Solved

Cisco VPN client Reason 413: user authentication failed

Posted on 2006-06-24
4
31,446 Views
Last Modified: 2013-11-16
We just added and configured a new Cisco ASA 5510. The VPN worked for a few days. Now, it doesn’t work (it may be some configurations changed). Whenever the VPN client (v3.6) tries to access the VPN, it displays the login screen. After entering the username and password, you will receive “Secure VPN connection terminated locally. Reason 413: user authentication failed”. Any suggestions?

ASA Version 7.0(5)
!
hostname chicagotech
domain-name default.domain.invalid
enable password BXdBI/nCX9W8gnaT encrypted
names
name 192.168.0.114 Chicagotech
name 192.168.0.112 IBM
name 192.168.0.117 Outer
name 192.168.102.0 DMZ
name 192.168.0.213 Color
name 192.168.0.95 USA8200
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.37 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.102.250 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list tac extended permit ip any host x.x.x.10
access-list tac extended permit ip host x.x.x.10 any
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.36 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.36 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.36 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.36 eq 8383
access-list out_to_inside extended permit icmp any any
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.38 eq www
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host 1x.x.x.36 eq pptp
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.25
5.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool 101 192.168.101.1-192.168.101.254 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.34 Colormyrug netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.35 Chicagotech netmask 255.255.255.255 dns
static (Inside,Outside) x.x.x.38 Outerlogic netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy PPTPVPN internal
group-policy PPTPVPN attributes
 wins-server value 192.168.0.231
 dns-server value 192.168.0.231 4.2.2.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PPTPVPN_splitTunnelAcl
 default-domain value cm.local
 webvpn
http server enable
http x.x.x.81 255.255.255.255 Outside
http 192.168.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group PPTPVPN type ipsec-ra
tunnel-group PPTPVPN general-attributes
 address-pool 101
 default-group-policy PPTPVPN
tunnel-group PPTPVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh x.x.x.81 255.255.255.255 Outside
ssh x.x.x.246 255.255.255.255 Outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global

0
Comment
Question by:blin2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 40 total points
ID: 16978500
> the VPN client (v3.6)
Wow.. 3.6 is so old I'm surprised it works at all with the ASA.
Highly suggest updating. Latest is 4.8

>static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
>static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255
Do you have 2 statics tot he same external IP? I see the "1" to differentiate the 2nd one, but what is that public IP coming from?

>name 192.168.0.114 Chicagotech
Ouch! 192.168.0.x for your internal LAN? What happens when a VPN client tries to connect and they also have 192.168.0.0 as their LAN?

Try this script:

no access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
access-list Outside_dynmap permit ip 192.168.0.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto dynamic-map Outside_dyn_map 20 match address Outside_dynmap
crypto map Outside_map interface Outside
isakmp nat-traversal 20
isakmp identity address
access-list PPTPVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
group-policy PPTPVPN attributes
   split-tunnel-network-list value PPTPVPN_splitTunnelAcl


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16979084
Are you sure this Q is only worth 40 points?
0
 
LVL 7

Author Comment

by:blin2000
ID: 16988176
Irmoore,

This Q is worth more than 500 points. However, that is all I had.

1. Sorry, it is v4.6.

2. static (Inside,Outside) x.x.x.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.x.36 USA8200 netmask 255.255.255.255

Thank you. IBM should be removed.

3. 192.168.0.0: You are correct. However, they host multiple web sites and many computers are using the static IP. I will have them to change to different Ip arrange when they are ready.

4. I belive the issue is the group policy. After changing the group PPTPVPN to DfltGrpPloicy, it works.

thank you.

thank you very much.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16988276
Glad to help....
Don't you have Premium access as an esteemed expert? Looks like you've made your monthly minimum - or have you been away for awhile and have to start over?

0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Firewall - Rule created ports still not opemn 5 84
Logging pfSense on Kiwi 4 86
Do I need a hardware firewall? 12 99
Sonicwall tz215 internet speed slow  help 56 1,603
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question