
Cisco VPN Getting Error 412

Just set up a new Cisco ASA and set it up for VPN connection, keep getting 412: The Remote Peer is no longer responding.
This router has not been deployed yet. This is my first time setting up a router like this. Any help is appreciated.

It is a new setup and I currently just have it testing internally. 

 

ciscoasa(config)# show running-config
: Saved

:
: Serial Number: JAD3562709LN
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.14(2)
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool tunnelpool 10.10.10.130-10.10.10.139 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.2.221 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-14-2-lfbff-k8.spa
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.10.10.128_28
subnet 10.10.10.128 255.255.255.240
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7141-48.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 10.10.10.0 255.255.255.0 inside
console timeout 0
dhcpd dns 10.10.10.1 8.8.8.8
dhcpd auto_config outside
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 10.10.10.230-10.10.10.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy maintunnel internal
group-policy maintunnel attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username john password ***** pbkdf2 privilege 15
username admin password ***** pbkdf2
username servant password ***** pbkdf2 privilege 0
username servant attributes
vpn-group-policy maintunnel
tunnel-group maintunnel type remote-access
tunnel-group maintunnel general-attributes
address-pool tunnelpool
default-group-policy maintunnel
tunnel-group maintunnel ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f27deb74b5f947a8f113acc11852f5fa
: end

19 Replies

@raja_illayarajah 

The minimum AnyConnect licenses to purchase is 25, no idea how you only have 4 licenses! I suggest you purchase AnyConnect licenses instead of running the old unsupported client.

 

There doesn't appear to be much Cisco VPN client documentation on the internet, if you can find it using Google then find out how you can configure IPSec protocol. Or just enable SSL/TLS on the ASA like I previously suggested... using AnyConnect it doesn't require modifying the client, so hopefully for you it'll work as well.

On the Router under, SH VER

it shows that I have 4 AnyConnect Premium Peers.

I may have misled the post @rob, I was under the impression webvpn to test, make sure he has reachability. After reading the thread again, looks like AnyConnect IPSec.

 

By default, ASA comes with 5 licenses.

 

BB


@balaji.bandi @Rob Ingram 

Thanks for the help guys, I'm going to reset it and start from scratch. 

Hi Rob, 

We only have 4 licences for the AnyConnect and we have more users, hence I have to set up the older client.

 

Raja