topic Re: ASA L2TP/IPSec issue with windows client in Network Security

ASA L2TP/IPSec issue with windows client

razzaque003 — Fri, 21 Feb 2020 16:52:02 GMT

Configuration on ASA 5506 and windows 10 client is pretty standard but the debug shows that the session drops after completing phase 2

What could be the issue? I have tried all registry fix as suggested on other discussions but it didn't help. Below is the debug output.

Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)

Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing hash payload
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing delete
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, Active unit receives a delete event for remote peer <client ip>.

Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 389120
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 MIB Table succeeded for SA with logical ID 389120
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE Deleting SA: Remote Proxy <client ip>, Local Proxy <ASA IP>
Feb 26 15:42:14 [IKEv1]MSG_FSM_QM lookup failed (handle 1)!
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE SA MM:83dac607 terminating: flags 0x01000802, refcnt 0, tuncnt 0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
Feb 26 15:42:14 [IKEv1]Ignoring msg to mark SA with dsID 389120 dead because SA deleted
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5

Please note that there is no manual request from user to terminate the session.

Re: ASA L2TP/IPSec issue with windows client

razzaque003 — Tue, 26 Feb 2019 13:36:06 GMT

Windows 10 fails to connect to the VPN. Message given is "The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices between you and the remote server is not configured to allow VPN connections. This is Error 809 (NAT-T)
Tried all fixes for this error from windows side but nothing worked.

Re: ASA L2TP/IPSec issue with windows client

LaFerrari — Tue, 26 Feb 2019 20:25:28 GMT

What happens if you use a different client like the shrew client? I had problems with an IPSec IKEv1 tunnel the other day and used shew and had to set it for a psk and xauth and then I got my tunnel working.

Re: ASA L2TP/IPSec issue with windows client

razzaque003 — Wed, 27 Feb 2019 06:43:34 GMT

Hi,

I tried using shew client. Can you please send me the settings of this client? I tried but it gives different errors with different settings.

Re: ASA L2TP/IPSec issue with windows client

LaFerrari — Wed, 27 Feb 2019 18:54:55 GMT

Sorry about the wait. In my notes I have this:

Shrew VPN Config:

IP
Authentication Mutual PSK + Xauth

Local Identity > FQDN > String is the connection tunnel
Credentials > Pre Shared Key > Add the PSK of the VPN tunnel