10-28-2014 09:52 AM - edited 02-21-2020 07:54 PM
Has anyone been successful in getting the VPN on the Chromebook to connect to an ASA? Can't find any solutions online and it is a pretty basic setup. All devices work except for the one Chromebook. It appears to be a phase one issue based on the logs below. Any ideas?
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing SA payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ke payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ISA_KE payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing nonce payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received xauth V6 VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received DPD VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal RFC VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal ver 02 VID
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, processing IKE SA payload
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 128
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, All SA proposals found unacceptable
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE AM Responder FSM error history (struct &0xb11e9f60) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE SA AM:e90bf838 terminating: flags 0x01008001, refcnt 0, tuncnt 0
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, sending delete/delete with reason message
10-30-2014 01:28 PM
Hi Caleb,
I had the exact same problem and was able to fix this just now. Documents that helped me were:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_l2tp_ipsec.html#wp1079517
And especially this one:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113572-1135272-technote-asa-l2tp-00.html
Make sure you use the DefaultRAGroup and not a custom one. You can use a custom group-policy.
Please let me know if you have any remaining questions.
Kind regards,
Tom
11-05-2014 09:37 AM
I'm having the same issue. I'm also using my own connection profile instead of the "DefaultRAGroup" connection profile. What's so special about the DefaultRAGroup that I can't seem to get it to work with my own custom Connection Profile?
03-28-2015 07:10 AM
There is a typo in the crypto mapping: it should be 'crypto dynamic-map dyno 10 set transform-set trans' and not 'crypto dynamic-map dyno 10 set transform-set set trans' (note the extra 'set'). If you're seeing phase 1 pass and phase 2 fail, this is likely the cause. Best of luck.
11-05-2014 12:48 PM
I'm still having the same problem. I did notice that other devices (Windows and Android) have "Vendor ID Microsoft L2TP over IPSec" in the IKE proposal. The Chromebook I am testing doesn't have it in the proposal. Did the missing item in the IKE proposal cause the failure?
05-25-2015 12:46 PM
Hello caleb.dick,
First, according to Cisco documentation, they don't claim support for ChromeOS; however, it may or may not work, since they don't deliberately stop the connection from the Chrome L2TP/IPsec client.
On the following link you can find more details about supported L2TP/IPsec VPN clients for your reference:
Second, you can see in your debugs that your L2TP connection is not landing in the DefaultRAGroup tunnel group. For this connection this is necessary.
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Please, check your VPN configuration in your chromebook and try not to mention any of your configured tunnel-groups so the ASA places it in the DefaultRAGroup.
https://support.google.com/chromebook/answer/1282338?hl=en-419
If the issue persists, I recommend you do the following:
- Run crypto debugs and isolate the problem to phase 1 or phase 2
- Upgrade the Chromebook OS software.
- Attempt an L2TP connection with a Windows machine and make sure this works properly.
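As an added example (not from any of the posts above), a small Python triage script for the ASA `debug crypto ikev1` output quoted in the original post: it reports which tunnel-group the connection landed on, whether the failure is in phase 1 or phase 2, and the mismatched proposal attribute. The sample lines are a constructed excerpt of that output, and the phase 2 markers are assumed patterns that do not appear in this thread.

```python
import re

# Constructed sample: a few of the "debug crypto ikev1" lines quoted in the
# original post (the mismatch line repeats on the ASA, so it is repeated here).
SAMPLE_DEBUG = """\
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, processing IKE SA payload
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
"""

LANDED_RE = re.compile(r"IP = (?P<ip>[\d.]+), Connection landed on tunnel_group (?P<group>\S+)")
PHASE1_RE = re.compile(
    r"Phase 1 failure: Mismatched attribute types for class (?P<cls>.+?): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
# Assumed phase 2 markers (not in the thread's output): quick-mode FSM error
# history and the IPsec SA rejection message.
PHASE2_RE = re.compile(r"IKE QM Responder FSM error|All IPSec SA proposals found unacceptable")

def triage_ikev1_debug(text):
    """Reduce ASA IKEv1 debug output to the facts needed to isolate the failure."""
    result = {"peer": None, "tunnel_group": None, "phase": None, "mismatches": []}
    for line in text.splitlines():
        m = LANDED_RE.search(line)
        if m:
            result["peer"], result["tunnel_group"] = m.group("ip"), m.group("group")
            continue
        m = PHASE1_RE.search(line)
        if m:
            result["phase"] = 1
            entry = (m.group("cls"), m.group("rcvd"), m.group("cfgd"))
            if entry not in result["mismatches"]:   # collapse the repeated lines
                result["mismatches"].append(entry)
            continue
        if result["phase"] is None and PHASE2_RE.search(line):
            result["phase"] = 2
    return result

def findings(result):
    """Human-readable conclusions, following the advice given in the thread."""
    out = []
    if result["tunnel_group"] and result["tunnel_group"] != "DefaultRAGroup":
        out.append("landed on tunnel_group %s, not DefaultRAGroup (required for L2TP/IPsec)" % result["tunnel_group"])
    for cls, rcvd, cfgd in result["mismatches"]:
        out.append("phase 1 mismatch on %s: client offered %r, ASA expects %r" % (cls, rcvd, cfgd))
    if result["phase"] == 2:
        out.append("phase 1 completed; failure is in phase 2 (check transform-set / crypto map)")
    return out
```

Run `findings(triage_ikev1_debug(open("debug.txt").read()))` on a saved debug capture; for the sample it reports the RA-IPSEC landing and the Group Description mismatch (Unknown vs. Group 2).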