Remote Access VPN KO Unsupported Attributes and no Crypto Map Policy found

ssambourg
Level 1

Hello,

Since a few days I'm unable to connect with RA VPN IKEv1.

I see these logs :

5|Jul 17 2017|11:13:08|713904|||||IP = 88.165.X.X, Received encrypted packet with no matching SA, dropping
4|Jul 17 2017|11:13:07|113019|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Jul 17 2017|11:13:07|713259|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Session is being torn down. Reason: crypto map policy not found
3|Jul 17 2017|11:13:07|713902|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Removing peer from correlator table failed, no match!
3|Jul 17 2017|11:13:07|713902|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, QM FSM error (P2 struct &0x00002aaac17c4ab0, mess id 0xb08fc164)!
3|Jul 17 2017|11:13:07|713061|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.97.10/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
6|Jul 17 2017|11:13:07|713905|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: access-list mismatch.
5|Jul 17 2017|11:13:07|713119|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, PHASE 1 COMPLETED
6|Jul 17 2017|11:13:07|713228|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Assigned private IP address 192.168.97.10 to remote user
6|Jul 17 2017|11:13:07|713184|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Client Type: WinNT Client Application Version: 5.0.07.0440
5|Jul 17 2017|11:13:07|713130|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Received unsupported transaction mode attribute: 5
6|Jul 17 2017|11:13:07|734001|||||DAP: User ravpnuser, Addr 88.165.X.X, Connection IPSec: The following DAP records were selected for this connection: DfltAccessPolicy
6|Jul 17 2017|11:13:02|713905|||||Group = Utilisateurs, IP = 88.165.X.X, Floating NAT-T from 88.165.X.X port 49907 to 88.165.X.X port 49908
6|Jul 17 2017|11:13:02|713172|||||Group = Utilisateurs, IP = 88.165.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
6|Jul 17 2017|11:13:02|302015|88.165.X.X|49908|193.251.X.X|4500|Built inbound UDP connection 2522097 for outside:88.165.X.X/49908 (88.165.X.X/49908) to identity:193.251.X.X/4500 (193.251.X.X/4500)
6|Jul 17 2017|11:13:02|302015|88.165.X.X|49907|193.251.X.X|500|Built inbound UDP connection 2522095 for outside:88.165.X.X/49907 (88.165.X.X/49907) to identity:193.251.X.X/500 (193.251.X.X/500)

Please correct me if I'm wrong:

Received unsupported transaction mode attribute: 5 = DH Group attributes not supported by the transform-set associated with this connection profile?

SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: access-list mismatch & Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.97.10 = no matching crypto map for the connection's settings

My configuration has always worked, but for a few days I haven't been able to get remote access from AnyConnect (the connection drops after securing communication channels, which matches the logs above).

I created a new RA VPN with the VPN Wizard and got errors when ASDM tries to apply the map: "Unable to initialized crypto map entry".

I think this is the root cause of the issue, because of a non-corresponding crypto map for securing the data channel, but why?

Does anyone have any ideas?
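The log export above can be triaged mechanically. The following is an added example (not from the original post or from Cisco): it parses the pipe-delimited ASDM export format shown above (severity|date|time|message-id|src|sport|dst|dport|text), groups events per peer, and reports the stage at which the IKEv1 session failed and the tear-down reason. The sample lines are constructed from the post with the same placeholder addresses; the stage names and the assumption that the export is newest-first are mine.

```python
"""Triage an ASA syslog export for a failed IKEv1 remote-access session.

Added example, not from the original thread. Input lines follow the
pipe-delimited export format shown in the post:
severity|date|time|message-id|src|sport|dst|dport|text
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the post (addresses are placeholders).
SAMPLE_LOG = """\
5|Jul 17 2017|11:13:08|713904|||||IP = 88.165.X.X, Received encrypted packet with no matching SA, dropping
4|Jul 17 2017|11:13:07|113019|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:06s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Jul 17 2017|11:13:07|713061|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.97.10/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
6|Jul 17 2017|11:13:07|713905|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: access-list mismatch.
5|Jul 17 2017|11:13:07|713119|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, PHASE 1 COMPLETED
6|Jul 17 2017|11:13:07|713228|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Assigned private IP address 192.168.97.10 to remote user
5|Jul 17 2017|11:13:07|713130|||||Group = Utilisateurs, Username = ravpnuser, IP = 88.165.X.X, Received unsupported transaction mode attribute: 5
"""

# Message IDs that mark the stages of an IKEv1 RA session, taken from the
# post's log; the stage names are my own labels.
STAGE_BY_MSGID = {
    "713119": "phase1_completed",
    "713228": "address_assigned",
    "713130": "unsupported_mode_attribute",
    "713905": "dynamic_map_skipped",
    "713061": "tunnel_rejected",
    "113019": "session_disconnected",
}

PEER_RE = re.compile(r"\bIP = ([^,]+)")
PROXY_RE = re.compile(r"remote proxy (\S+) local proxy (\S+)")
REASON_RE = re.compile(r"Reason: (.+)$")


def parse_line(line):
    """Split one pipe-delimited export line into a dict; None if malformed."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    sev, date, time_, msgid, src, _sport, _dst, _dport, text = parts
    m = PEER_RE.search(text)
    return {"severity": int(sev), "time": f"{date} {time_}", "msgid": msgid,
            "peer": m.group(1) if m else (src or None), "text": text}


def triage(log_text):
    """Group events per peer and summarise why each IKEv1 session ended."""
    events_by_peer = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["peer"]:
            events_by_peer[ev["peer"]].append(ev)
    report = {}
    for peer, events in events_by_peer.items():
        # Assumption: the export lists newest events first, so reverse it to
        # get chronological order (timestamps alone only resolve to the second).
        events = list(reversed(events))
        stages = [STAGE_BY_MSGID[e["msgid"]] for e in events
                  if e["msgid"] in STAGE_BY_MSGID]
        summary = {"stages": stages, "reason": None,
                   "remote_proxy": None, "local_proxy": None}
        for e in events:
            if e["msgid"] == "113019":
                m = REASON_RE.search(e["text"])
                summary["reason"] = m.group(1) if m else None
            elif e["msgid"] == "713061":
                m = PROXY_RE.search(e["text"])
                if m:
                    summary["remote_proxy"], summary["local_proxy"] = m.groups()
        # Phase 1 completed but Phase 2 found no crypto map entry: the problem is
        # in the crypto map / crypto ACL, not in the IKE (Phase 1) policy.
        summary["phase2_crypto_map_issue"] = (
            "phase1_completed" in stages and "tunnel_rejected" in stages)
        report[peer] = summary
    return report


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE_LOG).items():
        print(peer, summary)
```

The useful signal is the ordering: Phase 1 completes and an address is assigned, so authentication and the IKE policy are fine; the session only dies when the dynamic map entry is skipped for an access-list mismatch and no other crypto map entry matches the client's proxies.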

4 Replies

Rahul Govindan
VIP Alumni

Are you using the AnyConnect or the Cisco IPsec VPN client? The logs above show an IKEv1 VPN connection, meaning the Cisco IPsec VPN client.

SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: access-list mismatch.

This shows you have an ACL on the last crypto map entry, which is usually tied to a dynamic map. You do not need an ACL in the crypto map for RA VPN. If you are not using the crypto map for any other tunnels, I would remove it. 

Hello,

I've got one S2S VPN tunnel, which is OK.

Is there some modification to bring to this ACL in the crypto map? I don't think so, it's most useful for RA VPN, or do I have to authorize my RA VPN pool so as to match this default crypto map ACL?

Could you share your crypto and VPN pool config? 

You do not need a crypto ACL for RA VPN, but you can use it if you want. 
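To make the two replies above concrete (no crypto ACL needed on the dynamic map, but one works if it permits the pool), here is an added example that is not the thread's configuration and not Cisco code. It parses a constructed ASA crypto configuration, finds dynamic-map entries carrying `match address`, and checks whether the Phase 2 proxy identities printed in the `%ASA-3-713061` message would be accepted. The ACL name, transform-set and networks are made up, and the matching rule is a simplified model (my assumption): the local proxy must fall inside the ACE source, the remote proxy inside the ACE destination, and an entry with no `match address` accepts any proxies.

```python
"""Check whether an ASA dynamic crypto map's ACL would accept a remote-access
client's Phase 2 proxy identities.

Added example, not the thread's configuration. ACL matching is a simplified
model (assumption): local proxy inside the ACE source, remote proxy inside the
ACE destination; a dynamic-map entry without 'match address' accepts anything.
"""
import ipaddress

# Constructed config with the setting the reply recommends removing: a crypto
# ACL on the default dynamic map that does not cover the RA VPN pool.
CONFIG_WITH_ACL = """\
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

# Same config with the 'match address' line removed.
CONFIG_FIXED = "\n".join(
    l for l in CONFIG_WITH_ACL.splitlines() if "match address" not in l) + "\n"


def _parse_operand(tokens):
    """Consume one ASA address operand (any | host X | X MASK) from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, dyn_match, entries).

    acls:      {acl_name: [(action, src_net, dst_net), ...]} for 'extended ... ip' ACEs
    dyn_match: {(dynmap_name, seq): acl_name} for entries with 'match address'
    entries:   set of every (dynmap_name, seq) seen
    """
    acls, dyn_match, entries = {}, {}, set()
    for line in text.splitlines():
        tokens = line.split()
        if (len(tokens) >= 7 and tokens[0] == "access-list"
                and tokens[2] == "extended" and tokens[4] == "ip"):
            name, action, rest = tokens[1], tokens[3], tokens[5:]
            src = _parse_operand(rest)
            dst = _parse_operand(rest)
            acls.setdefault(name, []).append((action, src, dst))
        elif tokens[:2] == ["crypto", "dynamic-map"] and len(tokens) >= 4:
            entry = (tokens[2], int(tokens[3]))
            entries.add(entry)
            if tokens[4:6] == ["match", "address"]:
                dyn_match[entry] = tokens[6]
    return acls, dyn_match, entries


def parse_proxy(proxy):
    """Parse the 'addr/mask/proto/port' form from %ASA-3-713061 into a network."""
    addr, mask = proxy.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def entry_accepts(config_text, local_proxy, remote_proxy):
    """For each dynamic-map entry, say whether the proxies would be accepted."""
    acls, dyn_match, entries = parse_config(config_text)
    local, remote = parse_proxy(local_proxy), parse_proxy(remote_proxy)
    result = {}
    for entry in sorted(entries):
        acl = dyn_match.get(entry)
        if acl is None:
            result[entry] = True  # no crypto ACL: any proxy identities accepted
            continue
        accepted = False
        for action, src, dst in acls.get(acl, []):
            if local.subnet_of(src) and remote.subnet_of(dst):
                accepted = action == "permit"
                break  # first matching ACE decides
        result[entry] = accepted
    return result


if __name__ == "__main__":
    proxies = ("0.0.0.0/0.0.0.0/0/0", "192.168.97.10/255.255.255.255/0/0")
    print("with ACL:", entry_accepts(CONFIG_WITH_ACL, *proxies))
    print("fixed:   ", entry_accepts(CONFIG_FIXED, *proxies))
```

With the ACL in place the client's proxies (local 0.0.0.0/0 from a tunnel-all client, remote the assigned pool address /32) match no ACE, which is the "access-list mismatch" in the log; dropping the `match address` line, or rewriting the ACL to permit `any` to the pool network, makes the entry accept the client.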

Yes, I've attached the file.