Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1671
Views
0
Helpful
2
Replies

Phase 2 completes, but not L2TP (ASA7.2(2))

b.julin
Level 3
Level 3

‎01-18-2007 09:16 AM

If someone would be so kind, I need to see what a normal ASA 7.2 w/L2TP setup debug log looks like, with all the isakmp,ipsec,l2tp,ppp debug flags flying.

The configuration I've been most closely following this instruction set here with some mods (specifically, for now, I want LOCAL auth on the L2TP/PPP session, and no xauth.)

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

...that file stops short of showing anything past phase 2 completion and no l2tp debug -- and that's exactly where I get stuck.

My log says this, but of course who knows if the message about PPP aaa is the hanging-up point or just normal noise:

%ASA-6-302015: Built inbound UDP connection 210 for isp1:xx.xx.xx.33/1701 (xx.xx.xx.33/1701) to NP Identity Ifc:xx.xx.xx.210/1701 (xx.xx.xx.210/1701)

%ASA-4-403107: PPP virtual interface 1 missing aaa server group info

%ASA-7-713906: Group = DefaultRAGroup, IP = xx.xx.xx.33, IKE SA AM:1620bd99 rcv'd Terminate: state AM_ACTIVE flags 0x00010041, refcnt 1, tuncnt 1

%ASA-7-713906: Group = DefaultRAGroup, IP = xx.xx.xx.33, sending delete/delete with reason message

...now the L2TP debug messages seem to be interleaved and manage to make it out to the console faster than those from IPSEC, and they read as such:

L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <xx.xx.xx.33> mask <255.255.255.255> port <1701>

L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP xx.xx.xx.33, peer port 1701

L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1> np_rule_id <0x4bd4c78>

L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP xx.xx.xx.33, peer port 1701

L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1> np_rule_id <0x4c061a0>

L2TP LOWERLAYER: l2tp_punt_service_callback() ch:<0x172e950>, flow:<0x1a7836> inVpifNum<1:isp1> outVpifNum<0:NP Identity Ifc>

L2TP PACKET: vPifNum:<1> proto<UDP> saddr<xx.xx.xx.33> daddr<xx.xx.xx.210> sport<1701> dport<1701>

L2TP PACKET:

dest_ip <xx.xx.xx.33>, dest_port <1701>, ipsec_ident<0x39>, vPifNum <1:isp1>, channel: <0x172e8f0>

L2TP LOWERLAYER: PUNT CONSUMED!

(and these last few lines repeat a few times and then...)

L2TP LOWERLAYER: Succeed to delete classification rule: 0x4bd4c78

L2TP LOWERLAYER: Succeed to delete classification rule: 0x4c061a0

...On the other side, l2tpd seems to be working fine at first, it chats with the ASA for a while exchanging parameters and such, and then suddenly barfs this:

Jan 18 11:32:06 localhost l2tpd[2917]: result_code_avp: peer closing for reason

1 (Call disconnected due to loss of carrier), error = 0 (No Error)

Jan 18 11:32:06 localhost l2tpd[2917]: control_finish: Peer tried to disconnect

without specifying call ID

Jan 18 11:32:06 localhost l2tpd[2917]: check_control: control, cid = 0, Ns = 2,

Nr = 3

Jan 18 11:32:06 localhost l2tpd[2917]: handle_avps: handling avp's for tunnel 31

740, call 63497

Jan 18 11:32:06 localhost l2tpd[2917]: message_type_avp: message type 4 (Stop-Co

ntrol-Connection-Notification)

Jan 18 11:32:06 localhost l2tpd[2917]: assigned_tunnel_avp: using peer's tunnel

14

Jan 18 11:32:06 localhost l2tpd[2917]: result_code_avp: peer closing for reason

1 (General request to clear control connection), error = 0 (No Error)

I have:

tunnel-group DefaultRAGroup general-attributes

authentication-server-group LOCAL

authorization-server-group LOCAL

no accounting-server-group

...and

tunnel-group DefaultRAGroup ppp-attributes

no authentication pap

authentication chap

(P.S. What I am trying to build here is a baseline config from which to slowly test features one by one in a debugging evironment, so please no "you should do it some other way" posts -- I really do want no-xauth, PSK phase1 with LOCAL database authentication and transport/agressive mode L2TP, and yes I know that's lousy security-wise.)

Labels:
0 Helpful
2 Replies 2

b.julin
Level 3
Level 3
In response to 5220

‎01-22-2007 06:18 AM

Not quite -- the first link is pretty much the same as the one I've been working from and the log cuts off too soon. The second is PIX, and ASA debug output is only sometimes the same as what's on the PIX units (my understanding is the PIX units have better debug output.)

So I still don't know if the message about PPP missing aaa servers is just normal noise. I did try configuring a radius server (even though I don't have one) and the debug message is still there even after using the old-style vpdn command the manual for that error message recommends.

More info on this problem: I've traced the L2TP chat from the client side, and it goes like so:

client sends SCCRQ

asa sends SCCRP

client sends SCCCN

client sends ICRQ

asa sends a ZLB in response to the SCCCN

asa sends a CDN to tear down the L2TP session

client sends a StopCCN in response to the CDN

The L2TP chat seems normal as far as I can see, except for the fact that the ASA hangs up right after the tunnel is established.

0 Helpful
Customers Also Viewed These Support Documents