Cisco ASA 5520 Configuration to Allow L2TP Configured on Windows Server 2019

Cash2106
Level 1

Hi there,

I have configured port forwarding for an L2TP VPN that is configured on Windows Server 2019.

I have created two access rules in which I allowed two services, TCP 1701 and UDP 500, as destination ports, and I have created two NAT rules in which I specified the services TCP 1701 and UDP 500 as source ports. But when I try to connect to the VPN from any computer outside this network, my firewall gets hits from that client and I get one error, which is given below:


6 Mar 19 2021 02:44:20 302016 202.*.*.* 24576 192.168.2.5 500 Teardown UDP connection 99272 for Outside-Fiberlink:202.*.*.*/24576 to Inside-LAN:192.168.2.5/500 duration 0:02:58 bytes 1136


Can you please help me understand what this error is saying and how to resolve this issue?

14 Replies

balaji.bandi
Hall of Fame

I would suggest checking any firewall on the Windows Server; disable it for testing and later allow the required ports for the incoming VPN connection.

Also check the server event logs. What do you see there? Did you see the packets arrive at the Windows server?

Follow the thread below to help you:

https://community.cisco.com/t5/vpn/how-to-allow-pptp-vpn-access-through-asa/td-p/1993827

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi thanks, the firewall is already disabled, and PPTP inspection is already enabled. I can connect through the PPTP VPN from other networks, but when I try to connect through L2TP it gives me the above error on the Cisco ASA, and on the host machine that is connecting to the VPN the error is given below:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiation with the remote computer.

 

Until we get detailed logs it is hard to assess what is wrong here. We need more information and logs; until we see the full logs we cannot be sure what has failed.

Post the full ASA logs from the start to the end of the connection attempt, and also see if you can get any logs in the Windows Event Viewer.

Provide a "show run" from the ASA (and tell us what the Windows Server IP address is).

BB

@balaji.bandi hi there, I have replaced my outside IP with 1.1.1.1 in this config file and the rest are the same settings. My VPN server IP is 192.168.2.5, which is created as an object called VPN-Client. The attached file is the config file. Please check it and tell me what is missing.

When I try to connect from outside through L2TP it gives me the error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiation with the remote computer."

When I look at the firewall monitor log I get a different error, which is given below for your kind consideration:

4 Mar 22 2021 12:38:40 713903 Group = 5.5.5.5, IP = 5.5.5.5, Can't find a valid tunnel group, aborting...!
4 Mar 22 2021 12:38:41 713903 IP = 5.5.5.5, Header invalid, missing SA payload! (next payload = 4)

Please check and help me.

Just to clarify, is this a lab or a real deployment? The reason I ask: 1.1.1.1 is not an IP address we commonly see from a DSL or ISP provider.

BB

This configuration is from the real deployment. I saved these settings from my firewall and pasted them here. I replaced my ISP IP with 1.1.1.1, named Outside-Fiberlink, and the one replaced with 2.2.2.2 is the peer IP for my site-to-site VPN, which I believe is not relevant in this scenario.

@balaji.bandi any hope for me?

@balaji.bandi seems like there is no solution for this.

@balaji.bandi

The main thing that is confusing me: do I have to allow the UDP ports 1701, 500 and 4500, or the TCP ports 1701, 500 and 4500?

Please also let me know about this. I have also permitted the AH and ESP services in the ACL.

When I added TCP ports 1701, 500 and 4500 to the ACL and NAT rules for these TCP ports, the error is different, given below:

5 Mar 22 2021 12:53:38 713904 IP = 5.5.5.5, Received encrypted packet with no matching SA, dropping

But when I added UDP ports 1701, 500 and 4500 to the ACL permit, and to the NAT rules with the same UDP ports, the error is different again, also given below:

Mar 22 2021 12:38:40 713903 Group = 5.5.5.5, IP = 5.5.5.5, Can't find a valid tunnel group, aborting...!
4 Mar 22 2021 12:38:41 713903 IP = 5.5.5.5, Header invalid, missing SA payload! (next payload = 4)

I am confused about which ports I should use to allow L2TP. I have tried both TCP and UDP, but with both I have been unlucky.

These ports are required to be allowed:

500, 4500, 1701

I will review the config later. I am a bit confused about your IP addresses: are these IP addresses real, or were they replaced from the original with 1.1.1.1, 2.2.2.2, 5.5.5.5 and 7.7.7.7?

What do you see in the logs on the Windows server?

BB
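The following is an added example of the ASA-side configuration the reply above describes; it is not the poster's config file or any config from this thread. It assumes ASA 8.3+ object NAT syntax, an outside interface named Outside-Fiberlink, an inside interface named Inside-LAN, the L2TP server 192.168.2.5 (the poster's VPN-Client object), and an inbound ACL name Outside-Fiberlink_access_in; all of these names are assumptions. It forwards only the three UDP ports a Windows L2TP/IPsec client actually uses (IKE on 500, NAT-T on 4500, L2TP on 1701), which is why the TCP rules in the question never help: the client never sends TCP to those ports.

```cisco
! Added example (not from the thread's config). Assumed names:
!   outside interface Outside-Fiberlink, inside interface Inside-LAN,
!   L2TP server 192.168.2.5, inbound ACL Outside-Fiberlink_access_in.
!
! L2TP/IPsec from a Windows client needs only UDP:
!   UDP 500  - IKEv1 (ISAKMP)
!   UDP 4500 - NAT-T (ESP encapsulated in UDP; raw ESP/AH cannot be port-forwarded)
!   UDP 1701 - L2TP (normally carried inside the IPsec tunnel, but forward it anyway)

! One network object per forwarded port: ASA allows a single "nat" line per object,
! so the same host is declared three times with different port mappings.
! Syntax: nat (real_ifc,mapped_ifc) static interface service udp <real_port> <mapped_port>
object network VPN-Client-IKE
 host 192.168.2.5
 nat (Inside-LAN,Outside-Fiberlink) static interface service udp 500 500
object network VPN-Client-NAT-T
 host 192.168.2.5
 nat (Inside-LAN,Outside-Fiberlink) static interface service udp 4500 4500
object network VPN-Client-L2TP
 host 192.168.2.5
 nat (Inside-LAN,Outside-Fiberlink) static interface service udp 1701 1701

! Keep the poster's own object for the ACL so the rules reference the REAL
! (untranslated) address, which is what an 8.3+ inbound ACL must match.
object network VPN-Client
 host 192.168.2.5

access-list Outside-Fiberlink_access_in extended permit udp any object VPN-Client eq 500
access-list Outside-Fiberlink_access_in extended permit udp any object VPN-Client eq 4500
access-list Outside-Fiberlink_access_in extended permit udp any object VPN-Client eq 1701
access-group Outside-Fiberlink_access_in in interface Outside-Fiberlink

! Verify the path without a client: packet-tracer shows whether the packet hits the
! NAT rule and ACL above, or is consumed by the ASA itself before NAT.
! (203.0.113.10 is a documentation address standing in for a remote client;
!  1.1.1.1 is the placeholder the poster used for the outside interface.)
! packet-tracer input Outside-Fiberlink udp 203.0.113.10 1024 1.1.1.1 500 detailed
```

One caveat that matches the 713903 "Can't find a valid tunnel group" and "missing SA payload" messages in the thread: those are logged by the ASA's own IKE process, not by a forwarding rule. When IKEv1 is enabled on the outside interface for the site-to-site VPN (crypto ikev1 enable Outside-Fiberlink), the ASA terminates UDP 500/4500 sent to its interface address before NAT is consulted, so the Windows client's IKE proposal is being evaluated against the ASA's tunnel groups instead of being forwarded to 192.168.2.5. If that is the case, the static PAT above has to map the server to a spare public address from the ISP block rather than to "interface" (replace "static interface" with "static <spare-public-ip>" in the three NAT lines; the spare address is an assumption about the ISP allocation). Separately, a Windows L2TP/IPsec server sitting behind NAT also requires the AssumeUDPEncapsulationContextOnSendRule registry value (DWORD 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent) on the Windows client, and on the server when the client is behind NAT too, otherwise the IPsec negotiation fails after the ASA side is fixed.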

I have replaced these IPs with the real IPs, and I have allowed these three ports, but I am still not able to connect.

1.1.1.1 is my outside interface, named Outside-Fiberlink.

2.2.2.2 is the peer IP address for my site-to-site VPN configured on the firewall.

In the Windows logs I am not getting any error when I connect to the L2TP VPN.

I don't see any 5.5.5.5 or 7.7.7.7 IPs in my config file; let me share the config file with you again.

Cash2106
Level 1

Seems like no one is interested in helping with this.

Cash2106
Level 1

IS THERE ANYONE WHO CAN HELP ME WITH THIS PROBLEM, PLEASE!

Cash2106
Level 1

CAN ANYONE HELP ME WITH THIS ISSUE, PLEASE!
