09-01-2010 11:23 PM - edited 02-21-2020 04:49 PM
Dear All,
I recently configured an ASA 5510 K8 as a remote access VPN. I used the wizard from ASDM to configure it.
When I try to connect via the Cisco VPN client, I can authenticate the tunnel group and PSK successfully. But when I enter my username and password for user authentication, the VPN is suddenly terminated with error reason 433: VPN connection terminated by peer.
I tried debug crypto isakmp and debug crypto ipsec, and this is what I get:
[IKEv1]: Group = xxxx Username = yyyy, IP = 125.166.x.x, Removing peer from peer table failed, no match!
[IKEv1]: Group = xxxx, Username = yyyy, IP = 125.166.x.x, Error: Unable to remove PeerTblEntry
It seems that the IKE phase 1 negotiation failed. I already checked the datasheet; my ASA only supports DES encryption, with MD5 hashing and Diffie-Hellman group 2. Here is the configuration for ISAKMP:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Here is the configuration for IPSEC:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 5 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 5 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
FYI, my ASA software is version 7.0.
Every response is appreciated.
Tq
Imad
09-01-2010 11:45 PM
For additional information, I use the ASA local database to provide the username and password.
Here is the configuration on tunnel-group:
tunnel-group xxxx general-attributes
address-pool VPN-CITI
default-group-policy xxxx
tunnel-group xxxx ipsec-attributes
pre-shared-key *
09-02-2010 07:41 AM
Hey,
Based on your description, it seems to be an issue with either authentication or Phase 2. The fact that you are getting to the username/password prompt means Phase 1 is working fine.
Try adding the following command to ensure we have the commands necessary for authentication:
tunnel-group xxxx general-attributes
authentication-server-group LOCAL
Enable the following debugs on the ASA, "debug crypto isakmp 127" and "debug crypto ipsec 127", try connecting to the VPN, and send the entire debug output.
Thanks and Regards,
Prapanch
09-05-2010 06:56 PM
Hi Prapanch,
I already added this configuration on the ASA:
tunnel-group xxx general-attributes
authentication-server-group local
I also added an ACL to permit any traffic from outside to the VPN pool. I applied it to the dynamic map for the crypto. Here is the config:
access-list outside_cryptomap_dyn_5 extended permit ip any 192.168.13.0 255.255.255.0
crypto dynamic-map outside_dyn_map 5 match address outside_cryptomap_dyn_5
I also added NAT 0 for VPN traffic. Here is the configuration:
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip any 192.168.13.0 255.255.255.0
It seems that the same problem still exists.
As for the debug, I have not been able to provide it to you yet since I am still out of the office.
Namaste
Imad
09-05-2010 07:27 PM
Hello,
Can you please try changing the keyword local to all caps, LOCAL?
tunnel-group xxx general-attributes
no authentication-server-group local
authentication-server-group LOCAL
Hope this helps.
Regards,
NT
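An added check, not from the thread or from Cisco: a small Python linter over an ASA config excerpt (the sample below is constructed in the style of the posted config) that flags the points raised above, the lowercase local keyword, a tunnel-group with no authentication-server-group, a transform-set whose name does not match its hash, and the DES/MD5/group 2 ISAKMP settings a defender would want to retire.

```python
import re
from typing import List

# Constructed sample in the style of the thread's posted config, including the
# lowercase "local" keyword that the final reply says to replace with LOCAL.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
tunnel-group xxxx general-attributes
 address-pool VPN-CITI
 authentication-server-group local
tunnel-group xxxx ipsec-attributes
 pre-shared-key *
"""

# ISAKMP settings treated as weak: single DES, MD5, DH groups 1 and 2.
WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}

def lint_asa_vpn(config: str) -> List[str]:
    """Return findings for the remote-access VPN settings in an ASA config."""
    findings: List[str] = []
    current_group = None          # tunnel-group whose general-attributes we are in
    general_groups, groups_with_auth = set(), set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"tunnel-group (\S+) (general-attributes|ipsec-attributes)", line)
        if m:
            current_group = m.group(1) if m.group(2) == "general-attributes" else None
            if current_group:
                general_groups.add(current_group)
            continue
        if line[0] in " \t" and current_group:   # indented sub-command of the block
            m = re.match(r"authentication-server-group (\S+)", line.strip())
            if m:
                groups_with_auth.add(current_group)
                if m.group(1) != "LOCAL" and m.group(1).upper() == "LOCAL":
                    findings.append(f"tunnel-group {current_group}: authentication-server-group "
                                    f"'{m.group(1)}' should be the uppercase keyword LOCAL")
            continue
        current_group = None      # any other top-level line ends the tunnel-group block
        m = re.match(r"isakmp policy \d+ (encryption|hash|group) (\S+)", line)
        if m and m.group(2) in WEAK_ISAKMP[m.group(1)]:
            findings.append(f"weak ISAKMP {m.group(1)} '{m.group(2)}' in: {line}")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m and (("SHA" in m.group(1).upper() and "sha" not in m.group(2))
                  or ("MD5" in m.group(1).upper() and "md5" not in m.group(2))):
            findings.append(f"transform-set {m.group(1)} name does not match its algorithms: {m.group(2)}")
    for g in sorted(general_groups - groups_with_auth):
        findings.append(f"tunnel-group {g}: no authentication-server-group configured")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_vpn(SAMPLE_CONFIG):
        print(finding)
```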