Cisco Support Community
New Member

L2TP over IPSec RA VPN not working

I have been trying to get an L2TP over IPSec VPN using pre-shared keys working, but it just keeps failing with the same errors. For some reason it claims that it can't find a valid tunnel group. I am trying to connect using Windows XP VPN. The client is behind a NAT, and I have already applied the NAT-T registry fix, but it didn't help.


Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for ( to NP Identity Ifc: (

Jun 08 2007 21:35:07: %ASA-4-713903: Group =, IP =, Can't find a valid tunnel group, aborting...!

Jun 08 2007 21:35:07: %ASA-3-713902: Group =, IP =, Removing peer from peer table failed, no match!

Jun 08 2007 21:35:07: %ASA-4-713903: Group =, IP =, Error: Unable to remove PeerTblEntry

router# show vers

Cisco Adaptive Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(2)

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 50

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

This platform has a Base license.

I am attaching the config.

Thanks for your help!

New Member

Re: L2TP over IPSec RA VPN not working

OK, I was able to get this working by not trying to use user-defined tunnel groups.

I modified the DefaultRAGroup and used it instead and was able to connect to a tunnel group. Is this a known issue?

However, this only got me past Phase 1. Phase 2 kept failing with the error "All IPSec SA proposals found unacceptable!".

To get past this error, I removed PFS and switched from SHA to MD5.

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Those two changes enabled Phase 2 to complete successfully and the tunnel was set up.

New Member

Re: L2TP over IPSec RA VPN not working

This is the config that works:

New Member

Re: L2TP over IPSec RA VPN not working

Thank you very much for the info.

To answer your question why only the default RA group is working:

Since the L2TP/IPsec client doesn't specify a group name, the default values of the default RA group will be used. This is the reason why you have to use this group.


I also had some problems with L2TP, in that the tunnel was OK but I was not able to access resources from the L2TP client to the remote site through the tunnel.
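
The conditions this thread reports for a Windows L2TP/IPsec client (pre-shared key on DefaultRAGroup, a transport-mode transform set on the dynamic map, no PFS), written as a small config check. This is an added example, not code from any poster or from Cisco; the function name `lint_l2tp`, the group name `L2TP_USERS` and both sample configs are constructed for illustration.

```python
import re

# Constructed sample (not the poster's attachment): user-defined tunnel group,
# PFS on the dynamic map, transform set left in the default tunnel mode.
SAMPLE_BROKEN = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
tunnel-group L2TP_USERS type ipsec-ra
tunnel-group L2TP_USERS ipsec-attributes
 pre-shared-key *
"""

# Constructed sample following the working settings described in the thread.
SAMPLE_FIXED = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""

def lint_l2tp(config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. The client sends no group name, so the key must sit on DefaultRAGroup.
    section, psk_on_default = None, False
    for line in config.splitlines():
        if not line.startswith(" "):
            section = line.strip()          # top-level command opens a section
        elif (section == "tunnel-group DefaultRAGroup ipsec-attributes"
              and line.strip().startswith("pre-shared-key")):
            psk_on_default = True
    if not psk_on_default:
        findings.append("no pre-shared-key under DefaultRAGroup")
    # 2. Every transform set on a dynamic map must be in transport mode.
    transport = set(re.findall(
        r"^crypto ipsec transform-set (\S+) mode transport", config, re.M))
    for names in re.findall(
            r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$", config, re.M):
        for ts in names.split():
            if ts not in transport:
                findings.append(f"transform-set {ts} is not in transport mode")
    # 3. PFS on the dynamic map is what the poster removed to pass Phase 2.
    for m in re.finditer(r"^crypto dynamic-map (\S+) (\d+) set pfs", config, re.M):
        findings.append(f"pfs is set on {m.group(1)} {m.group(2)}")
    return findings
```

The check does not cover the hash change from SHA to MD5 that the poster also made.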
