l2tp over ipsec asa 5505 %ASA-6-110003 error

Answered Question
Aug 16th, 2013

Hi,


First of all, apologies for my lack of awareness. It's hard managing Cisco routers when you are a newbie. I am learning Cisco as much as I can.


My issue is that I'm trying to set up an L2TP over IPsec VPN connection in my company in order to provide a secure connection; however, I have not been successful so far. When I establish a connection from my home I get this info from the ASA:


> show crypto isakmp sa:


4   IKE Peer: 188.76.164.162

    Type    : user            Role    : responder

    Rekey   : no              State   : MM_WAIT_MSG3



> Log Viewer


6          Aug 16 2013          14:11:14          110003          87.216.165.41          500          188.76.164.162          500          Routing failed to locate next hop for UDP from identity:87.216.165.41/500 to outside:188.76.164.162/500


Client OS: Windows 7/8 (services: IKE and AuthIP IPsec and IPsec Policy Agent enabled as well, Windows firewall off)


I've tried to find out what's wrong by searching on Google and forums; however, I couldn't find the solution.


Attached is my running config.


Any help is more than welcome.


Best,


Antonio

Overall Rating: 5 (1 ratings)
Correct Answer
malshbou (Cisco Employee) Fri, 08/16/2013 - 09:55

Hi Antonio,


It is a routing problem in your ASA.


route outside-other 0.0.0.0 0.0.0.0 192.168.4.1 100

route outside-backup 0.0.0.0 0.0.0.0 192.168.0.1 200


But you terminate the VPN at the outside interface (pppoe) which doesn't have a default route to send traffic back to the L2TP client.


Rule of thumb: Have a default route at the same interface where you terminate remote-access VPN. 


To make the test from (188.76.164.162) work, you can add the following route:


route outside 188.76.164.162 255.255.255.255 87.216.40.1  1 


But such a specific route will not be a solution if you expect VPN users to come from different locations. A default route is needed, or alternatively you may move the crypto map to the interface which has the default route.


Regards.
Mashal Alshboul
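
The check described in the answer above, as an added example that is not part of the original post or of any Cisco tooling: it reads the interface and peer out of a 110003 message and looks for a static route on that same interface that covers the peer. The sample config is constructed; the crypto map name `outside_map` is an assumption, since the poster's running config was an attachment.

```python
import ipaddress
import re

# Constructed sample. The two route lines are the ones quoted in the answer;
# the crypto map name "outside_map" is an assumption (the real config was attached).
SAMPLE_CONFIG = """\
route outside-other 0.0.0.0 0.0.0.0 192.168.4.1 100
route outside-backup 0.0.0.0 0.0.0.0 192.168.0.1 200
crypto map outside_map interface outside
"""
# Message text of the 110003 syslog entry from the question.
SAMPLE_LOG = ("Routing failed to locate next hop for UDP from "
              "identity:87.216.165.41/500 to outside:188.76.164.162/500")

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
CRYPTO_RE = re.compile(r"^crypto map \S+ interface (\S+)", re.M)
LOG_RE = re.compile(r"Routing failed to locate next hop for \S+ from \S+ "
                    r"to ([^:\s]+):([\d.]+)/\d+")

def static_routes(config):
    """Return {interface: [(network, gateway), ...]} from static 'route' lines."""
    routes = {}
    for ifname, net, mask, gw in ROUTE_RE.findall(config):
        prefix = bin(int(ipaddress.ip_address(mask))).count("1")
        network = ipaddress.ip_network(f"{net}/{prefix}", strict=False)
        routes.setdefault(ifname, []).append((network, gw))
    return routes

def next_hop(config, ifname, peer):
    """Longest-prefix match for peer among the routes of ifname only."""
    addr = ipaddress.ip_address(peer)
    hits = [r for r in static_routes(config).get(ifname, []) if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def audit(config, log_line):
    """Explain one 110003 message using the static routes in config."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    ifname, peer = m.groups()
    return {"interface": ifname, "peer": peer,
            "terminates_vpn": ifname in CRYPTO_RE.findall(config),
            "next_hop": next_hop(config, ifname, peer)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_LOG))
```

Only static `route` lines are considered, so a route the ASA learns dynamically will not show up here; compare the result with `show route` on the device.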
