2541 Views, 0 Helpful, 10 Replies

VPN Connection error

Hi,

I needed urgent help here.

I configured an IPSec Remote Access VPN on my Cisco ASA. After configuring, I tried connecting using the Cisco VPN client. I managed to get connected with the configured username and password on the Cisco ASA, but I can't ping any trusted LAN host. I did a check on the Cisco VPN client and found these errors:

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      16:34:09.412  10/09/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route: code 160
    Destination    192.168.0.255
    Netmask    255.255.255.255
    Gateway    192.168.10.1
    Interface    192.168.10.10

2      16:34:09.412  10/09/12  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c0a80a0a, Gateway: c0a80a01.

3      16:34:09.412  10/09/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route: code 5010
    Destination    0.0.0.0
    Netmask    0.0.0.0
    Gateway    192.168.10.1
    Interface    192.168.10.10

I configured the Cisco ASA with a tunnel group and a group policy. I configured a local user account and a local DHCP pool for the VPN client.

Can anyone help on this?

Thanks

10 REPLIES

Hello Bernard,

What is the destination LAN address? Can you do a 'route print' on your client PC's command prompt after connecting the VPN and see whether the route towards the remote LAN subnet is present in the PC's routing table?

regards

Harish.


I changed my dhcp pool to 10.27.165.10 - 128 /24

I get this error:

1      18:47:29.550  10/09/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route: code 160
    Destination    192.168.0.255
    Netmask    255.255.255.255
    Gateway    10.27.165.1
    Interface    10.27.165.2

2      18:47:29.550  10/09/12  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: a1ba502, Gateway: a1ba501.

3      18:47:29.550  10/09/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route: code 5010
    Destination    0.0.0.0
    Netmask    0.0.0.0
    Gateway    10.27.165.1
    Interface    10.27.165.2

4      18:47:29.550  10/09/12  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: 0, Netmask: 0, Interface: a1ba502, Gateway: a1ba501.

5      18:47:29.565  10/09/12  Sev=Warning/2    CVPND/0xA3400019
Error binding socket: -21. (DRVIFACE:2962)

6      18:47:29.565  10/09/12  Sev=Warning/2    CM/0xE3100009
Failed to register public interface

7      18:47:29.721  10/09/12  Sev=Warning/2    CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=10.27.165.2, error 0

8      18:47:30.751  10/09/12  Sev=Warning/2    CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

9      18:47:31.423  10/09/12  Sev=Warning/2    IKE/0xE300009B
Failed to active IPSec SA: Unable to enable Virtual Adapter (NavigatorQM:936)

10     18:47:31.423  10/09/12  Sev=Warning/2    IKE/0xE30000A7
Unexpected SW error occurred while processing Quick Mode negotiator:(Navigator:2238)


Hello Bernard,

Can you try VPN client version 5.0.04.0300 and see the result?

regards

Harish.


After I upgraded my Cisco VPN software, I don't have any more errors:

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

But I still cannot access the trusted LAN.

Just a roundup of my Cisco ASA configuration...

1) Configure remote access IPSec VPN

2) Group Policies - vpntesting

3) AES256 SHA DH group 5

4) Configure local user vpntesting

5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24

6) open access on outside interface

A) Did I miss anything?

B) For example, there is a LAN segment - 10.27.40.x/24 on the trusted leg of the Cisco ASA but I can't access it. Do I need to create access lists to allow my VPN session to access the trust LANs?

C) Any good guide for configuring remote access VPN using ASDM?


Hello Bernard,

Glad to hear that the error has disappeared. Well, it seems you have another duplicate post for this second issue.

here you go

Did you create the split tunnel and specify the network which the VPN wants to access? Also, if you have a NAT configured for internet access for your LAN, then you need to have a 'no nat' configured for this VPN communication.

Please post your config so that I can help you out if there is something else playing a role.

Harish.


I have set up a test scenario...

PC (VPN client) <----> Router <----> ASA 5505

PC (VPN Client) is connected to Fa0/1 of Router

Fa0/1 Interface IP 58.145.230.10 255.255.255.240

ASA 5505 is connected to Fa0/0 of Router

Fa0/0 Interface IP 202.42.224.185 255.255.255.240

I got a template from the internet for the ASA and reused it; below is my ASA 5505 config:

Cryptochecksum: 40ff331b 6a16a4ff 578ae2c9 64b0ed48
: Saved
: Written by admin at 12:42:00.379 SGT Wed Oct 10 2012
!
ASA Version 8.4(4)1
!
hostname HQ-ASA
domain-name xxx
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 100
!
interface Ethernet0/4
 switchport access vlan 5
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 202.42.224.186 255.255.255.224
!
interface Vlan3
 nameif DMZ1
 security-level 20
 ip address 202.42.224.65 255.255.255.192
!
interface Vlan4
 nameif DMZ01
 security-level 30
 ip address 10.27.66.1 255.255.255.0
!
interface Vlan5
 nameif VOIP
 security-level 60
 ip address 10.27.40.1 255.255.255.0
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.27.101.1 255.255.255.0
!
ftp mode passive
clock timezone SGT 8
dns server-group DefaultDNS
 domain-name xxx
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ1_NWK
 subnet 202.42.224.64 255.255.255.192
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu DMZ1 1500
mtu DMZ01 1500
mtu VOIP 1500
mtu inside 1500
ip local pool phonetest 10.27.165.2-10.27.165.128 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (management,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 202.42.224.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
http 202.42.224.64 255.255.255.192 DMZ01
http 10.27.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd enable management
!
dhcpd address 202.42.224.75-202.42.224.80 DMZ1
dhcpd enable DMZ1
!
dhcpd address 10.27.66.75-10.27.66.80 DMZ01
dhcpd enable DMZ01
!
dhcpd address 10.27.40.75-10.27.40.80 VOIP
dhcpd enable VOIP
!
dhcpd address 10.27.101.75-10.27.101.80 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy phonetest internal
group-policy phonetest attributes
 dns-server value 10.27.101.81 10.27.101.82
 vpn-tunnel-protocol ikev1
 default-domain value xxx
username phone password DSebDxcT7KH24UWn encrypted privilege 0
username phone attributes
 vpn-group-policy phonetest
tunnel-group phonetest type remote-access
tunnel-group phonetest general-attributes
 address-pool phonetest
 default-group-policy phonetest
tunnel-group phonetest ipsec-attributes
 ikev1 pre-shared-key phonetest
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40ff331b6a16a4ff578ae2c964b0ed48
: end

Thanks.


Hello Bernard,

I hope you are trying to access the 10.27.40.0/24 network from the VPN. If so, please do the following configuration:

access-list SPLIT standard permit 10.27.40.0 255.255.255.0
group-policy phonetest attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

Then reconnect the VPN and try to access it from the VPN client. If you are not getting through, get me a 'route print' from the PC after connecting the VPN.

regards

Harish.
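A fuller version of the split-tunnel and NAT-exemption change Harish describes, written against the config Bernard posted (the phonetest group policy, the 10.27.165.0/24 client pool, and the VOIP interface that holds 10.27.40.0/24). This is an added example, not a snippet from either poster; the object names VOIP_NET and VPN_POOL are assumed names, and the NAT line uses the ASA 8.4 twice-NAT syntax.

```cisco
! Added example (assumed object names VOIP_NET and VPN_POOL), not from the thread.
!
! 1. Name the two networks involved: the LAN behind the VOIP interface and
!    the IKEv1 client pool "phonetest" (10.27.165.2-10.27.165.128 /24).
object network VOIP_NET
 subnet 10.27.40.0 255.255.255.0
object network VPN_POOL
 subnet 10.27.165.0 255.255.255.0
!
! 2. Split tunnel: hand the client a route for 10.27.40.0/24 only, rather
!    than the 0.0.0.0/0 route the posted client logs show it failing to add.
access-list SPLIT standard permit 10.27.40.0 255.255.255.0
group-policy phonetest attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
! 3. NAT exemption ("no nat" in pre-8.3 terms). The posted config only NATs
!    the management interface, so this is only required once a dynamic
!    NAT/PAT rule for internet access is added on the VOIP side; it keeps
!    LAN<->pool traffic untranslated so the IPsec SA proxy IDs still match.
nat (VOIP,outside) source static VOIP_NET VOIP_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 4. Checks after the client reconnects (sysopt connection permit-vpn is on
!    by default on the ASA, so no outside ACL entry is needed for VPN traffic):
!    show crypto ipsec sa
!      -> the client's SA should show local ident 10.27.40.0/255.255.255.0
!    packet-tracer input VOIP icmp 10.27.40.75 8 0 10.27.165.2
!      -> final result should be ALLOW, with no NAT phase rewriting addresses
```

If the ASA hands out a pool address that overlaps the client's own LAN, the client will still log AddRoute failures even with split tunneling in place, so keep the pool distinct from any subnet the client PC sits on.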


The 10.27.40.0/24 network is on the DMZ/trusted leg of the ASA 5505. The VPN client is connecting via the internet to the ASA 5505 to access the 10.27.40.0/24 network.

I will be configuring as per your advice, but only 10 to 11 hours from now as it is night time here in Singapore. I wonder how I can get hold of you by then?

Thanks for your kind assistance, as I am a newbie to ASA and VPN.


No worries dude, please apply those and test.. we will cya tomorrow..

Good night!

Harish.


My VPN client cannot connect to the ASA 5505, with this error:

Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding.
Connection terminated on: xxxxxxxx Duration: 0 day(s), 00:00.00

On the ASA 5505, there are many errors like this:

Severity: 5
Syslog ID: 713202
Description: IP = 58.145.230.10, Duplicate first packet detected. Ignoring packet