.255.255

static (inside,outside) tcp interface www CCTV-IP www netmask 255.255.255.255

static (inside,outside) tcp interface smtp Exchange-IP smtp netmask 255.255.255.255

static (inside,outside) tcp interface pop3 Exchange-IP pop3 netmask 255.255.255.255

static (inside,outside) tcp interface https Exchange-IP https netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 219.92.38.165 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server WIN2008 protocol radius

aaa-server WIN2008 (inside) host 168.168.168.249

key BENKERT

radius-common-pw BENKERT

aaa authentication ssh console LOCAL

http server enable

http 168.168.168.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set pfs group1

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 212.185.65.4

crypto map outside_map 2 set transform-set TRANS_ESP_DES_SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map outside_map 3 match address outside_cryptomap

crypto map outside_map 3 set peer 80.168.187.195

crypto map outside_map 3 set transform-set ESP-DES-MD5

crypto map outside_map 3 set security-association lifetime seconds 28800

crypto map outside_map 3 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 3

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 4

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

crypto isakmp ipsec-over-tcp port 10000

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 168.168.168.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 168.168.168.100-168.168.168.248 inside

dhcpd domain benkert.com.my interface inside

!

dhcpd address 168.168.169.100-168.168.169.248 guest

dhcpd dns 8.8.8.8 8.8.4.4 interface guest

dhcpd option 3 ip 168.168.169.99 interface guest

dhcpd enable guest

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption rc4-sha1

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 168.168.168.249

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy BENKERTVPN internal

group-policy BENKERTVPN attributes

dns-server value 168.168.168.249

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value BENKERTVPN_splitTunnelAcl

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

dns-server value 168.168.168.249

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteVPN_splitTunnelAcl

group-policy L2TP-Tunnel internal

group-policy L2TP-Tunnel attributes

dns-server value 168.168.168.249

vpn-tunnel-protocol IPSec l2tp-ipsec svc

username josadmin password hPSq6j22Cs1upxbJ encrypted privilege 15

username vpnuser2 password iEb36u6PsRetBr3YMLdYbA== nt-encrypted privilege 0

username vpnuser2 attributes

vpn-group-policy DefaultRAGroup

username vpnuser1 password JZrBb1aoTNkI.eel encrypted privilege 0

username vpnuser1 attributes

vpn-group-policy BENKERTVPN

service-type remote-access

tunnel-group DefaultRAGroup general-attributes

address-pool vpn-ip-pool

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group L2TP-Tunnel type remote-access

tunnel-group L2TP-Tunnel general-attributes

address-pool vpn-ip-pool

default-group-policy L2TP-Tunnel

tunnel-group L2TP-Tunnel ipsec-attributes

pre-shared-key *

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool VPNPOOL

default-group-policy RemoteVPN

tunnel-group RemoteVPN ipsec-attributes

pre-shared-key *

tunnel-group BENKERTVPN type remote-access

tunnel-group BENKERTVPN general-attributes

address-pool RemoteVPN

authentication-server-group WIN2008

default-group-policy BENKERTVPN

tunnel-group BENKERTVPN ipsec-attributes

pre-shared-key *

tunnel-group 212.185.65.4 type ipsec-l2l

tunnel-group 212.185.65.4 ipsec-attributes

pre-shared-key *

tunnel-group 80.168.187.195 type ipsec-l2l

tunnel-group 80.168.187.195 ipsec-attributes

pre-shared-key *

!

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

class-map guest-class

match any

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

class global-class

  csc fail-open

policy-map guest-policy

class guest-class

  police input 5000000 2500

  police output 5000000 2500

!

service-policy global_policy global

service-policy guest-policy interface guest

prompt hostname context

Cryptochecksum:b7599eb670f9e1192460c32bb80b6d2a

: end

Kindly advise.

4 Replies

andrew.prince
Level 10

If the remote-end VPN user gets this message once in a while, in my experience 100% of the time it is a connectivity issue from the user's remote network and/or Internet connectivity.

However, if they cannot connect or have never been able to connect, then check here:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro

HTH.

There is no network connectivity issue.

When I ran debug crypto isakmp 127, I saw these log lines.

Oct 02 14:03:09 [IKEv1]: IP = 212.185.65.4, IKE_DECODE SENDING Message (msgid=e5ede766) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication -  check configured username and password

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE TM V6 FSM error history (struct &0xd882d378)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_AUTH_FAIL-->TM_AUTH, NullEvent-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE AM Responder FSM error history (struct &0xd8896e48)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE SA AM:4f45583e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, sending delete/delete with reason message

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing blank hash payload

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing IKE delete payload

Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, constructing qm hash payload

Oct 02 14:03:24 [IKEv1]: IP = 60.53.6.0, IKE_DECODE SENDING Message (msgid=66f0bee0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Removing peer from peer table failed, no match!

Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Error: Unable to remove PeerTblEntry

The customer said that there was no configuration change on the RADIUS server. It has been happening since last weekend.

Here is the issue:

Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication -  check configured username and password

I think it could be one of three things:

1- The PSK for the group authentication is incorrect in the client config

2- The username/password in RADIUS has changed or needs to be changed due to a password-aging policy

3- The ASA is no longer able to query and pass on auth requests to the RADIUS server

HTH.
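An added example (not from the original thread, and not a Cisco tool) that correlates the `debug crypto isakmp 127` output above with the running config from the first post, to answer the question the three hypotheses raise: which AAA server is this tunnel-group actually asking, and what is the one command to test that path. The script parses the Group/Username/IP prefix that ASA 8.0(4) prints on each debug line, reads the IKE FSM error histories (most recent event first), and looks up the tunnel-group's authentication-server-group and its RADIUS host. Two inferences are mine, not the page's: in the AM history, `AM_PROC_MSG3` followed by `AM_TM_INIT_XAUTH` means aggressive-mode message 3 (the hash the group pre-shared key authenticates) was accepted before XAUTH started, which argues against hypothesis 1; and `EV_CHK_MSCHAPV2` followed by `EV_AUTH_FAIL` in the TM history places the failure at the MS-CHAPv2 user-credential check, which points at hypotheses 2 or 3. The log and config excerpts are copied from the posts; the regexes and the default of LOCAL when no authentication-server-group is configured are assumptions.

```python
"""Triage an ASA IKEv1 remote-access auth failure from debug output plus running config."""
import re

# Excerpt of the running config from the first post (only the lines the lookup needs).
CONFIG = """\
aaa-server WIN2008 protocol radius
aaa-server WIN2008 (inside) host 168.168.168.249
key BENKERT
aaa authentication ssh console LOCAL
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool VPNPOOL
default-group-policy RemoteVPN
tunnel-group BENKERTVPN type remote-access
tunnel-group BENKERTVPN general-attributes
address-pool RemoteVPN
authentication-server-group WIN2008
default-group-policy BENKERTVPN
"""

# Debug lines copied from the thread (the first one carries no Group/Username and is skipped).
LOG = """\
Oct 02 14:03:09 [IKEv1]: IP = 212.185.65.4, IKE_DECODE SENDING Message (msgid=e5ede766) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Remote peer has failed user authentication -  check configured username and password
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE TM V6 FSM error history (struct &0xd882d378)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_AUTH_FAIL-->TM_AUTH, NullEvent-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent
Oct 02 14:03:24 [IKEv1 DEBUG]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, IKE AM Responder FSM error history (struct &0xd8896e48)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Oct 02 14:03:24 [IKEv1]: Group = BENKERTVPN, Username = regina, IP = 60.53.6.0, Removing peer from peer table failed, no match!
"""

# Assumed line shapes for ASA 8.0(4) `show run` and isakmp debug output.
CFG_AAA_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)")
CFG_AAA_HOST = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
CFG_TG = re.compile(r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes|ppp-attributes)")
LOG_EVENT = re.compile(r"Group = (\S+), Username = (\S+), IP = (\S+), (.*)$")
TG_ATTRS = ("authentication-server-group", "address-pool", "default-group-policy")


def parse_config(text):
    """Return (aaa_servers, tunnel_groups) from a pasted running config (indentation optional)."""
    aaa, tgs, current_tg = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CFG_AAA_PROTO.match(line):
            aaa[m.group(1)] = {"protocol": m.group(2), "hosts": []}
            current_tg = None
        elif m := CFG_AAA_HOST.match(line):
            aaa.setdefault(m.group(1), {"protocol": "?", "hosts": []})["hosts"].append(m.group(3))
        elif m := CFG_TG.match(line):
            current_tg = m.group(1)
            tgs.setdefault(current_tg, {})
        elif current_tg and line:
            key, _, value = line.partition(" ")
            if key in TG_ATTRS:
                tgs[current_tg][key] = value
    return aaa, tgs


def parse_log(text):
    """One dict per debug line that carries the Group/Username/IP prefix."""
    events = []
    for line in text.splitlines():
        if m := LOG_EVENT.search(line):
            events.append({"group": m.group(1), "user": m.group(2), "peer": m.group(3), "msg": m.group(4)})
    return events


def triage(log_text, config_text):
    """Locate the failing session, place the failure in the IKE exchange, and name the AAA path to test."""
    aaa, tgs = parse_config(config_text)
    events = parse_log(log_text)
    failure = next((e for e in events if "failed user authentication" in e["msg"]), None)
    if failure is None:
        return {"failed_at": None}
    tm_hist = next((e["msg"] for e in events if "IKE TM" in e["msg"] and "FSM error history" in e["msg"]), "")
    am_hist = next((e["msg"] for e in events if "IKE AM" in e["msg"] and "FSM error history" in e["msg"]), "")
    # Histories list the newest transition first. Message 3 processed and the XAUTH
    # transaction started => the group PSK was already accepted (inference, see lead-in).
    phase1_ok = "AM_PROC_MSG3" in am_hist and "AM_TM_INIT_XAUTH" in am_hist
    xauth_fail = "EV_AUTH_FAIL" in tm_hist
    method = "mschapv2" if "EV_CHK_MSCHAPV2" in tm_hist else "unknown"
    tg = tgs.get(failure["group"], {})
    # ASA falls back to the LOCAL user database when no authentication-server-group is set.
    auth_group = tg.get("authentication-server-group", "LOCAL").split()[0]
    hosts = aaa.get(auth_group, {}).get("hosts", [])
    next_check = (f"test aaa-server authentication {auth_group} host {hosts[0]} "
                  f"username {failure['user']} password <password>"
                  if hosts else "show running-config username")
    return {
        "group": failure["group"], "user": failure["user"], "peer": failure["peer"],
        "phase1_psk_accepted": phase1_ok,
        "failed_at": "xauth" if xauth_fail else "unknown",
        "xauth_method": method,
        "aaa_group": auth_group,
        "aaa_protocol": aaa.get(auth_group, {}).get("protocol", "local"),
        "aaa_hosts": hosts,
        "next_check": next_check,
    }


if __name__ == "__main__":
    for k, v in triage(LOG, CONFIG).items():
        print(f"{k:>20}: {v}")
```

Run it against a fresh capture by replacing `LOG` with the debug output and `CONFIG` with `show run`. For the session above it reports group BENKERTVPN, user regina, PSK accepted, failure at XAUTH (MS-CHAPv2), AAA group WIN2008 (RADIUS at 168.168.168.249), and prints the `test aaa-server authentication` command that exercises exactly the ASA-to-RADIUS path hypothesis 3 is about; if that test also fails while the user's credentials are known good, the problem is on the RADIUS side (server, shared key, or whatever the server needs to reach behind it), not in the IKE configuration.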

Thanks. The problem was solved. DNS should point to the AD server instead of public DNS.