Cisco ASA 5505 L2TP Pass through

robc00001
Level 1

I am having trouble with L2TP pass through on an ASA 5505 device.

L2TP server: OSX 10.6

I can connect with any OSX system and it works fine straight away.

When connecting with a Windows computer I get a 789 error: "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."

I did not set up or configure the device to start with, and apart from this issue it's working fine, so I am hesitant to just mess around too much to try and find the problem.

I am using the ASDM 6.4 to manage the device.

Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.

I'm just looking for other common issues?

Rob

14 Replies

Is it all Windows computers you are experiencing this issue with, or just one specific computer? Did you use ASDM to configure the L2TP?

Could you post a full sanitized running configuration of your ASA please.

--
Please remember to rate and select a correct answer


It is all Windows computers trying to connect to the L2TP server.

I didn't use ASDM to configure it; I have inherited it from someone else. So I am a little unsure how to use it, as I am new to the Cisco side of things.

As far as I can see, L2TP pass-through (port forwarding) is set up correctly to the Mac server acting as the L2TP server.

The error seems to point to a NAT issue that is interrupting the encrypted connection to the OSX server. But it works fine from any OSX computer.

Sorry for my stupidity, but how do I do a full sanitized configuration? Obviously I don't want to post any information that should not be seen and could compromise security.

Rob

On the ASA, issue the following command:

show running-configuration

Then go through the configuration and remove or X out any public IPs or passwords.

--
Please remember to rate and select a correct answer


I have the running config. But it is rather large and will take a while to remove IPs / passwords.

Is there any specific bit you will be looking at, or will you need the entire running config?

Shall I remove internal IPs as well as public IPs, if you want me to post the entire thing?

Rob

You do not need to remove the internal/private IPs...just the public ones.

We could start by looking at the crypto configuration, group-policy and tunnel-group:

show run crypto

show run group-policy

show run tunnel-group

Also include the following outputs, please:

show vpn-sessiondb detail remote filter protocol L2TPOverIPsec

show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT

--
Please remember to rate and select a correct answer


Below are the commands you wanted.

Where you see: IPNOTWHATIWASEXPECTING

This is an IP I don't know, possibly an old IP address.

and

default-domain value domain-notcorrect.local

This is an old domain from years ago.

Result of the command: "show run crypto"

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac

crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map map-dynamic 1 set pfs group5

crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha

crypto dynamic-map map-dynamic 2 set pfs

crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha

crypto dynamic-map map-dynamic 3 set pfs

crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha

crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 2 match address acl-amzn

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING

crypto map outside_map 2 set transform-set transform-amzn

crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 3

authentication pre-share

encryption aes-256

hash sha

group 1

lifetime 86400

crypto isakmp policy 11

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

crypto isakmp policy 12

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 13

authentication pre-share

encryption aes-192

hash sha

group 1

lifetime 86400

crypto isakmp policy 21

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp policy 22

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 23

authentication pre-share

encryption aes

hash sha

group 1

lifetime 86400

crypto isakmp policy 31

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto isakmp policy 32

authentication rsa-sig

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 33

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp policy 34

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

Result of the command: "show run group-policy"

group-policy evertest internal

group-policy evertest attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

vpn-tunnel-protocol IPSec l2tp-ipsec

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy petero internal

group-policy petero attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy awsfilter internal

group-policy awsfilter attributes

vpn-filter value amzn-filter

group-policy vpnpptp internal

group-policy vpnpptp attributes

dns-server value 10.100.25.252

vpn-tunnel-protocol l2tp-ipsec

group-policy vanheelm internal

group-policy vanheelm attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

vpn-tunnel-protocol IPSec l2tp-ipsec

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy ciscoVPNuser internal

group-policy ciscoVPNuser attributes

dns-server value 10.100.25.10

vpn-idle-timeout 720

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy chauhanv2 internal

group-policy chauhanv2 attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy oterop internal

group-policy oterop attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

vpn-tunnel-protocol IPSec l2tp-ipsec

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

group-policy Oterop internal

group-policy Oterop attributes

dns-server value 10.100.25.252

vpn-idle-timeout 30

group-policy chauhanv internal

group-policy chauhanv attributes

dns-server value 10.100.25.252

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy bnixon2 internal

group-policy bnixon2 attributes

dns-server value 10.100.25.252

vpn-idle-timeout 720

vpn-tunnel-protocol IPSec l2tp-ipsec

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplittunnel

default-domain value domain-notcorrect.local

Result of the command: "show run tunnel-group"

tunnel-group ciscoVPNuser type remote-access

tunnel-group ciscoVPNuser general-attributes

address-pool vpnippool

default-group-policy ciscoVPNuser

tunnel-group ciscoVPNuser ipsec-attributes

pre-shared-key *****

tunnel-group petero type remote-access

tunnel-group petero general-attributes

address-pool vpnippool

default-group-policy petero

tunnel-group petero ipsec-attributes

pre-shared-key *****

tunnel-group oterop type remote-access

tunnel-group oterop general-attributes

address-pool vpnippool

default-group-policy oterop

tunnel-group oterop ipsec-attributes

pre-shared-key *****

tunnel-group vanheelm type remote-access

tunnel-group vanheelm general-attributes

address-pool vpnippool

default-group-policy vanheelm

tunnel-group vanheelm ipsec-attributes

pre-shared-key *****

tunnel-group chauhanv type remote-access

tunnel-group chauhanv general-attributes

default-group-policy chauhanv

tunnel-group Oterop type remote-access

tunnel-group Oterop general-attributes

default-group-policy Oterop

tunnel-group chauhanv2 type remote-access

tunnel-group chauhanv2 general-attributes

address-pool vpnippool

default-group-policy chauhanv2

tunnel-group chauhanv2 ipsec-attributes

pre-shared-key *****

tunnel-group bnixon2 type remote-access

tunnel-group bnixon2 general-attributes

address-pool vpnippool

default-group-policy bnixon2

tunnel-group bnixon2 ipsec-attributes

pre-shared-key *****

tunnel-group vpnpptp type remote-access

tunnel-group vpnpptp general-attributes

address-pool vpnippool

default-group-policy vpnpptp

tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l

tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes

pre-shared-key *****

tunnel-group evertest type remote-access

tunnel-group evertest general-attributes

address-pool vpnippool

default-group-policy evertest

tunnel-group evertest ipsec-attributes

pre-shared-key *****

tunnel-group evertest ppp-attributes

authentication ms-chap-v2

tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l

tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes

pre-shared-key *****

tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l

tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes

default-group-policy awsfilter

tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 10 retry 3

tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l

tunnel-group IPNOTWHATIWASEXPECTING general-attributes

default-group-policy awsfilter

tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 10 retry 3

Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"

INFO: There are presently no active sessions of the type specified

---

Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"

INFO: There are presently no active sessions of the type specified

Did you manage to have a look through this for me? Can you see anything that would stop it working on a Windows computer?

Thanks,

Rob

Could you post your ACL configuration and NAT statements please.

I am thinking this might be an issue with the OSX server and not the ASA.

--
Please remember to rate and select a correct answer


Has this worked before?

--
Please remember to rate and select a correct answer


This works perfectly fine from a Mac client, just not from a Windows one.

What are the commands for the NAT statements and ACL configuration?

I'm pushing to move it off the Mac server and run it directly from the Cisco device.

Rob

But the current setup that is having the issue is when connecting to the OSX server, correct?

show run access-list

show run nat

--
Please remember to rate and select a correct answer


I am only having the issue when Windows clients try to connect to the VPN; it seems to work fine with OSX clients.

Show run ACL:

Result of the command: "show run access-list"

access-list vpnsplittunnel extended permit ip 10.100.25.0 255.255.255.0 any
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit tcp any host x.x.x.170 eq smtp
access-list acl-outside extended permit icmp any any source-quench
access-list acl-outside extended permit icmp any any time-exceeded
access-list acl-outside extended permit tcp any host x.x.x.170 eq www
access-list acl-outside extended permit tcp any host x.x.x.170 eq https
access-list acl-outside extended permit tcp any any eq imap4
access-list acl-outside extended permit tcp any any eq pop3
access-list acl-outside extended permit tcp any any eq 993
access-list acl-outside extended permit tcp host 216.66.35.71 any eq 3306
access-list acl-outside extended permit udp any any eq 993
access-list acl-outside extended permit tcp any any eq 995
access-list acl-outside extended permit tcp x.x.x.32 255.255.255.224 any eq 3389
access-list acl-outside extended permit tcp any host x.x.x.172 eq pptp
access-list acl-outside extended permit udp any host x.x.x.172 object-group DM_INLINE_UDP_1
access-list acl-outside extended permit udp any host x.x.x.172 eq isakmp
access-list acl-outside remark Host internal website to outside worlds.
access-list acl-outside remark Steves Project
access-list acl-outside extended permit tcp any host x.x.x.172 object-group DM_INLINE_TCP_1
access-list acl-outside extended permit ip host x.x.x.40 host x.x.x.174
access-list acl-outside extended permit ip host x.x.x.44 host x.x.x.174
access-list acl-inside extended permit tcp any any eq www
access-list acl-inside extended permit tcp any any eq https
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit udp any any eq ntp
access-list acl-inside extended permit tcp any any eq 993
access-list acl-inside extended permit tcp any any eq 587
access-list acl-inside extended permit tcp any any eq 1863
access-list acl-inside extended permit tcp any any eq 2020
access-list acl-inside extended permit tcp any any eq 995
access-list acl-inside extended permit tcp any any eq ssh
access-list acl-inside extended permit tcp any any eq pop3
access-list acl-inside extended permit udp any any eq domain
access-list acl-inside extended permit tcp any any eq imap4
access-list acl-inside extended permit tcp any any eq smtp
access-list acl-inside extended permit tcp any any eq ftp
access-list acl-inside extended permit tcp any any eq 5222
access-list acl-inside extended permit tcp any any eq 3389
access-list acl-inside extended permit tcp any any eq 465
access-list acl-inside extended permit tcp any any eq 8443
access-list acl-inside extended permit tcp any any eq ldap
access-list acl-inside extended permit udp any any eq isakmp
access-list acl-inside extended permit udp any any eq 4500
access-list acl-inside extended permit tcp any any eq domain
access-list acl-inside extended permit tcp any any eq 6522
access-list acl-inside extended permit udp any any eq 995
access-list acl-inside extended permit udp any any eq 993
access-list acl-inside extended permit tcp any any eq 5900
access-list acl-inside extended permit tcp any any eq 8081
access-list acl-inside extended permit tcp any any eq 10000
access-list acl-inside extended permit tcp any any eq aol
access-list acl-inside extended permit udp host 10.100.25.252 any eq domain
access-list acl-inside extended permit tcp host 10.100.25.252 any eq pop3
access-list acl-inside extended permit ip host 10.100.25.32 any
access-list acl-inside extended permit tcp host 10.100.25.252 any eq www
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 object-group Blackberry object-group Blackberry-TCP
access-list acl-inside extended permit tcp host 10.100.25.252 any eq smtp
access-list acl-inside extended permit tcp host 10.100.25.252 any eq https
access-list acl-inside extended permit tcp host 10.100.25.252 any eq telnet
access-list acl-inside extended permit tcp host 10.100.25.156 any eq smtp
access-list acl-inside extended permit ip host 10.100.25.249 any
access-list acl-inside extended permit ip host 10.100.25.157 any
access-list acl-inside extended permit ip host 10.100.25.156 any
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 host 65.218.239.10 eq 30003
access-list acl-inside extended permit tcp any host 84.19.126.38 eq 81
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 host 216.66.35.71 eq 3306
access-list acl-inside extended permit ip 10.100.25.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list acl-inside extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl-inside extended permit object-group TCPUDP any host x.x.x.55 object-group Port-2222
access-list acl-inside extended permit tcp any any object-group Gyro-8888
access-list acl-inside extended permit udp any any object-group L2TP
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn-Sonic-HQ extended permit ip 10.100.25.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list acl-VPLS extended permit ip any any
access-list acl-VPLS extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
access-list amzn-filter extended permit icmp 172.31.0.0 255.255.0.0 host 10.100.1.1
access-list amzn-filter extended permit tcp 172.31.0.0 255.255.0.0 host 10.100.1.1 eq ldap
access-list amzn-filter extended deny ip any any


show run nat:
nat (inside) 0 access-list allvpnsites
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VPLS) 0 access-list acl-amzn
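One way to sanity-check the pass-through rules is to parse the `show run access-list` output in the format posted above and report which of the three UDP ports an L2TP/IPsec client needs (500 IKE, 4500 NAT-T, 1701 L2TP) are actually permitted to the server's public address. This is an added example, not part of the thread; the sample lines are constructed from the posted shape, and the contents of the `DM_INLINE_UDP_1` object-group are an assumption, since the thread never shows them.

```python
import re

# Constructed sample in the shape of the posted config. The object-group body
# is an ASSUMPTION: the thread never shows what DM_INLINE_UDP_1 contains.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_UDP_1 udp
 port-object eq 1701
 port-object eq 4500
access-list acl-outside extended permit tcp any host x.x.x.172 eq pptp
access-list acl-outside extended permit udp any host x.x.x.172 object-group DM_INLINE_UDP_1
access-list acl-outside extended permit udp any host x.x.x.172 eq isakmp
access-list acl-outside extended permit tcp any host x.x.x.170 eq smtp
"""

# Port keywords the ASA prints instead of numbers (subset used here).
PORT_NAMES = {"isakmp": 500, "pptp": 1723, "smtp": 25, "www": 80, "https": 443}

# UDP ports an L2TP/IPsec client exchanges with the server. A client that is
# not behind NAT sends raw ESP (IP protocol 50) instead of UDP 4500, which
# this UDP-only check does not cover.
L2TP_IPSEC_UDP = {500: "IKE", 4500: "NAT-T", 1701: "L2TP"}

# Only lines whose destination is a single host and whose service is either
# "eq <port>" or "object-group <name>" are considered; others are skipped.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) (.+?) host (\S+) "
    r"(?:eq (\S+)|object-group (\S+))$"
)

def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_service_groups(config):
    """Return {group_name: set(ports)} for 'object-group service <name> tcp|udp' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) (tcp|udp)", line)
        if m:
            current = groups.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s+port-object eq (\S+)", line)
        if m and current is not None:
            current.add(port_number(m.group(1)))
        elif not line.startswith(" "):
            current = None  # left the indented object-group body
    return groups

def permitted_udp_ports(config, acl_name, dst_host):
    """UDP destination ports that <acl_name> permits to <dst_host>, groups resolved."""
    groups, ports = parse_service_groups(config), set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl_name or m.group(2) != "udp" or m.group(4) != dst_host:
            continue
        ports |= {port_number(m.group(5))} if m.group(5) else groups.get(m.group(6), set())
    return ports

def l2tp_ipsec_report(config, acl_name, dst_host):
    """Map each required L2TP/IPsec UDP port to whether the ACL permits it."""
    allowed = permitted_udp_ports(config, acl_name, dst_host)
    return {port: port in allowed for port in L2TP_IPSEC_UDP}
```

Run it against the real `show run access-list` and `show run object-group` output to confirm that all three ports are permitted to the server's address; a `False` for 4500 would explain a failure only for clients behind NAT.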

At first glance I do not see anything wrong with the configuration, and I am leaning towards there being an issue between the OSX server and the Windows client. Perhaps someone here who has had more experience with OSX can answer better.

--
Please remember to rate and select a correct answer


OK, thanks for your help with this issue. I will let you know if I can determine the solution further down the line.

Rob
