Cisco Support Community
New Member

ASA5510 using L2TP/IPSec stuck between Phase1&2

I have recently configured our ASA 5510 to support L2TP remote access connections, however the connections seem to fail after Phase 1.

The basic error from the isakmp debugging is:

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, QM FSM error (P2 struct &0xad6eab50, mess id 0xa3b43504)!

Jun 06 11:03:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 166.248.0.43, IKE QM Responder FSM error history (struct &0xad6eab50)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent-->QM_SND_MSG2, EV_SND_MSG-->QM_SND_MSG2, EV_START_TMR-->QM_SND_MSG2, EV_RESEND_MSG-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent

Jun 06 11:03:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 166.248.0.43, IKE Deleting SA: Remote Proxy 10.190.146.32, Local Proxy My.Outside.IP.Here

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, Removing peer from correlator table failed, no match!

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, Session is being torn down. Reason: Lost Service

I used this guide: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/l2tp_ips.html

I've tried to fix this problem using: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

I've attached the full captured debug from asa side during a connection attempt with my phone.

I've also attached the pertinent running-config pieces from my ASA.

Please help me! I don't know what else to try.
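
An added example, not part of the original post and not Cisco tooling: a small Python parser for the IKEv1 debug lines quoted above. It extracts the peer, the teardown reason, and the state/event pairs of the QM FSM error history so that repeated connection attempts can be compared. The function names are hypothetical, and the code only counts transitions; it assumes nothing about the order in which the ASA lists them.

```python
import re
from collections import Counter

# Debug lines quoted from the post above (IKEv1 debug output from the ASA).
SAMPLE = """\
Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, QM FSM error (P2 struct &0xad6eab50, mess id 0xa3b43504)!
Jun 06 11:03:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 166.248.0.43, IKE QM Responder FSM error history (struct &0xad6eab50)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent-->QM_SND_MSG2, EV_SND_MSG-->QM_SND_MSG2, EV_START_TMR-->QM_SND_MSG2, EV_RESEND_MSG-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent
Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, Session is being torn down. Reason: Lost Service
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<facility>[^\]]+)\]: "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)
HISTORY_RE = re.compile(r"FSM error history .*?<state>, <event>:\s*(?P<hist>.+)$")


def parse_line(line):
    """Split one debug line into timestamp, facility, group, peer IP and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def fsm_history(msg):
    """Return the (state, event) pairs of an 'FSM error history' message, else []."""
    m = HISTORY_RE.search(msg)
    if not m:
        return []
    pairs = []
    for entry in m.group("hist").split("-->"):
        state, _, event = entry.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def summarize(text):
    """Collect peers, (state, event) counts and teardown reasons from a debug capture."""
    summary = {"peers": set(), "transitions": Counter(), "teardown_reasons": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-IKE line
        summary["peers"].add((rec["group"], rec["ip"]))
        summary["transitions"].update(fsm_history(rec["msg"]))
        reason = re.search(r"Session is being torn down\. Reason: (.+)$", rec["msg"])
        if reason:
            summary["teardown_reasons"].append(reason.group(1))
    return summary
```

Run over the quoted lines, `summarize(SAMPLE)` reports two `EV_RESEND_MSG` events in state `QM_WAIT_MSG3` and one in `QM_SND_MSG2` before `EV_ERROR`, with the session torn down for "Lost Service".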

4 REPLIES
Super Bronze

Under "tunnel-group DefaultRAGroup ppp-attributes", please enable PAP and MSCHAPv1:

authentication pap

authentication ms-chap-v1

From the debug output, it seems that IPSec is up; however, L2TP is failing.

New Member

I've added authentication pap, authentication ms-chap-v1 and authentication chap; however, I get identical results. Any other thoughts?

New Member

Any other thoughts? I've tested from my phone (Android) and from my home PC (Windows 7) and both time out on the client side.

New Member

I've attached yesterday's attempts and running-config.  Config is the full config, just in case something I bleeped out before is important to help diagnose.

Cheers!
