04-13-2015 05:26 AM
Hi
We are running an ASA 5505 firewall version 8.4(4)1. The ASDM version is 6.4(9).
The problem is when creating the remote access VPN connection, it works fine for about 2-3 days.
After that the VPN client cant connect anymore and gives the error code 789.
The VPN clients in this case are Windows 7 clients from different remote networks with the same problem scenario.
Windows 8.1 clients cant connect at all and show the same error code...
All the connections go throught the defaultragroup and preshare keys match on both sides.
When the user attemps to connect i get the following in the ASDM log:
Solved! Go to Solution.
04-14-2015 08:18 AM
Hi there,
If you are using local authentication (username and password on the ASA), then why you would require these below line?
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
Remove it and try.
04-13-2015 08:31 AM
Please post your config for easier trouble shooting purpose.
thanks
04-14-2015 12:00 AM
Ok, here it is.
Just realized it got prtty messed up after all configuration attempts...
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.168.0_28
subnet 192.168.168.0 255.255.255.240
object network STATIC-PAT
object network PORT-FORWARD
host 192.168.30.160
object network NETWORK_OBJ_192.168.168.8_29
subnet 192.168.168.8 255.255.255.248
object network NETWORK_OBJ_192.168.168.12_30
subnet 192.168.168.12 255.255.255.252
object network NETWORK_OBJ_192.168.168.0_27
subnet 192.168.168.0 255.255.255.224
object network NETWORK_OBJ_192.168.168.16_29
subnet 192.168.168.16 255.255.255.248
object network NETWORK_OBJ_192.168.168.24_30
subnet 192.168.168.24 255.255.255.252
object network NETWORK_OBJ_192.168.168.16_30
subnet 192.168.168.16 255.255.255.252
object network NETWORK_OBJ_192.168.168.20_30
subnet 192.168.168.20 255.255.255.252
object-group network DM_INLINE_NETWORK_1
network-object host 195.178.163.235
network-object host 212.116.95.172
network-object host 62.20.109.66
network-object host 62.20.109.72
access-list WAN-IN extended permit tcp host 192.168.30.160 object PORT-FORWARD eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object PORT-FORWARD eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool marie 192.168.168.11-192.168.168.12 mask 255.255.255.0
ip local pool jiota 192.168.168.15-192.168.168.16 mask 255.255.255.0
ip local pool pool-vpn 192.168.168.17-192.168.168.18 mask 255.255.255.0
ip local pool vpn-pool 192.168.168.1-192.168.168.10 mask 255.255.255.0
ip local pool sto_vpnpool 192.168.168.13-192.168.168.14 mask 255.255.255.0
ip local pool dcgvpn 192.168.168.20-192.168.168.22 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.0_28 NETWORK_OBJ_192.168.168.0_28 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.8_29 NETWORK_OBJ_192.168.168.8_29 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.12_30 NETWORK_OBJ_192.168.168.12_30 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.0_27 NETWORK_OBJ_192.168.168.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.16_29 NETWORK_OBJ_192.168.168.16_29 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.24_30 NETWORK_OBJ_192.168.168.24_30 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.16_30 NETWORK_OBJ_192.168.168.16_30 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.168.20_30 NETWORK_OBJ_192.168.168.20_30 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network PORT-FORWARD
nat (inside,outside) static interface service tcp 3389 3389
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.67.24.249 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.30.0 255.255.255.0 inside
http 85.197.154.4 255.255.255.255 outside
http 85.197.154.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10000 set pfs
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.30.0 255.255.255.0 inside
ssh 85.197.154.4 255.255.255.255 outside
ssh 85.197.154.1 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.30.10-192.168.30.99 inside
dhcpd dns 192.168.30.151 195.67.199.27 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.36.134.17 source outside prefer
webvpn
group-policy DefaultRAGroup_6 internal
group-policy DefaultRAGroup_6 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy DefaultRAGroup_4 internal
group-policy DefaultRAGroup_4 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_5 internal
group-policy DefaultRAGroup_5 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_3 internal
group-policy DefaultRAGroup_3 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
username sandrak password Hrh7qYe9JbnaQ0G7/v0itA== nt-encrypted privilege 0
username sandrak attributes
vpn-group-policy DefaultRAGroup_5
username bardnorden_marcus password dkcxs3E9NvSyv4hm8u8VWQ== nt-encrypted
username bardnorden_marcus attributes
service-type remote-access
username dcg_butikgbg password vDl0JI2t5OShh0wiK8YWag== nt-encrypted
username dcg_butikgbg attributes
service-type remote-access
username dcgjiota password jghEPfWYGg9USa8EuDb0wg== nt-encrypted privilege 0
username dcgjiota attributes
vpn-group-policy DefaultRAGroup_6
username dcgsto password 7fZhsWwzDXXSnV+NVCX6OQ== nt-encrypted privilege 0
username dcgsto attributes
vpn-group-policy DefaultRAGroup_4
username netcon_robert password YuA6XRNwArfEFjzFQnnHFA== nt-encrypted privilege 15
username netcon_robert attributes
service-type admin
username magle_maw password woNUIxggW5iI8RMFkvDoTQ== nt-encrypted privilege 15
username magle_fo password r6WjF41WKWU+DPnQqvi4HA== nt-encrypted
username magle_fo attributes
service-type remote-access
username marie_itero password nKesn20rgr8oESOq6zULlg== nt-encrypted privilege 0
username marie_itero attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
address-pool marie
address-pool jiota
address-pool sto_vpnpool
address-pool pool-vpn
address-pool dcgvpn
default-group-policy DefaultRAGroup_6
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ed7a9a6a157068859b3ce90afea884df
: end
no asdm history enable
04-14-2015 08:18 AM
Hi there,
If you are using local authentication (username and password on the ASA), then why you would require these below line?
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
Remove it and try.
04-15-2015 02:45 AM
Hi and thanks for your reply,
I thought I needed for the tunnel group (defaultRAgroup), pre shared key and authentication for the clients. But I will check this suggestion.
Thanks!
04-18-2015 02:45 PM
Make sure defaultRAgroup and defaultL2Lgroup dnt have the same pre-shared key. According to loggs you were hitting DefaultL2Lgroup instead of defaultRAgroup.
ASA checks defaultL2Lgroup first, then defultRAgroup as last resource. thats why we should not use the same key for both.
let me know if that helps.
04-20-2015 06:50 AM
Thanks, I will check it out! The VPN connection from the test clients with this new conf seems still to be working.
But my issue now is that only the Windows 7 clients can establish VPN connection but not the Windows 8.1 clients. I get error code 789 in Windows 8.1.
Any ideas?
04-16-2015 05:29 AM
Hi,
I added new users without the ppp-attributes and the VPN-connection works fine
at the moment. But I will have to wait 2-3 days to verify if it works.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide