L2TP Traffic rejected on outside interface

Hi,

I have set up a L2TP VPN access on a Pix 501 running sw 6.3(5).

It stopped working one day, and I have the following error:

710005: UDP request discarded from <PEER_DYNAMIC_IP>/1701 to outside:<PIX_PUBLIC_STATIC_IP>/1701

What's missing?

Here is the configuration excerpt:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
[...]
access-list inside_outbound_nat0_acl permit ip any host <L2TP IP>
access-list outside_cryptomap_dyn_20 permit ip any host 10.21.0.20
access-list outside_cryptomap_dyn_20 permit ip any host <L2TP IP>
[...]
ip local pool L2TPUSer <L2TP IP> mask 255.255.255.255
[...]
pdm location <L2TP IP> 255.255.255.255 outside
[...]
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <PIX_PUBLIC_STATIC_IP> 1
[...]
aaa-server LOCAL protocol local
[...]
sysopt connection permit-ipsec
sysopt connection permit-l2tp
[...]
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
[...]
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
[...]
vpdn group L2TPgrp accept dialin l2tp
vpdn group L2TPgrp ppp authentication mschap
vpdn group L2TPgrp client configuration address local MyL2TPUser
vpdn group L2TPgrp client configuration dns x.x.x.x
vpdn group L2TPgrp client authentication local
vpdn group L2TPgrp l2tp tunnel hello 60
vpdn username MyL2TPUser password *********
vpdn enable outside

Thanks in advance

Ciao

1 REPLY

Re: L2TP Traffic rejected on outside interface

Explanation - This message appears when the security appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the service snmp) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is snmp, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.

Recommended Action - In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.
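As an added triage example (not code from the thread or from Cisco), a small Python parser for 710005 lines in the format quoted above that groups discards per source and separates the cases the reply describes: L2TP packets hitting the outside interface with no listener, benign broadcast-service chatter, and a source probing many ports. The port set for the broadcast services, the probe threshold and the sample log lines are my assumptions.

```python
import re
from collections import Counter, defaultdict

# Message body as it appears on this page; the syslog prefix varies by setup.
MSG_710005 = re.compile(
    r"710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
L2TP_PORT = 1701
# Assumed ports for the broadcast services the reply names (DHCP, RIP, NetBIOS).
NOISY_PORTS = {67, 68, 520, 137, 138}

def parse_710005(line):
    """Return the fields of one 710005 line, or None if the line is not that message."""
    m = MSG_710005.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def classify(lines, probe_threshold=5):
    """Label each source by what its discarded requests look like."""
    per_src = defaultdict(Counter)  # src -> Counter of (iface, dport)
    for line in lines:
        f = parse_710005(line)
        if f:
            per_src[f["src"]][(f["iface"], f["dport"])] += 1
    verdicts = {}
    for src, targets in per_src.items():
        if len(targets) >= probe_threshold:          # many distinct ports from one host
            verdicts[src] = "possible_probe"
        elif all(p in NOISY_PORTS for _, p in targets):
            verdicts[src] = "broadcast_noise"
        elif any(i == "outside" and p == L2TP_PORT for i, p in targets):
            verdicts[src] = "l2tp_no_listener"      # VPN peer reached a port nobody serves
        else:
            verdicts[src] = "unclassified"
    return verdicts

# Constructed sample lines using RFC 5737 documentation addresses, not real logs.
SAMPLE = [
    "%PIX-3-710005: UDP request discarded from 203.0.113.5/1701 to outside:198.51.100.1/1701",
    "%PIX-3-710005: UDP request discarded from 203.0.113.5/1701 to outside:198.51.100.1/1701",
    "%PIX-3-710005: UDP request discarded from 192.0.2.10/68 to inside:192.0.2.1/67",
] + [f"%PIX-3-710005: TCP request discarded from 203.0.113.9/4{p} to outside:198.51.100.1/{p}"
     for p in (21, 22, 23, 25, 80, 443)]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE).items():
        print(src, verdict)
```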
