VPN mysteriously stopped working.

Unanswered Question

I have been running an L2TP over IPsec VPN for a while now with no problems. For some reason it mysteriously stopped working at 6:45pm CST yesterday. Posted below is the debug log for crypto isakmp and ipsec. Attached is the debug output. 71.40.x.x is the IP address of the remote office where the machines are remoting in using the Windows VPN client. 72.5.x.x is where the Cisco ASA 5520 resides.

Pravin Phadte Wed, 07/02/2008 - 07:21

Hi,


You need to check the extended authentication (XAUTH) config and the access control list (ACL) or crypto ACL on both sides.


Regards,


Pravin

ggilbert Wed, 07/02/2008 - 07:36

According to the debugs, it says that the peer is not authenticated when doing username & password entry.


Jul 01 16:20:43 [IKEv1]: Group = DefaultRAGroup, IP = 71.40.x.x, peer is not authenticated by xauth - drop connection


What kind of authentication method are you using on the ASA for the L2TP clients? Is it local, RADIUS, or no authentication?

I am doing local authentication.

Will it do LOCAL authentication by default? I went to double check and noticed that under the tunnel-group general attributes there was no authentication method specified. When I tried to specify it again using authentication-server-group LOCAL, it seems like it will not hold the command.


ggilbert Wed, 07/02/2008 - 08:26

You have to issue the command


sh run all tunnel-group DefaultRAGroup


You will see the authentication set to LOCAL at that point. Since it is the default, it doesn't show up.



This is what I see when I run that command.


asa1# sh running-config tunnel-group DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

ggilbert Wed, 07/09/2008 - 06:55

Since it does not show up, I believe the authentication method used is LOCAL at the moment.


sh run all tunnel-group DefaultRAGroup


The above command will give you all the information on the tunnel-group.


Gilbert

ggilbert Wed, 07/09/2008 - 06:57

Since your debug says that the peer is not authenticated by XAUTH - can you please collect the debugs for


deb aaa common 255 -- this debug will give us more information as to why the authentication failed.


Thanks

Gilbert
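The single IKEv1 line quoted earlier in the thread is the only evidence so far; once a fuller capture of debug crypto isakmp and debug aaa common output is collected, it is easier to pull the tunnel-group, peer IP and failure reason out mechanically than to eyeball it. The following Python is an added example for this thread, not code from any of the posts or from Cisco. The sample capture is constructed: the first two lines copy the shape of the line quoted above, and the remaining lines are assumptions about what other lines in an ASA debug or syslog might look like.

```python
import re
from collections import Counter

# Message shape quoted in the thread, e.g.
#   Jul 01 16:20:43 [IKEv1]: Group = DefaultRAGroup, IP = 71.40.x.x, peer is not authenticated by xauth - drop connection
# Timestamp, bracketed subsystem, then "Group = ..., IP = ..., <message>".
IKE_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<proto>[^\]]+)\]: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

# Substrings that mark a connection dropped for an authentication problem
# (matched case-insensitively against the message part of the line).
FAILURE_MARKERS = ("not authenticated by xauth", "drop connection")


def parse_line(line):
    """Return ts/proto/group/ip/msg for an ASA IKE debug line, or None if the line is not one."""
    m = IKE_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_auth_failure(event):
    """True when a parsed event says the peer was dropped for failing authentication."""
    msg = event["msg"].lower()
    return any(marker in msg for marker in FAILURE_MARKERS)


def summarize(lines):
    """Count authentication drops per (tunnel-group, peer IP) across a capture."""
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and is_auth_failure(ev):
            failures[(ev["group"], ev["ip"])] += 1
    return failures


def last_failure(lines):
    """Return the most recent parsed authentication drop, or None if there is none."""
    found = None
    for line in lines:
        ev = parse_line(line)
        if ev and is_auth_failure(ev):
            found = ev
    return found


# Constructed sample capture (not real output from the poster's ASA). Lines 1 and 2
# copy the shape quoted in the thread; lines 3 and 4 are assumptions about a
# successful peer and an unrelated syslog line that the parser must ignore.
SAMPLE_DEBUG = [
    "Jul 01 16:20:43 [IKEv1]: Group = DefaultRAGroup, IP = 71.40.x.x, peer is not authenticated by xauth - drop connection",
    "Jul 01 16:20:51 [IKEv1]: Group = DefaultRAGroup, IP = 71.40.x.x, peer is not authenticated by xauth - drop connection",
    "Jul 01 16:21:10 [IKEv1]: Group = DefaultRAGroup, IP = 10.0.0.9, PHASE 1 COMPLETED",
    "Jul 01 16:21:12 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.9/52110 to inside:192.168.1.5/443",
]

if __name__ == "__main__":
    for (group, ip), n in summarize(SAMPLE_DEBUG).items():
        print(f"{group} {ip}: {n} authentication drop(s)")
    ev = last_failure(SAMPLE_DEBUG)
    if ev:
        print(f"last drop at {ev['ts']}: {ev['msg']}")
```

Feed it the saved debug capture one line at a time; a peer that shows up repeatedly under the same tunnel-group, with successful peers absent, narrows the problem to that client's credentials or PPP settings rather than the IKE proposal.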

pandooliza Thu, 07/10/2008 - 09:04

If you are running Windows and have installed the 07/08 security update KB951748, you might uninstall/reinstall the VPN and see if this resolves your problem. I had the same issue happen after the MS update and this fixed it for me.
