
EZVPN between Cisco 2801 and ASA

k.ramalingam
Level 1

Hi Experts,

Need help in setting up ezvpn. I have a Cisco 2801 with the following configuration:

router version 124-24.T3 (advanceipservicesk9)

crypto ipsec client ezvpn BOS-BACKUP
connect auto
group bosnsw key clar3nc3
mode client
peer 202.47.85.1
xauth userid mode interactive

interface FastEthernet0/0
ip address 10.80.3.85 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn BOS-BACKUP inside

interface Cellular0/1/0
ip address negotiated
encapsulation ppp
load-interval 60
dialer in-band
dialer string GSM
dialer-group 2
async mode interactive
no fair-queue
ppp chap hostname dummy
ppp chap password 0 dummy
ppp ipcp dns request
crypto ipsec client ezvpn BOS-BACKUP
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
!
dialer-list 2 protocol ip permit

Cellular interface is up and the router is able to ping the VPN peer:

Router# ping 202.47.85.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.47.85.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 396/473/780 ms

ASA configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

username bosnsw password UaV1j04bjTagjYnj encrypted privilege 0
username bosnsw attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec
no vpn-framed-ip-address

tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
address-pool BOS_CORPORATE
no ipv6-address-pool
authentication-server-group ACS_AUTH LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy BOS_CORPORATE
no dhcp-server
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group bosnsw webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group bosnsw ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth

BOS-NRD-IT-FW1# sh cry isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H


I have attached the debug output from router and the firewall. Hope someone can shed some light on this issue. Thanks in advance.

Accepted Solution

That is correct! You need to configure the mode as network-extension if you want to retain the IP.

Following is the guide to configure router and ASA in network-extension mode. Hope you find it useful.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml#ts1

Thanks,

Manasi
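As an added example (not part of the accepted answer or of the Cisco guide it links), the minimal router and ASA configuration for the network-extension case, using the names already in the thread (group and tunnel-group bosnsw, group-policy BOS_CORPORATE, peer 202.47.85.1, LAN 10.80.3.0/24) and placeholders for the secrets. The group key and XAuth password posted in cleartext earlier in the thread should be treated as disclosed and replaced. The ASA side uses the same 8.2-era syntax as the posted config (vpn-tunnel-protocol IPSec, isakmp ikev1-user-authentication xauth); the reverse-route line is an assumption about how you want the ASA to learn the client LAN, not something the thread shows.

```cisco
! ---- IOS 12.4T EZVPN hardware client (the 2801) ----
crypto ipsec client ezvpn BOS-BACKUP
 connect auto
 ! group name and key must equal the ASA tunnel-group name and its pre-shared-key
 group bosnsw key <group-key>
 ! network-extension keeps 10.80.3.0/24 as-is; nothing is pulled from an address pool
 mode network-extension
 peer 202.47.85.1
 ! stored XAuth credentials: no "crypto ipsec client ezvpn xauth" prompt after a reload
 username <xauth-user> password <xauth-pass>
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 10.80.3.85 255.255.255.0
 crypto ipsec client ezvpn BOS-BACKUP inside
!
interface Cellular0/1/0
 ip address negotiated
 ! outside is the default keyword when neither inside nor outside is given
 crypto ipsec client ezvpn BOS-BACKUP
!
! ---- ASA EZVPN server (8.2-style syntax, as in the posted config) ----
! no ip local pool is needed for a network-extension client
group-policy BOS_CORPORATE internal
group-policy BOS_CORPORATE attributes
 vpn-tunnel-protocol IPSec
 ! without this the ASA refuses network-extension hardware clients
 nem enable
!
username <xauth-user> password <xauth-pass>
!
tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
 ! the thread uses "ACS_AUTH LOCAL": ACS is tried first, LOCAL only if ACS is unreachable
 authentication-server-group LOCAL
 default-group-policy BOS_CORPORATE
tunnel-group bosnsw ipsec-attributes
 pre-shared-key <group-key>
 isakmp ikev1-user-authentication xauth
!
! optional (assumption): inject a route to the client's LAN when the tunnel comes up
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
```

After the change, "show crypto ipsec client ezvpn" on the router should report the tunnel as up with no assigned client address, and the ASA should show the 10.80.3.0/24 proxy identity in "show crypto ipsec sa".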


16 Replies

Jennifer Halim
Cisco Employee

From the following debug output from router:

*Dec 16 03:29:09.902: EZVPN(BOS-BACKUP): Pending XAuth Request, Please enter the following command:
*Dec 16 03:29:09.902: EZVPN: crypto ipsec client ezvpn xauth

You would need to type in your xauth because you have configured "xauth userid mode interactive". Interactive means you have to manually enter in the username and password to connect to the ezvpn server.

From the router, you would need to issue: crypto ipsec client ezvpn xauth, and then enter in the username and password.

Alternatively, you can configure "xauth userid mode local" instead, and it would use the local configured username and password to automatically connect.

Hope that helps.

I did put in the username and password but it still doesn't work. I also did the local username with the same result.

What username did you use? Do you use "bosnsw" as the username with the corresponding password?

When you use local, did you configure the "bosnsw" username and password locally on the ezvpn client (router)?

Yes, I used bosnsw for both local and interactive mode.

Hi,

I am not sure if you have managed to get this working. In case you are still facing issues, please send the following debugs:

from ASA: "debug cry isa 127" and "debug cry ips 127"

from router: "debug cry isa", "debug cry ips" and "debug cry ipsec client ezvpn".

Also, for the ASA, please get the output of "show run all group-policy".

Cheers,

Prapanch

The debugs are attached. Thanks

Hi,

Could you change the mode to xauth userid mode local, run the debugs again on both the ASA and the router, and send over the outputs?

Thanks,

Manasi

Debug commands would be the same as mentioned by Prapanch in the post above! :)

Please find the debug attached. Did I miss any configuration on the router or firewall? Thanks

Hey ramlingam,

We see the following debugs

Dec 30 02:45:22 [IKEv1 DEBUG]: Group = bosnsw, Username = cisco, IP = 112.213.174.43, Processing cfg ACK attributes
Dec 30 02:45:22 [IKEv1]: Group = bosnsw, Username = cisco, IP = 112.213.174.43, Remote peer has failed user authentication -  check configured username and password

Do you have Cisco username and password configured on router ?

Or, with userid mode interactive, try using cisco and the corresponding password and check if that works!

Thanks,

Manasi

Hi,

I have the same username and password configured at both ends:

router

=====

crypto ipsec client ezvpn BOS-BACKUP
connect auto
group bosnsw key clar3nc3
mode client
peer 202.47.85.1
username cisco password cisco
xauth userid mode local

BOS-NRD-IT-FW1# sh run username
username cisco password cisco

But i reconfigured the group on the router:

group DefaultRAGroup pass netstar

and now the debug shows the router is trying to obtain an IP address and so on. We want the IP address to remain as it is on the router, which would be the ISP-assigned IP address. The debug cry isa 127 from the router is attached.

Can you paste the config of DefaultRAGroup and the corresponding group policy?

tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  url-list none
  filter none
  homepage none
  html-content-filter none
  port-forward name Application Access
  port-forward disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression none
  svc modules none
  svc profiles none
  svc ask none
  ike-retry-timeout 10
  ike-retry-count 3
  customization none
  keep-alive-ignore 4
  http-comp gzip
  download-max-size 2147483647
  upload-max-size 2147483647
  post-max-size 2147483647
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable

You are using client mode, and so you need to have an address pool from which an IP address would be assigned to the EZVPN client.

tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool

I request you to create a local pool and apply the pool in the DefaultRAGroup as follows:

tunnel-group DefaultRAGroup general-attributes
address-pool BOS_CORPORATE

Thanks

Manasi
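Added example, not from the thread: a small Python lint that encodes the mismatches the replies walk through (Jennifer Halim's point that "xauth userid mode local" needs stored credentials, the "Remote peer has failed user authentication" debug against the ASA's local users, and Manasi's two points that client mode needs an address-pool while network-extension needs "nem enable") and runs it over the router block and the ASA DefaultRAGroup config posted above, trimmed. The regexes, the rule wording and the BOS_CORPORATE substitution in the corrected variant are my assumptions; the IOS and ASA keywords are the ones the thread shows. Because forum posts strip indentation, blocks are delimited by content rather than by leading spaces.

```python
"""Added example (not from the thread): lint an IOS EZVPN client block against the ASA
tunnel-group and group-policy it has to match.  The rules are the points the thread works
out; forum posts drop indentation, so config blocks are delimited by content, not spaces."""
import re

IOS_ATTRS = {  # attribute lines inside 'crypto ipsec client ezvpn <name>'
    "group": re.compile(r"^group (\S+) (?:key|pass) \S+"),
    "mode": re.compile(r"^mode (client|network-extension|network-plus)"),
    "xauth": re.compile(r"^xauth userid mode (local|interactive|http-intercept)"),
    "user": re.compile(r"^username (\S+) password "),
}
IOS_BLOCK_END = re.compile(r"^(?:interface |crypto |ip |router |line |!)")
ASA_SECTION = re.compile(r"^(?:tunnel-group (\S+) (general|ipsec)-attributes|group-policy (\S+) attributes)$")
ASA_TOPLEVEL = re.compile(r"^(?:tunnel-group |group-policy |crypto |username \S+ |interface |access-list |!)")

def parse_ios_ezvpn(cfg):
    """Attributes of the first 'crypto ipsec client ezvpn <name>' block in an IOS config."""
    c, inside = {"name": None, "group": None, "mode": None, "xauth": None, "user": None}, False
    for line in cfg.splitlines():
        s = line.strip()
        if (head := re.match(r"^crypto ipsec client ezvpn (\S+)$", s)):
            c["name"], inside = head.group(1), True
        elif inside and (not s or IOS_BLOCK_END.match(s)):
            break  # blank line, '!' or the next top-level command ends the block
        elif inside:
            for key, rx in IOS_ATTRS.items():
                if (m := rx.match(s)):
                    c[key] = m.group(1)
    return c

def parse_asa(cfg):
    """Tunnel-groups, group-policies and local users that an EZVPN hardware client depends on."""
    asa, ctx = {"tg": {}, "gp": {}, "users": set()}, None
    tg = lambda n: asa["tg"].setdefault(n, {"type": None, "pool": None, "policy": None, "auth": ["LOCAL"], "psk": False})
    for line in cfg.splitlines():
        s = line.strip()
        if (m := re.match(r"^tunnel-group (\S+) type (\S+)$", s)):
            tg(m.group(1))["type"], ctx = m.group(2), None
        elif (m := ASA_SECTION.match(s)):
            ctx = ("tg", m.group(1), m.group(2)) if m.group(1) else ("gp", m.group(3), None)
        elif (m := re.match(r"^username (\S+) password ", s)):
            asa["users"].add(m.group(1)); ctx = None
        elif not s or ctx is None or ASA_TOPLEVEL.match(s):
            ctx = None  # any other top-level command ends the current section
        elif ctx[0] == "tg" and ctx[2] == "general":
            t = tg(ctx[1])
            if s == "no address-pool": t["pool"] = None
            elif (m := re.match(r"^address-pool (\S+)$", s)): t["pool"] = m.group(1)
            elif (m := re.match(r"^default-group-policy (\S+)$", s)): t["policy"] = m.group(1)
            elif (m := re.match(r"^authentication-server-group (.+)$", s)): t["auth"] = m.group(1).split()
        elif ctx[0] == "tg" and s.startswith("pre-shared-key"):
            tg(ctx[1])["psk"] = True
        elif ctx[0] == "gp" and (m := re.match(r"^nem (enable|disable)$", s)):
            asa["gp"].setdefault(ctx[1], {})["nem"] = m.group(1)
    return asa

def check(ios_cfg, asa_cfg):
    """Findings for a router/ASA pair; an empty list means the checked points agree."""
    c, a, f = parse_ios_ezvpn(ios_cfg), parse_asa(asa_cfg), []
    t = a["tg"].get(c["group"])
    if t is None or t["type"] != "remote-access":  # the IKE aggressive-mode ID is the group name
        return [f"router group '{c['group']}' has no 'tunnel-group {c['group']} type remote-access' on the ASA"]
    if not t["psk"]:
        f.append(f"tunnel-group {c['group']} has no pre-shared-key under ipsec-attributes")
    if c["xauth"] == "local" and not c["user"]:
        f.append("'xauth userid mode local' is set but the ezvpn block has no 'username ... password ...'")
    if c["user"] and t["auth"] == ["LOCAL"] and c["user"] not in a["users"]:  # skipped when AAA is tried first
        f.append(f"XAuth user '{c['user']}' is not a local user on the ASA, which authenticates {c['group']} locally")
    if c["mode"] == "client" and not t["pool"]:
        f.append(f"router is in mode client but tunnel-group {c['group']} has no address-pool to assign it an address")
    if c["mode"] == "network-extension" and a["gp"].get(t["policy"], {}).get("nem") != "enable":
        f.append(f"router is in mode network-extension but group-policy {t['policy']} lacks 'nem enable'")
    return f

# Sample input: the router block and the ASA DefaultRAGroup posted in the thread, trimmed.
ROUTER_CLIENT = """\
crypto ipsec client ezvpn BOS-BACKUP
group DefaultRAGroup key netstar
mode client
username cisco password cisco
xauth userid mode local
"""
ASA_DEFAULTRA = """\
username cisco password cisco
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
authentication-server-group LOCAL
default-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
group-policy DfltGrpPolicy attributes
nem disable
"""
ROUTER_NEM = ROUTER_CLIENT.replace("mode client", "mode network-extension")  # the router moved to NEM
ASA_NEM_OK = ASA_DEFAULTRA.replace("nem disable", "nem enable")  # the ASA corrected for it
if __name__ == "__main__":
    for r, a in [(ROUTER_CLIENT, ASA_DEFAULTRA), (ROUTER_NEM, ASA_DEFAULTRA), (ROUTER_NEM, ASA_NEM_OK)]:
        print(check(r, a) or "OK")
```

Run as a script it prints the client-mode pool finding, the network-extension nem finding, and OK for the corrected pair. It only checks what the posts show: it does not look at the ISAKMP policy, the transform sets or the ACS server, and for the original bosnsw tunnel-group ("ACS_AUTH LOCAL") the XAuth credentials go to ACS first, so the local-user check is deliberately skipped there.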