
Windows 7 L2TP/IPSEC connects but immediately disconnects

newbone1976
Level 1

Hi!

Does anyone have an idea what's wrong in my setup? I'm setting up a VPN from a Windows 7 client to an ASA5505, but it gets disconnected at once.

console:

4|Jun 17 2010|17:26:06|113019|||Group = DefaultRAGroup, Username = , IP = xx.xxx.x.xxx, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
6|Jun 17 2010|17:26:06|602304|||IPSEC: An outbound remote access SA (SPI= 0x1E17A2C0) between xx.xxx.x.xxx and xx.xxx.x.xxx (user= DefaultRAGroup) has been deleted.
6|Jun 17 2010|17:26:06|602304|||IPSEC: An inbound remote access SA (SPI= 0x38B99AF5) between xx.xxx.x.xxx and xx.xxx.x.xxx (user= DefaultRAGroup) has been deleted.
5|Jun 17 2010|17:26:06|713050|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy xx.xxx.x.xxx, Local Proxy xx.xxx.x.xxx
5|Jun 17 2010|17:26:06|713120|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, PHASE 2 COMPLETED (msgid=00000001)
6|Jun 17 2010|17:26:06|602303|||IPSEC: An inbound remote access SA (SPI= 0x38B99AF5) between xx.xxx.x.xxx and xx.xxx.x.xxx (user= DefaultRAGroup) has been created.
5|Jun 17 2010|17:26:06|713049|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Security negotiation complete for User ()  Responder, Inbound SPI = 0x38b99af5, Outbound SPI = 0x1e17a2c0
6|Jun 17 2010|17:26:06|602303|||IPSEC: An outbound remote access SA (SPI= 0x1E17A2C0) between xx.xxx.x.xxx and xx.xxx.x.xxx (user= DefaultRAGroup) has been created.
3|Jun 17 2010|17:26:06|713122|||IP = xx.xxx.x.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)
3|Jun 17 2010|17:26:06|713119|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, PHASE 1 COMPLETED
6|Jun 17 2010|17:26:06|113009|||AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup
4|Jun 17 2010|17:26:06|713903|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Freeing previously allocated memory for authorization-dn-attributes
6|Jun 17 2010|17:26:06|713172|||Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

log:

ciscoasa# Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Oakley proposal is acceptable
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Received NAT-Traversal RFC VID
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Received NAT-Traversal ver 02 VID
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Received Fragmentation VID
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing IKE SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 2
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing ISAKMP SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing NAT-Traversal VID ver 02 payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing Fragmentation VID + extended capabilities payload
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 260
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing ke payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing ISA_KE payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing nonce payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing NAT-Discovery payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, computing NAT Discovery hash
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, processing NAT-Discovery payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, computing NAT Discovery hash
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing ke payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing nonce payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing Cisco Unity VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing xauth V6 VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Send IOS VID
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing VID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing NAT-Discovery payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, computing NAT Discovery hash
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, constructing NAT-Discovery payload
Jun 17 17:12:47 [IKEv1 DEBUG]: IP = xx.xxx.x.xxx, computing NAT Discovery hash
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, Connection landed on tunnel_group DefaultRAGroup
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Generating keys for Responder...
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing ID payload
Jun 17 17:12:47 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, ID_IPV4_ADDR ID received
xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Computing hash for ISAKMP
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, Connection landed on tunnel_group DefaultRAGroup
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Freeing previously allocated memory for authorization-dn-attributes
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing ID payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Computing hash for ISAKMP
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing dpd vid payload
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, PHASE 1 COMPLETED
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, Keep-alive type for this connection: None
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Starting P1 rekey timer: 21600 seconds.
Jun 17 17:12:47 [IKEv1 DECODE]: IP = xx.xxx.x.xxx, IKE Responder starting QM: msg id = 00000001
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing nonce payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing ID payload
Jun 17 17:12:47 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, ID_IPV4_ADDR ID received
xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Received remote Proxy Host data in ID Payload:  Address xx.xxx.x.xxx, Protocol 17, Port 1701
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing ID payload
Jun 17 17:12:47 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, ID_IPV4_ADDR ID received
xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Received local Proxy Host data in ID Payload:  Address xx.xxx.x.xxx, Protocol 17, Port 1701
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, L2TP/IPSec session detected.
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing NAT-Original-Address payload
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, QM IsRekeyed old sa not found by addr
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Static Crypto Map check, checking map = outside_map, seq = 10...
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:xx.xxx.x.xxx dst:xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE Remote Peer configured for crypto map: outside_dyn_map
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing IPSec SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IPSec SA Proposal # 2, Transform # 1 acceptable  Matches global IPSec SA entry # 5
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0x03EF7090,
    SCB: 0x0396EBD0,
    Direction: inbound
    SPI      : 0x224D487B
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE got SPI from key engine: SPI = 0x224d487b
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, oakley constucting quick mode
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing blank hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing IPSec SA payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing IPSec nonce payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing proxy ID
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Transmitting Proxy Id:
  Remote host: xx.xxx.x.xxx  Protocol 17  Port 0
  Local host:  xx.xxx.x.xxx  Protocol 17  Port 1701
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing NAT-Original-Address payload
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, NAT-Traversal sending NAT-Original-Address payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing qm hash payload
Jun 17 17:12:47 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE Responder sending 2nd QM pkt: msg id = 00000001
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 172
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, loading all IPSEC SAs
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Generating Quick Mode Key!
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Generating Quick Mode Key!
IPSEC: New embryonic SA created @ 0x0175CE20,
    SCB: 0x0175CD60,
    Direction: outbound
    SPI      : 0xA5C3B052
    Session ID: 0x00000009
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xA5C3B052
IPSEC: Creating outbound VPN context, SPI 0xA5C3B052
    Flags: 0x00000225
    SA   : 0x0175CE20
    SPI  : 0xA5C3B052
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x0175CD60
    Channel: 0x0174FC00
IPSEC: Completed outbound VPN context, SPI 0xA5C3B052
    VPN handle: 0x0023E0C4
IPSEC: New outbound encrypt rule, SPI 0xA5C3B052
    Src addr: xx.xxx.x.xxx
    Src mask: 255.255.255.255
    Dst addr: xx.xxx.x.xxx
    Dst mask: 255.255.255.255
    Src ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xA5C3B052
    Rule ID: 0x0396EC60
IPSEC: New outbound permit rule, SPI 0xA5C3B052
    Src addr: xx.xxx.x.xxx
    Src mask: 255.255.255.255
    Dst addr: xx.xxx.x.xxx
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0xA5C3B052
    Rule ID: 0x0175DAA0
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Security negotiation complete for User ()  Responder, Inbound SPI = 0x224d487b, Outbound SPI = 0xa5c3b052
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE got a KEY_ADD msg for SA: SPI = 0xa5c3b052
IPSEC: Completed host IBSA update, SPI 0x224D487B
IPSEC: Creating inbound VPN context, SPI 0x224D487B
    Flags: 0x00000226
    SA   : 0x03EF7090
    SPI  : 0x224D487B
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0023E0C4
    SCB  : 0x0396EBD0
    Channel: 0x0174FC00
IPSEC: Completed inbound VPN context, SPI 0x224D487B
    VPN handle: 0x00252C5C
IPSEC: Updating outbound VPN context 0x0023E0C4, SPI 0xA5C3B052
    Flags: 0x00000225
    SA   : 0x0175CE20
    SPI  : 0xA5C3B052
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00252C5C
    SCB  : 0x0175CD60
    Channel: 0x0174FC00
IPSEC: Completed outbound VPN context, SPI 0xA5C3B052
    VPN handle: 0x0023E0C4
IPSEC: Completed outbound inner rule, SPI 0xA5C3B052
    Rule ID: 0x0396EC60
IPSEC: Completed outbound outer SPD rule, SPI 0xA5C3B052
    Rule ID: 0x0175DAA0
IPSEC: New inbound tunnel flow rule, SPI 0x224D487B
    Src addr: xx.xxx.x.xxx
    Src mask: 255.255.255.255
    Dst addr: xx.xxx.x.xxx
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 1701
      Lower: 1701
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x224D487B
    Rule ID: 0x0396DF48
IPSEC: New inbound decrypt rule, SPI 0x224D487B
    Src addr: xx.xxx.x.xxx
    Src mask: 255.255.255.255
    Dst addr: xx.xxx.x.xxx
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x224D487B
    Rule ID: 0x01B1C268
IPSEC: New inbound permit rule, SPI 0x224D487B
    Src addr: xx.xxx.x.xxx
    Src mask: 255.255.255.255
    Dst addr: xx.xxx.x.xxx
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x224D487B
    Rule ID: 0x0175C7F8
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Pitcher: received KEY_UPDATE, spi 0x224d487b
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Starting P2 rekey timer: 3420 seconds.
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, PHASE 2 COMPLETED (msgid=00000001)
Jun 17 17:12:47 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <xx.xxx.x.xxx> mask <0xFFFFFFFF> port <4500>
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE RECEIVED Message (msgid=e4a0acba) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, processing delete
Jun 17 17:12:47 [IKEv1]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy xx.xxx.x.xxx, Local Proxy xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, Active unit receives a delete event for remote peer xx.xxx.x.xxx.

Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE Deleting SA: Remote Proxy xx.xxx.x.xxx, Local Proxy xx.xxx.x.xxx
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE SA MM:96ad4cb0 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, IKE SA MM:96ad4cb0 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, sending delete/delete with reason message
IPSEC: Deleted inbound decrypt rule, SPI 0x224D487B
    Rule ID: 0x01B1C268
IPSEC: Deleted inbound permit rule, SPI 0x224D487B
    Rule ID: 0x0175C7F8
IPSEC: Deleted inbound tunnel flow rule, SPI 0x224D487B
    Rule ID: 0x0396DF48
IPSEC: Deleted inbound VPN context, SPI 0x224D487B
    VPN handle: 0x00252C5C
IPSEC: Deleted outbound encrypt rule, SPI 0xA5C3B052
    Rule ID: 0x0396EC60
IPSEC: Deleted outbound permit rule, SPI 0xA5C3B052
    Rule ID: 0x0175DAA0
IPSEC: Deleted outbound VPN context, SPI 0xA5C3B052
    VPN handle: 0x0023E0C4
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing blank hash payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing IKE delete payload
Jun 17 17:12:47 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xxx.x.xxx, constructing qm hash payload
Jun 17 17:12:47 [IKEv1]: IP = xx.xxx.x.xxx, IKE_DECODE SENDING Message (msgid=55be33f9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 17 17:12:47 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x224d487b
Jun 17 17:12:47 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xa5c3b052
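
Read bottom-up, the console export above shows both IKE phases completing and the peer then deleting the SAs with zero bytes transferred. As an added example (not part of the original post and not Cisco tooling), this Python script parses the same ASDM export layout and classifies each peer by how far its connection got; the sample lines, the addresses and the verdict labels are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ASDM export layout used in the post
# (severity|date|time|syslog-id|||text, newest line first). Addresses are
# documentation ranges, not values from the thread.
SAMPLE = """\
4|Jun 17 2010|17:40:10|113019|||Group = DefaultRAGroup, Username = , IP = 198.51.100.9, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:12m:30s, Bytes xmt: 48211, Bytes rcv: 9120, Reason: User Requested
5|Jun 17 2010|17:27:40|713120|||Group = DefaultRAGroup, IP = 198.51.100.9, PHASE 2 COMPLETED (msgid=00000001)
3|Jun 17 2010|17:27:40|713119|||Group = DefaultRAGroup, IP = 198.51.100.9, PHASE 1 COMPLETED
3|Jun 17 2010|17:27:02|713119|||Group = DefaultRAGroup, IP = 198.51.100.8, PHASE 1 COMPLETED
4|Jun 17 2010|17:26:06|113019|||Group = DefaultRAGroup, Username = , IP = 198.51.100.7, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Jun 17 2010|17:26:06|713050|||Group = DefaultRAGroup, IP = 198.51.100.7, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 198.51.100.7, Local Proxy 203.0.113.1
5|Jun 17 2010|17:26:06|713120|||Group = DefaultRAGroup, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=00000001)
3|Jun 17 2010|17:26:06|713119|||Group = DefaultRAGroup, IP = 198.51.100.7, PHASE 1 COMPLETED
"""

SESSION = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s, Bytes xmt: (\d+), "
                     r"Bytes rcv: (\d+), Reason: (.+)$")
PEER = re.compile(r"IP = ([^,]+),")


def parse_asdm(text):
    """Return events oldest-first as dicts: when, syslog id, peer IP, text."""
    events = []
    for line in reversed(text.strip().splitlines()):    # export is newest-first
        parts = line.split("|", 6)
        if len(parts) != 7:
            continue                                    # not an ASDM record
        _sev, date, time, msgid, _, _, msg = parts
        peer = PEER.search(msg)
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S"),
            "id": msgid,
            "peer": peer.group(1) if peer else None,
            "msg": msg,
        })
    return sorted(events, key=lambda e: e["when"])      # stable: ties keep order


def triage(events):
    """Classify each peer by how far the connection got before it ended."""
    verdicts = {}
    for peer in {e["peer"] for e in events if e["peer"]}:
        mine = [e for e in events if e["peer"] == peer]
        ids = {e["id"] for e in mine}
        end = next((SESSION.search(e["msg"]) for e in mine if e["id"] == "113019"), None)
        zero = bool(end) and all(int(end.group(i)) == 0 for i in range(1, 6))
        if "713119" not in ids:
            verdicts[peer] = "phase1-incomplete"
        elif "713120" not in ids:
            verdicts[peer] = "phase2-incomplete"
        elif zero:
            # Both IKE phases completed, so the proposals matched; the session
            # then ended after 0 seconds with no bytes in either direction.
            by_peer = any(e["id"] == "713050" and "Peer Terminate" in e["msg"]
                          for e in mine)
            verdicts[peer] = "ipsec-up-then-" + ("peer-delete" if by_peer else "zero-byte-drop")
        else:
            verdicts[peer] = "established"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in sorted(triage(parse_asdm(SAMPLE)).items()):
        print(peer, verdict)
```

A peer classified `ipsec-up-then-peer-delete` matches the pattern in the post: the IKE negotiation succeeded and the teardown came from the client side before any payload traffic.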

1 Reply

jackdobiash
Level 1

I too would like to chime in on this issue; I am having the exact same problem. My ASA 5505 came with 8.3(1) and I was unable to establish an L2TP/IPSEC connection with either Windows 7 or Windows XP. I found out that they had supposedly fixed this issue in an interim release of 8.3(1), so I tried it out; it seemed to fix it for Windows XP, but Windows 7 still didn't work. The only way I've been able to get a Windows 7 client to connect via L2TP is to downgrade the IOS back to 8.2(2); then it works fine.

If anyone from Cisco reads this, could you check into why Windows 7 (and possibly Vista) clients are still having issues even with the latest interim version (8.3(1)-6)? Thanks!
