L2TP Traffic rejected on outside interface

Unanswered Question
May 26th, 2009
I have set up L2TP VPN access on a PIX 501 running software 6.3(5).

It stopped working one day, and I have the following error:

710005: UDP request discarded from <PEER_DYNAMIC_IP>/1701 to outside:<PIX_PUBLIC_STATIC_IP>/1701

What's missing?

Here is the configuration excerpt:

nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip any host <L2TP IP>
access-list outside_cryptomap_dyn_20 permit ip any host
access-list outside_cryptomap_dyn_20 permit ip any host <L2TP IP>

ip local pool L2TPUSer <L2TP IP> mask

pdm location <L2TP IP> outside

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
route outside <PIX_PUBLIC_STATIC_IP> 1

aaa-server LOCAL protocol local

sysopt connection permit-ipsec
sysopt connection permit-l2tp

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

vpdn group L2TPgrp accept dialin l2tp
vpdn group L2TPgrp ppp authentication mschap
vpdn group L2TPgrp client configuration address local MyL2TPUser
vpdn group L2TPgrp client configuration dns x.x.x.x
vpdn group L2TPgrp client authentication local
vpdn group L2TPgrp l2tp tunnel hello 60
vpdn username MyL2TPUser password *********
vpdn enable outside

Thanks in advance
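The excerpt above is enough to run a mechanical cross-reference on. The script below is an added example, not part of the original post and not a Cisco tool: it parses a pasted PIX 6.3 excerpt and reports names that are referenced but never defined within it (access-lists, pools, dynamic maps, interfaces), plus the commands an L2TP listener needs (`vpdn enable` on the interface and the two `sysopt connection permit-*` lines). The sample configuration inside it is constructed from the posted excerpt with RFC 5737 addresses substituted for the redacted ones and the names kept as posted. On that sample its single finding is that the pool named in `client configuration address local` (MyL2TPUser) does not match the `ip local pool` that is defined (L2TPUSer). Whether that is a transcription slip in the post or what is really on the box is something only the poster can confirm with `show run`; the script only reports what the text says, and it does not check things the excerpt omits (transform-set and isakmp definitions).

```python
from typing import Dict, List

# Constructed from the post's excerpt: names kept as posted, redacted addresses
# replaced with RFC 5737 documentation addresses (not a real configuration).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip any host 192.0.2.10
access-list outside_cryptomap_dyn_20 permit ip any host 192.0.2.10
ip local pool L2TPUSer 192.0.2.10 mask 255.255.255.255
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
vpdn group L2TPgrp accept dialin l2tp
vpdn group L2TPgrp ppp authentication mschap
vpdn group L2TPgrp client configuration address local MyL2TPUser
vpdn group L2TPgrp client authentication local
vpdn username MyL2TPUser password secret
vpdn enable outside
"""

# Which definition table each kind of reference must resolve against.
TABLES = {"acl": "acls", "iface": "ifaces", "pool": "pools", "dyn_map": "dyn_maps", "map": "maps"}


def parse(text: str) -> Dict[str, object]:
    """Collect definitions, (kind, referrer, name) references and per-group vpdn settings."""
    cfg = {"ifaces": set(), "pools": set(), "acls": set(), "dyn_maps": set(), "maps": set(),
           "users": set(), "sysopt": set(), "vpdn_on": set(), "groups": {}, "refs": []}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3 or t[0] == "!":
            continue
        if t[0] == "nameif":                                  # nameif <hw> <name> <security>
            cfg["ifaces"].add(t[2])
        elif t[:3] == ["ip", "local", "pool"] and len(t) > 3:
            cfg["pools"].add(t[3])
        elif t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:2] == ["crypto", "dynamic-map"]:              # crypto dynamic-map <name> <seq> ...
            cfg["dyn_maps"].add(t[2])
            if t[4:6] == ["match", "address"] and len(t) > 6:
                cfg["refs"].append(("acl", f"crypto dynamic-map {t[2]} {t[3]}", t[6]))
        elif t[:2] == ["crypto", "map"] and len(t) > 3:
            if t[3] == "interface" and len(t) > 4:            # crypto map <name> interface <if>
                cfg["refs"].append(("map", f"crypto map {t[2]} interface {t[4]}", t[2]))
                cfg["refs"].append(("iface", f"crypto map {t[2]} interface {t[4]}", t[4]))
            elif t[3].isdigit():                              # crypto map <name> <seq> ipsec-isakmp dynamic <dyn>
                cfg["maps"].add(t[2])
                if "dynamic" in t[4:-1]:
                    cfg["refs"].append(("dyn_map", f"crypto map {t[2]} {t[3]}", t[t.index("dynamic") + 1]))
        elif t[0] == "nat" and "access-list" in t[:-1]:       # nat (<if>) 0 access-list <acl>
            cfg["refs"].append(("acl", f"nat {t[1]} {t[2]}", t[t.index("access-list") + 1]))
        elif t[:2] == ["sysopt", "connection"]:
            cfg["sysopt"].add(t[2])
        elif t[:2] == ["vpdn", "enable"]:
            cfg["vpdn_on"].add(t[2])
            cfg["refs"].append(("iface", "vpdn enable", t[2]))
        elif t[:2] == ["vpdn", "username"]:
            cfg["users"].add(t[2])
        elif t[:2] == ["vpdn", "group"]:
            g = cfg["groups"].setdefault(t[2], {})
            rest = t[3:]
            if rest[:3] == ["accept", "dialin", "l2tp"]:
                g["l2tp"] = True
            elif rest[:4] == ["client", "configuration", "address", "local"] and len(rest) > 4:
                g["pool"] = rest[4]
                cfg["refs"].append(("pool", f"vpdn group {t[2]}", rest[4]))
            elif rest[:3] == ["client", "authentication", "local"]:
                g["local_auth"] = True
    return cfg


def check_l2tp_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the excerpt is self-consistent."""
    cfg = parse(text)
    findings = []
    for kind, referrer, name in cfg["refs"]:
        if name not in cfg[TABLES[kind]]:
            findings.append(f"{referrer} references {kind} '{name}', which is not defined in the excerpt")
    for opt in ("permit-ipsec", "permit-l2tp"):
        if opt not in cfg["sysopt"]:
            findings.append(f"missing 'sysopt connection {opt}'")
    if not cfg["vpdn_on"]:
        findings.append("no 'vpdn enable <interface>': L2TP is not accepted on any interface")
    for name, g in cfg["groups"].items():
        if not g.get("l2tp"):
            findings.append(f"vpdn group {name} has no 'accept dialin l2tp'")
        if g.get("local_auth") and not cfg["users"]:
            findings.append(f"vpdn group {name} authenticates locally but no 'vpdn username' is defined")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Paste the real `show run` output into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a live box; the parser ignores lines it does not know about, so a full configuration is fine as input.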

smalkeric Mon, 06/01/2009 - 14:09

Explanation - This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

Recommended Action - In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
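The 710005 explanation above covers three different situations (broadcast chatter on a busy segment, a source probing many ports, and a service the appliance itself should be answering but is not), and telling them apart from a log file is mostly a matter of grouping the discards by destination interface and port. The following is an added example, not from this thread or from Cisco: a Python triage pass over syslog lines in the message format quoted in the question. The sample log lines, the syslog header used in them (`%PIX-7-710005:`) and the table of services the firewall is expected to answer itself are constructed for the example; adjust that table to the `vpdn enable` and management settings of the box whose logs you are reading.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Anchor on the message ID; the header (facility/severity, timestamps, hostname)
# varies with the logging setup, the message body is the part quoted in the thread.
MSG_RE = re.compile(
    r"710005: (?P<proto>UDP|TCP) request discarded from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\S+) to "
    r"(?P<iface>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>[\w-]+)"
)

# The appliance prints some services by name; partial table, extend as needed.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "rip": 520, "netbios-ns": 137,
              "netbios-dgm": 138, "snmp": 161, "isakmp": 500, "ntp": 123, "domain": 53}

# Broadcast-style chatter the reply lists as normal background on busy segments.
BROADCAST_PORTS = {67: "DHCP", 68: "DHCP", 520: "RIP", 137: "NetBIOS", 138: "NetBIOS"}

# Services the appliance itself should answer on an interface. Constructed for
# this example from the post's setup ('vpdn enable outside' means UDP/1701 there).
EXPECTED_LISTENERS = {("outside", "UDP", 1701): "L2TP (vpdn)"}

SCAN_PORTS = 10  # one source hitting this many distinct ports on one interface

Bucket = Tuple[str, str, object]  # (interface, proto, dport as int or service name)


def parse_710005(line: str) -> Optional[dict]:
    """Return the fields of a 710005 message, or None for any other log line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    port = rec["dport"]
    rec["dport"] = int(port) if port.isdigit() else PORT_NAMES.get(port, port)
    return rec


def triage(lines: List[str]) -> Dict[Bucket, dict]:
    """Group discards by (interface, proto, dport) and attach a verdict to each bucket."""
    buckets: Dict[Bucket, dict] = defaultdict(lambda: {"count": 0, "sources": set()})
    ports_per_src: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        rec = parse_710005(line)
        if rec is None:
            continue
        key = (rec["iface"], rec["proto"], rec["dport"])
        buckets[key]["count"] += 1
        buckets[key]["sources"].add(rec["src"])
        ports_per_src[(rec["iface"], rec["src"])].add(rec["dport"])
    scanners = {k for k, ports in ports_per_src.items() if len(ports) >= SCAN_PORTS}
    result = {}
    for key, b in buckets.items():
        iface, proto, dport = key
        if key in EXPECTED_LISTENERS:
            # The box should be serving this itself, so a discard means the listener is not there.
            verdict = f"missing listener: {EXPECTED_LISTENERS[key]} should be answering here"
        elif any((iface, s) in scanners for s in b["sources"]):
            verdict = "possible scan: one source probing many ports"
        elif proto == "UDP" and dport in BROADCAST_PORTS:
            verdict = f"broadcast noise ({BROADCAST_PORTS[dport]})"
        else:
            verdict = "no service on this port; review if the volume is high"
        result[key] = {"count": b["count"], "sources": sorted(b["sources"]), "verdict": verdict}
    return result


# Constructed sample log (RFC 5737 / RFC 1918 addresses), not captured from a real device.
HDR = "Jun 01 2009 14:09:%02d pix %%PIX-7-710005: "
SAMPLE_LOG = (
    [HDR % i + "UDP request discarded from 203.0.113.10/1701 to outside:198.51.100.1/1701" for i in range(3)]
    + [HDR % 10 + "UDP request discarded from 192.168.1.20/520 to inside:192.168.1.1/rip",
       HDR % 11 + "UDP request discarded from 192.168.1.30/68 to inside:192.168.1.1/bootps",
       HDR % 12 + "TCP request discarded from 203.0.113.55/51234 to outside:198.51.100.1/443",
       "Jun 01 2009 14:09:13 pix %PIX-6-302013: Built outbound TCP connection (unrelated line)"]
    + [HDR % 20 + f"UDP request discarded from 198.51.100.77/{40000 + i} to outside:198.51.100.1/{1000 + i}"
       for i in range(12)]
)

if __name__ == "__main__":
    for key, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{key[0]} {key[1]}/{key[2]}: {info['count']} discards from "
              f"{len(info['sources'])} source(s): {info['verdict']}")
```

Feed it the output of `logging buffered` or a syslog server file instead of `SAMPLE_LOG`. The "missing listener" verdict is the one that matches the question: a peer sending UDP/1701 to the outside address and the appliance reporting it has no server for it, which points at the L2TP side of the configuration on the box rather than at the client.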

