Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
0
Helpful
4
Replies

ASA5510 using LT2P/IPSec stuck between Phase1&2

icondie
Level 1
Level 1

‎06-06-2012 10:03 AM

I have recently configured our ASA 5510 to support L2TP remote access connections, however the connections seem to fail after Phase 1.

the basic error from the isakmp debugging is:

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, QM FSM error (P2 struct &0xad6eab50, mess id 0xa3b43504)!

Jun 06 11:03:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 166.248.0.43, IKE QM Responder FSM error history (struct &0xad6eab50)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent-->QM_SND_MSG2, EV_SND_MSG-->QM_SND_MSG2, EV_START_TMR-->QM_SND_MSG2, EV_RESEND_MSG-->QM_WAIT_MSG3, EV_RESEND_MSG-->QM_WAIT_MSG3, NullEvent

Jun 06 11:03:25 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 166.248.0.43, IKE Deleting SA: Remote Proxy 10.190.146.32, Local Proxy My.Outside.IP.Here

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, Removing peer from correlator table failed, no match!

Jun 06 11:03:25 [IKEv1]: Group = DefaultRAGroup, IP = 166.248.0.43, Session is being torn down. Reason: Lost Service

I used this guide: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/l2tp_ips.html

I've tried to fix this problem using: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

I've attached the full captured debug from asa side during a connection attempt with my phone.

I've also attached the pertinant running-config pieces from my asa.

Please help me! I don't know what else to try.

Labels:
129305-asa-8.3-crypto-isakmp-6.txt.zip
129315-cisco-asa-8.3-running-config.txt.zip
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-06-2012 08:14 PM

Under "tunnel-group DefaultRAGroup ppp-attributes", please enable PAP and MSCHAPv1:

authentication pap

authentication ms-chap-v1

From the debug output, it seems that IPSec is up, however, L2TP is failing.

0 Helpful

icondie
Level 1
Level 1
In response to Jennifer Halim

‎06-07-2012 08:24 AM

I've added authentication pap, authentication ms-chap-v1 and authentication chap however I get identical results.  Any other thoughts?

0 Helpful

icondie
Level 1
Level 1

‎06-10-2012 11:16 AM

Any other thoughts? I've tested from my phone (android) and from my home pc (windows 7) and both timeout on the client side.

0 Helpful

icondie
Level 1
Level 1

‎06-13-2012 08:29 AM

I've attached yesterday's attempts and running-config.  Config is the full config, just in case something I bleeped out before is important to help diagnose.

Cheers!

129718-asa-8.3-debug-001.log.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents