Cannot establish L2TP-IPsec connections to remote location.

Sep 16th, 2010

Please help. I cannot seem to establish a VPN tunnel from our clients to a remote network. I know it works fine from other locations so their end is taken care of. The VPN client is using L2TP-IPsec.

Here is my config if anyone has a suggestion.

ASA Version 8.2(2)19
!
hostname ****************
domain-name cisco.com
enable password ds4hdW4uvMnfKnfo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.245.254.2 255.255.255.0
!
interface Ethernet0/1
shutdown
nameif Outside2
security-level 100
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.245.253.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Inside2
security-level 100
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.245.1.2 255.255.255.0
management-only
!
boot system disk0:/asa822-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit inter-interface
access-list outside_access_in remark Access Rule to Allow ESP traffic
access-list outside_access_in remark Access Rule to allow ISAKMP to *****
access-list outside_access_in remark Access Rule to allow port 4500 (NAT-T) to ****
access-list outside_access_in remark Access Rule to allow port 1701 (L2TP) to ****
access-list outside_access_in extended permit esp any host x.x.x.x
access-list outside_access_in extended permit udp any eq isakmp host x.x.x.x
access-list outside_access_in extended permit udp any eq 4500 host x.x.x.x
access-list outside_access_in extended permit udp any eq 1701 host x.x.x.x
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Outside2 1500
mtu inside 1500
mtu Inside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Inside2) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.245.254.1 1
route inside 10.245.0.0 255.255.0.0 10.245.253.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.245.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=EASTON-DC-SR1-5510-1
crl configure
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.245.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username sshuser1 password QeDXBFUts7/E3/zS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b543d816efdf990fb43b2bde4b8f167a
: end

mundusrector Fri, 09/17/2010 - 05:42

I am trying to establish it outbound from the LAN behind this ASA. The ASA seems to be blocking L2TP to another location from this one.

Federico Coto F... Fri, 09/17/2010 - 06:50

L2TP uses these ports:
User Datagram Protocol (UDP) 500, UDP 1701
ESP - Internet Protocol (IP) protocol 50

The ACL that you have inside should permit this but remove it and try again.
clear config access-list traffic

If the problem persists, add the ICMP inspection and try to PING the L2TP address you're trying to connect to:
policy-map global_policy
  class inspection_default
    inspect icmp

If there's connectivity, you can trace the connection with packet-tracer:
packet-tracer input inside udp x.x.x.x 1024 y.y.y.y 500

x.x.x.x will be the internal IP of the machine trying to connect and
y.y.y.y the L2TP public IP.

If the results are fine, you can check the logs:
sh logging (to see any possible message)

We can start with this, let us know how it goes.

Federico.

mundusrector Fri, 09/17/2010 - 07:39

Here is where I stand:

ASA Version 8.2(2)19
!
hostname ****************
domain-name cisco.com
enable password ds4hdW4uvMnfKnfo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.245.254.2 255.255.255.0
!
interface Ethernet0/1
shutdown
nameif Outside2
security-level 100
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.245.253.1 255.255.255.0
!
interface Ethernet0/3
shutdown
nameif Inside2
security-level 100
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.245.1.2 255.255.255.0
management-only
!
boot system disk0:/asa822-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit inter-interface
access-list outside_access_in remark Access Rule to Allow ESP traffic
access-list outside_access_in remark Access Rule to allow ISAKMP to *****
access-list outside_access_in remark Access Rule to allow port 4500 (NAT-T) to ****
access-list outside_access_in remark Access Rule to allow port 1701 (L2TP) to ****
access-list outside_access_in extended permit esp any host x.x.x.x
access-list outside_access_in extended permit udp any eq isakmp host x.x.x.x
access-list outside_access_in extended permit udp any eq 4500 host x.x.x.x
access-list outside_access_in extended permit udp any eq 1701 host x.x.x.x
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Outside2 1500
mtu inside 1500
mtu Inside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Inside2) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.245.254.1 1
route inside 10.245.0.0 255.255.0.0 10.245.253.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.245.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=EASTON-DC-SR1-5510-1
crl configure
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.245.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username sshuser1 password QeDXBFUts7/E3/zS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b543d816efdf990fb43b2bde4b8f167a
: end

Still no luck

Federico Coto F... Fri, 09/17/2010 - 10:12

Did you try the suggestions?

Can you PING the actual address you're trying to VPN to? (from the local PC).

Federico.

mundusrector Fri, 09/17/2010 - 10:17

It works if I connect to the network in front of the ASA, but not behind it, so I know it works. I can't ping it because they have ICMP disabled on their end.

Federico Coto F... Fri, 09/17/2010 - 10:21

If it works in front of the ASA, then we just need to check what's wrong with the ASA (obvious!! but that's good :-))

I don't see a need for this command:

static (inside,outside) interface 64.85.182.76 netmask 255.255.255.255

And also, what's the IP of the local PC that is trying to connect?

And what's the IP of the L2TP server? Or how do you try the connection?

Federico.

mundusrector Fri, 09/17/2010 - 11:00

Well, I want to do it so anyone can access it. Do I have to put in an entry for every single PC? That would make sense but kind of not be what I'm looking for at the same time.

The IP of the L2TP server is that 64.x.x.x address specified.

I updated to where my config is now at in this point in time. See previous config post.

Federico Coto F... Fri, 09/17/2010 - 11:22

You don't need the command, please remove it.

Try the L2TP connection again to the 64.x.x.x address.

Check with

sh xlate local x.x.x.x

to see if the internal PC is getting out to the Internet properly (x.x.x.x will be the IP of the internal machine where you're initiating the L2TP connection).

Federico.

mundusrector Fri, 09/17/2010 - 11:25

I removed that static command. How can I get all the computers from this location to connect to the remote L2TP server without manually setting an ACL for each individual host?

Federico Coto F... Fri, 09/17/2010 - 11:29

You don't need an ACL at all.

This is because the L2TP connection is originated from a higher-security interface to a lower-security interface.

This traffic is already permitted by default.

The command I am asking you to remove is the static NAT command (where you have the 64.x.x.x address).

That's not an ACL and is incorrect (and not needed).

Federico.

mundusrector Fri, 09/17/2010 - 11:32

I know, like I said I removed it.

Without the ACLs it did not work. With the ACLs it does not work... so I'm stumped.

Federico Coto F... Fri, 09/17/2010 - 11:35

I kinda gave you some troubleshooting tools or commands to try that should let us know what the problem is.

Federico.

mundusrector Fri, 09/17/2010 - 11:45

I ran the xlate command and got this:

46 in use, 173 most used

Any other tools you wanted me to run?

Federico Coto F... Fri, 09/17/2010 - 11:56

That was a tremendous step we just did.

No translations? So the computer is not going through the ASA it seems.

You have these commands:

global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0

That means that any computer on the internal network should be translated to the outside IP when going out.

Provide the following:

1. IP address of the PC

2. If you can PING the default gateway of the ASA from that PC (after enabling the ICMP inspection I told you before).

If we fix this, we will get the PCs out through the ASA and finally to where you want to go (the L2TP server).


Federico.
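Federico's two points above, that traffic from a higher-security interface (inside, 100) to a lower-security one (outside, 0) is permitted without any ACL, and that `nat (inside) 101 0.0.0.0 0.0.0.0` plus `global (outside) 101 interface` PATs every inside host to the outside interface address, can be checked mechanically against the posted configuration. The following is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the ASA 8.2 config posted above (the `static` line is the one Federico asked to remove) and reports, for a given inside host, which translation applies and whether an outbound ACL is required. The function names and the simplified 8.2 precedence (static before dynamic nat/global) are this example's assumptions.

```python
import ipaddress
import re

# Constructed excerpt in the style of the ASA 8.2 config posted in the thread.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.245.254.2 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.245.253.1 255.255.255.0
access-list outside_access_in extended permit esp any host x.x.x.x
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) interface 64.85.182.76 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def parse_interfaces(config):
    """Return {nameif: {"security": int, "ip": str}} from the interface blocks."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = {}
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur is not None and s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif cur is not None and s.startswith("ip address "):
            cur["ip"] = s.split()[2]
    return ifaces


def parse_nat(config):
    """Collect 8.2-style nat/global/static statements.

    nat (ifc) id net mask            -> (ifc, id, network)
    global (ifc) id interface|ip     -> {(ifc, id): pool}
    static (real,mapped) mapped real -> (real_ifc, mapped_ifc, mapped, real)
    """
    nats, pools, statics = [], {}, []
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", s):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            nats.append((m[1], int(m[2]), net))
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", s):
            pools[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", s):
            statics.append((m[1], m[2], m[3], m[4]))
    return nats, pools, statics


def outbound_path(config, host, real_ifc="inside", mapped_ifc="outside"):
    """Describe how `host` on real_ifc leaves via mapped_ifc: the translation
    it gets and whether an ACL is needed for the outbound direction."""
    ifaces = parse_interfaces(config)
    nats, pools, statics = parse_nat(config)
    addr = ipaddress.ip_address(host)
    mapped_ip = ifaces[mapped_ifc]["ip"]
    translation = ("no NAT rule", None)

    # Static (one-to-one) translations take precedence over dynamic NAT/PAT.
    for r_ifc, m_ifc, mapped, real in statics:
        if (r_ifc, m_ifc, real) == (real_ifc, mapped_ifc, host):
            translation = ("static", mapped_ip if mapped == "interface" else mapped)
            break
    else:
        for ifc, nat_id, net in nats:
            if ifc == real_ifc and addr in net:
                pool = pools.get((mapped_ifc, nat_id))
                if pool is None:
                    translation = ("nat without matching global", None)
                elif pool == "interface":
                    translation = ("interface PAT", mapped_ip)
                else:
                    translation = ("pool", pool)
                break

    # Higher -> lower security is allowed by default unless an inbound ACL is
    # bound to the real (source) interface; outside_access_in on outside does
    # not affect connections initiated from inside.
    acl_on_source = re.search(rf"access-group (\S+) in interface {real_ifc}\b", config)
    default_permit = (ifaces[real_ifc]["security"] > ifaces[mapped_ifc]["security"]
                      and acl_on_source is None)
    return {"host": host, "translation": translation,
            "default_permit": default_permit,
            "statics_configured": len(statics)}


if __name__ == "__main__":
    print(outbound_path(ASA_CONFIG, "10.245.2.56"))
```

For the poster's PC this reports interface PAT to 10.245.254.2 and no ACL requirement, which is the state Federico describes; the remaining `static` applies only to 64.85.182.76 and so does nothing for the hosts on 10.245.0.0/16.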

mundusrector Fri, 09/17/2010 - 12:54

The IP of the host PC is 10.245.2.56. I can already ping the internal IP of the ASA. When you say it has to ping the default gateway of the ASA, which interface do you mean? The outside interface or the internal interface of the next hop router?

That will determine how I should set up ICMP inspection.

Sorry for the confusion.

Federico Coto F... Fri, 09/17/2010 - 12:58

You can PING the ASA so there's connectivity between the PC and the ASA.

Now, to allow traffic to pass through let's test a PING to the ASA's default gateway 10.245.254.1

From the PC, PING 10.245.254.1

It will not work until you inspect ICMP.

But this will show us traffic is indeed passing through.

Federico.

mundusrector Fri, 09/17/2010 - 13:01

Ok, I added access-list outside_access_in permit icmp any any echo-reply and can now ping 10.245.254.1.

FYI...everyone here can get on the internet and do pretty much everything. It's just this L2TP client-based VPN connection to a remote location.

Federico Coto F... Fri, 09/17/2010 - 13:07

Traffic is passing through, the L2TP connection should work.

If still does not work, you can do a capture:

capture in interface inside match ip host 10.245.2.56 host 64.x.x.x
capture in interface inside match ip host 64.x.x.x host 10.245.2.56

capture out interface outside match ip host 10.245.254.2 host 64.x.x.x
capture out interface outside match ip host 64.x.x.x host 10.245.254.2

sh cap in


sh cap out

This will show us the communication between your PC and the L2TP server (from the ASA's perspective).

Try the show commands for the capture after attempting the L2TP connection.

Federico.

mundusrector Fri, 09/17/2010 - 13:26

Here are the results.


Sh in:

   1: 13:06:58.415109 10.245.2.56.500 > 64.x.x.x.500:  udp 384
   2: 13:06:58.452170 64.x.x.x.500 > 10.245.2.56.500:  udp 148
   3: 13:06:58.458472 10.245.2.56.500 > 64.x.x.x.500:  udp 260
   4: 13:06:58.557008 64.x.x.x.500 > 10.245.2.56.500:  udp 232
   5: 13:06:58.560945 10.245.2.56.4500 > 64.x.x.x.4500:  udp 72
   6: 13:06:58.610564 64.x.x.x.4500 > 10.245.2.56.4500:  udp 72
   7: 13:06:58.613386 10.245.2.56.4500 > 64.x.x.x.4500:  udp 320
   8: 13:06:58.662746 64.x.x.x.4500 > 10.245.2.56.4500:  udp 184
   9: 13:06:58.664073 10.245.2.56.4500 > 64.x.x.x.4500:  udp 64
  10: 13:06:58.714165 64.x.x.x.4500 > 10.245.2.56.4500:  udp 88
  11: 13:06:58.716805 10.245.2.56.4500 > 64.x.x.x.4500:  udp 148
  12: 13:06:59.717263 10.245.2.56.4500 > 64.x.x.x.4500:  udp 148
  13: 13:07:01.717293 10.245.2.56.4500 > 64.x.x.x.4500:  udp 148
  14: 13:07:01.781530 64.x.x.x.4500 > 10.245.2.56.4500:  udp 156
  15: 13:07:01.782414 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  16: 13:07:01.782521 10.245.2.56.4500 > 64.x.x.x.4500:  udp 108
  17: 13:07:01.834276 64.x.x.x.4500 > 10.245.2.56.4500:  udp 52
  18: 13:07:09.509205 64.x.x.x.4500 > 10.245.2.56.4500:  udp 68
  19: 13:07:09.510044 10.245.2.56.4500 > 64.x.x.x.4500:  udp 92
  20: 13:07:09.517154 10.245.2.56.4500 > 64.x.x.x.4500:  udp 100
  21: 13:07:09.572983 64.x.x.x.4500 > 10.245.2.56.4500:  udp 52
  22: 13:07:09.580002 64.x.x.x.4500 > 10.245.2.56.4500:  udp 108
  23: 13:07:09.580215 64.x.x.x.4500 > 10.245.2.56.4500:  udp 100
  24: 13:07:09.581039 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  25: 13:07:09.626203 64.x.x.x.4500 > 10.245.2.56.4500:  udp 108
  26: 13:07:09.627134 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  27: 13:07:09.688349 64.x.x.x.4500 > 10.245.2.56.4500:  udp 108
  28: 13:07:09.689310 10.245.2.56.4500 > 64.x.x.x.4500:  udp 108
  29: 13:07:09.689402 10.245.2.56.4500 > 64.x.x.x.4500:  udp 68
  30: 13:07:09.689432 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  31: 13:07:09.689509 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  32: 13:07:09.733345 64.x.x.x.4500 > 10.245.2.56.4500:  udp 84
  33: 13:07:09.735206 10.245.2.56.4500 > 64.x.x.x.4500:  udp 108
  34: 13:07:09.782735 64.x.x.x.4500 > 10.245.2.56.4500:  udp 100
  35: 13:07:09.783055 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  36: 13:07:09.784184 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  37: 13:07:09.839266 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  38: 13:07:09.839998 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  39: 13:07:09.840105 10.245.2.56.4500 > 64.x.x.x.4500:  udp 84
  40: 13:07:09.844774 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  41: 13:07:09.844988 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  42: 13:07:09.845430 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  43: 13:07:09.845537 10.245.2.56.4500 > 64.x.x.x.4500:  udp 60
  44: 13:07:09.878097 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  45: 13:07:09.883026 64.x.x.x.4500 > 10.245.2.56.4500:  udp 60
  46: 13:07:09.883972 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  47: 13:07:09.950634 64.x.x.x.4500 > 10.245.2.56.4500:  udp 76
  48: 13:07:09.951763 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  49: 13:07:09.995630 64.x.x.x.4500 > 10.245.2.56.4500:  udp 76
  50: 13:07:10.041745 10.245.2.56.4500 > 64.x.x.x.4500:  udp 188
  51: 13:07:13.042447 10.245.2.56.4500 > 64.x.x.x.4500:  udp 188
  52: 13:07:14.593520 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  53: 13:07:14.593719 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  54: 13:07:14.593871 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  55: 13:07:14.954296 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  56: 13:07:15.343182 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  57: 13:07:15.343259 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  58: 13:07:15.343289 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  59: 13:07:15.704461 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  60: 13:07:15.715432 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  61: 13:07:16.093394 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  62: 13:07:16.093623 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  63: 13:07:16.093638 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  64: 13:07:16.454062 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  65: 13:07:16.465018 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  66: 13:07:16.843248 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  67: 13:07:16.843401 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  68: 13:07:16.843431 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  69: 13:07:16.893249 10.245.2.56.4500 > 64.x.x.x.4500:  udp 108
  70: 13:07:17.215351 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  71: 13:07:17.537875 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  72: 13:07:17.593490 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  73: 13:07:18.266740 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  74: 13:07:18.287201 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  75: 13:07:18.343320 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  76: 13:07:19.016356 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  77: 13:07:19.037443 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  78: 13:07:19.093317 10.245.2.56.4500 > 64.x.x.x.4500:  udp 140
  79: 13:07:19.612288 10.245.2.56.4500 > 64.x.x.x.4500:  udp 1
  80: 13:07:19.766241 10.245.2.56.4500 > 64.x.x.x.4500:  udp 116
  81: 13:07:19.805393 10.245.2.56.4500 > 64.x.x.x.4500:  udp 68
  82: 13:07:19.891814 64.x.x.x.4500 > 10.245.2.56.4500:  udp 68
  83: 13:07:19.893203 10.245.2.56.4500 > 64.x.x.x.4500:  udp 108
  84: 13:07:19.917280 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  85: 13:07:19.965877 64.x.x.x.4500 > 10.245.2.56.4500:  udp 52
  86: 13:07:19.966441 10.245.2.56.4500 > 64.x.x.x.4500:  udp 76
  87: 13:07:20.014632 64.x.x.x.4500 > 10.245.2.56.4500:  udp 52
  88: 13:07:20.017607 10.245.2.56.4500 > 64.x.x.x.4500:  udp 128
  89: 13:07:20.017897 10.245.2.56.4500 > 64.x.x.x.4500:  udp 144
  90: 13:07:20.058575 64.x.x.x.4500 > 10.245.2.56.4500:  udp 96
  91: 13:07:20.059872 64.x.x.x.4500 > 10.245.2.56.4500:  udp 112

Sh out:

   1: 13:06:58.415292 10.245.254.2.160 > 64.x.x.x.500:  udp 384
   2: 13:06:58.452140 64.x.x.x.500 > 10.245.254.2.160:  udp 148
   3: 13:06:58.458487 10.245.254.2.160 > 64.x.x.x.500:  udp 260
   4: 13:06:58.556993 64.x.x.x.500 > 10.245.254.2.160:  udp 232
   5: 13:06:58.561128 10.245.254.2.29565 > 64.x.x.x.4500:  udp 72
   6: 13:06:58.610533 64.x.x.x.4500 > 10.245.254.2.29565:  udp 72
   7: 13:06:58.613402 10.245.254.2.29565 > 64.x.x.x.4500:  udp 320
   8: 13:06:58.662731 64.x.x.x.4500 > 10.245.254.2.29565:  udp 184
   9: 13:06:58.664089 10.245.254.2.29565 > 64.x.x.x.4500:  udp 64
  10: 13:06:58.714165 64.x.x.x.4500 > 10.245.254.2.29565:  udp 88
  11: 13:06:58.716820 10.245.254.2.29565 > 64.x.x.x.4500:  udp 148
  12: 13:06:59.717278 10.245.254.2.29565 > 64.x.x.x.4500:  udp 148
  13: 13:07:01.717309 10.245.254.2.29565 > 64.x.x.x.4500:  udp 148
  14: 13:07:01.781514 64.x.x.x.4500 > 10.245.254.2.29565:  udp 156
  15: 13:07:01.782430 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  16: 13:07:01.782537 10.245.254.2.29565 > 64.x.x.x.4500:  udp 108
  17: 13:07:01.834261 64.x.x.x.4500 > 10.245.254.2.29565:  udp 52
  18: 13:07:09.509189 64.x.x.x.4500 > 10.245.254.2.29565:  udp 68
  19: 13:07:09.510059 10.245.254.2.29565 > 64.x.x.x.4500:  udp 92
  20: 13:07:09.517154 10.245.254.2.29565 > 64.x.x.x.4500:  udp 100
  21: 13:07:09.572968 64.x.x.x.4500 > 10.245.254.2.29565:  udp 52
  22: 13:07:09.579987 64.x.x.x.4500 > 10.245.254.2.29565:  udp 108
  23: 13:07:09.580200 64.x.x.x.4500 > 10.245.254.2.29565:  udp 100
  24: 13:07:09.581039 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  25: 13:07:09.626188 64.x.x.x.4500 > 10.245.254.2.29565:  udp 108
  26: 13:07:09.627149 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  27: 13:07:09.688334 64.x.x.x.4500 > 10.245.254.2.29565:  udp 108
  28: 13:07:09.689325 10.245.254.2.29565 > 64.x.x.x.4500:  udp 108
  29: 13:07:09.689402 10.245.254.2.29565 > 64.x.x.x.4500:  udp 68
  30: 13:07:09.689432 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  31: 13:07:09.689524 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  32: 13:07:09.733329 64.x.x.x.4500 > 10.245.254.2.29565:  udp 84
  33: 13:07:09.735221 10.245.254.2.29565 > 64.x.x.x.4500:  udp 108
  34: 13:07:09.782735 64.x.x.x.4500 > 10.245.254.2.29565:  udp 100
  35: 13:07:09.783040 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  36: 13:07:09.784200 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  37: 13:07:09.839251 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  38: 13:07:09.840013 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  39: 13:07:09.840105 10.245.254.2.29565 > 64.x.x.x.4500:  udp 84
  40: 13:07:09.844759 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  41: 13:07:09.844988 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  42: 13:07:09.845445 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  43: 13:07:09.845552 10.245.254.2.29565 > 64.x.x.x.4500:  udp 60
  44: 13:07:09.878082 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  45: 13:07:09.883010 64.x.x.x.4500 > 10.245.254.2.29565:  udp 60
  46: 13:07:09.883987 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  47: 13:07:09.950619 64.x.x.x.4500 > 10.245.254.2.29565:  udp 76
  48: 13:07:09.951778 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  49: 13:07:09.995615 64.x.x.x.4500 > 10.245.254.2.29565:  udp 76
  50: 13:07:10.041745 10.245.254.2.29565 > 64.x.x.x.4500:  udp 188
  51: 13:07:13.042463 10.245.254.2.29565 > 64.x.x.x.4500:  udp 188
  52: 13:07:14.593536 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  53: 13:07:14.593719 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  54: 13:07:14.593887 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  55: 13:07:14.954311 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  56: 13:07:15.343198 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  57: 13:07:15.343274 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  58: 13:07:15.343289 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  59: 13:07:15.704477 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  60: 13:07:15.715447 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  61: 13:07:16.093409 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  62: 13:07:16.093638 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  63: 13:07:16.093653 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  64: 13:07:16.454078 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  65: 13:07:16.465033 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  66: 13:07:16.843263 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  67: 13:07:16.843416 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  68: 13:07:16.843446 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  69: 13:07:16.893249 10.245.254.2.29565 > 64.x.x.x.4500:  udp 108
  70: 13:07:17.215381 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  71: 13:07:17.537905 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  72: 13:07:17.593505 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  73: 13:07:18.266755 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  74: 13:07:18.287201 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  75: 13:07:18.343335 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  76: 13:07:19.016371 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  77: 13:07:19.037443 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  78: 13:07:19.093333 10.245.254.2.29565 > 64.x.x.x.4500:  udp 140
  79: 13:07:19.612303 10.245.254.2.29565 > 64.x.x.x.4500:  udp 1
  80: 13:07:19.766241 10.245.254.2.29565 > 64.x.x.x.4500:  udp 116
  81: 13:07:19.805408 10.245.254.2.29565 > 64.x.x.x.4500:  udp 68
  82: 13:07:19.891784 64.x.x.x.4500 > 10.245.254.2.29565:  udp 68
  83: 13:07:19.893218 10.245.254.2.29565 > 64.x.x.x.4500:  udp 108
  84: 13:07:19.917280 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  85: 13:07:19.965861 64.x.x.x.4500 > 10.245.254.2.29565:  udp 52
  86: 13:07:19.966441 10.245.254.2.29565 > 64.x.x.x.4500:  udp 76
  87: 13:07:20.014617 64.x.x.x.4500 > 10.245.254.2.29565:  udp 52
  88: 13:07:20.017622 10.245.254.2.29565 > 64.x.x.x.4500:  udp 128
  89: 13:07:20.017912 10.245.254.2.29565 > 64.x.x.x.4500:  udp 144
  90: 13:07:20.058560 64.x.x.x.4500 > 10.245.254.2.29565:  udp 96
  91: 13:07:20.059857 64.x.x.x.4500 > 10.245.254.2.29565:  udp 112
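The capture pair Federico asked for (inside and outside) is most useful when read side by side, and three things in it are worth checking mechanically: how PAT rewrote the client (10.245.2.56:500 became 10.245.254.2:160, and 4500 became 29565), where IKE moved from UDP 500 to UDP 4500 (NAT-T kicked in because both sides detected a NAT in the path, which is expected behind an ASA doing PAT), and the long run of client packets on 4500 that got no reply (packets 50 to 81 above). Note also that with L2TP/IPsec the L2TP session on UDP 1701 is carried inside the ESP-in-UDP-4500 tunnel, so a capture on the ASA will never show 1701 in the clear once NAT-T is in use. The following is an added example, not code from the thread: it parses `show capture` lines of the format shown above, using a short constructed sample (203.0.113.10 stands in for the redacted 64.x.x.x), and assumes that a packet with the same sequence number in both captures is the same packet seen on both interfaces, which holds here because the two captures were started together and matched only this flow.

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "seq ts src sport dst dport length")

# Matches one line of ASA `show capture` output, e.g.
#    5: 13:06:58.560945 10.245.2.56.4500 > 203.0.113.10.4500:  udp 72
LINE = re.compile(r"\s*(\d+): (\S+) (\S+)\.(\d+) > (\S+)\.(\d+):\s+udp (\d+)")

# Constructed abbreviation of the inside/outside captures posted in the thread.
INSIDE_CAPTURE = """\
   1: 13:06:58.415109 10.245.2.56.500 > 203.0.113.10.500:  udp 384
   2: 13:06:58.452170 203.0.113.10.500 > 10.245.2.56.500:  udp 148
   3: 13:06:58.458472 10.245.2.56.500 > 203.0.113.10.500:  udp 260
   4: 13:06:58.557008 203.0.113.10.500 > 10.245.2.56.500:  udp 232
   5: 13:06:58.560945 10.245.2.56.4500 > 203.0.113.10.4500:  udp 72
   6: 13:06:58.610564 203.0.113.10.4500 > 10.245.2.56.4500:  udp 72
   7: 13:06:58.613386 10.245.2.56.4500 > 203.0.113.10.4500:  udp 320
   8: 13:06:58.662746 203.0.113.10.4500 > 10.245.2.56.4500:  udp 184
   9: 13:07:10.041745 10.245.2.56.4500 > 203.0.113.10.4500:  udp 188
  10: 13:07:13.042447 10.245.2.56.4500 > 203.0.113.10.4500:  udp 188
  11: 13:07:14.593520 10.245.2.56.4500 > 203.0.113.10.4500:  udp 140
  12: 13:07:14.954296 10.245.2.56.4500 > 203.0.113.10.4500:  udp 116
  13: 13:07:19.891814 203.0.113.10.4500 > 10.245.2.56.4500:  udp 68
"""
OUTSIDE_CAPTURE = """\
   1: 13:06:58.415292 10.245.254.2.160 > 203.0.113.10.500:  udp 384
   2: 13:06:58.452140 203.0.113.10.500 > 10.245.254.2.160:  udp 148
   3: 13:06:58.458487 10.245.254.2.160 > 203.0.113.10.500:  udp 260
   4: 13:06:58.556993 203.0.113.10.500 > 10.245.254.2.160:  udp 232
   5: 13:06:58.561128 10.245.254.2.29565 > 203.0.113.10.4500:  udp 72
   6: 13:06:58.610533 203.0.113.10.4500 > 10.245.254.2.29565:  udp 72
   7: 13:06:58.613402 10.245.254.2.29565 > 203.0.113.10.4500:  udp 320
   8: 13:06:58.662731 203.0.113.10.4500 > 10.245.254.2.29565:  udp 184
   9: 13:07:10.041745 10.245.254.2.29565 > 203.0.113.10.4500:  udp 188
  10: 13:07:13.042463 10.245.254.2.29565 > 203.0.113.10.4500:  udp 188
  11: 13:07:14.593536 10.245.254.2.29565 > 203.0.113.10.4500:  udp 140
  12: 13:07:14.954311 10.245.254.2.29565 > 203.0.113.10.4500:  udp 116
  13: 13:07:19.891784 203.0.113.10.4500 > 10.245.254.2.29565:  udp 68
"""


def parse_capture(text):
    """Turn `show capture` output into Pkt records; unrelated lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if m := LINE.match(line):
            pkts.append(Pkt(int(m[1]), m[2], m[3], int(m[4]), m[5], int(m[6]), int(m[7])))
    return pkts


def pat_mappings(inside, outside, client):
    """Pair the same packet on both interfaces (by sequence number, checked by
    destination port and length) and record how the ASA rewrote the client."""
    out_by_seq = {p.seq: p for p in outside}
    mapping = {}
    for p in inside:
        q = out_by_seq.get(p.seq)
        if q and p.src == client and (q.dport, q.length) == (p.dport, p.length):
            mapping[(p.src, p.sport)] = (q.src, q.sport)
    return mapping


def nat_t_transition(pkts, client):
    """Sequence number of the client's first UDP 4500 packet, i.e. where IKE
    switched to NAT-T after detecting a NAT; None if it never switched."""
    return next((p.seq for p in pkts if p.src == client and p.dport == 4500), None)


def longest_unanswered_run(pkts, client):
    """Longest run of consecutive client->server packets with no reply in
    between, as (first_seq, count). A long run on 4500 after a healthy IKE
    exchange means the far side (or something upstream) stopped answering."""
    best, start, run = (None, 0), None, 0
    for p in pkts:
        if p.src == client:
            start = p.seq if run == 0 else start
            run += 1
            if run > best[1]:
                best = (start, run)
        else:
            run = 0
    return best


def summarize(inside_text, outside_text, client):
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    return {
        "packets": len(inside),
        "pat": pat_mappings(inside, outside, client),
        "nat_t_from_seq": nat_t_transition(inside, client),
        "unanswered": longest_unanswered_run(inside, client),
        # L2TP itself rides inside the tunnel, so this is expected to be False.
        "l2tp_1701_in_clear": any(1701 in (p.sport, p.dport) for p in inside),
    }


if __name__ == "__main__":
    for k, v in summarize(INSIDE_CAPTURE, OUTSIDE_CAPTURE, "10.245.2.56").items():
        print(f"{k}: {v}")
```

On the real capture the same logic points at packets 50 to 81: the ASA forwarded every client packet (each appears on outside with the PAT'd source), so the silence came from beyond the ASA, which matches the poster's eventual finding that the Linksys in front of it was the problem. Checking the PAT mapping on both captures is the quick way to rule the firewall in or out before touching its configuration.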

Federico Coto F... Fri, 09/17/2010 - 13:32

Great but did you run the capture when/after trying the L2TP connection?

The reason I ask is because I don't see UDP port 1701 in the list.

Federico.

mundusrector Fri, 09/17/2010 - 13:46

I ran the 4 commands, then tried to connect to the VPN, waited for it to completely time out, then did sh cap in and sh cap out.

Federico Coto F... Fri, 09/17/2010 - 15:26

Ok, the problem might be with PAT then.

Please do the following test to make sure:

static (inside,outside) 10.245.254.x 10.245.2.56 netmask 255.255.255.255

And try the connection again from PC 10.245.2.56

The idea is to create a one-to-one static NAT for the PC and try the L2TP connection.

The 10.245.254.x should be an unused IP belonging to network 10.245.254.0/24

Federico.

mundusrector Mon, 09/20/2010 - 05:54

No luck. I am going to try and take out the router in between the cable modem and just test without it.

mundusrector Tue, 09/21/2010 - 13:32

Wound up being the Linksys that was in front of it all. Appreciate all your help!
