05-06-2010 11:12 PM
I have an ASA5505 that I have configured properly to work with Windows XP's built-in VPN client. I try to get Windows 7 up and running and I continually get an error 789 on the client itself. I also get the following on the ASA:
3 | May 07 2010 | 01:04:53 | 713119 | Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED |
5 | May 07 2010 | 01:04:53 | 713904 | Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable! |
3 | May 07 2010 | 01:04:53 | 713902 | Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0x429a740, mess id 0x1)! |
3 | May 07 2010 | 01:04:53 | 713902 | Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match! |
4 | May 07 2010 | 01:04:53 | 113019 | Group = DefaultRAGroup, Username = , IP =, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch |
I was getting the same issue with the XP client until I removed the PFS on the IPSec rule. I cannot seem to figure this one out...
Thank you very much in advance for everyone's help.
05-08-2010 07:16 PM
Hi Nick,
In the debugs, I see the message "Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!"
Try using a transport mode transform set for this purpose. Use 3des-sha; if it does not bring any luck, then change the encryption from 3des to aes-128 and try again.
---8<--------------------------------------------------------------------------
crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpsha mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha
---8<--------------------------------------------------------------------------
Other parameters to look into:
1. Windows Vista L2TP/IPsec introduced some architectural changes that prohibited more than one simultaneous user from being connected to a head-end PIX/ASA. This behavior does not occur on Windows 2K/XP.
For more details, please refer to
http://support.microsoft.com/kb/942429
Vista PC Not Able to Connect
If the Windows Vista computer is not able to connect to the L2TP server, then verify that you have configured ONLY mschap-v2 under the ppp-attributes on the DefaultRAGroup.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#vist
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
NOTE: As per my knowledge, my understanding is that Windows Vista and Windows 7 have almost the same built-in architecture.
2. Are you establishing VPN behind a NAT/PAT device?
If yes, then
---8<----------------------------------------------------------------
crypto isakmp nat-traversal 3600
---8<----------------------------------------------------------------
3. What code are you running on the ASA?
4. Make sure that the "IKE and AuthIP IPsec Keying Modules" and "IPsec Policy Agent" services are started.
5. While attempting the L2TP/IPsec VPN connection, please gather simultaneous debugs with "debug l2tp event 1", "debug cry isa 127" and "debug cry ipse 127".
- For L2TP, define new users like this:
---8<----------------------------------------------------------------
username
---8<----------------------------------------------------------------
6. If possible, post the new VPN configuration after modifying the old one as suggested above.
HTH...
Regards,
Mohit
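The checklist above (transport-mode transform set on the dynamic map, ms-chap-v2 as the only PPP authentication protocol, NAT traversal) can be verified against a saved running-config before the next connection attempt. The script below is an added example, not code from the thread or from Cisco; it assumes running-config style output where sub-commands of a tunnel-group are indented by one space, and the two configuration fragments are constructed for illustration.

```python
import re

# Constructed ASA configuration fragments (not taken from the thread). BEFORE
# leaves the transform set in the default tunnel mode and CHAP enabled; AFTER
# applies the changes suggested in the reply above.
BEFORE = """\
crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap
 authentication ms-chap-v2
"""
AFTER = BEFORE.replace(" authentication chap\n", "") + """\
crypto ipsec transform-set l2tpsha mode transport
crypto isakmp nat-traversal 3600
"""

def ppp_auth_protocols(config, tunnel_group):
    """Authentication protocols left enabled under the group's ppp-attributes."""
    enabled, in_block = set(), False
    for line in config.splitlines():
        if line.startswith(f"tunnel-group {tunnel_group} ppp-attributes"):
            in_block = True
            continue
        if in_block and line and not line[0].isspace():
            in_block = False  # next top-level command ends the block
        if in_block:
            m = re.match(r"\s*(no )?authentication (\S+)", line)
            if m:  # "no authentication X" disables, "authentication X" enables
                (enabled.discard if m.group(1) else enabled.add)(m.group(2))
    return enabled

def check_l2tp_ipsec(config, tunnel_group="DefaultRAGroup"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Phase 2: a transform set offered by the dynamic map must be transport
    # mode, otherwise the Windows proposal is rejected ("All IPSec SA proposals
    # found unacceptable!", disconnect reason "Phase 2 Mismatch").
    bound = {n for names in re.findall(
        r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$", config, re.M)
        for n in names.split()}
    transport = set(re.findall(
        r"^crypto ipsec transform-set (\S+) mode transport$", config, re.M))
    if not bound & transport:
        findings.append("no transport-mode transform-set bound to a dynamic map")
    # PPP: Vista/7 clients need ms-chap-v2 to be the only enabled protocol.
    protos = ppp_auth_protocols(config, tunnel_group)
    if protos != {"ms-chap-v2"}:
        findings.append(f"{tunnel_group} ppp-attributes has {sorted(protos)}, "
                        "expected only ms-chap-v2")
    # NAT-T: required when the client sits behind a NAT/PAT device.
    if not re.search(r"^crypto isakmp nat-traversal", config, re.M):
        findings.append("crypto isakmp nat-traversal not enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_l2tp_ipsec(cfg) or "OK")
```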