Friday, February 18, 2011

Problems with ASA5505 LDAP authentication. Error: Unable to remove PeerTblEntry, Removing peer from peer table failed, no match!

I ran into some problems when trying to authenticate to my Active Directory server. The problem was with the crypto. I wanted to use AES 256, but I was getting error messages. ASDM told me "Unable to contact the server or ip address". The two messages in the ASDM log were:

Error: Unable to remove PeerTblEntry
Removing peer from peer table failed, no match!

Here is what was in my show running-config output.

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 10

Everything was configured correctly according to the documentation. But after spending a while searching Google, I found a post by a user named zx10guy that explained the problem.

I suggest you go through the ASDM VPN wizard. It makes it really easy to set things up. I'm going to assume you're going to use the highest level of encryption possible which would be settings like AES 256, SHA-1, etc. One word of warning. I don't think Cisco has fixed this issue yet. But when you select the Diffie-Hellman Group number, you'll have a choice of 1 up to 7. Do not select anything higher than 2. The wizard is going to bark at you about not using a stronger group number. But this is incorrect. The Cisco VPN client only supports DH Group 2 as the highest. If you select anything higher in the wizard, you'll never get the tunnel to come up and the error messages you'll get won't point you to this. I figured it out through lots of pain, trial and error, and cursing.

Other things you'll need to set up are the remote client IP pools and the user accounts for authentication. The IP pools get assigned when the connection is made. The IP pool addresses are what the remote client will be assigned on your local network. I would suggest using a set of privates which are NOT in your current subnet range. This will help in troubleshooting and provides some segregation. You need to make sure either the ASA is your default gateway as it will be the only device which knows how to route traffic back to the remote client or you can set up a static route rule on your current default gateway to point to the ASA to reach the remote clients.

You can set up the ASA to have a list of users which can then be assigned to specific VPN policy groups for authentication. With the number of users you're talking about, I think this is the best way and easiest. For my corporate network, I was able to tie in the PIX 515 to use our Active Directory server for user authentication. Took some doing but I got it to work.

Other than that, you should create a PCF file which is the connection profile file used by the Cisco VPN client. You need to enter the hostname or IP address of the public registered to the ASA or the device which will forward the traffic to it. The group policy name you created in the wizard gets entered here. Also the preshared key you used to set up the group policy for initial Phase 1 negotiation would also be entered here. Once you create the PCF file in the VPN client, you can then copy the PCF file and distribute it to other users. The preshared key is hashed in the file so you won't be able to read in plain text.

I know there are probably some details I've left out, but this should get you started.
Source:  Link

Now what we learned from this was that the IPSec client doesn't like any group numbers higher than 2. So I changed my configuration to this.

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2

Now I am able to contact the server successfully while testing the AAA authentication!