Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

L2TP IPsec doesn,t work on ASA 5510

Hey, im nearly to gettin crazy.

I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).

I'm using the newest Releases:

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)

My asa config just the interesting part:

crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

l2tp tunnel hello 100

group-policy sales_policy internal
group-policy sales_policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes
address-pool client-pool
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****

If i try to connect with a Windows 7 Client (NOT behind NAT) I get the Error 691.

I see that Phase 1/2 are working with debug:

Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED

Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)

Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated

I don't understand why it doens't work....

I tried many templates from the net but nothings works.

can someone give me an advice?

Super Bronze

Re: L2TP IPsec doesn,t work on ASA 5510

Seems to be missing the "ppp-attributes" from the configuration. Please kindly add "pap" as the authentication and test again.

I would also turn the NAT-T on: crypto isakmp nat-traversal 20

Here is the sample config for your reference:

New Member

Re: L2TP IPsec doesn,t work on ASA 5510

Hey Jennifer

I tried that also before with pap authentication and also the nat-traversal. but it still get the same error:

Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP =, Session is being torn down. Reason: L2TP initiated

I reconfigured the whole VPN Stuff from the reference config but without the AAA and nat settings because i use local login and the IP's from the same subnet as attached to the inside interface.

New Member

Re: L2TP IPsec doesn,t work on ASA 5510

Has anyone been able to resolve this? I have the exact same issue with a DroidX client.

Sent from Cisco Technical Support iPad App

New Member

Re: L2TP IPsec doesn,t work on ASA 5510

Yeah i solved it.

The only problem was the wrong parameters for my usernames.

i have had to use nt-encryptet at the end:

username righter password xyyz nt-encrypted.

after that it works.

New Member

Re: L2TP IPsec doesn,t work on ASA 5510

Thanks, I will give this a try later. Dont have access to a Droid right now to test it, but went ahead and setup the user as described. 

New Member

The below change worked for

The below change worked for me.

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

And added the user 

Username <name> password <passwd> mschap