Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
999
Views
0
Helpful
2
Replies

CISCO ASA5510-Unable to establish VPN connection.Getting Reason 433 Error in VPN client.

secureIT
Level 4
Level 4

‎03-16-2015 10:03 AM

CISCO ASA5510-Unable to establish remote access VPN connection. Getting Reason 433 Error in VPN client.

We have configured VPN idle time out as none, disabled threat detection, enabled NAT traversal also.But still the issue persists.

The currently running IOS image is 8.2.3.  

ERROR: IKE failed trying to create a session manager entry

IKE AM Responder FSM error history (struct &0xdcda0858)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_PEND_QM, EV_ADD_SESS-->AM_TM_PEND_QM, EV_INIT_FIREWALL-->AM_TM_PEND_QM, EV_TM_OK-->AM_TM_PEND_QM, NullEvent-->AM_TM_INIT_MODECFG_V6H, EV_SND_MSG_TO_TM-->AM_TM_INIT_MODECFG_V6H, EV_RCV_NEW_QM_MSG-->AM_TM_INIT_MODECFG_V6H, NullEvent

 

Please help to resolve this issue

Labels:
0 Helpful
2 Replies 2

Adeolu Owokade
Level 1
Level 1

‎03-19-2015 09:18 AM

Please post the relevant part of your configuration.

If you can also get and post the debug output while initiating the VPN tunnel, that would be great.

0 Helpful

secureIT
Level 4
Level 4
In response to Adeolu Owokade

‎03-25-2015 04:52 AM

Hi Adeolu,

Please see configuration part as below.

 

 

 

configuration:-

crypto ipsec transform-set *** esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn_map 1 set transform-set ***

crypto dynamic-map dyn_map 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn_map 1 set security-association lifetime kilobytes 4608000

crypto map test 500 ipsec-isakmp dynamic dyn_map

crypto map test interface DMZ

crypto isakmp identity hostname

crypto isakmp enable DMZ

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal

 

************

 

tunnel-group *** type remote-access

tunnel-group *** general-attributes

address-pool Pool

authentication-server-group radius_server

default-group-policy VPN

tunnel-group *** ipsec-attributes

pre-shared-key ***

isakmp keepalive threshold 20 retry 5

 

***

 

group-policy ** internal

group-policy ** attributes

vpn-filter value vpn_list

 

tunnel-group *** type remote-access

tunnel-group *** general-attributes

address-pool ***

authentication-server-group radius_server

default-group-policy ***

tunnel-group *** ipsec-attributes

pre-shared-key ***

isakmp keepalive threshold 20 retry 5

 

 

 

Logs:-

please find enclosed in the attachment.

%ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

 

 

 

 

Preview file
28 KB
0 Helpful
Customers Also Viewed These Support Documents