L2TP/IPsec VPN Problem with Windows 2008 (r2) and ASA 5510

Unanswered Question
Jul 8th, 2010

Hi ,

I am not able to establish an L2TP/IPsec connection from Windows 2008 to an ASA 5510. I tested it from one client which is not behind NAT and I am getting the following error(s):

3    07:45:46    Jul 08 2010    713048                    IP = 62.99.XXX.XXX, Error processing payload: Payload ID: 1

5    07:45:46    Jul 08 2010    713257                    Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Now with Windows behind NAT:

4    07:37:57    Jul 08 2010    113019                    Group = DefaultRAGroup, Username = , IP = 78.142.XXX.XXX, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

5    07:37:57    Jul 08 2010    713259                    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, Session is being torn down. Reason: User Requested

3    07:37:57    Jul 08 2010    713902                    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, Removing peer from correlator table failed, no match!

5    07:37:57    Jul 08 2010    713050                    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

3    07:37:57    Jul 08 2010    713122                    IP = 78.142.XXX.XXX, Keep-alives configured on but peer does not support keep-alives (type = None)

5    07:37:57    Jul 08 2010    713119                    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, PHASE 1 COMPLETED

6    07:37:57    Jul 08 2010    113009                    AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup

6    07:37:57    Jul 08 2010    713172                    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

5    07:37:57    Jul 08 2010    713257                    Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

This is happening only if I use ASA 8.3 image(s). On ASA 8.2 image(s) this config is working nicely. Are there any known issues with VPN in 8.3? I tested it with Windows XP also and I am getting a phase 2 mismatch.

Here is my config from ASA5510:

: Saved
:
ASA Version 8.3(1)6
!
hostname iphwall10
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.179.221 255.255.255.0
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 22
nameif dmz
security-level 50
ip address 192.168.202.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 83.6X.XXX.XXX 255.255.255.224
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa831-6-k8.bin
ftp mode passive
object network NETWORK_OBJ_10.13.37.0_24
subnet 10.13.37.0 255.255.255.0
object network NETWORK_OBJ_172.16.179.0_24
subnet 172.16.179.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.16.179.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu management 1500
ip local pool VPN_Pool 10.13.37.100-10.13.37.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.179.0_24 NETWORK_OBJ_172.16.179.0_24 destination static NETWORK_OBJ_10.13.37.0_24 NETWORK_OBJ_10.13.37.0_24
route outside 0.0.0.0 0.0.0.0 83.6X.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SECDOM_NPS protocol radius
aaa-server SECDOM_NPS (inside) host 172.16.179.3
key XXXXXXXXXX
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.179.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.16.179.2 172.16.179.3
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value iphos.local
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_Pool
authentication-server-group SECDOM_NPS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key XXXXXXXXXXXX
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c451ff7d9c6a25526fdca0f71c0853d2
: end
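The two messages that matter in the logs above are the 713257 "Mismatched attribute types" lines, which name the IKE phase, the attribute class, what the peer sent and what the ASA has configured. As an added example (not part of the original post or of any Cisco tool), the following script pulls those fields out of ASA log lines in both the ASDM column layout quoted in the first post and the plain syslog layout quoted later in the thread, and attaches a short reading of each attribute class. The sample lines are the ones quoted in this thread (peer addresses masked as on the page); the HINTS text is general IKEv1 behaviour, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample: the ASA messages quoted in this thread, in both the ASDM
# log-viewer column layout (first post) and the syslog layout (later post).
# Peer addresses are masked exactly as they appear on the page.
SAMPLE_LOG = """\
3    07:45:46    Jul 08 2010    713048    IP = 62.99.XXX.XXX, Error processing payload: Payload ID: 1
5    07:45:46    Jul 08 2010    713257    Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5    07:37:57    Jul 08 2010    713119    Group = DefaultRAGroup, IP = 78.142.XXX.XXX, PHASE 1 COMPLETED
Sep 01 08:15:59 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Sep 01 08:15:59 [IKEv1]: Group = DefaultRAGroup, IP = 63.x.x.x, All IPSec SA proposals found unacceptable!
"""

MISMATCH_RE = re.compile(
    r"Phase (?P<phase>[12]) failure:\s+Mismatched attribute types for class "
    r"(?P<cls>[^:]+):\s+Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)
MSGID_RE = re.compile(r"\b(?P<id>\d{6})\b")          # ASA syslog message ID, e.g. 713257
PEER_RE = re.compile(r"IP = (?P<ip>[0-9A-Za-z.]+)")   # accepts the masked addresses too

# What each attribute class means for an L2TP/IPsec responder (general IKEv1 facts,
# written for this example; the thread itself does not spell them out).
HINTS = {
    "Group Description": (
        "Phase 1: the peer's Diffie-Hellman group matched no 'crypto isakmp policy'; "
        "'Rcv'd: Unknown' means the ASA did not recognise the proposed group at all."
    ),
    "Encapsulation Mode": (
        "Phase 2: L2TP/IPsec needs transport mode; check that every transform-set "
        "named in the dynamic map has 'mode transport'."
    ),
}


def parse_mismatches(log_text):
    """Return one record per IKEv1 'Mismatched attribute types' line."""
    records = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        msgid = MSGID_RE.search(line)
        peer = PEER_RE.search(line)
        cls = m.group("cls").strip()
        records.append({
            "phase": int(m.group("phase")),
            "cls": cls,
            "rcvd": m.group("rcvd"),
            "cfgd": m.group("cfgd"),
            "msgid": msgid.group("id") if msgid else None,
            "peer": peer.group("ip").rstrip(".") if peer else None,
            "hint": HINTS.get(cls, "no hint for this attribute class"),
        })
    return records


def summarize(records):
    """Count mismatches per (phase, attribute class) so repeated failures stand out."""
    return Counter((r["phase"], r["cls"]) for r in records)


if __name__ == "__main__":
    found = parse_mismatches(SAMPLE_LOG)
    for r in found:
        print(f"phase {r['phase']} {r['cls']}: received {r['rcvd']!r}, configured {r['cfgd']!r}"
              f" (msg {r['msgid']}, peer {r['peer']})\n  -> {r['hint']}")
    for (phase, cls), n in summarize(found).items():
        print(f"{n} x phase {phase} / {cls}")
```

Running it against a full `show logging` capture instead of SAMPLE_LOG gives a quick count of which phase and which attribute class is failing, which is the first thing to know before comparing a client's proposal against the isakmp policies and transform sets.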

E.Mahmutbegovic... Fri, 07/09/2010 - 09:04

Hi Marcin,

Thank you for your reply. That bug issue is "fixed" in version 8.3(1.3). I did my tests on 8.3(1.6) and it is still there.

Best Regards

Emir

Marcin Latosiewicz Fri, 07/09/2010 - 10:05

Emir,

Please collect "deb cry isa 127" "deb cry ipsec 100".

If it works with everything else but 2008 maybe the problem is on 2008? ;-)

Marcin

b.julin Mon, 07/26/2010 - 19:37

I think you have two issues: 8.3(1.6) fixed the phase 2 failures for me, so you may want to test XP again.  As to the Win2008 bug, I have not seen it yet.

E.Mahmutbegovic... Wed, 07/28/2010 - 07:24

Hi,

I am now able to connect from: Windows XP SP3 (behind NAT), Windows 7 / Server 2008 (no NAT - public IP), iPhone (over UMTS/EDGE/GPRS - NAT).

BUT I am not able to connect from Windows 7 / Server 2008 behind NAT. I attached debug log.

Best regards

b.julin Wed, 07/28/2010 - 09:56

I can verify.  In the debug log on the windows client you get DwQueryIkeStatus retcode 0 and status 0x3645, then everything from there on goes south.

I tried this even though only the client is behind NAT:

http://support.microsoft.com/kb/926179

...didn't work.  Was a long shot anyway.

So I'll be seeing if my Windows techs can find a client-side fix, considering every single other client in the world that I've tested (even Windows Mobile) seems to work with 8.3(1.6)

b.julin Thu, 07/29/2010 - 08:06

OK, no dice on my most recent attempt.  I noticed the release date on 8.3(1.4) was later than the release date on 8.3(1.6) so I decided to try that out.  Same results: Win7 connects fine without NAT, and Win7 hangs up on us after we send our "2nd QM packet" when trying with NAT-T.  All other clients that I've tested seem to work fine.

Do you happen to have a debug log of a successful Win7 8.2(x) NAT-T session handy?

b.julin Mon, 08/02/2010 - 14:14

They just released 8.3.2 and it fixed it (bonus: it even says so in the release notes.)  And as far as I can tell so far nothing else got broken in the process.  Tested W32, W7, strongSwan and OS X from both behind a NAT and not.  All worked.

Of course, they uploaded the fix exactly the same time I finished downgrading to 8.2.2, which was like a four-hour session of rebuilding access-lists with group objects instead of objects, undoing typos, reflashing, etc.  Murphy's law, sigh.  At least I'm prepped if I need to fall back for some other reason.

How did you solve this problem? I am having a similar issue but running ASA ver 8.2.(3). Cisco client VPN and SSL VPN are connecting fine but I have a problem with L2TP-IPSEC users on any Win2k platform.

Sep 01 08:15:59 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
Sep 01 08:15:59 [IKEv1]: Group = DefaultRAGroup, IP = 63.x.x.x, All IPSec SA proposals found unacceptable!
Sep 01 08:15:59 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 63.x.x.x., sending notify message
Sep 01 08:15:59 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 63.x.x.x., constructing blank hash payload
Sep 01 08:15:59 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 63.x.x.x., constructing ipsec notify payload for msg id 1
Sep 01 08:15:59 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 63.x.x.x., constructing qm hash payload
Sep 01 08:15:59 [IKEv1]: IP = 63.x.x.x., IKE_DECODE SENDING Message (msgid=998fcdf0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0

Thanks,

b.julin Wed, 09/01/2010 - 06:40

That looks like a different issue than what is described here.  Are you sure L2TP works at all?

Looks like what would happen if the crypto map was missing a transport mode set statement.
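The check b.julin is describing can be done mechanically: every transform set that a dynamic map offers to L2TP/IPsec clients must carry a `mode transport` line, because ASA transform sets default to tunnel mode and Windows proposes transport mode (the "Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)" line above). As an added example, not code from this thread or from Cisco, the script below parses the `crypto ipsec transform-set` and `crypto dynamic-map ... set transform-set` lines of a saved config and lists any dynamic-map transform set still in tunnel mode. PAGE_CONFIG is an excerpt of the 8.3 config posted earlier in this thread; BROKEN_CONFIG is a constructed counter-example with the `mode transport` line missing for one set.

```python
import re

# Excerpt of the crypto section from the ASA 8.3 config posted in this thread.
PAGE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

# Constructed counter-example: the dynamic map offers a transform set that was
# never switched to transport mode, the shape of config suspected above.
BROKEN_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_MD5
"""

TS_DEF_RE = re.compile(r"^crypto ipsec transform-set (\S+) (?!mode )(.+)$")
TS_MODE_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode (\S+)$")
# 'set ikev1 transform-set' is the 8.4+ spelling of the same line; accepted too.
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")


def parse_transform_sets(config_text):
    """Map transform-set name -> {'proposal': 'esp-... esp-...', 'mode': 'tunnel'|'transport'}.

    A transform set is in tunnel mode unless a 'mode transport' line follows its definition.
    """
    sets = {}
    for line in config_text.splitlines():
        line = line.strip()
        m = TS_DEF_RE.match(line)
        if m:
            sets.setdefault(m.group(1), {"proposal": "", "mode": "tunnel"})
            sets[m.group(1)]["proposal"] = m.group(2)
            continue
        m = TS_MODE_RE.match(line)
        if m:
            sets.setdefault(m.group(1), {"proposal": "", "mode": "tunnel"})["mode"] = m.group(2)
    return sets


def dynamic_map_sets(config_text):
    """Transform-set names offered by any 'crypto dynamic-map ... set transform-set' line."""
    names = []
    for line in config_text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            names.extend(m.group(3).split())
    return names


def l2tp_tunnel_mode_sets(config_text):
    """Dynamic-map transform sets that are still in tunnel mode (or not defined at all)."""
    sets = parse_transform_sets(config_text)
    return [n for n in dynamic_map_sets(config_text)
            if sets.get(n, {}).get("mode") != "transport"]


if __name__ == "__main__":
    for label, cfg in (("thread config", PAGE_CONFIG), ("constructed broken config", BROKEN_CONFIG)):
        bad = l2tp_tunnel_mode_sets(cfg)
        print(f"{label}: " + ("OK" if not bad else "tunnel-mode sets in dynamic map: " + ", ".join(bad)))
```

An empty result only rules out this one cause; a phase 2 mismatch on Encapsulation Mode can still come from the client side, but with the config clean the remaining suspects are the client and the firmware, which is where the rest of this thread ended up.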

It appears that I resolved the phase 2 issue but the Windows client is now getting error 691 (access denied because the username and/or password you specified is invalid....). This is weird because I am using the same authentication server for the Cisco VPN clients and SSL.

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel

tunnel-group DefaultRAGroup general-attributes
address-pool CARTVPN
authentication-server-group NJ1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
