alaa33
asked on
ASA 5505 after password reset problem VPN not working
After a password reset on the ASA 5505, the VPN tunnel is not working.
The error is related to: Rejecting IPSec tunnel: no matching crypto map entry for remote proxy.
The configuration was working perfectly before the password reset and now it is not working.
I need your help.
Thank you
ASKER
I followed the standard procedure to reset the password (skipping boot... copy start run...).
There should be no change done to the config.
Here is my config file:
ASA Version 8.0(3)
!
hostname router1
domain-name domain.local
names
name 192.168.92.0 OVPN
name 192.168.8.128 LAN
name 192.168.3.11 prods
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.126 255.255.255.128
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 206.102.7.20 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list in_nat0_out extended permit ip any OVPN 255.255.255.240
access-list in_nat0_out extended permit ip LAN 255.255.255.192 host 192.168.54.204
access-list out_1_cryptomap extended permit ip host prods host 192.168.54.204
access-list out_nat_outbound extended permit ip OVPN 255.255.255.240 192.168.3.0 255.255.255.128
access-list out_nat_outbound extended permit ip host 192.168.54.204 host prods
access-list group1 standard permit 192.168.3.0 255.255.255.128
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm errors
logging class auth asdm errors
logging class config asdm errors
logging class ids asdm errors
logging class ip asdm errors
logging class session asdm errors
logging class sys asdm errors
logging class vpn asdm errors
logging class vpnc asdm errors
mtu inside 1500
mtu outside 1500
ip local pool pool1 192.168.92.1-192.168.92.10 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location prods 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list in_nat0_out
nat (outside) 2 access-list out_nat_outbound outside
!
router ospf 1
router-id 192.168.8.129
network LAN 255.255.255.192 area 0.0.0.0
area 0.0.0.0
log-adj-changes
redistribute static metric 20000 subnets tag 1921861061
!
route outside 0.0.0.0 0.0.0.0 206.102.7.17 1
route inside LAN 255.255.255.192 192.168.3.41 1
route outside OVPN 255.255.255.240 206.102.7.17 1
route outside 192.168.54.204 255.255.255.255 206.102.7.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map out_d_map 20 set pfs
crypto dynamic-map out_d_map 20 set peer 201.25.72.142
crypto dynamic-map out_d_map 20 set transform-set ESP-AES-256-SHA
crypto map out_map 1 match address out_1_cryptomap
crypto map out_map 1 set pfs group5
crypto map out_map 1 set peer 201.25.72.142
crypto map out_map 1 set transform-set ESP-AES-256-SHA
crypto map out_map 65535 ipsec-isakmp dynamic out_d_map
crypto map out_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
group-policy group1 internal
group-policy group1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value group1
address-pools value pool1
tunnel-group 201.25.72.142 type ipsec-l2l
tunnel-group 201.25.72.142 general-attributes
default-group-policy group1
tunnel-group 201.25.72.142 ipsec-attributes
pre-shared-key *
tunnel-group group1 type remote-access
tunnel-group group1 general-attributes
address-pool pool1
default-group-policy group1
tunnel-group group1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
The VPN config looks good. I don't see any issue with the configuration.
The error shows "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy". Based on the configuration, the remote peer IP address is 201.25.72.142; can you verify the remote peer IP address?
ASKER
I am testing with the VPN client using the tunnel-group group1.
The above error appears after the connection failed.
There is no remote access VPN (client-to-site VPN) configuration on this ASA; hence, you can't connect a remote access VPN to this ASA.
If you were able to connect before the password reset, then I assume the remote access VPN config was lost after the password reset.
ASKER
Ok, can you please tell me what is missing from the configuration in order to connect via the VPN client?
Apologies. I can see the remote access VPN config is present in your ASA.
If it's possible, I can take a look at your ASA logs through TeamViewer and help you resolve the issue.
Config looks good.
ASKER
I am sorry, I cannot give you access to the router.
From the client side the following appears: DEL_REASON_IKE_NEG_FAILED.
Is it possible that after the password reset something went wrong and I need to clear all VPN configuration and enter it again?
Thank you for your help.
No need to change all passwords.
Just remove and re-add the pre-shared key. It will work.
The problem is that in a normal "show run" the pre-shared key is hidden, and displayed as an asterisk. When you copy and paste the config in after a password reset, the pre-shared key is lost. (Or, more precisely, set to an asterisk)
To see a config with the pre-shared key displayed, run "more system:running-config" instead of "show running-config." I recommend running this command, and saving an offline copy of the output, any time the pre-shared key is changed.
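The check below is an added example written for this thread (not Cisco code and not the poster's tooling): it scans a saved ASA config and lists every tunnel-group whose pre-shared key is the mask rather than a real value, which is exactly what a pasted-back "show running-config" leaves behind. The excerpt it runs on is constructed to look like the thread's tunnel-group section; the placeholder key value is made up.

```python
"""Flag tunnel-groups whose pre-shared key is the masked '*' in a saved ASA config.

Added example for this thread, not Cisco code. 'show running-config' prints the
key as '*' (some releases print a run of asterisks); if that output is pasted back
in after a password reset, the key really becomes the mask. Each tunnel-group
reported here needs its key re-entered from a copy taken with
'more system:running-config'.
"""
import re

IPSEC_ATTRS_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def masked_psk_groups(config_text):
    """Return the tunnel-group names whose pre-shared-key is only asterisks."""
    masked = []
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()              # pasted configs often lose the one-space indent
        if line.startswith("tunnel-group "):
            m = IPSEC_ATTRS_RE.match(line)
            current = m.group(1) if m else None   # only ipsec-attributes blocks carry the key
        elif line.startswith("pre-shared-key ") and current is not None:
            key = line.split(None, 1)[1]
            if key and set(key) == {"*"}:
                masked.append(current)
    return masked


# Constructed excerpt in the shape of the thread's 'show running-config' output.
SHOW_RUN_EXCERPT = """\
tunnel-group 201.25.72.142 type ipsec-l2l
tunnel-group 201.25.72.142 general-attributes
 default-group-policy group1
tunnel-group 201.25.72.142 ipsec-attributes
 pre-shared-key *
tunnel-group group1 type remote-access
tunnel-group group1 general-attributes
 address-pool pool1
tunnel-group group1 ipsec-attributes
 pre-shared-key *
"""

# Same excerpt as 'more system:running-config' would show it for the first
# tunnel-group; the key value is a placeholder, not a real secret.
SYSTEM_RUN_EXCERPT = SHOW_RUN_EXCERPT.replace("pre-shared-key *", "pre-shared-key PLACEHOLDER-KEY", 1)

if __name__ == "__main__":
    print("masked in show run:   ", masked_psk_groups(SHOW_RUN_EXCERPT))   # both groups
    print("masked in system run: ", masked_psk_groups(SYSTEM_RUN_EXCERPT)) # only group1
```

Run it against the offline copy before restoring a config: any tunnel-group it names will negotiate phase 1 against a key of "*" after the paste, so those are the ones to re-key first.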
ASKER
I removed the pre-shared key and then added a new one; the problem still persists.
Actually, phase 1 completes successfully; there is no problem with the pre-shared key.
Here is the error again:
3 Oct 11 2015 06:43:49 713061 Group = group1, Username = user1, IP = 189.235.116.52, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.92.1/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
In the VPN client, we have the following:
120 12:41:32.799 10/11/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 206.102.7.20
121 12:41:32.799 10/11/15 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 206.102.7.20
122 12:41:32.799 10/11/15 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=98AD582F
123 12:41:32.799 10/11/15 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2) reason = DEL_REASON_IKE_NEG_FAILED
124 12:41:32.815 10/11/15 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
125 12:41:32.815 10/11/15 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 206.102.7.20
126 12:41:32.815 10/11/15 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2
127 12:41:32.815 10/11/15 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 206.102.7.20
128 12:41:35.857 10/11/15 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2) reason = DEL_REASON_IKE_NEG_FAILED
129 12:41:35.857 10/11/15 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED ". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
ASKER
I also ran debug ipsec and isakmp.
It looks like it selects out_map 1 and directly rejects the tunnel because of the ACL, without going on to out_map 65535.
The static crypto map is always selected without looking at the other lower-priority maps.
Need to match the ACL for out_map 1.
Can you recheck the ACL for the respective crypto map?
ASKER
Correction: the peer 201.25.72.142 is available.
Why is there this problem after the password reset, and why does it work fine when removing the peer IP?
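To make the syslog 713061 message and the "removing the peer IP fixes it" observation concrete, here is an added model (written for this thread; not Cisco code and not the poster's configuration) of how an ASA walks out_map for an inbound phase 2 proposal. It uses the addresses from the posted config and log. The matching rules are simplified, and one of them is an assumption: a dynamic entry that carries "set peer" is modelled as accepting that peer only, which is what the thread's outcome suggests.

```python
"""Model of how an ASA walks a crypto map for an inbound IPsec (phase 2) proposal.

Added illustration for this thread; it is not Cisco code and not the poster's
configuration. The rules are a simplification:
  * entries are tried in sequence-number order (1 before 65535);
  * a static entry accepts a proposal only if both proxies fall inside one
    permit line of its crypto ACL AND the peer is one of its 'set peer' addresses;
  * a dynamic entry accepts any proxies, but (assumption) if it carries a
    'set peer' it accepts that peer only, which is what the thread's outcome
    (client connects once the peer address is removed) suggests.
Addresses and names are the ones posted in the thread.
"""
import ipaddress
from dataclasses import dataclass, field


def net(text):
    """Parse 'addr/prefix' or the ASA log's 'addr/dotted-mask' form."""
    return ipaddress.ip_network(text, strict=False)


@dataclass
class CryptoMapEntry:
    seq: int
    dynamic: bool = False
    peers: list = field(default_factory=list)   # 'set peer' addresses
    acl_name: str = ""
    acl: list = field(default_factory=list)     # (local_net, remote_net) permit pairs


def evaluate(entries, peer_ip, local_proxy, remote_proxy):
    """Return (matched_entry_or_None, trace) for one proposal from peer_ip."""
    trace = []
    for e in sorted(entries, key=lambda x: x.seq):
        if e.dynamic:
            if e.peers and peer_ip not in e.peers:
                trace.append(f"seq {e.seq} (dynamic): peer {peer_ip} not in set peer {e.peers}")
                continue
            trace.append(f"seq {e.seq} (dynamic): accepted")
            return e, trace
        acl_hit = any(local_proxy.subnet_of(l) and remote_proxy.subnet_of(r) for l, r in e.acl)
        if not acl_hit:
            trace.append(f"seq {e.seq} (static): proxies not covered by ACL {e.acl_name}")
            continue
        if e.peers and peer_ip not in e.peers:
            trace.append(f"seq {e.seq} (static): ACL matches but peer {peer_ip} not in set peer {e.peers}")
            continue
        trace.append(f"seq {e.seq} (static): proxies match ACL {e.acl_name}, peer ok")
        return e, trace
    trace.append("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
                 f"{remote_proxy.with_netmask} local proxy {local_proxy.with_netmask}")
    return None, trace


# The posted out_map, with the 'names' expanded: prods = 192.168.3.11
OUT_MAP_1 = CryptoMapEntry(seq=1, peers=["201.25.72.142"], acl_name="out_1_cryptomap",
                           acl=[(net("192.168.3.11/32"), net("192.168.54.204/32"))])
OUT_D_MAP_AS_POSTED = CryptoMapEntry(seq=65535, dynamic=True, peers=["201.25.72.142"])
OUT_D_MAP_NO_PEER = CryptoMapEntry(seq=65535, dynamic=True)   # 'set peer' removed


def client_case(dynamic_entry):
    """The VPN client's proposal exactly as the thread's syslog 713061 reports it."""
    return evaluate([OUT_MAP_1, dynamic_entry], "189.235.116.52",
                    local_proxy=net("0.0.0.0/0.0.0.0"),
                    remote_proxy=net("192.168.92.1/255.255.255.255"))


def l2l_case():
    """The site-to-site peer's proposal for the out_1_cryptomap traffic."""
    return evaluate([OUT_MAP_1, OUT_D_MAP_AS_POSTED], "201.25.72.142",
                    local_proxy=net("192.168.3.11/32"), remote_proxy=net("192.168.54.204/32"))


if __name__ == "__main__":
    cases = [("client, out_d_map as posted", client_case(OUT_D_MAP_AS_POSTED)),
             ("client, set peer removed from out_d_map", client_case(OUT_D_MAP_NO_PEER)),
             ("site-to-site peer 201.25.72.142", l2l_case())]
    for title, (matched, trace) in cases:
        print(f"== {title}: {'matched seq ' + str(matched.seq) if matched else 'rejected'}")
        for line in trace:
            print("  ", line)
```

The trace for the first case reproduces the posted log message: the client's proxies can never fit out_1_cryptomap (a host-to-host ACL), and the dynamic entry is tied to 201.25.72.142, so a client at 189.235.116.52 has nowhere to land. Dropping the peer from the dynamic entry lets the client match seq 65535 while the site-to-site peer still matches seq 1 through its ACL, which is consistent with the behaviour described in the thread.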
> I removed the preshared key and then added a new one, the problem still persistent.

Did you set the pre-shared key on both ends?
Removing 201.25.71.142 as a peer might eliminate the errors in the log, but it doesn't mean that the VPN is up and working.
The out_d_map is not applied to an interface, and should have no effect on the operation of the VPN.
Did you take other actions? Did you remove and reapply the out_map to the interface?
It could have been an issue with an invalid SPI, where one end of the VPN still thinks the link is up. Might look into the invalid-spi recovery command.
Good luck.
ASKER
Just to clear one thing: there are two types of configuration on the ASA, site-to-site with client-to-site.
Everything was working fine and all tunnels were up, but when I reset the password we lost the tunnels.
After removing the peer IP, the VPN client is working, and I tested the connection to the inside network and it is OK. I am not looking at the other site's configuration or status.
I will check the SPI issue.
ASKER
The problem is fixed.
Can you compare your ASA config with the one from before the password reset?
If possible, you can post your ASA config here to analyze further.