ASA 5505 after password reset problem VPN not working

after a password reset on the ASA 5505, the VPN tunnel is not working.
the error is related to : Rejecting IPSec tunnel: no matching crypto map entry for remote proxy.

the configuration was working perfectly before the password reset and now it is not working.

I need your help.

thank you
alaa33Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
It seems your vpn config been lost from your ASA

Can you compare your ASA config with before password reset

If possible you can post your ASA config here to analyze further
0
alaa33Author Commented:
I followed the standard procedure to reset the password (skipping boot... copy start run...).
there should be no change done to the config.

here is my config file:
ASA Version 8.0(3)
!
hostname router1
domain-name domain.local
names
name 192.168.92.0 OVPN
name 192.168.8.128 LAN
name 192.168.3.11 prods
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.126 255.255.255.128
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.102.7.20 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list in_nat0_out extended permit ip any OVPN 255.255.255.240
access-list in_nat0_out extended permit ip LAN 255.255.255.192 host 192.168.54.204
access-list out_1_cryptomap extended permit ip host prods host 192.168.54.204
access-list out_nat_outbound extended permit ip OVPN 255.255.255.240 192.168.3.0 255.255.255.128
access-list out_nat_outbound extended permit ip host 192.168.54.204 host prods
access-list group1 standard permit 192.168.3.0 255.255.255.128
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm errors
logging class auth asdm errors
logging class config asdm errors
logging class ids asdm errors
logging class ip asdm errors
logging class session asdm errors
logging class sys asdm errors
logging class vpn asdm errors
logging class vpnc asdm errors
mtu inside 1500
mtu outside 1500
ip local pool pool1 192.168.92.1-192.168.92.10 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location prods 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list in_nat0_out
nat (outside) 2 access-list out_nat_outbound outside
!
router ospf 1
 router-id 192.168.8.129
 network LAN 255.255.255.192 area 0.0.0.0
 area 0.0.0.0
 log-adj-changes
 redistribute static metric 20000 subnets tag 1921861061
!
route outside 0.0.0.0 0.0.0.0 206.102.7.17 1
route inside LAN 255.255.255.192 192.168.3.41 1
route outside OVPN 255.255.255.240 206.102.7.17 1
route outside 192.168.54.204 255.255.255.255 206.102.7.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map out_d_map 20 set pfs
crypto dynamic-map out_d_map 20 set peer 201.25.72.142
crypto dynamic-map out_d_map 20 set transform-set ESP-AES-256-SHA
crypto map out_map 1 match address out_1_cryptomap
crypto map out_map 1 set pfs group5
crypto map out_map 1 set peer 201.25.72.142
crypto map out_map 1 set transform-set ESP-AES-256-SHA
crypto map out_map 65535 ipsec-isakmp dynamic out_d_map
crypto map out_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy group1 internal
group-policy group1 attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 address-pools value pool1
tunnel-group 201.25.72.142 type ipsec-l2l
tunnel-group 201.25.72.142 general-attributes
 default-group-policy group1
tunnel-group 201.25.72.142 ipsec-attributes
 pre-shared-key *
tunnel-group group1 type remote-access
tunnel-group group1 general-attributes
 address-pool pool1
 default-group-policy group1
tunnel-group group1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
The VPN config looks good.  I don't see any issue with configuration

The error shows "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy". Based on the configuration the remote peer ip address is 201.25.72.142, can you verify the remote peer ip address
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

alaa33Author Commented:
I am testing with the vpn client using the tunnel group1.
The above error appears after the connection failed.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
There is no remote access vpn (client to site vpn) configuration on this ASA, Hence, you can't connect remote access vpn to this ASA

If you are able to connect before password reset, then I assume the remote access vpn config been lost after the password reset
0
alaa33Author Commented:
Ok, can you please tell me what is missing from the configuration in order to connect via vpn client.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
Apologies. I can see the remote access vpn config is present in your ASA

If its possible, I can take a look at your ASA logs thru teamviewer and I can help you to resolve the issue.

Config looks good.
0
alaa33Author Commented:
I am sorry i cannot give you access to the router.
From the client side the following appears: DEL_REASON_IKE_NEG_FAILED.
Is it possible that after the password reset something went wrong and i need the clear all vpn configuration and enter it again?

Thank you for your help.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
No need to change all passwords

Just remove and re add preshared key. It will work
0
asavenerCommented:
The problem is that in a normal "show run" the pre-shared key is hidden, and displayed as an asterisk.  When you copy and paste the config in after a password reset, the pre-shared key is lost.  (Or, more precisely, set to an asterisk)

To see a config with the pre-shared key displayed, run "more system:running-config" instead of "show running-config."  I recommend running this command, and saving an offline copy of the output, any time the pre-shared key is changed.
1
alaa33Author Commented:
I removed the preshared key and then added a new one, the problem still persistent.

actually the phase 1 is completed successfully, no problem with the preshared key.

here is the error again:
3      Oct 11 2015      06:43:49      713061 Group = group1, Username = user1, IP = 189.235.116.52, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.92.1/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

in vpn client, we have the following:
120    12:41:32.799  10/11/15  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 206.102.7.20

121    12:41:32.799  10/11/15  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 206.102.7.20

122    12:41:32.799  10/11/15  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=98AD582F

123    12:41:32.799  10/11/15  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2) reason = DEL_REASON_IKE_NEG_FAILED

124    12:41:32.815  10/11/15  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

125    12:41:32.815  10/11/15  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 206.102.7.20

126    12:41:32.815  10/11/15  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2

127    12:41:32.815  10/11/15  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 206.102.7.20

128    12:41:35.857  10/11/15  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2CF717C443868672 R_Cookie=E5BC1AC93332D0D2) reason = DEL_REASON_IKE_NEG_FAILED

129    12:41:35.857  10/11/15  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
0
alaa33Author Commented:
i also run the debug ipsec and isakmp.
it looks like it select the out_map 1 and directly reject the tunnel because the ACL without going to out_map 65535.
the static crypto map is always selected without looking at the other low priority maps.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
Need to match the acl for the out-map-1

Can you recheck the acl for the respective crypto map
0
alaa33Author Commented:
I found the problem, it is not related to the shared key or the ACL-crypto map matching at least not the local one.

the out_d_map 20 is configured with peer authentication:
crypto dynamic-map out_d_map 20 set peer 201.25.72.142

currently the peer is not connected, therefore the authentication is not possible.
I removed the peer authentication and it is working now.
I will rely on the local ACL until the peer is connected again.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
alaa33Author Commented:
Correction: the peer 201.25.72.142 is available.

why after the password reset there is this problem and when removing the peer ip it is working fine?
0
asavenerCommented:
I removed the preshared key and then added a new one, the problem still persistent.
Did you set the pre-shared key on both ends?

Removing 201.25.71.142 as a peer might eliminate the errors in the log, but it doesn't mean that the VPN is up and working.
0
asavenerCommented:
The out_d_map is not applied to an interface, and should have no effect on the operation of the VPN.

Did you take other actions?  Did you remove and reapply the out_map to the interface?

It could have been an issue with an invalid SPI, where one end of the VPN still thinks the links the link is up.  Might look into the invalid-spi recovery command.

good luck.
0
alaa33Author Commented:
just to clear one thing, there is two types of configuration on the ASA. site2site w client2site.
everything was working fine and all tunnels are up but when I reset the password then we lost the tunnels.

after removing the peer IP the vpn client is working and I tested the connection to inside network and it is ok. I am not looking at the other site configuration or status.

I will check the SPI issue.
0
alaa33Author Commented:
the problem is fixed.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.