Unable to connect via Cisco VPN Client

tech_trac
Level 1

Hello,

I have configured Remote Access VPN on ASA and am trying to connect via the Cisco VPN Client 5.0

I am not able to connect and the log on the ASA shows

ASA-3-713902: Group = xxxxx, IP = x.x.x.x, Removing peer from peer table failed, no match!

ASA-4-713903: Group = xxxxx, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

ASA does not support K9, i.e. VPN-DES is enabled and VPN-3DES-AES is disabled.

What could be the reason?

Regards


Yudong Wu
Level 7

Please post your config and the following debug output.

"debug crypto isa"

"debug crypto ipsec"

interface GigabitEthernet0/0
 nameif OUTSIDE-INTERFACE
 security-level 0
 ip address 2.2.2.130 255.255.255.224 standby 2.2.2.131
 no pim
!
interface GigabitEthernet0/1
 nameif INSIDE-INTERFACE
 security-level 100
 ip address 10.4.4.1 255.255.255.0 standby 10.4.4.2
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE-INTERFACE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE-INTERFACE_map interface OUTSIDE-INTERFACE
crypto isakmp enable OUTSIDE-INTERFACE
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group Cisco type remote-access
tunnel-group Cisco general-attributes
 address-pool ClientPool
 default-group-policy GroupPolicy1
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
!
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
 address-pools value ClientPool
!
ip local pool ClientPool 10.4.4.155-10.4.4.165 mask 255.255.255.0

-------

debug crypto ipsec did not give any output.

Output for 'debug crypto isakmp' is below

Oct 01 16:52:10 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Removing peer from peer table failed, no match!

Oct 01 16:52:10 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Error: Unable to remove PeerTblEntry

Oct 01 16:52:15 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Removing peer from peer table failed, no match!

Oct 01 16:52:15 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Error: Unable to remove PeerTblEntry

Oct 01 16:52:20 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Removing peer from peer table failed, no match!

Oct 01 16:52:20 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Error: Unable to remove PeerTblEntry

Oct 01 16:52:25 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Removing peer from peer table failed, no match!

Oct 01 16:52:25 [IKEv1]: Group = Cisco, IP = 81.23.110.120, Error: Unable to remove PeerTblEntry

So, the above was the only output of "debug crypto isa" when the client initiated VPN connection?

From the config, the only thing which might cause the issue would be the address pool. VPN client's IP address pool is in the same subnet as the inside interface. Could you try to use a different one?

But I have configured another ASA with Remote Access VPN with the same address pool as the inside interface and it works fine. Which other address pool should I use? Should it be from the subnet of one of the interfaces, or anything else?

I changed some configuration and now I am getting "All IPSec SA proposals found unacceptable!" and "Reason: Phase 2 Mismatch" and "Received encrypted packet with no matching SA, dropping"

ASA has K8 license only and 3DES is not supported.

Following is the crypto config:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

Hi there, I had this same problem, here is the solution:

When you do a debug crypto isakmp 255, you see that the Cisco VPN client doesn't handle SHA + DES; you have to use MD5 + DES, or SHA with 3DES/AES.

Be careful, this debug is very verbose, but that's the only way I found to get the SA proposal in the debug.

Well, modifying your isakmp policy to use MD5/DES would do the trick.

If it says "phase 2 mismatch", you need to change your transform set configuration; Bastien pointed in the right direction.
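As an added example (not from this thread or from Cisco), a small Python check that applies the pairing rule from the accepted answer to the posted ASA crypto lines: it parses the isakmp policy and the transform sets bound through dynamic-map entries and reports each DES+SHA proposal the client would refuse, covering both the Phase 1 policy and the Phase 2 transform sets the last reply points at. The sample config is constructed from the thread's lines; applying the same pairing rule to the Phase 2 transform sets is an assumption drawn from the last reply.

```python
import re
# Constructed sample reduced to the thread's crypto lines: ISAKMP policy 10
# (des + sha), the two transform sets and their dynamic-map bindings.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto isakmp policy 10
 encryption des
 hash sha
"""

def pairing_ok(enc, hash_alg):
    """Rule from the accepted answer: DES only with MD5; SHA needs 3DES/AES (K9 license)."""
    return hash_alg == "md5" if enc == "des" else True

def parse_isakmp_policies(cfg):
    """Map policy number -> {'encryption': 'des', 'hash': 'sha', ...}."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # left the policy sub-mode
    return policies

def parse_transform_sets(cfg):
    """Map transform-set name -> (cipher, hash), e.g. ('des', 'sha')."""
    pat = r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac"
    return {n: (e, h) for n, e, h in re.findall(pat, cfg)}

def lint(cfg):
    """One finding per proposal the client will refuse; empty list means clean."""
    findings = []
    for num, p in parse_isakmp_policies(cfg).items():
        enc, h = p.get("encryption", "?"), p.get("hash", "?")
        if not pairing_ok(enc, h):
            findings.append(f"isakmp policy {num}: {enc}+{h} (Phase 1)")
    sets = parse_transform_sets(cfg)  # Phase 2 proposals bound via dynamic-map
    for dmap, seq, names in re.findall(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)", cfg):
        for name in names.split():
            enc, h = sets.get(name, ("?", "?"))
            if not pairing_ok(enc, h):
                findings.append(f"dynamic-map {dmap} {seq} transform-set {name}: {enc}+{h} (Phase 2)")
    return findings
```

Run `lint(ASA_CONFIG)` against a config dump to see which proposal to change before turning on the verbose debug; DES and MD5 are weak, so the better fix where the license allows it is SHA with 3DES/AES.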