We help IT Professionals succeed at work.
Get Started

Problem with Remote Access VPN terminated by Cisco ASA 5505

Last Modified: 2012-05-05
I'm having trouble getting a remote access VPN  to work properly. I'm using an ASA 5505 running 7.2.4. Here's the setup...

The ASA is behind a ADSL modem/router combo, but the modem passes all traffic. I am positive that all traffic entering the outside interface gets forwarded to the inside. The inside of the modem/router has the address I have configured the ASA with outside interface and set a default route to forward to The inside of the ASA is

I have set up a remote access vpn. When I test it, it fails to connect. I stay in the perpetual 'contacting the security gateway at...' state. If I turn off isakmp nat-traversal on the ASA, I am able to connect to the  VPN successfully; however, I am unable to pass traffic.

I thought for sure that this was a routing problem. I was testing the remote access from behind another network. However, when I tried to connect from behind an entirely different subnet, I had the same results.

When I enable logging on the ASA, I see the message:
[IKEv1]: Group = RemoteAccess, IP = xx.x.x, Error: Unable to remove PeerTblEntry

What is going on here? I plan on replacing the modem/router combo with a modem. Will this fix it or is there something else going on?
ASA# sho run
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.com
enable password XCBuNvamynPGu917 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 no nameif
 no security-level
 no ip address
interface Vlan2
 no forward interface Vlan10
 no nameif
 no security-level
 no ip address
interface Vlan10
 nameif inside
 security-level 100
 ip address
interface Vlan11
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 11
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 10
interface Ethernet0/4
 switchport access vlan 10
interface Ethernet0/5
 switchport access vlan 10
interface Ethernet0/6
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 10
ftp mode passive
clock timezone cst -6
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list RemoteAccess_splitTunnelAcl standard permit 255.255.255.
access-list inside_nat0_outbound extended permit ip 19
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group outside_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
ntp server
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
username fac password ESl4cXhAb7HpWykT encrypted privilege 0
username fac attributes
 vpn-group-policy RemoteAccess
tunnel-group RemoteAccess type ipsec-ra
tunnel-group RemoteAccess general-attributes
 address-pool VPNpool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end

Open in new window

Watch Question
Systems Architect
Top Expert 2008
This problem has been solved!
Unlock 2 Answers and 3 Comments.
See Answers
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE