cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2659
Views
10
Helpful
8
Replies

L2TP in 8.3(1) Broken?

Mark Clift
Level 1
Level 1

Hello,

I have been attempting to setup L2TP/IPSec for Mac OS X users on a ASA 5505 running 8.3(1)

After setting this up using the tips in the documentation included here --> http://cisco.biz/en/US/docs/security/asa/asa83/configuration/guide/l2tp_ips.html

And then completely clearing that and using the IPSec Wizard to set it up (adding the appropriate transform-set transport mode command) I arrived at the same problem.

Phase 1 completes and Phase 2 begins, I get the error in the debug logs that a duplicate packet is detected... which usually means traffic is not getting through somewhere. I continue troubleshooting by double checking the config for everything I can think of and then use the Packet Capture Wizard to have a look at what is going on at the network level. I can see the Main Mode packets going back and forth but as soon as Quick Mode starts the packets going from the ASA to the client are addressed to the IP address of the client not the firewall that is in front of the client (client is behind a NAT firewall - tried two complete different firewalls with the same results) So all the quick mode packets leaving the ASA are no getting to the client because they are privately addressed and getting drop at the ASAs default gateway...

I cannot see what if anything I have misconfigured.

Configuration bits follow along with other information I have gathered in troubleshooting:

First the relevent config bits:

ASA Version 8.3(1)

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.146 255.255.255.248
!

boot system disk0:/asa831-k8.bin

object network obj_any
subnet 0.0.0.0 0.0.0.0

ip local pool vpnpool 192.168.0.200-192.168.0.215 mask 255.255.255.0

asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400

object network obj_any
nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.145 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.0.50
vpn-tunnel-protocol l2tp-ipsec
default-domain value shield.cx
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultRAGroup type remote-access

The debug print out:

Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 300
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing SA payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Oakley proposal is acceptable
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Received NAT-Traversal RFC VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Received NAT-Traversal ver 03 VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Received NAT-Traversal ver 02 VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Received DPD VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing IKE SA payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing ISAKMP SA payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing NAT-Traversal VID ver 02 payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing Fragmentation VID + extended capabilities payload
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing ke payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing ISA_KE payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing nonce payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing NAT-Discovery payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, computing NAT Discovery hash
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, processing NAT-Discovery payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, computing NAT Discovery hash
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing ke payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing nonce payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing Cisco Unity VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing xauth V6 VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Send IOS VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing VID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing NAT-Discovery payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, computing NAT Discovery hash
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, constructing NAT-Discovery payload
Jun 26 14:06:12 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.2, computing NAT Discovery hash
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, Connection landed on tunnel_group DefaultRAGroup
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Generating keys for Responder...
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing ID payload
Jun 26 14:06:12 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, ID_IPV4_ADDR ID received
192.168.70.30
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing hash payload
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Computing hash for ISAKMP
Jun 26 14:06:12 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, Connection landed on tunnel_group DefaultRAGroup
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing ID payload
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing hash payload
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Computing hash for ISAKMP
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing dpd vid payload
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 26 14:06:12 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, PHASE 1 COMPLETED
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, Keep-alive type for this connection: DPD
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Starting P1 rekey timer: 2700 seconds.
Jun 26 14:06:12 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE RECEIVED Message (msgid=dc4c4e0e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing hash payload
Jun 26 14:06:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing notify payload
Jun 26 14:06:13 [IKEv1 DECODE]: IP = xxx.xxx.xxx.2, IKE Responder starting QM: msg id = ace94693
Jun 26 14:06:13 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE RECEIVED Message (msgid=ace94693) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 248
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing hash payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing SA payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing nonce payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing ID payload
Jun 26 14:06:13 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, ID_IPV4_ADDR ID received
192.168.70.30
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Received remote Proxy Host data in ID Payload:  Address 192.168.2.156, Protocol 17, Port 53567
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing ID payload
Jun 26 14:06:13 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, ID_IPV4_ADDR ID received
xxx.xxx.xxx.146
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Received local Proxy Host data in ID Payload:  Address xxx.xxx.xxx.146, Protocol 17, Port 1701
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, L2TP/IPSec session detected.
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing NAT-Original-Address payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing NAT-Original-Address payload
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, QM IsRekeyed old sa not found by addr
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, processing IPSec SA payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IPSec SA Proposal # 1, Transform # 3 acceptable  Matches global IPSec SA entry # 65535
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xCA989BC0,
    SCB: 0xC9D81F80,
    Direction: inbound
    SPI      : 0xEED8C0C0
    Session ID: 0x0000A000
    VPIF num  : 0x00000003
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE got SPI from key engine: SPI = 0xeed8c0c0
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, oakley constucting quick mode
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing blank hash payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing IPSec SA payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing IPSec nonce payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing proxy ID
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Transmitting Proxy Id:
  Remote host: 192.168.2.156  Protocol 17  Port 0
  Local host:  xxx.xxx.xxx.146  Protocol 17  Port 1701
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing NAT-Original-Address payload
Jun 26 14:06:13 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, NAT-Traversal sending NAT-Original-Address payload
Jun 26 14:06:13 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing qm hash payload
Jun 26 14:06:13 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE Responder sending 2nd QM pkt: msg id = ace94693
Jun 26 14:06:13 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=ace94693) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 164
Jun 26 14:06:16 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Jun 26 14:06:19 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Jun 26 14:06:22 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Jun 26 14:06:25 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Jun 26 14:06:25 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, QM FSM error (P2 struct &0xca9d8af8, mess id 0xace94693)!
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE QM Responder FSM error history (struct &0xca9d8af8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent-->QM_SND_MSG2, EV_SND_MSG-->QM_SND_MSG2, EV_START_TMR-->QM_SND_MSG2, EV_RESEND_MSG-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, sending delete/delete with reason message
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing blank hash payload
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing IPSec delete payload
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing qm hash payload
Jun 26 14:06:25 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=4e894603) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE Deleting SA: Remote Proxy 192.168.2.156, Local Proxy xxx.xxx.xxx.146
Jun 26 14:06:25 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Removing peer from correlator table failed, no match!
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE SA MM:a8ff5a8d rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, IKE SA MM:a8ff5a8d terminating:  flags 0x01010002, refcnt 0, tuncnt 0
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, sending delete/delete with reason message
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing blank hash payload
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing IKE delete payload
Jun 26 14:06:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, constructing qm hash payload
Jun 26 14:06:25 [IKEv1]: IP = xxx.xxx.xxx.2, IKE_DECODE SENDING Message (msgid=22cce5a9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 26 14:06:25 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xeed8c0c0
Jun 26 14:06:25 [IKEv1]: Group = DefaultRAGroup, IP = xxx.xxx.xxx.2, Session is being torn down. Reason: Lost Service
Jun 26 14:06:25 [IKEv1]: Ignoring msg to mark SA with dsID 40960 dead because SA deleted

The packet trace for the Quick Mode Response from the ASA to the client:

405 5.136697 xxx.xxx.xxx.146 192.168.2.156 ISAKMP Quick Mode

Notice the destination address!!! This packet after leaving the ASA hits the default gateway and goes nowhere (a trace at the destination confims this). I know this is the problem but I cannot figure out why and how to fix it. Incidently I get the exact same results from a Window client that can reach other L2TP connections. Help!!! 

8 Replies 8

Mark Clift
Level 1
Level 1

Bump, anyone?

Mark Clift
Level 1
Level 1

So thinking the problem was (and may still be) with NAT because of the destination address problem I changed the following:

object network obj_any
subnet 0.0.0.0 0.0.0.0

to

object network My_LAN

subnet 192.168.0.0 255.255.255.0

and

object network obj_any
nat (inside,outside) dynamic interface

to

object network My_LAN
nat (inside,outside) dynamic interface

Unfortunately this did not solve the problem but it does make the Dynamic PAT setup more concise.

Mark,

You can also upgrade to asa831-4-k8.bin that is actually available in Cisco Download Web Page. Find it under 8.2 (Interim) it is the second option. This is an option if you don't want to downgrade (in case you need one of the new features in the 8.3 versions.

I do not see that version available for the 5505.

Ok I do see that the interims are higher versions and 4 does cover the issue. 

I have finished the downgrade and as of yet I do not "need" the new features.

Thank you for pointing that out. Perhaps it will help someone else.

b.julin
Level 3
Level 3

Funny this -- 8.3(1) is not broken for Linux strongswan clients doing L2TP behind NAT-T.

But it does break builtin windows clients, which now fail to find a matching crypto

map entry despite my best efforts to ensure they should be able to both

with and without a dynamic ACL.

Jul 25 16:16:47 aegis %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: G
roup 2
Jul 25 16:16:48 aegis %ASA-5-713201: Group = DefaultRAGroup, IP = 76.118.XX.XX, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jul 25 16:16:48 aegis %ASA-6-713905: Group = DefaultRAGroup, IP = 76.118.XX.XX, P1 Retransmit msg dispatched to MM FSM
Jul 25 16:16:48 aegis %ASA-6-302015: Built inbound UDP connection 11 for VPNoutside:76.118.XX.XX/4500 (76.118.XX.XX/4500) to identity: 140.XX.XX.XX/4500 (140.XX.XX.XX/4500)
Jul 25 16:16:48 aegis %ASA-6-713172: Group = DefaultRAGroup, IP = 76.118.XX.XX, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jul 25 16:16:48 aegis %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
Jul 25 16:16:48 aegis %ASA-5-713119: Group = DefaultRAGroup, IP = 76.118.XX.XX, PHASE 1 COMPLETED
Jul 25 16:16:48 aegis %ASA-3-713122: IP = 76.118.XX.XX, Keep-alives configured on but peer does not support keep-alives (type = None)
Jul 25 16:16:48 aegis %ASA-6-713177: Group = DefaultRAGroup, IP = 76.118.XX.XX, Received remote Proxy Host FQDN in ID Payload: Host Name: YYYYYYYY  Address 0.0.0.0, Protocol 17, Port 1701
Jul 25 16:16:48 aegis %ASA-3-713061: Group = DefaultRAGroup, IP = 76.118.XX.XX, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/17/0 local proxy 140.XX.XX.XX/255.255.255.255/17/1701 on interface VPNoutside

I'll see if I have options for an interim release load to try out.  Yay prerelease QA department!

Tried asa831-6-k8.bin and the problem magically disappears.  Yay.

Now if I could just figure out whether they broke split-tunnel-network list, or whether it's a new ACL thing I have to do to let those fake DHCP packets through from the clients.... sigh.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: