Remote Access VPN Issue

mirage__SK
Level 1

Hi all!

I have a remote access VPN issue matching this description (link is below):

Cisco Device: ASA 5510 Security plus

IOS: 9.1(3)

It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site to site VPN with the device. For example, if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1, and on the same ASA you already have a Site to Site VPN connected with the IP address 1.1.1.1, you will see the following error in the debug:

"cannot match peerless map when peer found in previous map entry."

Here are error logs:

%ASA-6-713905: Group = UserGroup, Username = User, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

%ASA-3-713061: Group = UserGroup, Username = User, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0//0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

https://supportforums.cisco.com/thread/2242812

Does anybody know a solution for this issue (both VPNs are necessary)?

3 Replies

mirage__SK
Level 1

No ideas?

Hi Vakhtang!

I've got the same issue on ASA-SM (9.1(3)). As far as I know, the ASA can't create a new ISAKMP SA when you try to connect with the VPN client from a location which has an L2L VPN with the ASA. It must uniquely identify the remote peer at Phase 1 in order to create the Phase 1 SA after peer authentication. I guess your issue is connecting with the NAT-T feature enabled in the dynamic crypto map. Here is what Cisco says about this:

"The ASA supports multiple IPsec peers behind a single NAT/PAT device operating in one of the following networks, but not both:

LAN-to-LAN

Remote access

In a mixed environment, the remote access tunnels fail the negotiation because all peers appear to be coming from the same public IP address, address of the NAT device. Also, remote access tunnels fail in a mixed environment because they often use the same name as the LAN-to-LAN tunnel group (that is, the IP address of the NAT device). This match can cause negotiation failures among multiple peers in a mixed LAN-to-LAN and remote access network of peers behind the NAT device."

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#wp1120836

So that behavior isn't abnormal; the ASA just works like this. I guess you'd better use another public IP address for either the remote VPN clients or the Site2Site IPsec tunnel.

Hi Roman!

Thanks for reply.

I have solved this issue via STATIC_NAT:

I created a NAT rule so that when users connect via RA VPN, their IP is different from the outside interface's address.
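As an added example (not part of this thread or of any Cisco tool), a small triage script that picks this failure mode out of ASA syslog: it flags 713905 "cannot match peerless map" entries, marks whether the client's source IP is also a configured L2L crypto map peer (the collision discussed above), and counts the resulting 713061 tunnel rejections per source IP. The log lines, user names and the L2L peer list are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the messages quoted in the question;
# 1.1.1.1 plays the role of the shared public IP of the remote site.
SAMPLE_LOGS = [
    "%ASA-6-713905: Group = UserGroup, Username = User, IP = 1.1.1.1, Skipping dynamic map "
    "SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.",
    "%ASA-3-713061: Group = UserGroup, Username = User, IP = 1.1.1.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 10.37.10.250/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
    "%ASA-6-713905: Group = UserGroup, Username = Other, IP = 203.0.113.7, Skipping dynamic map "
    "SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.",
    "%ASA-6-713172: Group = UserGroup, Username = Other, IP = 203.0.113.7, Automatic NAT Detection Status: ...",
]

# Hypothetical set of peers that appear in static (L2L) crypto map entries on this ASA.
L2L_PEERS = {"1.1.1.1"}

# Common prefix of the ASA IKE messages: id, tunnel group, user and source IP.
HEADER = re.compile(
    r"%ASA-\d-(?P<id>\d{6}): Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),"
)


def find_peer_collisions(lines, l2l_peers):
    """Return one finding per 713905 'peerless map' skip, noting whether the
    client source IP is also a static L2L peer (the root cause in this thread)."""
    findings = []
    for line in lines:
        m = HEADER.match(line)
        if not m or m.group("id") != "713905" or "cannot match peerless map" not in line:
            continue
        ip = m.group("ip")
        findings.append({"ip": ip, "user": m.group("user"), "collides_with_l2l_peer": ip in l2l_peers})
    return findings


def count_rejections(lines):
    """Count 713061 'no matching crypto map entry' rejections per source IP."""
    counts = Counter()
    for line in lines:
        m = HEADER.match(line)
        if m and m.group("id") == "713061":
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_peer_collisions(SAMPLE_LOGS, L2L_PEERS):
        print(f)
    print(count_rejections(SAMPLE_LOGS))
```

A finding with `collides_with_l2l_peer` set is the case this thread describes; one without it means the skip message came from a source that is not in your static peer list and needs a different explanation.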