VPN - IKEv1 - Session is being torn down. Reason: L2TP initiated

Unanswered Question
Dec 11th, 2012
User Badges:

Hi guys,

I am trying to configure my ASA 5520 to allow internal staff to work from remote via VPN. I need them to authenticate via Radius to MYCOMPANY-DC1 and allow them to access only if they are part of the Windows group VPNusers.

Using the VPN wizard I've created the (purged) configuration below. Now when I try to connect, the debug returns the following error.

Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP =, Session is being torn down. Reason: L2TP initiated

I haven't found where to define the name of the Windows gouup the users have to be part of in order to have the access granted and I guess that this missing configuration is the cause of the problem. Can you please tell me where is the error on my config and where I do have to add the missing configuration?

object-group network DM_INLINE_NETWORK_5

network-object LAN-network

access-list INTERNAL_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5

aaa-server windows_DC protocol radius

aaa-server windows_DC (INTERNAL) host MYCOMPANY-DC1

timeout 5

key *****

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000


crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map OUTSIDE_map interface OUTSIDE

crypto isakmp enable OUTSIDE

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value

dns-server value

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

default-domain value mycompanycorp.com.au

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group DefaultRAGroup general-attributes

address-pool VPN_Cisco_Pool

authentication-server-group windows_DC

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

On the Windows Server side, I have the following event:

User myuser was denied access.

Fully-Qualified-User-Name = myuser

NAS-IP-Address =

NAS-Identifier = <not present>

Called-Station-Identifier = <not present>

Calling-Station-Identifier = <not present>

Client-Friendly-Name = ASA5520

Client-IP-Address =

NAS-Port-Type = Virtual

NAS-Port = 94208

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = <undetermined>

Authentication-Type = MS-CHAPv2

EAP-Type = <undetermined>

Reason-Code = 48

Reason = The connection attempt did not match any remote access policy.


Dario Vanin

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Andrejchek Wed, 06/25/2014 - 02:34
User Badges:



What configuration was missing? I have the same problem.

Dario Francesco... Wed, 06/25/2014 - 17:52
User Badges:

Unfortunately I did not manage Windows Server, so I can't help you on that.

The ASA was correctly configured and the problem was on the Windows policies.


This Discussion