https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583346#M593086 <P>My question is I cannot tell from the ASA's response if it actually took my no-xauth command</P><P></P><P>I started with this</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 type ipsec-l2l</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> pre-shared-key *****</SPAN></P><P></P><P></P><P>issued these commands</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">isakmp peer ip 69.X.X.170 no-xauth</SPAN></P><P></P><P></P><P>and got this</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 type ipsec-l2l</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 general-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> pre-shared-key *****</SPAN></P><P></P><P></P><P>Does the addition of the general-attributes line mean the no-xauth is effective? </P> Mon, 11 Mar 2019 19:42:09 GMT lcaruso 2019-03-11T19:42:09Z https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583346#M593086 <P>My question is I cannot tell from the ASA's response if it actually took my no-xauth command</P><P></P><P>I started with this</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 type ipsec-l2l</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> pre-shared-key *****</SPAN></P><P></P><P></P><P>issued these commands</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">isakmp peer ip 69.X.X.170 no-xauth</SPAN></P><P></P><P></P><P>and got this</P><P></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 type ipsec-l2l</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 general-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">tunnel-group 69.X.X.170 ipsec-attributes</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> pre-shared-key *****</SPAN></P><P></P><P></P><P>Does the addition of the general-attributes line mean the no-xauth is effective? </P> Mon, 11 Mar 2019 19:42:09 GMT https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583346#M593086 lcaruso 2019-03-11T19:42:09Z https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583347#M593087 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The no xauth is not effective.</P><P></P><P>By default the tunnel group has some general attributes, hence it will always come in the output of sh tunnel-group.</P><P></P><P>you need to configure the following to disable the xauth:</P><P><SPAN class="content"><PRE>ASA(config)#<STRONG>tunnel-group example-group ipsec-attributes</STRONG> ASA(config-tunnel-ipsec)#<STRONG>isakmp ikev1-user-authentication none</STRONG> </PRE></SPAN></P><P><BR />The following link will explain the same.</P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21">http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21</A></P><P></P><P>Regards,</P><P>Anisha</P><P></P><P>P.S.: please mark this thread as answered if you feel your query is resolved.</P></BODY></HTML> Sun, 30 Jan 2011 17:33:31 GMT https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583347#M593087 andamani 2011-01-30T17:33:31Z https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583348#M593088 <HTML><HEAD></HEAD><BODY><P>Thank you!</P></BODY></HTML> Mon, 31 Jan 2011 00:43:41 GMT https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583348#M593088 lcaruso 2011-01-31T00:43:41Z https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583349#M593089 <HTML><HEAD></HEAD><BODY><P>Is it possible to have it show this is enabled somehow? </P></BODY></HTML> Wed, 02 Feb 2011 01:18:08 GMT https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583349#M593089 lcaruso 2011-02-02T01:18:08Z https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583350#M593090 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you read the link a bit more in detail. you will notice the following line:</P><P><SPAN class="content">If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails with "<STRONG><EM>CONF_XAUTH</EM></STRONG> " in the output of the <STRONG>show crypto isakmp sa</STRONG> command.</SPAN></P><P><SPAN class="content"></SPAN></P><P><SPAN class="content">So by default it will ask for xauth if the above condition is met.</SPAN></P><P><SPAN class="content"></SPAN></P><P><SPAN class="content">we can check the hidden configuration by the command "sh run all" or if you want to check the same for the tunnel group, you can input "sh run all tunnel-group <XYZ>".</XYZ></SPAN></P><P><SPAN class="content"></SPAN></P><P><SPAN class="content">Regards,</SPAN></P><P><SPAN class="content">Anisha</SPAN></P><P><SPAN class="content"></SPAN></P><P><SPAN class="content">P.S.: please rate helpful posts</SPAN></P></BODY></HTML> Wed, 02 Feb 2011 16:42:15 GMT https://community.cisco.com/t5/network-security/tunnel-group-xauth/m-p/1583350#M593090 andamani 2011-02-02T16:42:15Z