cisco asa vpn Error processing payload: Payload ID: 1

Nikhil Patil
Level 1

Hi,

I have configured an L2TP VPN using ASDM and now I am not able to connect to my Cisco ASA 5505.

It is showing this error message:

3  Jul 07 2011  18:57:38  IP = *.*.*.*, Error processing payload: Payload ID: 1

Please suggest how to solve this problem (using ASDM).

Thanks

8 Replies

Parminder Sian
Level 1

Hi ,

Usually this message comes up for an IPsec VPN tunnel when the ISAKMP policies do not match. Here's a link for your reference.

http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution15

Can we have a look at the config?

Parminder Sian

Hello Parminder,

I am sending my firewall configuration.

I have configured this firewall using ASDM, so can you please guide me through ASDM, or suggest the CLI configuration.

Thanks,

Nikhil.

nnikhil.patil@gmail.com

Result of the command: "show startup config"

show startup config

             ^

ERROR: % Invalid input detected at '^' marker.

Result of the command: "show startu"

: Saved

: Written by enable_15 at 12:26:07.115 IST Tue Jul 12 2011

!

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name ******.net

enable password 9p9RlVCQln.VPpnz encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

dns-guard

!

interface Ethernet0/0

switchport access vlan 337

switchport trunk allowed vlan 337

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 20

!

interface Vlan1

nameif inside

security-level 50

ip address 10.0.0.1 255.255.255.0

!

interface Vlan20

nameif DMZ

security-level 50

ip address 172.16.0.1 255.255.0.0

!

interface Vlan337

nameif outside

security-level 0

ip address Router-Outside 255.255.255.252

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone IST 5 30

dns domain-lookup inside

dns server-group DefaultDNS

name-server Sg-dc1-int

name-server *.*.*.*

name-server *.*.*.*

name-server *.*.*.*

domain-name spheregen.net

same-security-traffic permit inter-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_out extended permit gre any any

access-list inside_access_out extended permit tcp any any eq pptp

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit tcp any any eq pptp

access-list outside_access_in extended permit object-group TCPUDP any host epost-ext eq www

access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any

access-list outside_access_in remark outside to DMZ access

access-list outside_access_in extended permit ip any interface DMZ

access-list outside_access_out extended permit gre any any

access-list outside_access_out extended permit tcp any any eq pptp

access-list outside_access_out extended permit ip interface outside any

access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any

access-list inside_access_in remark inside to DMZ access

access-list inside_access_in extended permit ip interface inside interface DMZ

access-list inside_access_in extended permit tcp any any eq pptp

access-list inside_access_in extended permit gre any any

access-list DMZ_access_in remark DMZ to inside access

access-list DMZ_access_in extended permit ip interface DMZ interface inside

access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0

pager lines 24

logging enable

logging asdm warnings

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

ip local pool vpnpool 192.168.40.1-192.168.40.254 mask 255.255.255.0

ip local pool vpnpool2 192.168.50.1-192.168.50.200 mask 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface DMZ

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-643.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.255.255.0

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group DMZ_access_in in interface DMZ

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 *.*.*.*

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns Sg-dc1-int 10.0.0.2 interface inside

!

dhcpd dns Sg-dc1-int 202.54.10.2 interface outside

!

dhcprelay server 10.0.0.2 inside

dhcprelay server Sg-dc1-int inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

group-policy DfltGrpPolicy attributes

dns-server value *.*.*.* *.*.*.*

default-domain value .net

username test1 password qs0S0nyHysj8C4U4rtbwWA== nt-encrypted

tunnel-group DefaultRAGroup general-attributes

address-pool vpnpool2

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 3600 retry 2

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

!

class-map Unblock

match access-list inside_mpc_1

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all AppHeaderClass

match response header regex contenttype regex applicationheader

class-map httptraffic

match access-list inside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection

match request method connect

  drop-connection log

class AppHeaderClass

  drop-connection log

class BlockDomainsClass

  reset log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

policy-map inside-policy

class Unblock

  inspect http

class httptraffic

  inspect http http_inspection_policy

!

service-policy global_policy global

service-policy inside-policy interface inside

smtp-server 10.0.0.9

prompt hostname

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ee3e6d0eefe95b0f7f4986120f30c3f2

Hi Nikhil,

Your config seems incomplete; the command "vpn-tunnel-protocol IPSec l2tp-ipsec" is missing, which is required for an L2TP connection. Try to reconfigure your firewall using the following link:

http://www.cisco.com/en/US/customer/docs/security/asa/asa80/configuration/guide/l2tp_ips.html

Hope this helps,

Parminder Sian

Hi Parminder,

I have configured the ASA using the CLI, following

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html

and it is still showing the error. I have IOS 8.2 on the ASA.

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name spheregen.net

enable password 9p9RlVCQln.VPpnz encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

!

interface Ethernet0/0

switchport access vlan 337

switchport trunk allowed vlan 337

speed 100

duplex full

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 20

!

interface Vlan1

nameif inside

security-level 50

ip address 10.0.0.1 255.255.255.0

!

interface Vlan20

nameif DMZ

security-level 50

ip address 172.16.0.1 255.255.0.0

!

interface Vlan337

nameif outside

security-level 0

ip address Router-Outside 255.255.255.252

ftp mode passive

clock timezone IST 5 30

dns domain-lookup inside

dns server-group DefaultDNS

name-server Sg-dc1-int

name-server 121.242.190.211

name-server 202.54.10.2

name-server 202.144.10.50

domain-name spheregen.net

same-security-traffic permit inter-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network Trusted-Users

network-object host Ashish-Machine

network-object host Ani-Machine

network-object host Anija-Machine

network-object host Mathew-Machine

network-object host tfs2008-int

network-object host SMTPServer-int

network-object host Sg-dc1-int

network-object host Ani2-Machine

network-object host Utkarsh-Machine

object-group service SMTP-MSOnline tcp

port-object eq 587

object-group service TFSPorts tcp

port-object eq 8080

port-object eq www

object-group service RDP tcp

port-object eq 3389

access-list inside_access_out extended permit gre any any

access-list inside_access_out extended permit tcp any any eq pptp

access-list inside_access_out extended permit object-group TCPUDP any host epost-int eq www

access-list outside_access_in extended permit gre any any

access-list outside_access_in extended permit tcp any any eq pptp

access-list outside_access_in extended permit tcp any host Development-ext object-group RDP inactive

access-list outside_access_in extended permit object-group TCPUDP any host tfs2008-ext eq www

access-list outside_access_in remark outside to DMZ access

access-list outside_access_in extended permit ip any interface DMZ

access-list outside_access_out extended permit gre any any

access-list outside_access_out extended permit tcp any any eq pptp

access-list outside_access_out extended permit tcp any any object-group SMTP-MSOnline

access-list outside_access_out extended permit tcp host tfs2008-int any object-group SMTP-MSOnline

access-list outside_access_out extended permit tcp host SMTPServer-int any object-group SMTP-MSOnline

access-list outside_access_out extended permit ip interface outside any

access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any

access-list inside_access_in remark inside to DMZ access

access-list inside_access_in extended permit ip interface inside interface DMZ

access-list inside_access_in extended permit tcp any any eq pptp

access-list inside_access_in extended permit gre any any

access-list inside_mpc extended permit object-group TCPUDP any any eq www

access-list inside_mpc_1 extended permit object-group TCPUDP object-group Trusted-Users any eq www

access-list inside_mpc_1 extended permit tcp object-group Trusted-Users any eq https

access-list DMZ_access_in remark DMZ to inside access

access-list DMZ_access_in extended permit ip interface DMZ interface inside

access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.192

pager lines 24

logging enable

logging asdm warnings

logging from-address noreply@cisco.com

logging recipient-address ni@cisco.com level errors

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0

ip verify reverse-path interface inside

ip verify reverse-path interface DMZ

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-643.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.255.255.0

static (inside,outside) epost-ext epost-int netmask 255.255.255.255 dns

static (inside,outside) timesheet-ext timesheet-int netmask 255.255.255.255 dns

static (inside,outside) tfs2008-ext tfs2008-int netmask 255.255.255.255 dns

static (inside,outside) tfs2010-ext tfs2010-int netmask 255.255.255.255

static (inside,outside) Development-ext Development-int netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group DMZ_access_in in interface DMZ

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 121.241.66.218 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection preserve-vpn-flows

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set my-transform-set esp-des esp-sha-hmac

crypto ipsec transform-set my-transform-set mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto isakmp nat-traversal 1500

no vpn-addr-assign dhcp

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

l2tp tunnel hello 100

dhcpd dns Sg-dc1-int 10.0.0.2 interface inside

!

dhcpd dns Sg-dc1-int 202.54.10.2 interface outside

!

dhcprelay server 10.0.0.2 inside

dhcprelay server Sg-dc1-int inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

group-policy DfltGrpPolicy attributes

dns-server value *.*.*.* *.*.*.*

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec

default-domain value spheregen.net

username test1 password qs0S0nyHysj8C4U4rtbwWA== nt-encrypted

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 3600 retry 2

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group sales-tunnel type remote-access

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection

match request method connect

  drop-connection log

class AppHeaderClass

  drop-connection log

class BlockDomainsClass

  reset log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

policy-map inside-policy

class Unblock

  inspect http

class httptraffic

  inspect http http_inspection_policy

!

service-policy global_policy global

service-policy inside-policy interface inside

smtp-server 10.0.0.9

prompt hostname

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f22458f824bb5a517918a8998b594b46

ciscoasa#

ciscoasa# show crypto isakmp sa

There are no isakmp sas

Nikhil,

In my opinion the config should look like the following; in your config I don't see any crypto maps:

ip local pool sales_addresses x.x.x.x-x.x.x.x

group-policy sales_policy internal

group-policy sales_policy attributes

    vpn-tunnel-protocol l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

    default-group-policy sales_policy

    address-pool sales_addresses

tunnel-group DefaultRAGroup ipsec-attributes

    pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

    no authentication pap

    authentication chap

    authentication ms-chap-v1

    authentication ms-chap-v2

crypto ipsec transform-set trans esp-3des esp-sha-hmac

crypto ipsec transform-set trans mode transport

crypto dynamic-map dyno 10 set transform-set trans

crypto map vpn 20 ipsec-isakmp dynamic dyno

crypto map vpn interface outside

crypto isakmp enable outside

crypto isakmp policy 10

    authentication pre-share

    encryption 3des

    hash sha

    group 2

    lifetime 86400

Try the following config.

Parminder Sian
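The structural checks behind Parminder's two answers (a crypto map bound to outside with a dynamic entry, a transport-mode transform set reachable from it, vpn-tunnel-protocol l2tp-ipsec in a group-policy, a pre-shared key and an address pool on DefaultRAGroup, ISAKMP enabled on outside) as an added Python linter; this is example code written for this page, not part of the thread or any Cisco tool. It assumes ASA 8.2 `show running-config` formatting with sub-commands indented one space (the forum paste lost that indentation). The two config excerpts are constructed: one from the poster's second dump, one from the accepted answer with its `set transform-set set trans` typo corrected and the pool range taken from the poster's own config. The weak-algorithm lists (DES, 3DES, MD5) and the message strings are the example's own.

```python
"""Lint the L2TP/IPsec pieces of an ASA 8.2-style running config (added example)."""
import re

# Constructed excerpt of the poster's second config: crypto/VPN lines only.
BROKEN_CFG = """\
crypto ipsec transform-set my-transform-set esp-des esp-sha-hmac
crypto ipsec transform-set my-transform-set mode transport
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""

# The accepted answer's config, typo fixed; pool range is the poster's own.
FIXED_CFG = """\
ip local pool sales_addresses 192.168.50.1-192.168.50.60 mask 255.255.255.0
group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy sales_policy
 address-pool sales_addresses
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

WEAK_ESP, WEAK_IKE = {"esp-des", "esp-3des", "esp-md5-hmac"}, {"encryption des", "encryption 3des", "hash md5"}

def sections(cfg):
    """Group the config into (command, [sub-commands]) pairs by its one-space indent."""
    out = []
    for ln in cfg.splitlines():
        if ln.startswith(" ") and out:
            out[-1][1].append(ln.strip())
        elif ln.strip() and not ln.startswith("!"):
            out.append((ln.strip(), []))
    return out

def lint_l2tp_ipsec(cfg):
    """Return (errors, warnings); no errors means every structural piece is present."""
    secs = sections(cfg)
    tops = [h for h, _ in secs]
    errors, warnings = [], []
    # Chain: crypto map on outside -> dynamic entry -> a transport-mode transform set.
    bound = {m.group(1) for h in tops if (m := re.match(r"crypto map (\S+) interface outside$", h))}
    dyn = {m.group(2) for h in tops
           if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", h)) and m.group(1) in bound}
    if not bound:
        errors.append("no crypto map is bound to the outside interface")
    elif not dyn:
        errors.append("the crypto map on outside has no dynamic entry for remote-access peers")
    else:
        used = set()
        for h in tops:
            m = re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", h)
            if m and m.group(1) in dyn:
                used.update(m.group(2).split())
        transport = {m.group(1) for h in tops
                     if (m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", h))}
        if not used & transport:
            errors.append("no transport-mode transform set is reachable from the dynamic map")
    # A group-policy must allow l2tp-ipsec; DefaultRAGroup (where a plain L2TP client lands) needs PSK + pool.
    gp = [b for h, body in secs if h.startswith("group-policy") for b in body]
    if not any(b.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in b.split() for b in gp):
        errors.append("no group-policy permits l2tp-ipsec via vpn-tunnel-protocol")
    sub = lambda header: next((body for h, body in secs if h == header), [])
    if not any(b.startswith("pre-shared-key") for b in sub("tunnel-group DefaultRAGroup ipsec-attributes")):
        errors.append("DefaultRAGroup has no pre-shared-key")
    if not any(b.startswith("address-pool") for b in sub("tunnel-group DefaultRAGroup general-attributes") + gp):
        errors.append("DefaultRAGroup has no address-pool, so clients cannot get an IP")
    if "crypto isakmp enable outside" not in tops:
        errors.append("ISAKMP is not enabled on outside")
    # Weak algorithms are warnings, not errors: the tunnel comes up, just badly.
    for h, body in secs:
        if h.startswith("crypto ipsec transform-set") and WEAK_ESP & set(h.split()):
            warnings.append(f"weak ESP algorithm in: {h}")
        if h.startswith("crypto isakmp policy"):
            warnings.extend(f"{h}: {b}" for b in body if b in WEAK_IKE)
    return errors, warnings

if __name__ == "__main__":
    print(lint_l2tp_ipsec(BROKEN_CFG), lint_l2tp_ipsec(FIXED_CFG), sep="\n")
```

Run against the poster's excerpt it reports the two things the answers fixed (no crypto map on outside, no address pool on DefaultRAGroup); against the suggested config it reports no errors but still warns about 3DES in both the transform set and the ISAKMP policy, which is the point the last reply raises. Delete the `mode transport` line from the suggested config and the linter catches that too, since L2TP/IPsec runs in transport mode.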

The VPN is working fine.

Thanks, Parminder.

The problem is solved.

Prashobcv93
Level 1

Why does L2TP rely only on the 3DES policy, which is the weakest?

Is there any other option to make it connect with a stronger policy?
