SA520 VPN complaining about mode config

Richard Cain
Level 1

I have configured our SA520 device to use IPsec VPN. After configuring everything and trying to connect using a Cisco VPN client, the logs complain:

2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config
2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config

The connection is aborted and I have no idea why.

I looked all around the forum but didn't find any useful info. Any help would be greatly appreciated.

9 Replies

Ivan Martinon
Level 7

Richard, can you please post your show run, you can delete the keys if you want, I would like to see if there is anything missing on it.

Ivan

This appliance has web only access as far as I know. I can post a screen shot at best. But the admin documentation can be found here:

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA_500_Series_AG_OL-19114-01.pdf

The web interface has some noticeable bugs. Looks like they hacked it together pretty quickly. I attached a screenshot of the web IKE and VPN policy.

Richard,

Thanks for the screenshots. Is there anywhere in that device where you define the group name that the client is going to use? I am assuming this is for remote access VPN, right? Meaning a VPN client will connect to this box? That is where the mode config is defined.

Not exactly. I think the appliance uses the "Remote Endpoint" under the VPN policy as the Group name. If my Group Name on the Cisco VPN Client doesn't match that Remote Endpoint name, I get the following error in the logs on the SA520:

2009-12-02 10:25:53: ERROR:  Could not find configuration for x.x.x.x[1460]
2009-12-02 10:25:58: ERROR:  Could not find configuration for x.x.x.x[1460]
2009-12-02 10:26:03: ERROR:  Could not find configuration for x.x.x.x[1460]
2009-12-02 10:26:08: ERROR:  Could not find configuration for x.x.x.x[1460]

Well I wish I could have been more helpful but I can't find anywhere in the docs where to define mode config, we are missing pool definition, dns wins... and stuff like that, I guess I will leave others with more experience on the platform to answer this.

Has anyone out there ever purchased one of these horrible boxes? What it boils down to is there is nowhere to specify your IP pool for VPN users. That's what the Cisco VPN client complains about: "Peer did not assign a private IP address".

Does Cisco even have QA or do they just throw these boxes together and hope somebody buys them?

I would give this box a 0.1/5, the .1 because it can handle traffic (which a $50 Linksys can do)

jwrooks
Level 1

I have the exact same problem connecting to the IPSec VPN with iPhone. The Enterprise Deployment Configuration guide from Apple states in the CISCO VPN Server section that Mode Config must be enabled on the server to connect the iPhone VPN client. I'm assuming this setting must be available in other CISCO products, but not in the SA520. Any suggestions would be appreciated.

My advice... throw the SA520 in the garbage and either go buy a cheaper Linksys, or build your own custom router using Openswan (that's what I'm doing). I had tickets open with Cisco support and the guy from support told me the Cisco professional client doesn't even work with the SA520. Only their QuickVPN client works (only on Windows). He said SSL VPN works but you have to pay $30/license!

So basically, XAUTH on the SA520 doesn't work. I tried every client possible with no results. Cisco support confirmed that for me when they told me their own client doesn't even work.

Yea, these units are definitely different than any other Cisco device.  I think they're meant to be in a class all of their own.  From the looks of it, the remote access vpn option is solely the ssl vpn.  Also, Richard, you can export the config, (although don't expect it to look like a normal IOS config).

It will be a text file (called SA520W.cfg for example) with attribute/value pairs, or variables with their relative assignments. These units are just Linux machines that Cisco is polishing up for a specific segment, and a specific set of network functions to cater to small businesses. To expect it to do everything a normal IOS router (or VPN device, or firewall) does is really unrealistic. These are meant for branch offices mostly, of under 100 users.
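
Added example, not part of the original thread and not Cisco code: a small Python triage script that collapses the two repeated error messages quoted above into one record per peer, port and failure class. The class names and the "reading" strings are assumptions that restate what the posters concluded, not vendor documentation.

```python
import re
from datetime import datetime

# Patterns match the two messages quoted in the thread. The "reading" text
# restates what the posters concluded; it is not vendor documentation.
PATTERNS = [
    ("no_mode_config",
     re.compile(r"Local configuration for (\S+)\[(\d+)\] does not have mode config"),
     "gateway has no mode config (address pool, DNS, WINS) for this peer"),
    ("no_matching_policy",
     re.compile(r"Could not find configuration for (\S+)\[(\d+)\]"),
     "client group name did not match a policy's Remote Endpoint"),
]
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): ERROR:\s+(.*)$")

def summarize(lines):
    """Collapse repeated errors into one record per (peer, port, class)."""
    groups = {}
    for line in lines:
        m = STAMP.match(line.strip())
        if not m:
            continue  # skip anything that is not a timestamped ERROR line
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for name, pattern, reading in PATTERNS:
            hit = pattern.search(m.group(2))
            if hit is None:
                continue
            key = (hit.group(1), int(hit.group(2)), name)
            rec = groups.setdefault(
                key, {"count": 0, "first": when, "last": when, "reading": reading})
            rec["count"] += 1
            rec["first"] = min(rec["first"], when)
            rec["last"] = max(rec["last"], when)
            break
    for rec in groups.values():
        # Seconds between first and last occurrence; a non-zero span shows retries.
        rec["span_s"] = int((rec["last"] - rec["first"]).total_seconds())
    return groups

# Sample lines as quoted in the thread (peer address redacted there as x.x.x.x).
SAMPLE = (
    ["2009-11-27 12:32:56: ERROR:  Local configuration for x.x.x.x[500] does not have mode config"] * 7
    + ["2009-12-02 10:25:%02d: ERROR:  Could not find configuration for x.x.x.x[1460]" % s for s in (53, 58)]
    + ["2009-12-02 10:26:%02d: ERROR:  Could not find configuration for x.x.x.x[1460]" % s for s in (3, 8)]
)

if __name__ == "__main__":
    for (peer, port, name), rec in summarize(SAMPLE).items():
        print(peer, port, name, rec["count"], rec["span_s"], rec["reading"])
```
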