ASA 5505 doesn't seem to recognize L2TP packets

Discussion in 'Cisco' started by wciibb, Apr 28, 2007.

    Hi, I just configured L2TP-over-IPsec on an ASA 5505 as described in the
    Cisco Configuration Guideline.

    When I try to connect from a Windows machine nothing happens. So I
    captured UDP 1701 packets at the outside interface to see if these
    packets arrive at the outside interface at all. In the capture I can
    see the packets arriving as I thought they should. But the ASA doesn't
    seem to be very interested in these packets, because there is nothing
    happening at all.

    I tried every debug command I could find in the CLI guide to check if
    there's anything that might help me debug, but it's as though the
    packets don't reach the ASA - but still I can see them arriving at
    the outside interface.

    On the ASA there are also several L2L tunnels and VPN clients configured
    (static crypto maps and one dynamic map for the VPN clients) which work
    perfectly well - perhaps there's something preventing the ASA from
    processing these L2TP packets? (Ethereal confirms that these packets are
    valid L2TP on UDP 1701 when I fetch the capture file from the ASA.)

    I hope someone can give me a hint why the ASA doesn't like to process
    the L2TP packets, or alternatively a hint how I can get some debug
    information, because without it I'm obviously not able to debug anything.
    That doesn't mean that I didn't check the config twice, three, four,
    five times so far.

    wciibb, Apr 28, 2007
    I had a look on the Cisco website and the following link proved
    really useful:

    A couple of key points:

    Use only the default tunnel group and default group policy on the
    Cisco PIX/ASA. User-defined policies and groups do not work.

    The security appliance does not establish an L2TP/IPsec tunnel with
    Windows 2000 if either Cisco VPN Client 3.x or Cisco VPN 3000 Client
    2.5 is installed.

    Check it out, there is more detail to help you.


    darrenfgreen, Apr 28, 2007
    On 28 Apr., 16:31, wrote:
    Hi Darren,

    thanks for your reply.
    Yes, that's the guide I used to configure the connection.
    Yeah, I double-checked that it's the default group and not any
    other, as it is for the VPN clients. I even tried to configure the L2TP
    with the VPN wizard from the ASDM, but nothing changed whatsoever.
    The Windows machine I used to connect to the ASA previously had a VPN
    client installed, but I removed it completely before testing, so I
    don't run into any strange issues just because of the VPN client.

    I found a registry key with which I can force the Windows machine to
    log any IPsec connection attempt into a logfile called C:\winnt\debug
    \oakley.log. What's interesting about it is that the only line in this
    logfile is "... Initialization ok" and that's all. Now I don't know
    whether Windows just didn't start anything else or whether it's because
    the ASA doesn't respond to the packets, because the capture does not
    show any reply packet for an incoming L2TP packet on UDP 1701 on the
    wciibb, Apr 29, 2007
    I'm in exactly the same situation with an ASA 5505. I do appear to be
    getting a 792 error on the L2TP (Windows) client, but I'm not sure if
    this is a red herring. If you're able to progress this, I'd really
    appreciate any additional info you can give, and vice versa.

, Jun 7, 2007

    Turn off PFS on your dynamic crypto map. I don't know why it can't be

    no crypto dynamic-map outside_dyn_map 20 set pfs
    fullymeshed, Jun 8, 2007
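To put the fix from the last post next to the setting it replaces, here is an added ASA configuration fragment; it is not the poster's running config or Cisco's guide text, and the interface, map, pool and transform-set names as well as the address range are assumed. The reason the PFS line matters is that the built-in Windows L2TP/IPsec client does not propose a PFS group in quick mode, so a dynamic-map entry that requires PFS rejects every phase 2 proposal from it. The capture at the end is there because a filter on UDP 1701 alone, as in the first post, never shows the ISAKMP (UDP 500/4500) and ESP traffic that has to succeed before any L2TP packet is accepted.

```cisco
! Added example, not the poster's configuration. Names and addresses are assumed.

! --- Weak/broken setting: PFS required on the dynamic map used by remote clients ---
crypto dynamic-map outside_dyn_map 20 set pfs

! --- Corrected: remove the PFS requirement from that dynamic-map entry ---
no crypto dynamic-map outside_dyn_map 20 set pfs

! --- Rest of an L2TP/IPsec remote-access setup (assumed object names) ---
ip local pool L2TP_POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! L2TP/IPsec runs ESP in transport mode, not the tunnel mode a site-to-site map uses
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! Default tunnel-group and group-policy only, per the thread's first key point
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ********
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

! --- Checks ---
! 1. Confirm no "set pfs" line remains under the dynamic map
show running-config crypto dynamic-map

! 2. Capture the whole exchange, not just UDP 1701: IKE, NAT-T and ESP come first
access-list CAP_ACL extended permit udp any any eq 500
access-list CAP_ACL extended permit udp any any eq 4500
access-list CAP_ACL extended permit esp any any
access-list CAP_ACL extended permit udp any any eq 1701
capture L2TPCAP access-list CAP_ACL interface outside

! 3. Watch phase 1 and phase 2 while the Windows client dials in
debug crypto isakmp 127
debug crypto ipsec 127
```

If the capture shows UDP 500 requests with no ISAKMP replies, phase 1 is the problem (policy or pre-shared key); if phase 1 completes and the debugs show the quick-mode proposal being rejected, the PFS or transform-set mismatch above is the usual cause.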
