11-11-2011 09:28 AM
I have an ASA 5510 behind a 2911 router. I've been trying to configure a remote access and site-to-site VPN tunnel. I've started on the remote access, and I have it set up, but I'm getting this error message when trying to authenticate from the VPN client (412 error). Has anyone come across this before?
Nov 11 09:52:45 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM
Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM
Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, P1 Retransmit msg dispatched to AM FSM
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE AM Responder FSM error history (struct &0xab58c9a0) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE SA AM:c666551f terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, sending delete/delete with reason message
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing blank hash payload
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing IKE delete payload
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, constructing qm hash payload
Nov 11 09:53:09 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=8582ab0c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Removing peer from peer table failed, no match!
Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Error: Unable to remove PeerTblEntry
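Added example, not part of the thread: a small Python parser that summarizes ASA IKEv1 debug output like the lines above per peer IP. It counts the Phase 1 message the ASA sent and its retransmits, decodes the "FSM error history" string into (state, event) pairs, and flags the EV_PROB_AUTH_FAIL signature so the failure is visible without reading every line. The sample lines are copied from the post; the record layout, the regexes and the wording returned by diagnose() are my own assumptions about how to present the result.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug output in the post above.
SAMPLE_LOG = """\
Nov 11 09:52:45 [IKEv1]: IP = 68.51.100.192, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Nov 11 09:52:51 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:52:56 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:53:01 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE AM Responder FSM error history (struct &0xab58c9a0) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG
Nov 11 09:53:09 [IKEv1 DEBUG]: Group = tfx-tg, IP = 68.51.100.192, IKE SA AM:c666551f terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Nov 11 09:53:09 [IKEv1]: Group = tfx-tg, IP = 68.51.100.192, Error: Unable to remove PeerTblEntry
"""

# "Nov 11 09:52:51 [IKEv1 DEBUG]: <body>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<src>[^\]]+)\]: (?P<body>.*)$")
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
GROUP_RE = re.compile(r"\bGroup = (?P<group>[^,]+)")
# AM = aggressive mode, MM = main mode; the history follows "<event>: "
FSM_RE = re.compile(r"IKE (?P<mode>AM|MM) (?P<role>Responder|Initiator) FSM error history .*?<event>: (?P<hist>.*)$")


def new_peer_record():
    # Field names are this example's own choice, not ASA terminology.
    return {"group": None, "mode": None, "p1_sent": 0, "p1_retransmits": 0,
            "fsm_history": [], "auth_fail": False, "sa_terminated": False}


def parse_fsm_history(hist):
    """'AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_TIMEOUT' -> [('AM_DONE', 'EV_ERROR'), ...].

    The ASA lists the most recent (state, event) pair first.
    """
    pairs = []
    for seg in hist.split("-->"):
        state, _, event = seg.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def summarize(log_text):
    """Group IKEv1 debug lines by peer IP and extract the Phase 1 failure signals."""
    peers = defaultdict(new_peer_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        ip = IP_RE.search(body)
        if not ip:
            continue
        rec = peers[ip.group("ip")]
        g = GROUP_RE.search(body)
        if g:
            rec["group"] = g.group("group")
        # msgid=0 marks a Phase 1 (ISAKMP) message; the ASA is the responder here
        if "IKE_DECODE SENDING Message (msgid=0)" in body:
            rec["p1_sent"] += 1
        if "Duplicate Phase 1 packet detected" in body:
            rec["p1_retransmits"] += 1
        f = FSM_RE.search(body)
        if f:
            rec["mode"] = f.group("mode")
            rec["fsm_history"] = parse_fsm_history(f.group("hist"))
            rec["auth_fail"] = any(ev == "EV_PROB_AUTH_FAIL" for _, ev in rec["fsm_history"])
        if "terminating:" in body or "Unable to remove PeerTblEntry" in body:
            rec["sa_terminated"] = True
    return dict(peers)


def diagnose(rec):
    """One-line reading of a peer record; the wording is this example's own."""
    mode = {"AM": "aggressive mode", "MM": "main mode"}.get(rec["mode"], "unknown mode")
    if rec["auth_fail"]:
        return (f"Phase 1 ({mode}) failed as responder: message 2 was sent and retransmitted "
                f"{rec['p1_retransmits']} time(s) without a valid message 3 from the peer; "
                "the FSM recorded EV_PROB_AUTH_FAIL, so the peer was never authenticated.")
    if rec["p1_retransmits"]:
        return f"Phase 1 ({mode}) incomplete: {rec['p1_retransmits']} retransmit(s), no FSM error recorded."
    return "No Phase 1 failure signature."


if __name__ == "__main__":
    for peer, rec in summarize(SAMPLE_LOG).items():
        print(peer, rec["group"], "->", diagnose(rec))
```

Run against a full `debug crypto isakmp` capture, the per-peer view separates a client that never sends a valid third aggressive-mode message (retransmits followed by EV_PROB_AUTH_FAIL, as in this thread) from a client whose packets are not arriving at all.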
11-11-2011 12:08 PM
Hi,
Please attach the full debugs, and also the configuration.
Regards.
11-11-2011 12:14 PM
I have attached my ASA config and the debug of what I'm getting when trying to connect to the VPN.
11-14-2011 04:01 AM
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers will fail.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution18
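Added example, not from the thread or from Cisco: a Python check for the ordering rule described in the post above. It parses `crypto map NAME SEQ ...` lines from an ASA configuration, separates the dynamic entry (`ipsec-isakmp dynamic DYNMAP`) from static site-to-site entries, and reports every static entry whose sequence number is higher than a dynamic entry in the same map. The configuration fragment is constructed for the example; map names, peer address and transform-set name are placeholders, and `suggested_fix()` only prints ASA CLI lines for review, it does not touch a device.

```python
import re
from collections import defaultdict

# Constructed ASA crypto map fragment (placeholders, not the poster's config):
# the dynamic entry for remote-access clients sits at sequence 10, below the
# static site-to-site entry at sequence 20, which is the ordering the post warns against.
BAD_CONFIG = """\
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_cryptomap
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

# Same fragment with the dynamic entry moved to the highest sequence number.
GOOD_CONFIG = BAD_CONFIG.replace(
    "crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map",
    "crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map",
)

ENTRY_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")
DYNAMIC_RE = re.compile(r"^ipsec-isakmp dynamic (?P<dyn>\S+)$")


def parse_crypto_maps(config_text):
    """Return {map_name: {"dynamic": {seq: dyn_map_name}, "static": {seq: [entry lines]}}}."""
    maps = defaultdict(lambda: {"dynamic": {}, "static": defaultdict(list)})
    for raw in config_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # "crypto map X interface outside" and unrelated lines carry no sequence
        name, seq, rest = m.group("name"), int(m.group("seq")), m.group("rest")
        d = DYNAMIC_RE.match(rest)
        if d:
            maps[name]["dynamic"][seq] = d.group("dyn")
        else:
            maps[name]["static"][seq].append(rest)
    return maps


def find_shadowed_static_entries(config_text):
    """(map, static_seq, dynamic_seq) for each static entry numbered above a dynamic one."""
    problems = []
    for name, entries in parse_crypto_maps(config_text).items():
        if not entries["dynamic"]:
            continue
        lowest_dynamic = min(entries["dynamic"])
        for seq in sorted(entries["static"]):
            if seq > lowest_dynamic:
                problems.append((name, seq, lowest_dynamic))
    return problems


def suggested_fix(config_text):
    """ASA CLI lines that renumber each offending dynamic entry above every static entry.

    Output is for an administrator to review; nothing is applied to a device.
    """
    commands = []
    for name, entries in parse_crypto_maps(config_text).items():
        if not entries["static"] or not entries["dynamic"]:
            continue
        highest_static = max(entries["static"])
        next_seq = max(list(entries["static"]) + list(entries["dynamic"])) + 10
        for seq, dyn in sorted(entries["dynamic"].items()):
            if seq < highest_static:
                commands.append(f"no crypto map {name} {seq} ipsec-isakmp dynamic {dyn}")
                commands.append(f"crypto map {name} {next_seq} ipsec-isakmp dynamic {dyn}")
                next_seq += 10
    return commands


if __name__ == "__main__":
    for name, static_seq, dyn_seq in find_shadowed_static_entries(BAD_CONFIG):
        print(f"{name}: static entry {static_seq} is above dynamic entry {dyn_seq}; "
              "site-to-site peers in that entry will fail to match")
    print("\n".join(suggested_fix(BAD_CONFIG)))
```

Feed it the output of `show running-config crypto map`; an empty list from find_shadowed_static_entries() means every static peer entry is evaluated before the dynamic catch-all.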
11-14-2011 10:46 PM
Hi,
Usually I have a group-policy defined for it... but this one doesn't have it... Are the VPN clients prompting for username and password for authentication?
HTH,
Vikram
11-21-2011 09:20 AM
Hi all, sorry I'm late in responding. I'm beginning to think this is a design issue on my end, which actually brings me to my next question. Currently, how my network was set up before the ASA was as follows:
Cisco 2911 Router -> Cisco 2960 Switch. The router houses the VLANs, and I just use the switch for providing access to the VLANs. I had the ASA plugged into the switch, but it wasn't getting a return route. This is probably because, as I just realized, the 2960 doesn't allow for routing, because when I logged onto the ASA I would get "gateway of last resort not set" (even though I had one set).
So would it be better to plug the ASA into the free interface (gi0/2) on the router? If that is even possible.