ASA 5505 doesn't seem to recognize L2TP packets

Hi, I just configured L2TP-over-IPsec on an ASA 5505 as described in the Cisco Configuration Guideline.

When I try to connect from a Windows machine nothing happens. So I captured UDP 1701 packets at the outside interface to see if these packets arrive at the outside interface at all. In the capture I can see the packets arriving as I thought they should. But the ASA doesn't seem to be too interested in these packets, because there is nothing happening at all.

I tried every debug command I could find in the CLI guide to check if there's anything that might help me debug, but it's as though the packets don't reach the ASA - but still I can see them arriving at the outside interface.

On the ASA there are also several L2L and VPN clients configured (static crypto maps and one dynamic map for the VPN clients) which work perfectly well - perhaps there's something preventing the ASA from processing these L2TP packets? (Ethereal confirms that these packets are valid L2TP on UDP 1701 when I fetch the capture file from the ASA.)

I hope anyone can give me a hint why the ASA doesn't like to process the L2TP packets, or else a hint how I can get some debug information, because without it I'm obviously not able to debug anything. That doesn't mean that I didn't check the config twice, three, four, five times so far.

Regards, Heiko

Reply to
wciibb

Heiko,

Hello.

I had a look at the Cisco WWW site and the following link proved really useful:

formatting link
A couple of key points:

Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.

The security appliance does not establish an L2TP/IPsec tunnel with Windows 2000 if either Cisco VPN Client 3.x or Cisco VPN 3000 Client 2.5 is installed.

Check it out, there is more detail to help you.

Regards

Darren

Reply to
darrenfgreen

On 28 Apr., 16:31, snipped-for-privacy@tiscali.co.uk wrote:

Hi Darren,

thanks for your reply.

Yes, that's the guide I used to configure the connection.

Yeah, I double-checked that it's the default group and not any other, as it is for the VPN clients. I even tried to configure L2TP with the VPN wizard from the ASDM, but nothing changed whatsoever.

The Windows machine I used to connect to the ASA previously had a VPN client installed, but I removed it completely before testing, so I don't run into any strange issues just because of the VPN client.

I found a registry key with which I can force the Windows machine to log any IPsec connection attempt into a logfile called C:\winnt\debug\oakley.log. What's interesting is that the only line in this logfile is "... Initialization ok" and that's all. Now I don't know whether Windows just didn't start anything else or whether it's because the ASA doesn't respond to the packets, because the capture does not show any reply packet for an incoming L2TP packet on UDP 1701 on the ASA.

Reply to
wciibb

Hi,

I'm in exactly the same situation with an ASA 5505. I do appear to be getting a 792 error on the L2TP (Windows) client, but I'm not sure if this is a red herring. If you're able to progress this, I'd really appreciate any additional info you can give, and vice versa.

Thanks, Rich

Reply to
rich.green

Turn off PFS on your dynamic crypto map. I don't know why it can't be on.

Example: no crypto dynamic-map outside_dyn_map 20 set pfs

Reply to
fullymeshed
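The fix from the reply above, as an added example that is not from this thread or from Cisco's guide: the dynamic crypto map for the Windows L2TP/IPsec client with the PFS line that breaks Phase 2, next to the corrected version and the commands to verify it. The map and transform-set names, sequence numbers and the assumption of an IKEv1 ASA 7.x/8.x release (as on the 5505 in the thread) are mine.

```cisco
! Added example, not the thread's or Cisco's own config. Names and sequence
! numbers (outside_dyn_map, outside_map, TRANS_ESP_3DES_SHA, 20, 65535) are assumed.
!
! The built-in Windows L2TP/IPsec client uses ESP in transport mode and, in its
! default configuration, sends no Diffie-Hellman exchange in IKE Quick Mode.
! A dynamic-map entry that requires PFS therefore rejects the client's Phase 2
! proposal: IKE Phase 1 completes, no IPsec SA is built, and the client
! eventually times out the negotiation.
!
! --- Before: Phase 2 fails for the Windows client ---
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! --- After: drop the PFS requirement from that dynamic-map entry only ---
no crypto dynamic-map outside_dyn_map 20 set pfs
! The static (LAN-to-LAN) entries of outside_map are separate and keep PFS.
!
! Caveat: without PFS the Phase 2 keys are derived from the Phase 1
! Diffie-Hellman secret, so a short Phase 1 lifetime on the ISAKMP policy
! limits how much traffic one compromised Phase 1 secret would expose.
!
! --- Verify (assumed commands; output layout varies by release) ---
! show running-config crypto dynamic-map   ! no "set pfs" under entry 20
! show crypto isakmp sa                    ! Phase 1 SA with the client
! show crypto ipsec sa                     ! transport-mode SA for UDP 1701
! debug crypto isakmp 127                  ! Quick Mode proposal now accepted
```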
