- Spinning my wheels for two lab sessions with this now. The first time I labbed this it worked. next two times it bombs. Dont know what Im doing wrong. Here is the config:
asa1(config-username)# sh run- Saved : ASA Version 7.2(2) ! hostname asa1 enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 136.1.123.12 255.255.255.0 ! interface Ethernet0/1 nameif inside security-level 100 ip address 136.1.121.12 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive access-list split_tunnel standard permit 136.1.121.0 255.255.255.0 access-list OUTSIDE_IN extended permit udp any any eq isakmp access-list OUTSIDE_IN extended permit udp any any eq 4500 access-list OUTSIDE_IN extended permit esp any any pager lines 24 logging enable logging console debugging mtu outside 1500 mtu inside 1500 ip local pool mypool 20.0.0.1-20.0.0.254 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 access-group OUTSIDE_IN in interface outside ! router rip network 136.1.0.0 redistribute static metric 1 version 2 no auto-summary ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute aaa-server aaa protocol radius aaa-server aaa (outside) host 10.0.0.100 key CISCO radius-common-pw CISCO group-policy ezvpn external server-group aaa password CISCO username bcarroll password 8QAYyQeRI6l.X61w encrypted username bcarroll attributes vpn-group-policy ezvpn username cisoc password Bn4.yL6RmqN0ezJL encrypted username cisco password aKPiPFm6dYuj.C5/ encrypted username cisco attributes vpn-group-policy ezvpn no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac crypto dynamic-map dynamic 10 set transform-set 3des_md5 crypto dynamic-map dynamic 10 set reverse-route crypto map vpn 10 ipsec-isakmp dynamic dynamic crypto map vpn interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 tunnel-group ezvpn type ipsec-ra tunnel-group ezvpn general-attributes address-pool mypool default-group-policy ezvpn tunnel-group ezvpn ipsec-attributes pre-shared-key * telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:9b2252bb685ae17c9b748c4034fbede9
- end
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
asa1(config-username)#
Here is the error:
Here is the ACS Server- the group authenticates fine according to the passed authention logs:%ASA-7-715047: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200, processing notify payload %Dec 02 06:26:33 [IKEAv1]: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200S, Removing peer from peer table failed, no match!
Any one see what I am doing wrong? Thanks in advance to anyone that throws their thoughts in.
