• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1914
  • Last Modified:

Remote VPN connection issues with ASA 5505


Hi,
testing cisco SRP527 to establish a remote VPN connection with ASA 5505, Below is the configuration of the ASA.  Please see the error message and tell me what  needs to be modified.
Thank you.



ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xx.xx.189 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip interface inside 10.100.0.0 255.255.255.240
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool remote_vpn 10.100.0.1-10.100.0.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xx.xx.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 209.244.0.3 209.244.0.4
!
dhcpd address 10.10.10.20-10.10.10.30 inside
dhcpd enable inside
!

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 209.244.0.3 209.244.0.4
 vpn-tunnel-protocol l2tp-ipsec
username sean password 9d/Qyoz1Af5/dRaz encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool remote_vpn
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d4616985be2791f03ef06c6cce17c9e4
: end
0
Sean
Asked:
Sean
  • 2
1 Solution
 
SeanAuthor Commented:

Sorry, here is the debug:



Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing ID payload
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing hash payload
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, Computing hash for ISAKMP
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing dpd vid payload
Apr 28 17:38:06 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=bfe80e33) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=bfe80e33) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, process_attr(): Enter!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, Processing MODE_CFG Reply attributes.
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: primary DNS = 209.244.0.3
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: secondary DNS = 209.244.0.4
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: primary WINS = cleared
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: secondary WINS = cleared
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: IP Compression = disabled
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, User (sean) authenticated.
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=c73abf56) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=c73abf56) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, process_attr(): Enter!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Processing cfg ACK attributes
Apr 28 17:38:07 [IKEv1 DECODE]: IP = 75.210.161.228, IKE Responder starting QM: msg id = 2a662c3a
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, PHASE 1 COMPLETED
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, Keep-alive type for this connection: DPD
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Starting P1 rekey timer: 64766 seconds.
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=2a662c3a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing SA payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing nonce payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ke payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ISA_KE for PFS in phase 2
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ID payload
Apr 28 17:38:07 [IKEv1 DECODE]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, ID_IPV4_ADDR_SUBNET ID received--10.100.0.0--255.255.255.240
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Received remote IP Proxy Subnet data in ID Payload:   Address 10.100.0.0, Mask 255.255.255.240, Protocol 0, Port 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ID payload
Apr 28 17:38:07 [IKEv1 DECODE]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, ID_IPV4_ADDR_SUBNET ID received--10.10.10.0--255.255.255.0
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Received local IP Proxy Subnet data in ID Payload:   Address 10.10.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, QM FSM error (P2 struct &0x40600b0, mess id 0x2a662c3a)!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE QM Responder FSM error history (struct &0x40600b0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, sending delete/delete with reason message
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Removing peer from correlator table failed, no match!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE SA MM:0db3a1ff rcv'd Terminate: state MM_ACTIVE  flags 0x00008042, refcnt 1, tuncnt 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE SA MM:0db3a1ff terminating:  flags 0x01008002, refcnt 0, tuncnt 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, sending delete/delete with reason message
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing IKE delete payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=9a65227e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 28 17:38:08 [IKEv1]: IP = 75.210.161.228, Received encrypted packet with no matching SA, dropping
Apr 28 17:38:17 [IKEv1]: IP = 75.210.161.228, Received encrypted packet with no matching SA, dropping
0
 
gheistCommented:
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
0
 
anoopkmrCommented:
try like below

group-policy DefaultRAGroup attributes
 no  vpn-tunnel-protocol l2tp-ipsec
vpn-tunnel-protocol ipsec

0
 
SeanAuthor Commented:
Thank you
0

Featured Post

Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now