Hi,
I am trying to set up remote access VPNs and am having trouble. I used:
When I connect from the Cisco VPN client I am getting an error: "Secure VPN Connection terminated locally by client. Reason 412: The remote peer is no longer responding."
My network looks like this.
Router-----ASA----LAN
I can see the traffic getting through my router when I attempt to connect. The IP I am connecting to is my outside interface's IP on the ASA and is a public IP. It is also the IP that is NAT'ed to my mail server. Does this cause a problem? (I hope not, because I am out of IPs and I don't want to have to buy more.)
Please find the relevant part of my ASA config below. Thanks for your help.
Result of the command: "sh running"
: Saved
:
ASA Version 7.0(5)
!
hostname
domain-name
enable password
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address PUBLIC IP
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address
 management-only
!
passwd SisLvDjB/rijelPS encrypted
banner exec # You are logging into a corporate device. Unauthorized access is prohibited.
banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle #
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
pager lines 24
logging enable
logging timestamp
logging list ASALog level notifications
logging monitor notifications
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 192.168.10.1-192.168.10.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 PUBLIC IP PAT netmask 255.255.255.255
nat (inside) 0 access-list 110
nat (inside) 2 PRIVATE IPS
static (inside,outside) PUBLIC IP (outside interface) mailserver netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ROUTER INSIDE IP
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn PRIVATE IP OF IAS SERVER
 key ****
group-policy vpnUsers internal
group-policy vpnUsers attributes
 banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited.
 dns-server value PRIVATE IP OF DNS SERVER
 webvpn
username LOCAL USER ACCOUNT IN CASE IAS IS DOWN
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RemoteVPNSet esp-aes-256 esp-sha-hmac
crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
crypto map RemoteVPNMap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 2000
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool vpnclient
 authentication-server-group vpn
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-policy
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
policy-map global-policy
 class global-policy
  inspect http
  inspect icmp
  inspect ftp
  inspect dns
  inspect esmtp
!
service-policy global_policy global
smtp-server PRIVATE IP MAIL SERVER
Cryptochecksum:e4042ef4dbb31b13906ab838782ba7db
: end
Thanks again for any light you can shed on this.