troubleshooting Question

Problem with Remote Access VPN terminated by Cisco ASA 5505

Avatar of FIFBA
FIFBA asked on
CiscoHardware FirewallsInternet Protocol Security
3 Comments2 Solutions425 ViewsLast Modified:
I'm having trouble getting a remote access VPN  to work properly. I'm using an ASA 5505 running 7.2.4. Here's the setup...

The ASA is behind a ADSL modem/router combo, but the modem passes all traffic. I am positive that all traffic entering the outside interface gets forwarded to the inside. The inside of the modem/router has the address I have configured the ASA with outside interface and set a default route to forward to The inside of the ASA is

I have set up a remote access vpn. When I test it, it fails to connect. I stay in the perpetual 'contacting the security gateway at...' state. If I turn off isakmp nat-traversal on the ASA, I am able to connect to the  VPN successfully; however, I am unable to pass traffic.

I thought for sure that this was a routing problem. I was testing the remote access from behind another network. However, when I tried to connect from behind an entirely different subnet, I had the same results.

When I enable logging on the ASA, I see the message:
[IKEv1]: Group = RemoteAccess, IP = xx.x.x, Error: Unable to remove PeerTblEntry

What is going on here? I plan on replacing the modem/router combo with a modem. Will this fix it or is there something else going on?
ASA# sho run
: Saved
ASA Version 7.2(4)
hostname ASA
enable password XCBuNvamynPGu917 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 no nameif
 no security-level
 no ip address
interface Vlan2
 no forward interface Vlan10
 no nameif
 no security-level
 no ip address
interface Vlan10
 nameif inside
 security-level 100
 ip address
interface Vlan11
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 11
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 10
interface Ethernet0/4
 switchport access vlan 10
interface Ethernet0/5
 switchport access vlan 10
interface Ethernet0/6
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 10
ftp mode passive
clock timezone cst -6
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list RemoteAccess_splitTunnelAcl standard permit 255.255.255.
access-list inside_nat0_outbound extended permit ip 19
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
ntp server
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
username fac password ESl4cXhAb7HpWykT encrypted privilege 0
username fac attributes
 vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type ipsec-ra
tunnel-group RemoteAccess general-attributes
 address-pool VPNpool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
Les Moore
Systems Architect

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Top Expert 2008

The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.

Join our community to see this answer!
Unlock 2 Answers and 3 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros