L2TP over IPSec RA VPN not working

Unanswered Question
Jun 8th, 2007
User Badges:

I have been trying to get an L2TP over IPSec VPN using pre-shared keys working, but it just keeps failing with the same errors. For some reason it claims that it can't find a valid tunnel group. I am trying to connect using Windows XP VPN. The client is behind a nat, but I have already applied the NAT-T registry fix, but it didn't help.


Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for outside:mail.companyname.net/500 (mail.companyname.net/500) to NP Identity Ifc: (

Jun 08 2007 21:35:07: %ASA-4-713903: Group =, IP =, Can't find a valid tunnel group, aborting...!

Jun 08 2007 21:35:07: %ASA-3-713902: Group =, IP =, Removing peer from peer table failed, no match!

Jun 08 2007 21:35:07: %ASA-4-713903: Group =, IP =, Error: Unable to remove PeerTblEntry

router# show vers

Cisco Adaptive Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(2)

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 50

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

This platform has a Base license.

I am attaching the config.

Thanks for your help!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jpginexi Wed, 06/13/2007 - 11:32
User Badges:

Ok, I was able to get this working by not trying to use user defined tunnel groups.

I modified the DefaultRAGroup and used it instead and was able to connect to a tunnel group. Is this a known issue?

However this only got me past Phase1. Phase2 kept erroring with the error "All IPSec SA proposals found unacceptable!".

To get past this error, I removed pfs and switched to use md5 from sha.

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

Those two changes enabled Phase2 to complete successfully and the tunnel was set up.

l.jankok Sat, 08/04/2007 - 01:48
User Badges:

Thank you very much for the info.

To answer your question why only the default RA group is working:

Since the lt2p/ipsec client doesn't specify a group name the default values of the default RA group will be used. This is the reason why you have to use this group.


I also had some problems with l2tp being that the tunnel was ok but I was not able to access resources from the l2tp client to the remote site throught the tunnel.


This Discussion