asked on

Remote VPN connection issues with ASA 5505

Hi,
testing cisco SRP527 to establish a remote VPN connection with ASA 5505, Below is the configuration of the ASA. Please see the error message and tell me what needs to be modified.
Thank you.

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xx.xx.189 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip interface inside 10.100.0.0 255.255.255.240
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool remote_vpn 10.100.0.1-10.100.0.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xx.xx.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd dns 209.244.0.3 209.244.0.4
!
dhcpd address 10.10.10.20-10.10.10.30 inside
dhcpd enable inside
!

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 209.244.0.3 209.244.0.4
vpn-tunnel-protocol l2tp-ipsec
username sean password 9d/Qyoz1Af5/dRaz encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool remote_vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d4616985be2791f03ef06c6cce17c9e4
: end

Sean

ASKER

Sorry, here is the debug:

Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing ID payload
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing hash payload
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, Computing hash for ISAKMP
Apr 28 17:38:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing dpd vid payload
Apr 28 17:38:06 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=bfe80e33) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=bfe80e33) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 84
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, process_attr(): Enter!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 75.210.161.228, Processing MODE_CFG Reply attributes.
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: primary DNS = 209.244.0.3
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: secondary DNS = 209.244.0.4
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: primary WINS = cleared
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: secondary WINS = cleared
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: IP Compression = disabled
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, User (sean) authenticated.
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=c73abf56) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=c73abf56) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, process_attr(): Enter!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Processing cfg ACK attributes
Apr 28 17:38:07 [IKEv1 DECODE]: IP = 75.210.161.228, IKE Responder starting QM: msg id = 2a662c3a
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, PHASE 1 COMPLETED
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, Keep-alive type for this connection: DPD
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Starting P1 rekey timer: 64766 seconds.
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE RECEIVED Message (msgid=2a662c3a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing SA payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing nonce payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ke payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ISA_KE for PFS in phase 2
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ID payload
Apr 28 17:38:07 [IKEv1 DECODE]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, ID_IPV4_ADDR_SUBNET ID received--10.100.0.0--255.255.255.240
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Received remote IP Proxy Subnet data in ID Payload: Address 10.100.0.0, Mask 255.255.255.240, Protocol 0, Port 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, processing ID payload
Apr 28 17:38:07 [IKEv1 DECODE]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, ID_IPV4_ADDR_SUBNET ID received--10.10.10.0--255.255.255.0
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Received local IP Proxy Subnet data in ID Payload: Address 10.10.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, QM FSM error (P2 struct &0x40600b0, mess id 0x2a662c3a)!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE QM Responder FSM error history (struct &0x40600b0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, sending delete/delete with reason message
Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Removing peer from correlator table failed, no match!
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE SA MM:0db3a1ff rcv'd Terminate: state MM_ACTIVE flags 0x00008042, refcnt 1, tuncnt 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, IKE SA MM:0db3a1ff terminating: flags 0x01008002, refcnt 0, tuncnt 0
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, sending delete/delete with reason message
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing blank hash payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing IKE delete payload
Apr 28 17:38:07 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, constructing qm hash payload
Apr 28 17:38:07 [IKEv1]: IP = 75.210.161.228, IKE_DECODE SENDING Message (msgid=9a65227e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 28 17:38:08 [IKEv1]: IP = 75.210.161.228, Received encrypted packet with no matching SA, dropping
Apr 28 17:38:17 [IKEv1]: IP = 75.210.161.228, Received encrypted packet with no matching SA, dropping

gheist

Apr 28 17:38:07 [IKEv1]: Group = DefaultRAGroup, Username = sean, IP = 75.210.161.228, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

ASKER CERTIFIED SOLUTION

anoopkmr

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Sean

ASKER

Thank you