I ran into this issue recently while trying to make a Remote Access VPN work on a Cisco ASA 5505 firewall. The VPN had been working at one point but was rarely used. When the end-user tried to use it again they kept getting the following error.
Secure VPN connection terminated locally by the Client.
Reason 412. The remote peer is no longer responding.
Now, this error can occur for many reasons, including a firewall on the client side that is blocking the necessary UDP or TCP ports, or an unstable internet connection such as a mobile connection. But in my particular case, it was actually a configuration issue on the firewall itself.
On this particular firewall, there was a NAT statement that was translating everything from the outside interface to a server on the private network. The syntax looked something like this.
static (inside,outside) tcp interface DALEK-KHAN netmask 255.255.255.255
I’m not really a big fan of the interface syntax. The interface keyword is specified when you want to use the IP address attached to the outside interface for PAT (Port Address Translation). I prefer to use a dedicated public IP for my Cisco device and keep address translations on their own IPs. However, for various reasons, whether cost or limited provider plans, there is a definite need for this syntax.
The problem with our code was that every TCP port was being translated from the external interface to an internal server. Even the ports required for VPN connectivity! This was the cause of our error.
Removing this NAT statement, and replacing it with just the PAT statements that the server actually needed, freed up the necessary VPN ports. So, for our server DALEK-KHAN, let’s say it is a web server; our config would end up looking like this.
static (inside,outside) tcp interface 80 DALEK-KHAN 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 DALEK-KHAN 443 netmask 255.255.255.255
We saved the config, hit the connect button on our VPN client, and (Hey! Presto!) we connected.
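As an added check (my own example, not code from the post), the following Python audit parses pre-8.3 ASA static statements and reports which ones take the VPN listener ports away from the outside interface, so the interface-wide statement above is flagged while the per-port web statements pass. The Cisco IPsec client uses UDP 500 (IKE) and UDP 4500 (NAT-T) by default and TCP 10000 when IPsec over TCP is enabled; that port set and the DALEK-KHAN sample lines are assumptions for the demo.

```python
import re

# Listeners the ASA itself needs for the IPsec remote-access VPN: IKE (UDP/500),
# NAT-T (UDP/4500) and the default IPsec-over-TCP port (TCP/10000, assumed here;
# change it if the device is configured with a different IPsec-over-TCP port).
VPN_LISTENERS = {("udp", 500), ("udp", 4500), ("tcp", 10000)}

# Pre-8.3 ASA syntax: static (real_ifc,mapped_ifc) [tcp|udp] {mapped_ip|interface}
#                     [mapped_port] real_ip [real_port] [netmask mask]
STATIC_RE = re.compile(
    r"^static \(\w+,\w+\)(?: (?P<proto>tcp|udp))? (?P<mapped>\S+)"
    r"(?: (?P<mapped_port>\d+))? (?P<real>\S+)(?: (?P<real_port>\d+))?"
    r"(?: netmask \S+)?$"
)

def parse_static(line):
    """Named fields of one static statement, or None if the line is not one."""
    m = STATIC_RE.match(line.strip())
    return m.groupdict() if m else None

def shadowed_listeners(stmt):
    """VPN listener ports that one static statement takes away from the ASA.
    Only statements mapping the outside interface address matter, since that
    is the address the VPN clients connect to."""
    if stmt["mapped"] != "interface":
        return set()
    proto, port = stmt["proto"], stmt["mapped_port"]
    if port is None:
        # No mapped port: every port of the protocol (all protocols when the
        # keyword is absent) is forwarded to the internal host.
        return {(p, n) for (p, n) in VPN_LISTENERS if proto in (None, p)}
    return {(p, n) for (p, n) in VPN_LISTENERS if p == proto and n == int(port)}

def audit_statics(config_text):
    """(statement, shadowed_ports) for every static that hides the VPN listener."""
    findings = []
    for line in config_text.splitlines():
        stmt = parse_static(line)
        if stmt and shadowed_listeners(stmt):
            findings.append((line.strip(), shadowed_listeners(stmt)))
    return findings

# Constructed sample configs, not copied from any device.
BROKEN_CONFIG = """\
static (inside,outside) tcp interface DALEK-KHAN netmask 255.255.255.255
"""
FIXED_CONFIG = """\
static (inside,outside) tcp interface 80 DALEK-KHAN 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 DALEK-KHAN 443 netmask 255.255.255.255
"""
```

Run `audit_statics` over the output of `show running-config static` to spot any statement that swallows the VPN ports before removing it.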
Hope this helps! I would love to hear your fixes on this error as well.
Williams says
How do I locate this statement on the firewall?
As I have a similar challenge.
Thanks.
Willy says
I have the same challenge, please, how can I log on to the firewall to find these settings.
Kevin D says
Thanks.
I saw another article that mentions the PCF file setting for UseLegacyIKEPort=1…
“The client release notes anticipate this error and provide some workarounds. The one that worked for me was to add a line of code to the *.pcf profile as follows: UseLegacyIKEPort=1”
I’m about to test this but the end user didn’t have any internet 🙂
It’s amazing how many Fake articles there are trying to get you to install their “Fix” software.
Hamid says
I use this one line “UseLegacyIKEPort=1” in my pcf profile, it works for me. Thanks a lot!!!
Gurumoorthy says
Can you please do a video tutorial on this?
jack says
I am getting the same error but don't know how to resolve it. Can you please guide me?
Naveen says
what is the location of the configuration file? I am really not sure where to update the statement. I have the exact same issue mentioned in the blog.
Gareth Gudger says
Hi Naveen,
The problem for me was on the firewall itself. You would need to log onto the firewall to make these changes. The firewall was where all the VPN configuration was.
Naveen says
Thanks a lot Gareth! I will give it a try and post the update.
Josephyle says
Been a year but haven’t heard from you Naveen. We are still waiting because we need to go home now. It’s been a long time man.
Hie says
He might have died.
Swapnil Patil says
HAHAHAHA!!!!!!