[c-nsp] ASA w/ 7.2.2 & VPN - can't connect
Garry
gkg at gmx.de
Wed Dec 20 08:08:55 EST 2006
Hi,
I've set up an ASA and multiple PIX firewalls before, all without too
many problems, and all acting as VPN terminators just fine. Anyway,
having set up a new ASA (and required to use 7.2 due to PPPoE uplink),
I've run into multiple problems, the latest being that I don't seem to
be able to get any VPN connections up. The VPN client (tried 4.6, 4.7
and 4.8, with both UDP and TCP) hangs when trying to contact the ASA;
connections to the ASA arrive, but the ASA reports, e.g.:
6|Dec 20 2006 08:03:31|302015: Built inbound UDP connection 64774 for
outside:212.y.y.y/500 (212.y.y.y/500) to NP Identity Ifc:212.x.x.x/500
(212.x.x.x/500)
6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, No valid
authentication type found for the tunnel group
3|Dec 20 2006 08:03:31|713902: Group = vpn, IP = 212.y.y.y, Removing
peer from peer table failed, no match!
4|Dec 20 2006 08:03:31|713903: Group = vpn, IP = 212.y.y.y, Error:
Unable to remove PeerTblEntry
I have checked, double-checked and re-entered the group password
multiple times (hard to mistype "xxx", though). The VPN had been set up
using the VPN Wizard from ASDM (5.2.1); manual inspection of the created
entries inside ASDM turned up no obvious errors.
Here's part of the config ... anybody have an idea?
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage enable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value inside_cryptomap
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
[..]
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec webvpn
 group-lock value vpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_cryptomap
 default-domain value somedoma.in
 address-pools none
username vpnuser password XXXXXXXXX encrypted privilege 0
username vpnuser attributes
 vpn-group-policy vpn
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
[..]
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication (outside) none
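An added example, not part of the original post: a small Python parser for the ASDM-style log lines quoted above (severity|timestamp|message-id: text) that pulls out the tunnel-group and peer IP from the 7139xx IKE messages and groups the failed negotiations per peer, so repeated failures from one client stand out in a larger log stream. The sample lines are the masked ones from the post; the set of message IDs treated as IKE failures is an assumption limited to those shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the post, in the
# "severity|timestamp|message-id: text" format ASDM shows. The
# addresses are the author's masked placeholders, not real hosts.
SAMPLE_LOG = """\
6|Dec 20 2006 08:03:31|302015: Built inbound UDP connection 64774 for outside:212.y.y.y/500 (212.y.y.y/500) to NP Identity Ifc:212.x.x.x/500 (212.x.x.x/500)
6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, No valid authentication type found for the tunnel group
3|Dec 20 2006 08:03:31|713902: Group = vpn, IP = 212.y.y.y, Removing peer from peer table failed, no match!
4|Dec 20 2006 08:03:31|713903: Group = vpn, IP = 212.y.y.y, Error: Unable to remove PeerTblEntry
"""

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
PEER_RE = re.compile(r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<detail>.*)")

# Assumption: the three IKE message IDs seen in the post are treated as
# "phase 1 torn down before authentication completed" events.
IKE_FAILURE_IDS = {"713905", "713902", "713903"}


def parse_line(line):
    """Return a dict for one ASA log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PEER_RE.match(rec["text"])
    if p:  # only the IKE messages carry "Group = ..., IP = ..."
        rec.update(p.groupdict())
    return rec


def summarize_ike_failures(log_text):
    """Map (tunnel-group, peer IP) -> list of (msgid, detail) for IKE failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msgid"] in IKE_FAILURE_IDS and "group" in rec:
            failures[(rec["group"], rec["ip"])].append((rec["msgid"], rec["detail"]))
    return dict(failures)


if __name__ == "__main__":
    for (group, ip), events in summarize_ike_failures(SAMPLE_LOG).items():
        print(f"tunnel-group {group}, peer {ip}: {len(events)} IKE failure(s)")
        for msgid, detail in events:
            print(f"  {msgid}: {detail}")
```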