Solved

Cisco VPN client Reason 413: user authentication failed

Posted on 2006-06-24
4
31,379 Views
Last Modified: 2013-11-16
We just added and configured a new Cisco ASA 5510. The VPN worked for a few days. Now, it doesn’t work (it may be some configurations changed). Whenever the VPN client (v3.6) tries to access the VPN, it displays the login screen. After entering the username and password, you will receive “Secure VPN connection terminated locally. Reason 413: user authentication failed”. Any suggestions?

ASA Version 7.0(5)
!
hostname chicagotech
domain-name default.domain.invalid
enable password BXdBI/nCX9W8gnaT encrypted
names
name 192.168.0.114 Chicagotech
name 192.168.0.112 IBM
name 192.168.0.117 Outer
name 192.168.102.0 DMZ
name 192.168.0.213 Color
name 192.168.0.95 USA8200
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.37 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.102.250 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list tac extended permit ip any host x.x.x.10
access-list tac extended permit ip host x.x.x.10 any
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.36 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.36 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.36 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 8383
access-list out_to_inside extended permit icmp any any
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.38 eq www
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host 1x.x.x.36 eq pptp
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.25
5.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool 101 192.168.101.1-192.168.101.254 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.34 Colormyrug netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.35 Chicagotech netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.38 Outerlogic netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy PPTPVPN internal
group-policy PPTPVPN attributes
 wins-server value 192.168.0.231
 dns-server value 192.168.0.231 4.2.2.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PPTPVPN_splitTunnelAcl
 default-domain value cm.local
 webvpn
http server enable
http x.x.x.81 255.255.255.255 Outside
http 192.168.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group PPTPVPN type ipsec-ra
tunnel-group PPTPVPN general-attributes
 address-pool 101
 default-group-policy PPTPVPN
tunnel-group PPTPVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh x.x.x.81 255.255.255.255 Outside
ssh x.x.x.246 255.255.255.255 Outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global

0
Comment
Question by:blin2000
  • 3
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 40 total points
ID: 16978500
> the VPN client (v3.6)
Wow.. 3.6 is so old I'm surprised it works at all with the ASA.
Highly suggest updating. Latest is 4.8

>static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
>static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255
Do you have 2 statics tot he same external IP? I see the "1" to differentiate the 2nd one, but what is that public IP coming from?

>name 192.168.0.114 Chicagotech
Ouch! 192.168.0.x for your internal LAN? What happens when a VPN client tries to connect and they also have 192.168.0.0 as their LAN?

Try this script:

no access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Outside_dynmap permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto dynamic-map Outside_dyn_map 20 match address Outside_dynmap
crypto map Outside_map interface Outside
isakmp nat-traversal 20
isakmp identity address
access-list PPTPVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
group-policy PPTPVPN attributes
   split-tunnel-network-list value PPTPVPN_splitTunnelAcl


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16979084
Are you sure this Q is only worth 40 points?
0
 
LVL 7

Author Comment

by:blin2000
ID: 16988176
Irmoore,

This Q is worth more than 500 points. However, that is all I had.

1. Sorry, it is v4.6.

2. static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255

Thank you. IBM should be removed.

3. 192.168.0.0: You are correct. However, they host multiple web sites and many computers are using the static IP. I will have them to change to different Ip arrange when they are ready.

4. I belive the issue is the group policy. After changing the group PPTPVPN to DfltGrpPloicy, it works.

thank you.

thank you very much.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16988276
Glad to help....
Don't you have Premium access as an esteemed expert? Looks like you've made your monthly minimum - or have you been away for awhile and have to start over?

0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now