01-18-2007 09:16 AM
If someone would be so kind, I need to see what a normal ASA 7.2 w/L2TP setup debug log looks like, with all the isakmp,ipsec,l2tp,ppp debug flags flying.
The configuration I've been most closely following this instruction set here with some mods (specifically, for now, I want LOCAL auth on the L2TP/PPP session, and no xauth.)
...that file stops short of showing anything past phase 2 completion and no l2tp debug -- and that's exactly where I get stuck.
My log says this, but of course who knows if the message about PPP aaa is the hanging-up point or just normal noise:
%ASA-6-302015: Built inbound UDP connection 210 for isp1:xx.xx.xx.33/1701 (xx.xx.xx.33/1701) to NP Identity Ifc:xx.xx.xx.210/1701 (xx.xx.xx.210/1701)
%ASA-4-403107: PPP virtual interface 1 missing aaa server group info
%ASA-7-713906: Group = DefaultRAGroup, IP = xx.xx.xx.33, IKE SA AM:1620bd99 rcv'd Terminate: state AM_ACTIVE flags 0x00010041, refcnt 1, tuncnt 1
%ASA-7-713906: Group = DefaultRAGroup, IP = xx.xx.xx.33, sending delete/delete with reason message
...now the L2TP debug messages seem to be interleaved and manage to make it out to the console faster than those from IPSEC, and they read as such:
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <xx.xx.xx.33> mask <255.255.255.255> port <1701>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP xx.xx.xx.33, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1> np_rule_id <0x4bd4c78>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP xx.xx.xx.33, peer port 1701
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1> np_rule_id <0x4c061a0>
L2TP LOWERLAYER: l2tp_punt_service_callback() ch:<0x172e950>, flow:<0x1a7836> inVpifNum<1:isp1> outVpifNum<0:NP Identity Ifc>
L2TP PACKET: vPifNum:<1> proto<UDP> saddr<xx.xx.xx.33> daddr<xx.xx.xx.210> sport<1701> dport<1701>
L2TP PACKET:
dest_ip <xx.xx.xx.33>, dest_port <1701>, ipsec_ident<0x39>, vPifNum <1:isp1>, channel: <0x172e8f0>
L2TP LOWERLAYER: PUNT CONSUMED!
(and these last few lines repeat a few times and then...)
L2TP LOWERLAYER: Succeed to delete classification rule: 0x4bd4c78
L2TP LOWERLAYER: Succeed to delete classification rule: 0x4c061a0
...On the other side, l2tpd seems to be working fine at first, it chats with the ASA for a while exchanging parameters and such, and then suddenly barfs this:
Jan 18 11:32:06 localhost l2tpd[2917]: result_code_avp: peer closing for reason
1 (Call disconnected due to loss of carrier), error = 0 (No Error)
Jan 18 11:32:06 localhost l2tpd[2917]: control_finish: Peer tried to disconnect
without specifying call ID
Jan 18 11:32:06 localhost l2tpd[2917]: check_control: control, cid = 0, Ns = 2,
Nr = 3
Jan 18 11:32:06 localhost l2tpd[2917]: handle_avps: handling avp's for tunnel 31
740, call 63497
Jan 18 11:32:06 localhost l2tpd[2917]: message_type_avp: message type 4 (Stop-Co
ntrol-Connection-Notification)
Jan 18 11:32:06 localhost l2tpd[2917]: assigned_tunnel_avp: using peer's tunnel
14
Jan 18 11:32:06 localhost l2tpd[2917]: result_code_avp: peer closing for reason
1 (General request to clear control connection), error = 0 (No Error)
I have:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group LOCAL
authorization-server-group LOCAL
no accounting-server-group
...and
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
(P.S. What I am trying to build here is a baseline config from which to slowly test features one by one in a debugging evironment, so please no "you should do it some other way" posts -- I really do want no-xauth, PSK phase1 with LOCAL database authentication and transport/agressive mode L2TP, and yes I know that's lousy security-wise.)
01-20-2007 04:12 AM
As requested :)
And for PIX:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800942ad.shtml
Please rate if this helped.
Regards,
Daniel
01-22-2007 06:18 AM
Not quite -- the first link is pretty much the same as the one I've been working from and the log cuts off too soon. The second is PIX, and ASA debug output is only sometimes the same as what's on the PIX units (my understanding is the PIX units have better debug output.)
So I still don't know if the message about PPP missing aaa servers is just normal noise. I did try configuring a radius server (even though I don't have one) and the debug message is still there even after using the old-style vpdn command the manual for that error message recommends.
More info on this problem: I've traced the L2TP chat from the client side, and it goes like so:
client sends SCCRQ
asa sends SCCRP
client sends SCCCN
client sends ICRQ
asa sends a ZLB in response to the SCCCN
asa sends a CDN to tear down the L2TP session
client sends a StopCCN in response to the CDN
The L2TP chat seems normal as far as I can see, except for the fact that the ASA hangs up right after the tunnel is established.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide