Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Help with VPN L2TP

Good Night,

I'm trying to connect to vpn using ASA 5510 with L2TP and the following message is displayed on log,someone has this problem.Sorry for english, i do not speak very well.

4|Jul 22 2009|16:41:47|113019|||Group = DefaultRAGroup, Username = , IP =, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3|Jul 22 2009|16:41:47|713902|||Group = DefaultRAGroup, IP =, Removing peer from correlator table failed, no match!

3|Jul 22 2009|16:41:47|713902|||Group = DefaultRAGroup, IP =, QM FSM error (P2 struct &0xd50889c8, mess id 0x1)!

5|Jul 22 2009|16:41:47|713904|||Group = DefaultRAGroup, IP =, All IPSec SA proposals found unacceptable!

3|Jul 22 2009|16:41:47|713122|||IP =, Keep-alives configured on but peer does not support keep-alives (type = None)

3|Jul 22 2009|16:41:47|713119|||Group = DefaultRAGroup, IP =, PHASE 1 COMPLETED

4|Jul 22 2009|16:41:47|713903|||Group = DefaultRAGroup, IP =, Freeing previously allocated memory for authorization-dn-attributes

New Member

Re: ASA Help with VPN L2TP

If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

If the Cisco VPN Clients or the Site-to-Site VPN are not able establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values and when the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

"removing peer from peer table failed - no match"This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

If the Cisco VPN Client is unable to connect the head-end device, the problem can be the mismatch of ISAKMP Policy. The head-end device must match with one of the IKE Proposals of the Cisco VPN Client.

Note: For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.