05-10-2021 11:56 AM - edited 05-10-2021 12:59 PM
Just set up a new Cisco ASA and configured it for VPN connection; I keep getting 412: The remote peer is no longer responding.
This router has not been deployed yet. This is my first time setting up a router like this. Any help is appreciated.
It is a new setup and I currently just have it testing internally.
ciscoasa(config)# show running-config
: Saved
:
: Serial Number: JAD3562709LN
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.14(2)
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool tunnelpool 10.10.10.130-10.10.10.139 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.221 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-2-lfbff-k8.spa
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.128_28
subnet 10.10.10.128 255.255.255.240
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7141-48.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 10.10.10.0 255.255.255.0 inside
console timeout 0
dhcpd dns 10.10.10.1 8.8.8.8
dhcpd auto_config outside
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 10.10.10.230-10.10.10.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy maintunnel internal
group-policy maintunnel attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username john password ***** pbkdf2 privilege 15
username admin password ***** pbkdf2
username servant password ***** pbkdf2 privilege 0
username servant attributes
vpn-group-policy maintunnel
tunnel-group maintunnel type remote-access
tunnel-group maintunnel general-attributes
address-pool tunnelpool
default-group-policy maintunnel
tunnel-group maintunnel ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f27deb74b5f947a8f113acc11852f5fa
: end
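As an added example, not posted by anyone in this thread and not Cisco's own tooling, here is a small Python checker that reads an ASA running-config excerpt and reports three things: whether the pieces an IKEv1 remote-access tunnel needs are present and tied together (ikev1 enabled on an interface, a crypto map bound to that interface, a remote-access tunnel-group with an ikev1 pre-shared key, a defined address pool, and a group-policy whose vpn-tunnel-protocol includes ikev1); which legacy DES/3DES/MD5 transform sets, ikev1 policies and SSH DH group 1 settings the config still carries; and which client addresses the `http` lines admit to ASDM/HTTPS. The config excerpt is constructed from the one posted above and assumes the single-space indentation that `show running-config` prints; the client addresses used in the test (192.168.2.145 from later in the thread, and a made-up inside host 10.10.10.50) are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in the thread (the parts an
# IKEv1 remote-access tunnel depends on), indented like `show running-config`.
SAMPLE_CONFIG = """\
ip local pool tunnelpool 10.10.10.130-10.10.10.139 mask 255.255.255.0
http 10.10.10.0 255.255.255.0 inside
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encryption aes-256
 group 14
crypto ikev1 policy 130
 encryption des
 hash sha
 group 14
ssh key-exchange group dh-group1-sha1
group-policy maintunnel attributes
 vpn-tunnel-protocol ikev1
tunnel-group maintunnel type remote-access
tunnel-group maintunnel general-attributes
 address-pool tunnelpool
 default-group-policy maintunnel
tunnel-group maintunnel ipsec-attributes
 ikev1 pre-shared-key *****
"""
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "dh-group1-sha1"}
WEAK_DH = {"1", "2", "5"}  # DH groups too small for a new deployment

def parse_blocks(config):
    """Group config lines into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in (ln for ln in config.splitlines() if ln.strip() and not ln.startswith("!")):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def weak_crypto_findings(config):
    """Flag DES/3DES/MD5 and DH group 1/2/5 left in the IPsec, IKEv1 and SSH settings."""
    findings = []
    for header, children in parse_blocks(config):
        t = header.split()
        if header.startswith("crypto ipsec ikev1 transform-set "):
            bad = [x for x in t[5:] if x in WEAK]
            if bad:
                findings.append(f"transform-set {t[4]}: {', '.join(bad)}")
        elif header.startswith("crypto ikev1 policy "):
            bad = [c for c in children
                   if (c.startswith("encryption ") and c.split()[1] in WEAK)
                   or c == "hash md5"
                   or (c.startswith("group ") and c.split()[1] in WEAK_DH)]
            if bad:
                findings.append(f"ikev1 policy {t[3]}: {', '.join(bad)}")
        elif header.startswith("ssh key-exchange ") and t[-1] in WEAK:
            findings.append(f"ssh key-exchange: {t[-1]}")
    return findings

def remote_access_ikev1_status(config):
    """Return (ready, problems): is an IKEv1 remote-access tunnel fully wired up?"""
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    child = lambda h: next((c for hh, c in blocks if hh == h), [])
    problems = []
    ikev1_if = {h.split()[-1] for h in heads if h.startswith("crypto ikev1 enable ")}
    map_if = {h.split()[-1] for h in heads if re.match(r"crypto map \S+ interface \S+$", h)}
    if not ikev1_if:
        problems.append("IKEv1 is not enabled on any interface")
    elif not ikev1_if & map_if:
        problems.append("no crypto map bound to the IKEv1-enabled interface")
    pools = {h.split()[3] for h in heads if h.startswith("ip local pool ")}
    groups = [h.split()[1] for h in heads if re.match(r"tunnel-group \S+ type remote-access$", h)]
    if not groups:
        problems.append("no remote-access tunnel-group")
    for g in groups:
        general = child(f"tunnel-group {g} general-attributes")
        if not any(c.startswith("ikev1 pre-shared-key ") for c in child(f"tunnel-group {g} ipsec-attributes")):
            problems.append(f"tunnel-group {g}: no ikev1 pre-shared-key")
        pool = next((c.split()[1] for c in general if c.startswith("address-pool ")), None)
        if pool not in pools:
            problems.append(f"tunnel-group {g}: address-pool missing or undefined")
        gp = next((c.split()[1] for c in general if c.startswith("default-group-policy ")), None)
        if not any(c.startswith("vpn-tunnel-protocol ") and "ikev1" in c.split()
                   for c in child(f"group-policy {gp} attributes")):
            problems.append(f"group-policy {gp}: vpn-tunnel-protocol lacks ikev1")
    return not problems, problems

def http_management_permits(config, client_ip):
    """True if an `http <net> <mask> <nameif>` line admits client_ip to ASDM/HTTPS."""
    addr = ipaddress.ip_address(client_ip)
    for h, _ in parse_blocks(config):
        m = re.match(r"http (\d[\d.]*) (\d[\d.]*) \S+$", h)
        if m and addr in ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
            return True
    return False
```

Against the posted config this reports the remote-access pieces as wired up, which points the troubleshooting at the path between the client and the outside interface and at the client software rather than at the tunnel-group. It also shows that an HTTPS test from the 192.168.2.0/24 side is not admitted by the `http` line at all, so that test says nothing about IKEv1. The DES/3DES/MD5 transform sets and policies and the SSH DH group 1 key exchange are not needed for this tunnel and can be pruned once a modern policy is confirmed working.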
05-10-2021 01:23 PM
How are you testing? Are the ASA and client on the same network?
Where is the ASA? Behind any FW? Try https://ASAIP from the PC and see what you get.
See the 412 reason:
https://www.cisco.com/c/en/us/support/docs/security/vpn-client/48160-vpn-clnt-err-dict.html
Try some tips:
https://community.cisco.com/t5/vpn/cisco-vpn-client-error-412-no-connection/m-p/4048346
05-10-2021 01:34 PM
Hi balaji.bandi,
This is currently being tested behind a firewall, but the connection to this ASA is being initiated by another terminal on the same network.
We have some VMs running behind the ASA that we want to test.
Regarding the configuration, is there anything you can see that I'm missing?
Thank you for the reply.
Raja
05-10-2021 02:10 PM
This is currently being tested behind a firewall, but the connection to this ASA is being initiated by another terminal on the same network. We have some VMs running behind the ASA that we want to test.
Behind the same ASA? I do not believe that works as expected. You always need to initiate the connection from external (outside).
05-10-2021 04:05 PM
Hi balaji.bandi,
It's not behind the same ASA; not sure if I'm explaining it correctly.
We have a Modem -> Router -> Current_ASA -> Couple of VMs
We have another client that is connected Router -> Client Computer.
The Current_ASA and Client Computer are on the same subnet; I'm trying to connect to the ASA from that client [terminal0] to access the items behind it.
Raja
05-11-2021 02:13 AM
As per the diagram, is Terminal 0 trying to simulate the VPN connection? What is the outcome of https://ASAIP?
What is the IP address of Terminal 0?
What logs do you see on the AnyConnect client side?
What logs do you see in the ASA?
05-11-2021 07:44 AM
The Terminal 0 IP is 192.168.2.145.
The ASA outside IP is 192.168.2.221.
From the terminal, HTTPS://192.168.2.221 does not load.
The ASA inside IP range is 10.10.10.0/24.
From within the 10.10.10.0/24 network I get the ASDM launch page.
05-11-2021 07:53 AM
05-11-2021 09:01 AM
Even though I'm not using WebVPN?
I'm trying to use the Cisco VPN Client.
05-11-2021 09:09 AM
You said "HTTPS://192.168.2.221 does not load" - so I assume you've attempted to connect to the WebVPN page, which would require you to enable webvpn. If you enable it and it still doesn't work, turn on debugs and provide the output. Confirm you can ping the outside interface.
05-11-2021 11:24 AM
Hi Rob,
Balaji was asking about that, so I sent it; I didn't know the reason he was asking for it.
I have "crypto ikev1 enable outside".
I'm not trying to use WebVPN. Is there something I'm missing in terms of using the VPN Client to connect?
05-11-2021 11:37 AM
@raja_illayarajah if you are connecting using IPsec instead of SSL, then you need to pre-configure an AnyConnect profile to select IPsec. Without the AnyConnect profile, if you just enter the IP address/FQDN in AnyConnect manually, it will only attempt to connect using SSL/TLS.
If you don't know how to create anyconnect profile, look at the last section of this guide.
05-11-2021 11:43 AM
Hi Rob,
Sorry, I'm not setting up AnyConnect. Just a simple VPN using the VPN Client that Cisco has.
Am I missing something in my configuration that is preventing my attempt to connect?
Raja
05-11-2021 11:46 AM - edited 05-11-2021 11:48 AM
@raja_illayarajah AnyConnect is the only supported Cisco VPN client, the old Cisco VPN client was EOL years ago.
If you can't configure the VPN client to use IPsec, then use SSL.
05-11-2021 11:51 AM
Hi Rob,
We only have 4 licences for AnyConnect and we have more users, hence I have to set up the older client.
Raja