Hi, I have an ASA 5520 which is intended to be used as a VPN for clients using a PDA. I think the PDA is a very old product whose VPN only supports CHAP/MS-CHAP, but it seems it cannot connect to the VPN; it prompts "invalid username and password" (but in fact the username and password are valid when using PAP). Below is the log I captured from ASDM when the PDA was connecting to the VPN.
When I tried to connect from a Windows PC, I had the same issue if the VPN setting was MS-CHAP; if I choose PAP, it connects with no problem. But the PDA has no PAP option. Can any expert help me have a look to see what is going wrong? Thanks!!!
5 Jan 29 2013 14:50:36 IP = 192.168.21.101, Received encrypted packet with no matching SA, dropping
4 Jan 29 2013 14:50:36 Group = DefaultRAGroup, Username = , IP = 192.168.21.101, Session disconnected. Session Type: IPsec, Duration: 0h:00m:05s, Bytes xmt: 0, Bytes rcv: 264, Reason: User Requested
5 Jan 29 2013 14:50:36 Group = DefaultRAGroup, IP = 192.168.21.101, Session is being torn down. Reason: User Requested
6 Jan 29 2013 14:50:36 IPSEC: An inbound remote access SA (SPI= 0x87828531) between 192.168.21.101 and 192.168.21.1 (user= DefaultRAGroup) has been deleted.
6 Jan 29 2013 14:50:36 IPSEC: An outbound remote access SA (SPI= 0x010E1930) between 192.168.21.1 and 192.168.21.101 (user= DefaultRAGroup) has been deleted.
5 Jan 29 2013 14:50:36 Group = DefaultRAGroup, IP = 192.168.21.101, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 192.168.21.101, Local Proxy 192.168.21.1
6 Jan 29 2013 14:50:33 192.168.21.101 1701 192.168.21.1 1701 Built inbound UDP connection 4921 for outside:192.168.21.101/1701 (192.168.21.101/1701) to identity:192.168.21.1/1701 (192.168.21.1/1701)
6 Jan 29 2013 14:50:32 192.168.21.101 1701 192.168.21.1 1701 Teardown UDP connection 4918 for outside:192.168.21.101/1701 to identity:192.168.21.1/1701 duration 0:00:02 bytes 467
5 Jan 29 2013 14:50:31 Group = DefaultRAGroup, IP = 192.168.21.101, PHASE 2 COMPLETED (msgid=75224ee5)
6 Jan 29 2013 14:50:31 IPSEC: An inbound remote access SA (SPI= 0x87828531) between 192.168.21.1 and 192.168.21.101 (user= DefaultRAGroup) has been created.
6 Jan 29 2013 14:50:31 IPSEC: An outbound remote access SA (SPI= 0x010E1930) between 192.168.21.1 and 192.168.21.101 (user= DefaultRAGroup) has been created.
5 Jan 29 2013 14:50:31 Group = DefaultRAGroup, IP = 192.168.21.101, Security negotiation complete for User () Responder, Inbound SPI = 0x87828531, Outbound SPI = 0x010e1930
3 Jan 29 2013 14:50:31 IP = 192.168.21.101, Keep-alives configured on but peer does not support keep-alives (type = None)
5 Jan 29 2013 14:50:31 Group = DefaultRAGroup, IP = 192.168.21.101, PHASE 1 COMPLETED
6 Jan 29 2013 14:50:31 AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup
6 Jan 29 2013 14:50:31 Group = DefaultRAGroup, IP = 192.168.21.101, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
5 Jan 29 2013 14:50:31 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2