09-30-2013 05:29 AM - edited 02-21-2020 07:11 PM
Dear colleagues,
Remote access VPN with LDAP authentication via certificate was configured.
The user logged in, authenticated, and took an IP address, vpn-filter ACL, and DAP.
Then the dynamic crypto map, which has been used successfully for other users, couldn't be applied for this user.
Could anybody explain this behavior to me and point to the root cause?
ASA version 9.1(2)
%ASA-7-714011: Group = UserGroup, Username = User, IP = A.A.A.A, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
%ASA-7-713034: Group = UserGroup, Username = User, IP = A.A.A.A, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
%ASA-7-713906: Group = UserGroup, Username = User, IP = A.A.A.A, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 1...
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 1, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 2...
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 2, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 3...
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 3, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-7-713221: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, checking map = GIN_map1, seq = 4...
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 4, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.101.62.65/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface GIN
09-30-2013 09:39 AM
Hi Oleg,
It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site-to-site VPN with the device. For example, if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1, and on the same ASA you already have a site-to-site VPN connected with the IP address 1.1.1.1, you will see the following error in the debug:
"cannot match peerless map when peer found in previous map entry."
Please check for the same; if that's the case, you are hitting the following bug:
You need a Cisco CCO ID to check the link.
Thanks
Jeet Kumar
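The log pattern discussed in the reply above can be picked out of a debug capture automatically. This is an added example, not part of the original thread or Cisco code: it groups ASA syslog lines per Group/Username/IP and reports sessions where the dynamic map was skipped (713905) and the tunnel was then rejected (713061). The sample lines are constructed from the ones quoted in this thread; the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE = """\
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 1, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-7-713222: Group = UserGroup, Username = User, IP = A.A.A.A, Static Crypto Map check, map = GIN_map1, seq = 2, ACL does not match proxy IDs src:10.101.62.65 dst:0.0.0.0
%ASA-7-713222: Group = UserGroup, Username = Other, IP = B.B.B.B, Static Crypto Map check, map = GIN_map1, seq = 1, ACL does not match proxy IDs src:10.101.62.66 dst:0.0.0.0
%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.101.62.65/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface GIN
""".splitlines()

# Common prefix of the per-session messages shown in the thread.
HEAD = re.compile(r"%ASA-\d-(?P<id>\d{6}): Group = (?P<group>[^,]+), "
                  r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), (?P<body>.*)")
ACL_MISS = re.compile(r"map = (\S+), seq = (\d+), ACL does not match proxy IDs")
SKIP = re.compile(r"Skipping dynamic map (\S+) sequence (\d+): cannot match peerless map")
REJECT = re.compile(r"remote proxy (\S+) local proxy (\S+) on interface (\S+)")

def diagnose(lines):
    """Return sessions where the dynamic map was skipped and the tunnel rejected."""
    sessions = defaultdict(lambda: {"acl_miss": [], "skipped": None, "rejected": None})
    for line in lines:
        m = HEAD.match(line.strip())
        if not m:
            continue  # not a per-session message in the expected shape
        s = sessions[(m["group"], m["user"], m["ip"])]
        body = m["body"]
        if m["id"] == "713222" and (a := ACL_MISS.search(body)):
            s["acl_miss"].append((a[1], int(a[2])))      # static entry tried, ACL mismatch
        elif m["id"] == "713905" and (k := SKIP.search(body)):
            s["skipped"] = (k[1], int(k[2]))             # dynamic map never evaluated
        elif m["id"] == "713061" and (r := REJECT.search(body)):
            s["rejected"] = {"remote": r[1], "local": r[2], "interface": r[3]}
    # Only the combination skip + reject is the failure shown in this thread.
    return [{"session": key, **s} for key, s in sessions.items()
            if s["skipped"] and s["rejected"]]

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f["session"], "static entries tried:", f["acl_miss"],
              "skipped:", f["skipped"], "rejected:", f["rejected"])
```

The static entries listed under `acl_miss` are the ones to review for a peer address that coincides with the client's public IP.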
10-01-2013 12:31 AM
Hi Jeet,
Unfortunately we don't have an s-2-s VPN with this location. It could resolve a couple of problems. )))
Those users always have access to our resources via Personal VPN.
12-13-2013 03:51 AM
Does anybody have a solution for these errors?
%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside