L2TP Over IPSec on ASA

Unanswered Question
Sep 25th, 2009

I am unable to establish a tunnel to the ASA from a Microsoft client using L2TP over IPsec. The ASA log shows port 1701 being discarded on the Outside interface, even though the ACL is there to permit it.

Yudong Wu Fri, 09/25/2009 - 08:03

It looks like your client is using L2TP directly instead of using L2TP over IPsec. On the ASA, you can check the IPsec status with "show crypto isa sa" and "show crypto ipsec sa". If there is no output, it indicates that your client did not initiate IPsec at all. You need to check your client's configuration.

Jack Dixon Fri, 09/25/2009 - 08:55

Yes, I am not getting any output from either of those two show commands, which made me realize that the client was not getting anywhere! However, when I look at the Real-Time ASA log, it shows that the ASA Outside interface is discarding the packets coming from the client on UDP port 1701. That would suggest that the client is initiating the IPSec tunnel, but it isn't being processed by the ASA. The XP client screen indicates that I have "L2TP IPSec VPN" selected. Is there another way to verify that the client is really sending L2TP-Over-IPSec?
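The two replies above make one diagnostic point: with a working L2TP/IPsec client, the ASA's outside interface should see IKE (UDP 500), NAT-T (UDP 4500) or ESP (IP protocol 50) from the client, and the L2TP traffic on UDP 1701 should only ever arrive inside that tunnel. Plain UDP 1701 hitting the outside interface in the clear, with nothing in "show crypto isa sa", means the client never started IPsec. The script below is an added example, not code from the thread or from Cisco: it parses ASA deny lines and classifies each client source address by which of those protocols it was seen sending. The sample log lines are constructed for illustration in the %ASA-4-106023 "Deny ... by access-group" format; which message IDs actually appear on a given box depends on its ACL and logging configuration, so the regex is the part to adapt, and the per-client classification is the part the thread's reasoning supports.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the poster's ASA) in the
# %ASA-4-106023 "Deny ... by access-group" shape. Four clients:
#  .10 sends only UDP 1701 in the clear (the situation in this thread)
#  .20 sends IKE and NAT-T, no cleartext L2TP (expected for L2TP/IPsec)
#  .30 sends IKE but then also cleartext L2TP (IPsec set-up failed)
#  .40 sends ESP, no cleartext L2TP (tunnel established without NAT-T)
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:203.0.113.10/1701 dst outside:198.51.100.1/1701 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.10/1701 dst outside:198.51.100.1/1701 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.20/500 dst outside:198.51.100.1/500 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.20/4500 dst outside:198.51.100.1/4500 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.30/500 dst outside:198.51.100.1/500 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.30/1701 dst outside:198.51.100.1/1701 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny protocol 50 src outside:203.0.113.40 dst outside:198.51.100.1 by access-group "outside_access_in" [0x0, 0x0]
"""

# Matches "Deny udp src ifc:ip/port dst ifc:ip/port" and the port-less
# "Deny protocol 50 src ifc:ip dst ifc:ip" form used for ESP.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>udp|tcp|protocol \d+) '
    r'src (?P<sifc>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<difc>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?'
)

PLAIN_L2TP = 'plain L2TP only, no IPsec attempted (check client VPN type)'
MIXED = 'IPsec attempted but L2TP also seen in the clear (IPsec set-up failed)'
IPSEC_ONLY = 'IPsec traffic only (L2TP should be inside the tunnel)'


def parse_denies(text):
    """Yield (src_ip, proto, dst_port) per recognised line; dst_port is None for ESP."""
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # unrelated message, or a format this regex does not cover
        dport = int(m.group('dport')) if m.group('dport') else None
        yield m.group('sip'), m.group('proto'), dport


def classify_clients(text):
    """Return {client_ip: verdict} based on which protocols each client was seen sending."""
    seen = defaultdict(set)
    for sip, proto, dport in parse_denies(text):
        if proto == 'udp' and dport == 1701:
            seen[sip].add('l2tp_clear')
        elif proto == 'udp' and dport == 500:
            seen[sip].add('ike')
        elif proto == 'udp' and dport == 4500:
            seen[sip].add('nat_t')
        elif proto == 'protocol 50':
            seen[sip].add('esp')
    verdicts = {}
    for sip, flags in seen.items():
        ipsec = flags & {'ike', 'nat_t', 'esp'}
        if 'l2tp_clear' in flags and not ipsec:
            verdicts[sip] = PLAIN_L2TP
        elif 'l2tp_clear' in flags:
            verdicts[sip] = MIXED
        else:
            verdicts[sip] = IPSEC_ONLY
    return verdicts


if __name__ == '__main__':
    for ip, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f'{ip}: {verdict}')
```

A client that lands in the "plain L2TP only" bucket is the case Yudong Wu describes: the Windows connection is not wrapping L2TP in IPsec, so no ISAKMP or IPsec SA will ever appear in the show commands, and permitting UDP 1701 on the outside ACL would only let an unencrypted L2TP session through rather than fix the real problem.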



