Cisco 837 router EZVPN is not working

I have a Cisco 837 router that is setup at a remote location to use EZVPN to keep a constant VPN connection to our network. Nothing should have changed with my router config or switch config. I believe some settings were changed in my VPN 3000 Concentrator when I was fixing another issue. After looking at the config of this Cisco 837 router I saw that it was referencing a group in the VPN 3000 Concentrator. I set it up in a VPN client and attempted to log on. I saw that I could not log in with the username referenced. I used another group that I knew was working, and was able to log on with the AD user account referenced in the 837 config. I compared the settings on the VPN concentrator with the group that could log on to VPN to the group that was used in the 837 config. I documented the settings I changed. The main issue I saw was that I was only using IPSec and Web VPN as my tunneling protocols in the group that was used in the 837. I created another group and allowed PPTP, L2TP, and IPSec tunneling protocols on the 3000. I verified that I could log on to VPN using my VPN client with the AD account that is used in the 837. I changed the IPs in my config below before I posted it. All IPs have been changed consistently to where the ACLs and interfaces make sense. I inherited this and was not the person that set this up. Please double check my ACL and let me know if you notice anything that does not look right. One thing I have noticed that I will change is that my subnet at this remote location is set to /24. In the switch at corporate my route statement subnet is /16. This should be changed, but it should not be the source of the problem because it worked until my VPN 3000 Concentrator and ACS was changed when RADIUS authentication broke and I had to fix it. I am unable to get the 837 to log on to VPN and am getting a message preshared key for <ip> <subnet> already exists. 500 points to whoever can locate or point me in the right direction to fix my problem.

Current configuration : 2829 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 <hidden>
enable password 7 <hidden>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization config-commands  
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 1.2.1.1
!
ip dhcp pool cisco837
   network 1.2.1.0 255.255.255.0
   default-router 1.2.1.1
   dns-server 1.0.1.2 1.0.1.3
   lease 2
!
!
ip name-server 1.0.1.2
ip name-server 1.0.1.3
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn <name>
 connect auto
 group test key <hidden>
 mode network-extension
 peer <outside ip>
 username <user> password  <hidden>
!
!
!
interface Tunnel0
 no ip address
!
interface Ethernet0
 description Private Network
 ip address 1.2.1.1 255.255.255.0
 ip nat inside
ip virtual-reassembly
 shutdown
 crypto ipsec client ezvpn <name> inside
 hold-queue 32 in
!
interface Ethernet1
 description Internet Network
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 crypto ipsec client ezvpn <name>
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
ip tacacs source-interface Ethernet0
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Ethernet1 overload
!
!
access-list 23 permit 1.2.1.0 0.0.0.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 1.0.0.0 0.255.255.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0  0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 permit ip 1.2.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 110
!
tacacs-server host 1.0.1.6
tacacs-server directed-request
tacacs-server key 7 <hidden>
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 <hidden>
!
scheduler max-task-time 5000
end
LVL 6
itnetworknAsked:
Who is Participating?
 
itnetworknAuthor Commented:
I had to reset the settings on my VPN Concentrator. Thanks for the assistance.
0
 
HalldorGCommented:
Why are the interfaced in shutdown?
You might try to do a clear crypto isakmp and reset it
Then try changing the preshared key if that does not work
0
 
itnetworknAuthor Commented:
Sorry, I did not edit that. I had to do a password break on this and I copied the config before I issued the "no shut" command on the interfaces. I will try your suggestion and will get back with you. Thanks!
0
 
itnetworknAuthor Commented:
HalldorG, please confirm that the command I would use to reset the VPN connection is; "clear crypto ipsec client ezvpn". To reset the pre shared key I would enter the command; "group test key <hidden>", correct? Thanks!
0
 
HalldorGCommented:
The
clear crypto isakmp
clears active connections
The group test key resets the key
that is correct
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.