Cisco VPN connection: error when trying to connect

Posted on 2004-08-26
Medium Priority
Last Modified: 2013-11-16
We just set up our Cisco 506 PIX and have enabled VPN connections. The group setup works fine; it's when the user tries to log in that I keep getting an error saying Reason 413 user authentication failed. I checked to make sure users were added using the wr term cmd. The users exist but for some reason I can't log in with any of the accounts I set up! I set up the VPN and the group using the PDM and added the users via the CLI. Is this causing my problem?
Question by:digitalslavery

Expert Comment

ID: 11910859
Hi digitalslavery,
The PDM does not always do things correctly.
Can you log in via telnet or ssh, use the 'show run' command to display the current configuration, and paste it here? I will have a look for you.

Author Comment

ID: 11912116
Also, I can't find anywhere in the PDM where my users are that I added, weird.

Result of firewall command: "show run"
: Saved
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd ************ encrypted
hostname MyPix
domain-name alff.net
clock timezone MST -7
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 3389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name Production
name Corporate
name PHX-FPS
name PHX-EXC
name PHX-DC
name PHX-EPO
name PHX-FPS2
object-group network SERVERS
  description Network servers
  network-object PHX-FPS
  network-object PHX-SCAN
  network-object PHX-DC
  network-object PHX-EXC
  network-object PHX-EPO
  network-object LG-TESTSERVER
  network-object LG-WEBSERVER
  network-object PHX-FPS2
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host eq www
access-list outside_access_in permit tcp any host eq smtp
access-list inside_outbound_nat0_acl permit ip Corporate
access-list inside_outbound_nat0_acl permit ip SanSalvidor
access-list rdc_splitTunnelAcl permit ip Corporate any
access-list rdc_splitTunnelAcl permit ip SanSalvidor any
access-list outside_cryptomap_dyn_20 permit ip any
access-list inside_access_in remark
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging console alerts
logging monitor alerts
logging buffered alerts
logging trap informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool CorporateRDC
ip local pool vpn_access
pdm location PHX-FPS2 inside
pdm location PHX-EXC inside
pdm location LG-WEBSERVER inside
pdm location outside
pdm location SanSalvidor inside
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm location outside
pdm location PHX-FPS inside
pdm location PHX-SCAN inside
pdm location PHX-DC inside
pdm location PHX-EPO inside
pdm location LG-TESTSERVER inside
pdm location outside
pdm location outside
pdm group SERVERS inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0 0
static (inside,outside) PHX-EXC netmask 0 0
static (inside,outside) LG-WEBSERVER netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 1
route inside Prodution 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http outside
http outside
http Corporate inside
snmp-server location Corporate
snmp-server contact Jason Lasby
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup rdc address-pool vpn_access
vpngroup rdc dns-server PHX-DC
vpngroup rdc default-domain alff
vpngroup rdc split-tunnel rdc_splitTunnelAcl
vpngroup rdc idle-time 1800
vpngroup rdc password ********
telnet Corporate inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 20
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn username jason2 password *********
vpdn username jaughe password *********
vpdn username dvaldez password *********
vpdn username llevin password *********
vpdn username jdavis password *********
vpdn username jason password *********
vpdn enable outside
vpdn enable inside
terminal width 80
: end


Accepted Solution

grblades earned 1000 total points
ID: 11912407
You appear to have both PPTP and IPSEC based VPN connections enabled. Do you intend to use both?
Your IPSEC section looks correct and all you are missing is the list of user accounts:

username user1 password password1
username user2 password password2
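
Added example (not part of the original answer or thread): a small Python check for the mismatch diagnosed above, where the crypto map authenticates VPN clients against LOCAL but the only accounts in the config are `vpdn username` (PPTP) entries. The sample config is a constructed excerpt modelled on the 'show run' output in this thread; the function name and finding labels are hypothetical.

```python
import re

# Constructed excerpt modelled on the 'show run' output posted in this thread.
SAMPLE_CONFIG = """\
aaa-server LOCAL protocol local
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
vpngroup rdc password ********
vpdn group 1 ppp authentication mschap
vpdn username jason password *********
vpdn username jdavis password *********
vpdn enable outside
"""

def audit_vpn_users(config: str) -> dict:
    """Report where user accounts live and whether IPsec client auth can find them."""
    lines = [ln.strip() for ln in config.splitlines()]
    # 'username X password ...' at the start of a line is the LOCAL user database.
    local_users = [m.group(1) for ln in lines
                   if (m := re.match(r"username\s+(\S+)\s+password\b", ln))]
    # 'vpdn username X password ...' accounts belong to the vpdn (PPTP) group only.
    vpdn_users = [m.group(1) for ln in lines
                  if (m := re.match(r"vpdn\s+username\s+(\S+)\s+password\b", ln))]
    # Server tag named by 'crypto map <map> client authentication <tag>'.
    auth_tags = [m.group(1) for ln in lines
                 if (m := re.match(r"crypto map \S+ client authentication (\S+)", ln))]
    ipsec_on = any(re.match(r"isakmp enable \S+", ln) for ln in lines)
    pptp_on = any(re.match(r"vpdn enable \S+", ln) for ln in lines)

    findings = []
    if "LOCAL" in auth_tags and not local_users:
        # The condition behind "Reason 413" here: no account for LOCAL to check.
        findings.append("xauth-local-no-users")
    if ipsec_on and pptp_on:
        # Both VPN types are reachable; disable the one that is not intended.
        findings.append("pptp-and-ipsec-enabled")
    return {"local_users": local_users, "vpdn_users": vpdn_users,
            "findings": findings}

if __name__ == "__main__":
    print(audit_vpn_users(SAMPLE_CONFIG))
    # After adding a LOCAL account as the accepted answer suggests:
    print(audit_vpn_users(SAMPLE_CONFIG + "username user1 password password1\n"))
```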

Author Comment

ID: 11912963
We should be using IPsec connections only! How do I add the users? I see the users I thought I was enabling access to were actually under the PPTP. The command I was using to add users was:

vpdn username employee password mypassword

What should it be?


Author Comment

ID: 11913001
Oh right! My bad, I didn't realize that was the command! You've just won 250 points!

Thanks! :)
