Cisco Support Community

ASA disconnects client due to XAUTH even though XAUTH is disabled

This question is similar to others that have been posted before.  My ASA 5505 fails just after the end of Phase 1 with the error message "peer is not authenticated by xauth - drop connection."  Unlike the earlier posts, I am trying to set up an IPSec-L2TP remote-access connection rather than an L2L tunnel, and therefore DefaultRAGroup is the correct tunnel group to use.

Here is (what I believe to be) the relevant part of the running config:

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 10.160.0.2
dns-server value 10.160.0.2 10.160.0.3
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value rowland.org

tunnel-group DefaultRAGroup general-attributes
address-pool l2tp
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
trust-point Rowland
isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
authentication ms-chap-v2

Even though a trust point is set, I'm using strictly PSK authentication.

Here's the log from a recent connection attempt, with debug isakmp at level 50.  The extract starts at the successful conclusion of phase 1:

Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, PHASE 1 COMPLETED
Jan 06 14:10:43 [IKEv1]: IP = *.*.*.40, Keep-alive type for this connection: DPD
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, Starting P1 rekey timer: 2700 seconds.
Jan 06 14:10:43 [IKEv1 DECODE]: IP = *.*.*.40, IKE Responder starting QM: msg id = e064bd02
Jan 06 14:10:43 [IKEv1]: IP = *.*.*.40, IKE_DECODE RECEIVED Message (msgid=e064bd02) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 168
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing hash payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing SA payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing nonce payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing ID payload
Jan 06 14:10:43 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = *.*.*.40, ID_IPV4_ADDR ID received
*.*.*.40
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, Received remote Proxy Host data in ID Payload:  Address *.*.*.40, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing ID payload
Jan 06 14:10:43 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = *.*.*.40, ID_IPV4_ADDR ID received
*.*.*.37
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, Received local Proxy Host data in ID Payload:  Address *.*.*.37, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing NAT-Original-Address payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing NAT-Original-Address payload
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, peer is not authenticated by xauth - drop connection.
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, QM FSM error (P2 struct &0x39848a8, mess id 0xe064bd02)!

Although it's not apparent from the obscured IP addresses, this setup is a little unusual in that both client and server (the ASA) are on the same subnet.  That's just for this testing session; the same thing happens when they are on different subnets.  The client has been configured to force NAT processing and UDP/4500 encapsulation regardless.

Can anybody suggest what's going wrong here?
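As an added triage aid (this is not part of the original post, nor Cisco tooling), the script below parses an ASA IKEv1 debug extract like the one above and tracks per-peer state: the tunnel group the ASA mapped the peer to, whether Phase 1 completed, the Quick Mode message ID and payload list, the proxy identities, the drop reason, and any QM FSM error. It also reads each tunnel-group's `isakmp ikev1-user-authentication` value from a config fragment so the log's drop reason and the group's XAUTH setting can be compared side by side. The sample log and config are constructed (203.0.113.x documentation addresses stand in for the redacted ones, and the group and trust-point names are copied from the post as placeholders); the script only reports what both artifacts say and does not diagnose the root cause.

```python
"""Correlate ASA IKEv1 debug output with tunnel-group XAUTH settings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log in the shape of the post's extract (addresses are placeholders).
SAMPLE_LOG = """\
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.40, PHASE 1 COMPLETED
Jan 06 14:10:43 [IKEv1]: IP = 203.0.113.40, Keep-alive type for this connection: DPD
Jan 06 14:10:43 [IKEv1 DECODE]: IP = 203.0.113.40, IKE Responder starting QM: msg id = e064bd02
Jan 06 14:10:43 [IKEv1]: IP = 203.0.113.40, IKE_DECODE RECEIVED Message (msgid=e064bd02) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 168
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.40, Received remote Proxy Host data in ID Payload:  Address 203.0.113.40, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.40, Received local Proxy Host data in ID Payload:  Address 203.0.113.37, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.40, peer is not authenticated by xauth - drop connection.
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.40, QM FSM error (P2 struct &0x39848a8, mess id 0xe064bd02)!
"""

# Constructed sample config fragment mirroring the tunnel-group section of the post.
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 trust-point Rowland
 isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
"""

LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \[IKEv1(?: [A-Z]+)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)
QM_START_RE = re.compile(r"IKE Responder starting QM: msg id = (?P<id>[0-9a-f]+)")
PAYLOADS_RE = re.compile(r"with payloads : (?P<list>.+?) total length : (?P<len>\d+)")
PROXY_RE = re.compile(r"Received (?P<side>remote|local) Proxy Host data in ID Payload:\s+Address (?P<addr>\S+),")
DROP_RE = re.compile(r"^(?P<reason>.*?) - drop connection\.?$")
FSM_ERR_RE = re.compile(r"QM FSM error .*mess id 0x(?P<id>[0-9a-f]+)")


@dataclass
class PeerState:
    ip: str
    group: Optional[str] = None
    phase1_completed: bool = False
    qm_msgids: List[str] = field(default_factory=list)
    payloads: List[str] = field(default_factory=list)
    remote_proxy: Optional[str] = None
    local_proxy: Optional[str] = None
    drop_reason: Optional[str] = None
    fsm_errors: List[str] = field(default_factory=list)


def parse_ikev1_log(text: str) -> Dict[str, PeerState]:
    """Build a per-peer state record from '[IKEv1 ...]' debug lines; other lines are ignored."""
    peers: Dict[str, PeerState] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        st = peers.setdefault(ip, PeerState(ip=ip))
        if m.group("group"):
            st.group = m.group("group")          # the tunnel group the ASA mapped this peer to
        if msg == "PHASE 1 COMPLETED":
            st.phase1_completed = True
        elif (q := QM_START_RE.search(msg)):
            st.qm_msgids.append(q.group("id"))
        elif (p := PAYLOADS_RE.search(msg)):
            # "HASH (8)" -> "HASH": keep the payload names, drop the numeric type codes
            st.payloads = [re.sub(r"\s*\(\d+\)$", "", t.strip()) for t in p.group("list").split(" + ")]
        elif (pr := PROXY_RE.search(msg)):
            if pr.group("side") == "remote":
                st.remote_proxy = pr.group("addr")
            else:
                st.local_proxy = pr.group("addr")
        elif (d := DROP_RE.match(msg)):
            st.drop_reason = d.group("reason")
        elif (e := FSM_ERR_RE.search(msg)):
            st.fsm_errors.append(e.group("id"))
    return peers


def parse_tunnel_group_xauth(config: str) -> Dict[str, str]:
    """Map tunnel-group name -> value of 'isakmp ikev1-user-authentication' under ipsec-attributes."""
    result: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        sect = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if sect:
            current = sect.group(1)
            continue
        if line.startswith("tunnel-group "):   # any other tunnel-group section ends the ipsec block
            current = None
            continue
        if current and line.startswith("isakmp ikev1-user-authentication "):
            result[current] = line.split()[-1]
    return result


def correlate(log: str, config: str) -> Dict[str, dict]:
    """Per peer: log-derived state next to the XAUTH setting configured for the group it landed in."""
    xauth = parse_tunnel_group_xauth(config)
    out: Dict[str, dict] = {}
    for ip, st in parse_ikev1_log(log).items():
        cfg = xauth.get(st.group) if st.group else None
        out[ip] = {
            "group": st.group,
            "phase1": st.phase1_completed,
            "qm_msgids": st.qm_msgids,
            "drop_reason": st.drop_reason,
            "xauth_config": cfg,
            # True when the ASA dropped for XAUTH although the matched group has it set to 'none'
            "xauth_mismatch": bool(st.drop_reason and "xauth" in st.drop_reason and cfg == "none"),
        }
    return out


if __name__ == "__main__":
    for ip, row in correlate(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(ip, row)
```

Run it against a full `debug crypto isakmp` capture and the output of `show running-config tunnel-group`; the `group` field is worth checking first, because the drop reason is evaluated against whichever tunnel group the ASA actually selected, which is not always the one the administrator expects.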

