VPN to ASA from Cisco VPN Client Getting Error

Discussion in 'Cisco' started by K.J. 44, Oct 19, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I am trying to set up remote access VPNs and am having trouble. I
    used:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00806de37e.shtml

    as a guide as was recommended by someone in a previous post.

    When I connect from the Cisco VPN client I am getting an error:
    "Secure VPN Connection terminated locally by client. Reason 412: The
    remote peer is no longer responding."

    My network looks like this.

    Router-----ASA----LAN

    I can see the traffic getting through my router when I attempt to
    connect. The IP connecting to is my outside interface's IP on the ASA
    and is a public IP. It is also the IP that is nat'ed to my mail
    server. Does this cause a problem? (I hope not because I am out of
    IPs and I don't want to have to buy more).

    Please find the relevant part of my ASA config below. Thanks for your
    help.

    Result of the command: "sh running"

    : Saved
    :
    ASA Version 7.0(5)
    !
    hostname
    domain-name
    enable password
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address PUBLIC IP
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address
    management-only
    !
    passwd SisLvDjB/rijelPS encrypted
    banner exec # You are logging into a corporate device. Unauthorized
    access is prohibited.
    banner motd # "We are what we repeatedly do. Excellence, then, is not
    an act, but a habit." - Aristotle #
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns name-server
    object-group service NecessaryServices tcp
    port-object eq echo
    port-object eq www
    port-object eq domain
    port-object eq smtp
    port-object eq ftp-data
    port-object eq pop3
    port-object eq aol
    port-object eq ftp
    port-object eq https
    object-group service UDPServices udp
    port-object eq nameserver
    port-object eq www
    port-object eq isakmp
    port-object eq domain
    object-group service TCP-UDPServices tcp-udp
    port-object eq echo
    port-object eq www
    port-object eq domain

    pager lines 24
    logging enable
    logging timestamp
    logging list ASALog level notifications
    logging monitor notifications
    logging trap notifications
    logging asdm informational
    logging device-id hostname
    logging host inside
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnclient 192.168.10.1-192.168.10.254
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    asdm image disk0:/asdm505.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 2 PUBLIC IP PAT netmask 255.255.255.255
    nat (inside) 0 access-list 110
    nat (inside) 2 PRIVATE IPS
    static (inside,outside) PUBLIC IP (outside interface) mailserver
    netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 ROUTER INSIDE IP
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server vpn protocol radius
    aaa-server vpn PRIVATE IP OF IAS SERVER
    key ****
    group-policy vpnUsers internal
    group-policy vpnUsers attributes
    banner value You are remotely accessing a corporate network. Any
    unauthorized use is strictly prohibited.
    dns-server value PRIVATE IP OF DNS SERVER
    webvpn
    username LOCAL USER ACCOUNT IN CASE IAS IS DOWN
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set RemoteVPNSet esp-aes-256 esp-sha-hmac
    crypto dynamic-map RemoteVPNDynmap 10 set transform-set RemoteVPNSet
    crypto dynamic-map RemoteVPNDynmap 10 set reverse-route
    crypto map RemoteVPNMap 10 ipsec-isakmp dynamic RemoteVPNDynmap
    crypto map RemoteVPNMap interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 2000
    tunnel-group DefaultRAGroup general-attributes
    authentication-server-group (outside) vpn
    tunnel-group RemoteVPN type ipsec-ra
    tunnel-group RemoteVPN general-attributes
    address-pool vpnclient
    authentication-server-group vpn
    tunnel-group RemoteVPN ipsec-attributes
    pre-shared-key *
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 50
    !
    class-map global-policy
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect http
    policy-map global-policy
    class global-policy
    inspect http
    inspect icmp
    inspect ftp
    inspect dns
    inspect esmtp
    !
    service-policy global_policy global
    smtp-server PRIVATE IP MAIL SERVER
    Cryptochecksum:e4042ef4dbb31b13906ab838782ba7db
    : end


    Thanks again for any light you can shed on this.
     
    K.J. 44, Oct 19, 2006
    #1

  2. K.J. 44

    K.J. 44 Guest

    Here is the debug output from the Cisco VPN Client when attempting to
    connect:

    Cisco Systems VPN Client Version 4.6.00.0049
    Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    1 13:05:16.656 10/19/06 Sev=Info/4 CM/0x63100002
    Begin connection process

    2 13:05:16.671 10/19/06 Sev=Info/4 CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully

    3 13:05:16.671 10/19/06 Sev=Info/4 CM/0x63100004
    Establish secure connection using Ethernet

    4 13:05:16.671 10/19/06 Sev=Info/4 CM/0x63100024
    Attempt connection with server "OUTSIDE PUBLIC IP OF ASA"

    5 13:05:17.671 10/19/06 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with OUTSIDE PUBLIC IP OF ASA

    6 13:05:17.687 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
    VID(Nat-T), VID(Frag), VID(Unity)) to OUTSIDE PUBLIC IP OF ASA

    7 13:05:17.687 10/19/06 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started

    8 13:05:17.687 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    9 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    10 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    11 13:05:28.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    12 13:05:28.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    13 13:05:33.031 10/19/06 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    14 13:05:33.031 10/19/06 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to OUTSIDE PUBLIC IP OF ASA

    15 13:05:38.031 10/19/06 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=896EE55DE5545183
    R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    16 13:05:38.531 10/19/06 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=896EE55DE5545183
    R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    17 13:05:38.531 10/19/06 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "66.184.64.14" because of
    "DEL_REASON_PEER_NOT_RESPONDING"

    18 13:05:38.531 10/19/06 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv

    19 13:05:38.546 10/19/06 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection

    20 13:05:38.562 10/19/06 Sev=Info/4 IKE/0x63000085
    Microsoft IPSec Policy Agent service started successfully

    21 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    22 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    23 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys

    24 13:05:38.562 10/19/06 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped


    The ASA is not responding. I can see the traffic getting through the
    router and I do not see any return traffic getting stopped. Will the
    return traffic be from the same port that the initiation was sent
    to?

    Please help. Thanks.
     
    K.J. 44, Oct 19, 2006
    #2
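As an added example (not the poster's code or anything from the thread), here is a Python script that parses log lines in the Cisco VPN Client 4.x format shown above and reports whether the responder cookie ever became non-zero, i.e. whether any ISAKMP reply reached the client before it gave up. The embedded sample log is a constructed excerpt with a documentation peer address (192.0.2.1), and the UDP/500 and UDP/4500 ports named in the verdict are standard IKEv1/NAT-T behaviour, not something stated in the thread.

```python
import re
from datetime import datetime

# Constructed excerpt in the Cisco VPN Client 4.x log format (peer address is a
# documentation IP, not the poster's); messages wrap across lines as in the post.
SAMPLE_LOG = """\
6 13:05:17.687 10/19/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 192.0.2.1
9 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 13:05:23.031 10/19/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.1
15 13:05:38.031 10/19/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=896EE55DE5545183
R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
HEADER = re.compile(r"^(\d+) (\d\d:\d\d:\d\d\.\d{3}) (\d\d/\d\d/\d\d) Sev=\w+/\d (\w+)/0x([0-9A-F]+)$")
COOKIES = re.compile(r"I_Cookie=[0-9A-F]+\s+R_Cookie=([0-9A-F]+)")

def parse_entries(text):
    """Group each numbered header line with its (possibly wrapped) message."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = datetime.strptime(f"{m.group(3)} {m.group(2)}", "%m/%d/%y %H:%M:%S.%f")
            entries.append({"seq": int(m.group(1)), "time": stamp,
                            "subsys": m.group(4), "code": m.group(5), "msg": ""})
        elif entries:  # continuation of the previous entry's message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def diagnose_phase1(text):
    """Classify an IKE phase 1 failure using only the client-side log."""
    ike = [e for e in parse_entries(text) if e["subsys"] == "IKE"]
    sends = [e for e in ike if e["msg"].startswith("SENDING >>> ISAKMP OAK")]
    retrans = sum(1 for e in ike if e["code"] == "63000021")  # "Retransmitting last packet!"
    deletion = next((e for e in ike if e["code"] == "63000017"), None)  # "Marking IKE SA for deletion"
    r = {"retransmissions": retrans, "peer_replied": None, "seconds_to_give_up": None, "verdict": "inconclusive"}
    if deletion and (c := COOKIES.search(deletion["msg"])):
        # An all-zero responder cookie means no ISAKMP reply ever reached the client.
        r["peer_replied"] = set(c.group(1)) != {"0"}
        if sends:
            r["seconds_to_give_up"] = (deletion["time"] - sends[0]["time"]).total_seconds()
    if r["peer_replied"] is False and retrans:
        r["verdict"] = "no IKE reply: verify UDP/500 (and UDP/4500 for NAT-T) is delivered to the peer and back"
    elif r["peer_replied"]:
        r["verdict"] = "peer answered; look at proposal or authentication, not reachability"
    return r
```

IKE replies are sent from the peer's UDP port 500 (UDP 4500 once NAT-T is negotiated), so a capture filtered on those ports in both directions on the router shows whether the reply ever leaves the ASA.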

  3. K.J. 44

    K.J. 44 Guest

    Is anyone out there that has an opinion?

    Please help and thank you.
     
    K.J. 44, Oct 20, 2006
    #3
