05-28-2012 04:03 AM
Dears,
Good day,
Please, I need your support on the following issue:
I configured remote access VPN on an ASA 5510 as shown in the attached configuration file.
The problem is that when I try to connect via the Cisco VPN client, I get this error: "Secure VPN connection terminated locally by the client. Error 412".
Please can you support me with this issue?
Regards,
ASA Version 8.2(1)
!
hostname Active-ASA
enable password iwtL1y5uEVzS9Gp9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 50
ip address 10.11.13.3 255.255.255.0 standby 10.11.13.4
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.2 255.255.255.0 standby 192.168.4.3
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
shutdown
no nameif
security-level 50
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/824-k8.bin
boot system disk0:/824-k8.
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list internal extended permit udp any any eq isakmp
access-list internal extended permit udp any any eq 62515
access-list internal extended permit tcp any any
access-list internal extended permit udp any any eq 4500
access-list external extended permit icmp any any
access-list external extended permit ip any any
access-list external extended permit udp any any eq 62515
access-list external extended permit udp any any eq isakmp
access-list external extended permit tcp any any
access-list external extended permit udp any any eq 4500
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 192.168.5.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nat0 extended permit ip 10.11.13.0 255.255.255.0 192.168.77.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool babylon 192.168.77.1-192.168.77.33 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover interface ip failover 10.8.8.1 255.255.255.252 standby 10.8.8.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.11.13.100 1
route inside 192.168.5.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set test esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map bmap 10 set transform-set test
crypto dynamic-map bmap 10 set security-association lifetime seconds 288000
crypto dynamic-map bmap 10 set reverse-route
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy client internal
group-policy client attributes
vpn-simultaneous-logins 20
default-domain value babylon.com
user-authentication-idle-timeout none
username omar password Hu6b8CXoHv4DUaaV encrypted privilege 15
tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool babylon
default-group-policy client
tunnel-group client ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:036b2f438b954f6aa8a5dd9286dcf66d
: end
Active-ASA#
05-29-2012 05:04 AM
That doesn't look like the complete output. Can you please run the following debugs:
debug cry isa
debug cry ipsec
Also the logs from the VPN client, please.
05-28-2012 05:16 AM
I can see that your outside interface ip address is a private IP which means you have a NAT device in front of the ASA. Is your NAT device doing a NAT or PAT, and I assume that it's static NAT? Also make sure that the device in front of the ASA does not have any firewall/access-list that might be blocking the VPN traffic.
If you run debugs on the ASA, which phase is it failing?
You can run:
debug cry isa
debug cry ipsec
05-28-2012 12:35 PM
Thank you for your response,
Actually I have a router in front of the ASA where I configured a static NAT on it. (ip nat inside source static 10.11.13.3 109.224.52.14)
Regarding the access list, I configured an access list for the NAT.
Below is the debug that I collected:
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:36 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:41 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:46 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
Appreciate your support.
Regards,
05-28-2012 12:46 PM
Hi Ali,
Please try this...
crypto isakmp nat-traversal
Please let me know, if this helps.
thanks
Rizwan Rafeek
05-28-2012 01:41 PM
Hi,
I tried this command, but it didn't work; I got the same error 412.
05-28-2012 06:33 PM
Is there any access-list on the router that might be preventing the access?
It seems like phase 1 is not even established.
Please share the router configuration.
05-28-2012 11:51 PM
Below is the router configuration:
Active_Router#sh run
Building configuration...
Current configuration : 7281 bytes
!
! Last configuration change at 06:47:13 UTC Tue May 29 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Active_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3449375863
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3449375863
revocation-check none
rsakeypair TP-self-signed-3449375863
!
!
crypto pki certificate chain TP-self-signed-3449375863
certificate self-signed 01
quit
voice-card 0
!
!
!
!
!
!
license udi pid CISCO2911/K9 sn FCZ150473W7
hw-module pvdm 0/0
!
!
!
username cisco1 privilege 15 password 0 cisco1
!
redundancy
!
!
!
track 1 interface GigabitEthernet0/0 line-protocol
!
!
!
!
!
!
!
interface Tunnel3
description To Baghdad
ip address 60.60.60.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.49.106
!
!
interface Tunnel5
description Diraaya
ip address 70.70.70.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.53.74
!
!
interface Tunnel7
description Jazera Branch
ip address 80.80.80.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.53.82
!
!
interface Tunnel9
description Nisaa Branch
ip address 90.90.90.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.53.90
!
!
interface Tunnel11
description Askary Branch
ip address 100.100.100.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.53.58
!
!
interface Tunnel13
description Karbalaa
ip address 110.110.110.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.50.130
!
!
interface Tunnel15
description Nassriya
ip address 120.120.120.2 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel destination 109.224.50.114
!
!
interface GigabitEthernet0/0
description Connected to Public
ip address 109.224.52.12 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description Connected to ASA
ip address 10.11.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
standby 1 ip 10.11.13.100
standby 1 priority 105
standby 1 preempt
standby 1 track 1 decrement 10
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static 10.11.13.3 109.224.52.14
ip route 0.0.0.0 0.0.0.0 109.224.52.9
ip route 10.11.12.0 255.255.255.0 Tunnel3
ip route 172.16.70.0 255.255.255.0 Tunnel5
ip route 172.16.80.0 255.255.255.0 Tunnel5
ip route 172.16.90.0 255.255.255.0 Tunnel7
ip route 172.16.100.0 255.255.255.0 Tunnel7
ip route 172.16.110.0 255.255.255.0 Tunnel9
ip route 172.16.120.0 255.255.255.0 Tunnel9
ip route 172.16.130.0 255.255.255.0 Tunnel11
ip route 172.16.140.0 255.255.255.0 Tunnel11
ip route 172.16.150.0 255.255.255.0 Tunnel13
ip route 172.16.160.0 255.255.255.0 Tunnel13
ip route 172.16.170.0 255.255.255.0 Tunnel15
ip route 172.16.180.0 255.255.255.0 Tunnel15
ip route 192.168.2.0 255.255.255.0 Tunnel3
ip route 192.168.3.0 255.255.255.0 Tunnel3
ip route 192.168.4.0 255.255.255.0 10.11.13.3
ip route 192.168.5.0 255.255.255.0 10.11.13.3
!
access-list 10 permit 10.11.13.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.0.255
access-list 10 permit 192.168.5.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
Regards,
05-29-2012 01:03 AM
Config looks ok.
Can you please add the following on the ASA:
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash sha
group 2
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
05-29-2012 01:22 AM
Dear,
I can't use the 3des encryption on my ASA5510 (The 3DES/AES algorithms require a VPN-3DES-AES activation key).
05-29-2012 01:43 AM
You can get the 3DES license for free from the following:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
05-29-2012 01:54 AM
The link is not working.
05-29-2012 02:00 AM
Sorry, the link is working (http).
05-29-2012 02:20 AM
Dear ,
I downloaded and installed the license (3des) on the ASA.
The status now is that the ASA asked me for the username, but after I entered the username, a "not connected" message appeared.
Below is the debug that I collected:
Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
By the way, I have two ASA5510s; after I installed the license, the failover will be disabled. Please advise.
Regards,
05-29-2012 03:13 AM
Yes, you can generate the activation key for both ASAs and apply the corresponding activation key with the serial number of each ASA.
The username is the one configured on the ASA, and from what I can see the username is "omar". Otherwise you can configure a new username and password on the ASA for authentication.
05-29-2012 03:25 AM
I created a new username, but after I entered the username, the VPN client showed "securing communication channels" and then "not connected", as shown in the debug below:
Active-ASA# May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, QM FSM error (P2 struct &0xac393928, mess id 0x209bf69d)!
May 29 01:48:13 [IKEv1]: Group = client, Username = bank, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
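As an added example (not code from any poster in this thread), a small Python parser that reads the ASA `debug cry isa` lines quoted above and flags, per peer IP, whether the failure is in phase 1 (the first debug, before any username) or in Quick Mode / phase 2 (the later QM FSM errors after the username prompt). The sample lines are the thread's own output joined across the terminal wraps, and the stage rules are assumptions derived from those messages.

```python
import re

# Constructed sample: the ASA debug lines quoted in this thread, wraps joined.
SAMPLE_DEBUG = """\
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Removing peer from peer table failed, no match!
May 28 10:56:31 [IKEv1]: Group = client, IP = 109.127.97.14, Error: Unable to remove PeerTblEntry
Active-ASA# May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, QM FSM error (P2 struct &0xac39e538, mess id 0x6d633d55)!
May 29 00:43:24 [IKEv1]: Group = client, Username = test1, IP = 93.91.193.108, Removing peer from correlator table failed, no match!
"""

# The "Key = value, " fields the ASA prefixes, then the free-text message.
LINE_RE = re.compile(r"\[IKEv1\]: (?P<fields>(?:\w+ = [^,]+, )+)(?P<msg>.*)$")

def classify(msg, fields):
    """Map one debug message to the IKE stage it indicates (assumed rules)."""
    # QM FSM errors are raised in Quick Mode (phase 2); a Username field means
    # phase 1 and XAUTH already succeeded for this peer.
    if "QM FSM error" in msg:
        return "phase2"
    # Peer-table cleanup with no Username: the peer never got past phase 1.
    if "Removing peer from peer table failed" in msg and "Username" not in fields:
        return "phase1"
    return "other"

def parse_line(line):
    """Return (peer_ip, username_or_None, stage), or None for non-IKE lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(f.split(" = ", 1) for f in m.group("fields").rstrip(", ").split(", "))
    return fields.get("IP"), fields.get("Username"), classify(m.group("msg"), fields)

def summarize(text):
    """Count phase-1 / phase-2 failure lines per peer IP."""
    peers = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, stage = rec
        p = peers.setdefault(ip, {"phase1": 0, "phase2": 0, "other": 0, "username": None})
        p[stage] += 1
        p["username"] = p["username"] or user
    return peers

def diagnosis(peer):
    """Turn the counters into the next step the thread suggests."""
    if peer["phase2"]:
        return "phase 2 failing after authentication: collect 'debug cry ipsec' next"
    if peer["phase1"]:
        return "phase 1 never completed: check NAT device path, UDP 500/4500 and NAT-T"
    return "no failure pattern"
```

Run `summarize(SAMPLE_DEBUG)` and pass each entry to `diagnosis()` to see which of the two posted debugs shows a phase 1 versus a phase 2 problem.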