Microsoft VPN Client to ASA 5505 fails with 792 error

  • Microsoft VPN Client to ASA 5505 fails with 792 error

    When connecting to a Cisco ASA 5505 from a Microsoft Windows XP client, I get the following errors:

    On XP:
    Error 792: The L2TP connection attempt failed because security negotiation timed out. & Event ID 547: IKE Security Association negotiation failed. Key Exchange Mode (Main Mode), No response from peer.

    On ASA: IP: xxx.xxx.xxx.xxx Table Peer entry match Failed

    Below is the ASA configuration (addresses and passwords partially masked):


    ASA Version 7.2(3)
    !
    ! Running configuration as posted. Lines beginning with "!" are ignored by the
    ! parser; the review notes below are comments only and change nothing.
    !
    hostname Gateway
    domain-name xxxxxx.com
    ! NOTE(review): this enable hash (and the passwd hash below) has been published
    ! in a public post; treat both secrets as exposed and rotate them.
    enable password /NwxNan8blmERMal encrypted
    names
    !
    ! Inside LAN (security-level 100).
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.xxx.xxx.1 255.255.255.0
    !
    ! Internet-facing interface (security-level 0); IKE/IPsec terminates here.
    interface Vlan2
    nameif outside
    security-level 0
    ip address 12.xxx.xxx.99 255.255.255.224
    !
    ! DMZ VLAN is defined but shut down and has no address.
    interface Vlan3
    shutdown
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    ! Ethernet0/0 is the only port mapped to the outside VLAN.
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ! Login (telnet/SSH) password; see the rotation note on the enable password.
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxx.com
    ! Inbound ACL for the outside interface: only the listed TCP services to the
    ! two static-NAT hosts. IKE (UDP 500/4500) to the ASA itself is handled by
    ! the crypto engine once "crypto isakmp enable outside" is set, not by this ACL.
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.126 eq https
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.126 eq www
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.126 eq pop3
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.126 eq smtp
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.126 eq 995
    access-list outside_access_in extended permit tcp any host 12.xxx.xxx.122 eq ftp
    ! Split-tunnel list: only the inside /24 is sent through the VPN.
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
    ! NAT exemption: inside /24 to the /25 that contains the VPN address pool.
    access-list inside_nat0_outbound extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.128 255.255.255.128
    pager lines 24
    ! Logging goes only to the ASDM buffer at informational level; there is no
    ! "logging host", so IKE failures are not retained off-box.
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ! Address pool handed to remote-access clients (.175-.199).
    ip local pool xxxxxx-VPN-DHCP 192.xxx.xxx.175-192.xxx.xxx.199 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    ! PAT to the outside interface for all inside hosts, except the nat 0 exemption above.
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 12.xxx.xxx.122 192.xxx.xxx.22 netmask 255.255.255.255
    static (inside,outside) 12.xxx.xxx.126 192.xxx.xxx.24 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.xxx.xxx.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! NT-domain AAA server is defined but no tunnel-group below references it
    ! (no "authentication-server-group"), so VPN users authenticate against the
    ! local username database.
    aaa-server xxxxxx-DC protocol nt
    aaa-server xxxxxx-DC host 192.xxx.xxx.3
    timeout 5
    nt-auth-domain-controller Earth1
    ! ASDM/HTTPS management is reachable from the inside /24 only.
    http server enable
    http 192.xxx.xxx.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Phase 2 transform sets. ESP-3DES-SHA is defined but not used by any map.
    ! TRANS_ESP_DES_SHA is single DES in transport mode; L2TP/IPsec requires
    ! transport mode, but DES is a weak cipher and should be replaced once the
    ! tunnel works.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    ! NOTE(review): "set pfs" on the dynamic map is a candidate cause of a Phase 2
    ! failure with the Windows built-in client, which does not propose PFS by
    ! default - but the error reported on the client is in Main Mode (Phase 1),
    ! so resolve that first. Confirm against "debug crypto isakmp" output.
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    ! Single Phase 1 policy: pre-shared key, DES, SHA-1, DH group 2, 24h lifetime.
    ! NOTE(review): a Main Mode proposal mismatch is one way the client ends up
    ! with "No response from peer"; verify the client is offering DES/SHA/group 2,
    ! or add a second policy with 3DES to test. DES and group 2 are both
    ! considered weak today.
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    ! NAT-T enabled with 20 s keepalives; needed when the client sits behind NAT.
    crypto isakmp nat-traversal 20
    telnet timeout 5
    ssh timeout 5
    ! NOTE(review): console timeout 0 means console sessions never time out.
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.xxx.xxx.2-192.xxx.xxx.129 inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    ! Group policy for the L2TP/IPsec remote-access users: DNS servers, protocol
    ! restricted to l2tp-ipsec, split tunneling limited to the ACL above.
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.xxx.xxx.3 192.xxx.xxx.4
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value xxxxxx.com
    ! Local VPN user. The password is stored nt-encrypted, which the MS-CHAPv2
    ! PPP authentication below needs for local-database users; privilege 0
    ! keeps this account out of device management.
    username vpnuser password iEb36uxxxxxxBr3YMLdYbA== nt-encrypted privilege 0
    username vpnuser attributes
    vpn-group-policy DefaultRAGroup
    ! Default remote-access tunnel group. The "*" on pre-shared-key is how the
    ! running configuration masks the key; it is not the configured value.
    tunnel-group DefaultRAGroup general-attributes
    address-pool xxxxxx-VPN-DHCP
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    prompt hostname context
    Cryptochecksum:6c0754c160a80cf08a158ff89ef7ca7e
    : end
    ! The two lines below repeat earlier commands after ": end" and appear to be
    ! a paste artifact rather than part of the saved configuration.
    asdm image disk0:/asdm-523.bin
    no asdm history enable

  • #2
    Re: Microsoft VPN Client to ASA 5505 fails with 792 error

    Moved to Cisco Security.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
