
Can't Make Cisco 5505 VPN Connection

Drafter421 asked:
I am trying without any luck to establish a VPN for my users on a Cisco 5505.  

If I try to use a Cisco VPN Client to get into my network I just see it try to connect then say "Not Connected".

If I try Cisco AnyConnect I get:
"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. The following message was received from the secure gateway: No address available for SVC connection"

I'm sorry if I've made a mess of this configuration; obviously I am not the expert here.  That's why I'm asking you!  I don't even know where to start with troubleshooting at this point and any help would be so greatly appreciated.

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
domain-name xxxxxxxxxx.lan
enable password lHQxHwdBe5WuQL9p encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.6 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.1.2
 domain-name xxxxxxxxx.lan
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp eq pptp 
access-list test extended permit icmp any any echo-reply 
access-list test extended permit icmp any any time-exceeded 
access-list test extended permit icmp any any unreachable 
access-list inside_nat0_outbound extended permit ip any 10.0.1.230 255.255.255.254 
access-list inside_nat0_outbound extended permit ip any 10.0.1.224 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.0.1.208 255.255.255.248 
access-list inside_nat0_outbound extended permit ip any 10.0.1.224 255.255.255.224 
access-list inside_access_in_1 extended permit ip any interface outside 
access-list inside_access_in_1 extended permit tcp any any eq pptp 
access-list inside_access_in_1 extended permit ip any any 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list outside_access_in extended permit tcp any any eq pptp 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool testpool 10.0.1.230-10.0.1.235 mask 255.255.255.0
ip local pool tp2 10.0.1.210-10.0.1.215 mask 255.255.255.0
ip local pool tp4 10.0.1.236-10.0.1.238
ip local pool tp5 10.0.1.239-10.0.1.240 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host xx.xx.xx.xx inside
icmp permit any outside
icmp permit host xx.xx.xx.xx outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server sg1 protocol nt
aaa-server sg1 (inside) host 10.0.1.2
 timeout 5
 nt-auth-domain-controller claritydc01
aaa authorization command LOCAL 
http server enable
http 10.0.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.10-10.0.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc profiles 1 disk0:/1.xml
 svc enable
group-policy tg1 internal
group-policy tg1 attributes
 dns-server value 10.0.1.2 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value clarityhealth.lan
group-policy tg2 internal
group-policy tg2 attributes
 dns-server value 10.0.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value clarityhealth.lan
group-policy tg3 internal
group-policy tg3 attributes
 dns-server value 10.0.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value clarityhealth.lan
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
 dns-server value 10.0.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value clarityhealth.lan
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.0.1.2
 dns-server value 10.0.1.2 8.8.8.8
 vpn-tunnel-protocol l2tp-ipsec 
 default-domain value clarityhealth.lan
 webvpn
  svc profiles value 1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 wins-server value 10.0.1.2
 dns-server value 10.0.1.2 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value clarityhealth.lan
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask none default webvpn
username ebean1 password nhyjEnn78yb2zr2h encrypted privilege 15
username ebean password nhyjEnn78yb2zr2h encrypted privilege 15
username ebean attributes
 vpn-group-policy DfltGrpPolicy
username jcormier password KyNRuhU3CB4xUr.T encrypted privilege 15
username dnutt password ha4goHg7oOS52cXA encrypted privilege 15
username dnutt attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) tp4
 address-pool testpool
 address-pool tp2
 address-pool tp5
 authentication-server-group (inside) LOCAL
 default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group tg1 type remote-access
tunnel-group tg1 general-attributes
 address-pool testpool
 default-group-policy tg1
tunnel-group tg1 ipsec-attributes
 pre-shared-key *****
tunnel-group tg2 type remote-access
tunnel-group tg2 general-attributes
 address-pool testpool
 default-group-policy tg2
tunnel-group tg2 ipsec-attributes
 pre-shared-key *****
tunnel-group tg3 type remote-access
tunnel-group tg3 general-attributes
 address-pool testpool
 default-group-policy tg3
tunnel-group ClientVPN type remote-access
tunnel-group ClientVPN general-attributes
 address-pool testpool
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:10657dc55ac14390aa07a61b5c32c36a
: end
asdm location xx.xx.xx.xx 255.255.255.255 inside
no asdm history enable



Hello,

As you said, your config is really messy.
My suggestion is to clear all the VPN configuration and set the VPN up from the beginning following this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#disable

The same procedure applies to the 7.x and 8.2.5 versions of the ASA software.
It is the fastest way to do it. Also, you don't need VPN access on the inside interface, so don't configure it.


Regards!
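The rebuild the answer above recommends, written out as an added example for ASA 8.2(5); it is not part of the answer or of the linked Cisco document. It assumes the inside LAN stays 10.0.1.0/24 with DNS at 10.0.1.2; the pool subnet 10.0.2.0/24, the names RA_POOL, GP_REMOTE, RA_REMOTE and NONAT, the group alias "remote" and the pre-shared key are placeholders. It deliberately changes two things visible in the posted config. First, an AnyConnect client that connects without picking a group lands in the default WebVPN tunnel group, which in the posted config has no address pool; that is the usual meaning of "No address available for SVC connection", so here the clients are steered into one named tunnel group that has an alias and its own pool. Second, the posted pools (10.0.1.210-10.0.1.240) sit inside the inside subnet and inside the "dhcpd address 10.0.1.10-10.0.1.254 inside" range, so the pool is moved to its own subnet and exempted from NAT.

```cisco
! Added example (not from the original post or the linked Cisco document).
! Assumptions: inside LAN 10.0.1.0/24 with DNS 10.0.1.2 (from the posted config);
! the pool 10.0.2.0/24, the names RA_POOL, GP_REMOTE, RA_REMOTE, NONAT, the
! alias "remote" and the pre-shared key are placeholders to replace.
! Run from the console, not over the VPN; finish with "write memory".
!
! 1. Remove the existing remote-access VPN configuration, including
!    everything that enabled VPN on the inside interface.
clear configure tunnel-group
clear configure group-policy
clear configure crypto map
clear configure crypto dynamic-map
clear configure crypto isakmp
clear configure webvpn
clear configure ip local pool
!
! 2. Client address pool on its own subnet, outside the inside LAN and
!    outside the dhcpd range on the inside interface.
ip local pool RA_POOL 10.0.2.10-10.0.2.50 mask 255.255.255.0
!
! 3. NAT exemption (8.2 "nat 0" syntax) so inside hosts and VPN clients
!    talk without translation, plus a split-tunnel list for the LAN only.
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list SPLIT_TUNNEL standard permit 10.0.1.0 255.255.255.0
!
! 4. IKEv1/IPsec for the Cisco VPN Client, on the outside interface only.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! 5. AnyConnect (SSL VPN) on the outside interface only; the image path is
!    the one already on flash in the posted config.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! 6. One group policy for both client types; the pool is bound here as well.
group-policy GP_REMOTE internal
group-policy GP_REMOTE attributes
 vpn-tunnel-protocol IPSec svc
 dns-server value 10.0.1.2
 default-domain value xxxxxxxxxx.lan
 address-pools value RA_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 7. One tunnel group with an address pool. Its name is the "group name"
!    entered in the Cisco VPN Client; the alias is what AnyConnect users pick
!    from the drop-down, so neither client falls into a default group without a pool.
tunnel-group RA_REMOTE type remote-access
tunnel-group RA_REMOTE general-attributes
 address-pool RA_POOL
 default-group-policy GP_REMOTE
 authentication-server-group LOCAL
tunnel-group RA_REMOTE webvpn-attributes
 group-alias remote enable
tunnel-group RA_REMOTE ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! 8. Point the existing VPN users at the new policy; passwords are unchanged.
username ebean attributes
 vpn-group-policy GP_REMOTE
username dnutt attributes
 vpn-group-policy GP_REMOTE
```

The clear commands drop every existing tunnel, which is why this is applied from the console. Afterwards the Cisco VPN Client connection entry uses RA_REMOTE as the group name together with the pre-shared key, and AnyConnect users choose "remote" from the group list before logging in with their local username.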
Commented:
Run the Monitor -> Debug screen in ASDM while connecting to see the error message.
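The CLI equivalent of watching the ASDM debug screen, as an added example that is not part of the comment above. It is run from a console or SSH session on ASA 8.2 while the client attempts to connect; the names RA_REMOTE and RA_POOL are assumed from a rebuilt configuration and should be replaced with whatever the tunnel group and pool are actually called.

```cisco
! Added example, not from the original page. Exec mode on ASA 8.2; the
! names RA_POOL and RA_REMOTE are placeholders.
!
! Show debug output in an SSH session (a console session sees it anyway).
terminal monitor
logging enable
logging monitor debugging
!
! AnyConnect: reports which tunnel group the session landed in and why
! no address could be assigned ("No address available for SVC connection").
debug webvpn svc 255
!
! Cisco VPN Client (IKEv1): phase 1 and phase 2 negotiation, the group
! lookup by name, and pre-shared key mismatches.
debug crypto isakmp 127
debug crypto ipsec 127
!
! ... start the connection attempt from the client, then stop debugging.
undebug all
!
! Static checks that need no live connection:
! every remote-access tunnel group must carry an address-pool line
show running-config tunnel-group
! vpn-tunnel-protocol must include svc for AnyConnect, IPSec for the VPN Client
show running-config group-policy
! free versus in-use addresses in the pool
show ip local pool RA_POOL
! sessions that did establish, by client type
show vpn-sessiondb svc
show vpn-sessiondb remote
```

If the debug shows the AnyConnect session landing in DefaultWEBVPNGroup rather than the named group, the client did not select the group alias, which is the case the address-pool checks above are meant to catch.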