12-30-2013 03:58 AM - edited 03-11-2019 08:23 PM
I am having trouble with L2TP pass through on an ASA 5505 device.
L2TP server: OSX 10.6
I can connect with any OSX system and it works fine straight away.
When connecting with a Windows computer I get a 789 error. "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
I did not set up or configure the device to start with, and apart from this issue it's working fine, so I am hesitant to mess around too much to try and find the problem.
I am using the ASDM 6.4 to manage the device.
Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
I'm just looking for other common issues.
Rob
01-03-2014 02:54 AM
Is it all Windows computers you are experiencing this issue with, or just one specific computer? Did you use ASDM to configure the L2TP?
Could you post a full sanitized running configuration of your ASA, please?
--
Please remember to rate and select a correct answer
01-03-2014 03:14 AM
It is all Windows computers trying to connect to the L2TP server.
I didn't use ASDM to configure it; I have inherited it from someone else. So I am a little unsure how to use it, as I am new to the Cisco side of things.
As far as I can see, L2TP pass-through (port forwarding) is set up correctly to the Mac server acting as the L2TP server.
The error seems to point to a NAT issue that is interrupting the encrypted connection to the OSX server. But it works fine from any OSX computer.
Sorry for my stupidity, but how do I do a full sanitized configuration? Obviously I don't want to post any information that should not be seen, to avoid compromising security.
Rob
01-03-2014 03:27 AM
On the ASA, issue the following command:
show running-configuration
Then go through the configuration and remove or X out any public IPs or passwords.
--
Please remember to rate and select a correct answer
01-07-2014 02:22 AM
I have the running config, but it is rather large and will take a while to remove IPs / passwords.
Is there any specific bit you will be looking at, or will you need the entire running config?
Shall I remove internal IPs as well as public IPs, if you want me to post the entire thing?
Rob
01-07-2014 11:22 PM
You do not need to remove the internal/private IPs... just the public ones.
We could start by looking at the crypto configuration, group-policy and tunnel-group:
show run crypto
show run group-policy
show run tunnel-group
Also include the following outputs, please:
show vpn-sessiondb detail remote filter protocol L2TPOverIPsec
show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT
--
Please remember to rate and select a correct answer
01-08-2014 01:39 AM
Below are the commands you wanted.
Where you see: IPNOTWHATIWASEXPECTING
this is an IP I don't know, possibly an old IP address.
and
default-domain value domain-notcorrect.local
this is an old domain from years ago.
Result of the command: "show run crypto"
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map-dynamic 1 set pfs group5
crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 2 set pfs
crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 3 set pfs
crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address acl-amzn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
crypto map outside_map 2 set transform-set transform-amzn
crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption aes-192
hash sha
group 1
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 22
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 23
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 32
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 33
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 34
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Result of the command: "show run group-policy"
group-policy evertest internal
group-policy evertest attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy petero internal
group-policy petero attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy awsfilter internal
group-policy awsfilter attributes
vpn-filter value amzn-filter
group-policy vpnpptp internal
group-policy vpnpptp attributes
dns-server value 10.100.25.252
vpn-tunnel-protocol l2tp-ipsec
group-policy vanheelm internal
group-policy vanheelm attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy ciscoVPNuser internal
group-policy ciscoVPNuser attributes
dns-server value 10.100.25.10
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy chauhanv2 internal
group-policy chauhanv2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy oterop internal
group-policy oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy Oterop internal
group-policy Oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
group-policy chauhanv internal
group-policy chauhanv attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy bnixon2 internal
group-policy bnixon2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
Result of the command: "show run tunnel-group"
tunnel-group ciscoVPNuser type remote-access
tunnel-group ciscoVPNuser general-attributes
address-pool vpnippool
default-group-policy ciscoVPNuser
tunnel-group ciscoVPNuser ipsec-attributes
pre-shared-key *****
tunnel-group petero type remote-access
tunnel-group petero general-attributes
address-pool vpnippool
default-group-policy petero
tunnel-group petero ipsec-attributes
pre-shared-key *****
tunnel-group oterop type remote-access
tunnel-group oterop general-attributes
address-pool vpnippool
default-group-policy oterop
tunnel-group oterop ipsec-attributes
pre-shared-key *****
tunnel-group vanheelm type remote-access
tunnel-group vanheelm general-attributes
address-pool vpnippool
default-group-policy vanheelm
tunnel-group vanheelm ipsec-attributes
pre-shared-key *****
tunnel-group chauhanv type remote-access
tunnel-group chauhanv general-attributes
default-group-policy chauhanv
tunnel-group Oterop type remote-access
tunnel-group Oterop general-attributes
default-group-policy Oterop
tunnel-group chauhanv2 type remote-access
tunnel-group chauhanv2 general-attributes
address-pool vpnippool
default-group-policy chauhanv2
tunnel-group chauhanv2 ipsec-attributes
pre-shared-key *****
tunnel-group bnixon2 type remote-access
tunnel-group bnixon2 general-attributes
address-pool vpnippool
default-group-policy bnixon2
tunnel-group bnixon2 ipsec-attributes
pre-shared-key *****
tunnel-group vpnpptp type remote-access
tunnel-group vpnpptp general-attributes
address-pool vpnippool
default-group-policy vpnpptp
tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
pre-shared-key *****
tunnel-group evertest type remote-access
tunnel-group evertest general-attributes
address-pool vpnippool
default-group-policy evertest
tunnel-group evertest ipsec-attributes
pre-shared-key *****
tunnel-group evertest ppp-attributes
authentication ms-chap-v2
tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
pre-shared-key *****
tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
INFO: There are presently no active sessions of the type specified
---
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
INFO: There are presently no active sessions of the type specified
01-20-2014 12:59 AM
Did you manage to have a look through this for me? Can you see anything that would stop it working on a Windows computer?
Thanks,
Rob
01-20-2014 01:05 AM
Could you post your ACL configuration and NAT statements, please?
I am thinking this might be an issue with the OSX server and not the ASA.
--
Please remember to rate and select a correct answer
01-20-2014 01:06 AM
Has this worked before?
--
Please remember to rate and select a correct answer
01-20-2014 03:49 AM
This works perfectly fine from a Mac client, just not from a Windows one.
What are the commands for the NAT statements and ACL configuration?
I'm pushing to move it off the Mac server and run it directly from the Cisco device.
Rob
01-20-2014 03:51 AM
But the current setup that is having the issue is when connecting to the OSX server, correct?
show run access-list
show run nat
--
Please remember to rate and select a correct answer
01-20-2014 04:01 AM
I am only having the issue when Windows clients try to connect to the VPN; it seems to work fine with OSX clients.
Show run ACL:
Result of the command: "show run access-list"
access-list vpnsplittunnel extended permit ip 10.100.25.0 255.255.255.0 any
access-list acl-outside extended permit icmp any any unreachable
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit tcp any host x.x.x.170 eq smtp
access-list acl-outside extended permit icmp any any source-quench
access-list acl-outside extended permit icmp any any time-exceeded
access-list acl-outside extended permit tcp any host x.x.x.170 eq www
access-list acl-outside extended permit tcp any host x.x.x.170 eq https
access-list acl-outside extended permit tcp any any eq imap4
access-list acl-outside extended permit tcp any any eq pop3
access-list acl-outside extended permit tcp any any eq 993
access-list acl-outside extended permit tcp host 216.66.35.71 any eq 3306
access-list acl-outside extended permit udp any any eq 993
access-list acl-outside extended permit tcp any any eq 995
access-list acl-outside extended permit tcp x.x.x.32 255.255.255.224 any eq 3389
access-list acl-outside extended permit tcp any host x.x.x.172 eq pptp
access-list acl-outside extended permit udp any host x.x.x.172 object-group DM_INLINE_UDP_1
access-list acl-outside extended permit udp any host x.x.x.172 eq isakmp
access-list acl-outside remark Host internal website to outside worlds.
access-list acl-outside remark Steves Project
access-list acl-outside extended permit tcp any host x.x.x.172 object-group DM_INLINE_TCP_1
access-list acl-outside extended permit ip host x.x.x.40 host x.x.x.174
access-list acl-outside extended permit ip host x.x.x.44 host x.x.x.174
access-list acl-inside extended permit tcp any any eq www
access-list acl-inside extended permit tcp any any eq https
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit udp any any eq ntp
access-list acl-inside extended permit tcp any any eq 993
access-list acl-inside extended permit tcp any any eq 587
access-list acl-inside extended permit tcp any any eq 1863
access-list acl-inside extended permit tcp any any eq 2020
access-list acl-inside extended permit tcp any any eq 995
access-list acl-inside extended permit tcp any any eq ssh
access-list acl-inside extended permit tcp any any eq pop3
access-list acl-inside extended permit udp any any eq domain
access-list acl-inside extended permit tcp any any eq imap4
access-list acl-inside extended permit tcp any any eq smtp
access-list acl-inside extended permit tcp any any eq ftp
access-list acl-inside extended permit tcp any any eq 5222
access-list acl-inside extended permit tcp any any eq 3389
access-list acl-inside extended permit tcp any any eq 465
access-list acl-inside extended permit tcp any any eq 8443
access-list acl-inside extended permit tcp any any eq ldap
access-list acl-inside extended permit udp any any eq isakmp
access-list acl-inside extended permit udp any any eq 4500
access-list acl-inside extended permit tcp any any eq domain
access-list acl-inside extended permit tcp any any eq 6522
access-list acl-inside extended permit udp any any eq 995
access-list acl-inside extended permit udp any any eq 993
access-list acl-inside extended permit tcp any any eq 5900
access-list acl-inside extended permit tcp any any eq 8081
access-list acl-inside extended permit tcp any any eq 10000
access-list acl-inside extended permit tcp any any eq aol
access-list acl-inside extended permit udp host 10.100.25.252 any eq domain
access-list acl-inside extended permit tcp host 10.100.25.252 any eq pop3
access-list acl-inside extended permit ip host 10.100.25.32 any
access-list acl-inside extended permit tcp host 10.100.25.252 any eq www
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 object-group Blackberry object-group Blackberry-TCP
access-list acl-inside extended permit tcp host 10.100.25.252 any eq smtp
access-list acl-inside extended permit tcp host 10.100.25.252 any eq https
access-list acl-inside extended permit tcp host 10.100.25.252 any eq telnet
access-list acl-inside extended permit tcp host 10.100.25.156 any eq smtp
access-list acl-inside extended permit ip host 10.100.25.249 any
access-list acl-inside extended permit ip host 10.100.25.157 any
access-list acl-inside extended permit ip host 10.100.25.156 any
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 host 65.218.239.10 eq 30003
access-list acl-inside extended permit tcp any host 84.19.126.38 eq 81
access-list acl-inside extended permit tcp 10.100.25.0 255.255.255.0 host 216.66.35.71 eq 3306
access-list acl-inside extended permit ip 10.100.25.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list acl-inside extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl-inside extended permit object-group TCPUDP any host x.x.x.55 object-group Port-2222
access-list acl-inside extended permit tcp any any object-group Gyro-8888
access-list acl-inside extended permit udp any any object-group L2TP
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list allvpnsites extended permit ip 10.100.25.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list vpn-Sonic-HQ extended permit ip 10.100.25.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list acl-VPLS extended permit ip any any
access-list acl-VPLS extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.100.25.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
access-list amzn-filter extended permit icmp 172.31.0.0 255.255.0.0 host 10.100.1.1
access-list amzn-filter extended permit tcp 172.31.0.0 255.255.0.0 host 10.100.1.1 eq ldap
access-list amzn-filter extended deny ip any any
show run nat:
nat (inside) 0 access-list allvpnsites
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VPLS) 0 access-list acl-amzn
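The expert's review of the ACL above comes down to one question: do the three UDP ports that L2TP/IPsec pass-through needs (500, 4500 and 1701, as Rob listed in the opening post) actually reach the forwarded server host x.x.x.172? Only port 500 is visible as an explicit `eq isakmp` entry; 4500 and 1701 can only be permitted through the service object-group DM_INLINE_UDP_1, whose members are not in the thread. The following script is an added example, not code from the thread or from Cisco; it parses ASA `show run access-list` lines and reports, per required port, whether it is explicitly permitted, missing, or hidden behind an object-group that still has to be expanded with `show run object-group`. The sample input is constructed from the ACL lines Rob posted (x.x.x.172 is his sanitised host), and the function names `passthrough_report` and `unverified_ports` are this example's own.

```python
import re

# Constructed sample input: the acl-outside entries from this thread that touch
# the L2TP server's public address (x.x.x.172 is the thread's own sanitised
# host), plus a few unrelated lines to show what the parser ignores.
SAMPLE_ACL = """\
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit tcp any host x.x.x.170 eq smtp
access-list acl-outside extended permit tcp x.x.x.32 255.255.255.224 any eq 3389
access-list acl-outside extended permit tcp any host x.x.x.172 eq pptp
access-list acl-outside extended permit udp any host x.x.x.172 object-group DM_INLINE_UDP_1
access-list acl-outside extended permit udp any host x.x.x.172 eq isakmp
access-list acl-outside remark Steves Project
access-list acl-outside extended permit tcp any host x.x.x.172 object-group DM_INLINE_TCP_1
access-list acl-inside extended permit udp any any eq 4500
"""

# UDP ports an L2TP/IPsec client behind NAT needs to reach on the server
REQUIRED_UDP = {500: "IKE (isakmp)", 4500: "NAT-T", 1701: "L2TP"}

# The ASA prints some well-known ports by name; 500 is the one in this thread.
PORT_NAMES = {"isakmp": 500}

# One extended ACE: action, protocol, source, destination, optional port qualifier.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: (?P<match>eq \S+|object-group \S+))?$"
)


def resolve_port(token):
    """Turn 'isakmp' or '4500' into an integer port; None if unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def passthrough_report(acl_text, acl_name, server):
    """Map each required UDP port to 'permitted', 'missing', or an 'unverified'
    marker naming the object-group that may permit it but is not in the output."""
    status = {port: "missing" for port in REQUIRED_UDP}
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["acl"] != acl_name or m["action"] != "permit":
            continue  # remarks, other ACLs and deny entries open nothing
        if m["proto"] not in ("udp", "ip"):
            continue  # TCP entries (pptp, https, ...) are irrelevant to L2TP/IPsec
        if m["dst"] not in ("any", f"host {server}"):
            continue  # an ACE for a different forwarded host
        match = m["match"]
        if match is None:
            # no port qualifier: all UDP (or all IP) to the server is open
            status = {port: "permitted" for port in status}
        elif match.startswith("eq "):
            port = resolve_port(match[3:])
            if port in status:
                status[port] = "permitted"
        else:
            # a service object-group: its members need 'show run object-group'
            group = match.split()[1]
            for port, state in status.items():
                if state == "missing":
                    status[port] = f"unverified (object-group {group})"
    return status


def unverified_ports(report):
    """Ports not explicitly permitted, i.e. the ones that still need a look."""
    return sorted(p for p, s in report.items() if s != "permitted")


if __name__ == "__main__":
    report = passthrough_report(SAMPLE_ACL, "acl-outside", "x.x.x.172")
    for port, state in sorted(report.items()):
        print(f"udp/{port:<5} {REQUIRED_UDP[port]:<14} {state}")
    print("needs checking:", unverified_ports(report))
```

Run against the thread's own lines, the report marks udp/500 as permitted and udp/4500 and udp/1701 as unverified behind DM_INLINE_UDP_1; the acl-inside entry for 4500 is ignored because it belongs to a different ACL. The next step on the real box is to expand that object-group and confirm both ports are in it; the script deliberately refuses to guess, because an object-group that only carries 1701 would reproduce exactly the symptom described in this thread (IKE completes on 500, the NAT-T exchange on 4500 never reaches the server).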
01-20-2014 06:34 AM
At first glance I do not see anything wrong with the configuration, and I am leaning towards there being an issue between the OSX server and the Windows client. Perhaps someone here who has had more experience with OSX can answer better.
--
Please remember to rate and select a correct answer
01-20-2014 06:41 AM
OK, thanks for your help with this issue. I will let you know if I can determine the solution further down the line.
Rob