Android vpn client can't connect to ASA

allahverdiyev
Level 1

Hello, I have a problem with the Android client. I solved several problems and finally could get the PHASE 1 and PHASE 2 COMPLETED messages in the logs :). Anyhow, I have a different problem: although phase 1 and phase 2 completed, the client still can't connect. Here are the logs:

****|21456|****|500|Built inbound UDP connection 600577524 for Outside:****/21456 (****/21456) to identity:****/500 (****/500)
****|27262|****|4500|Built inbound UDP connection 600577567 for Outside:****/27262 (****/27262) to identity:****/4500 (****/4500)
Group = ANDROID_PROF, IP = ****, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
Group = ANDROID_PROF, IP = ****, Floating NAT-T from **** port 21456 to **** port 27262
Group = ANDROID_PROF, IP = ****, PHASE 1 COMPLETED
Group = ANDROID_PROF, IP = ****, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
IPSEC: An outbound remote access SA (SPI= 0x0429CEA7) between **** and **** (user= ANDROID_PROF) has been created.
Group = ANDROID_PROF, IP = ****, Security negotiation complete for User () Responder, Inbound SPI = 0xc95803fc, Outbound SPI = 0x0429cea7
IPSEC: An inbound remote access SA (SPI= 0xC95803FC) between **** and **** (user= ANDROID_PROF) has been created.
Group = ANDROID_PROF, IP = ****, PHASE 2 COMPLETED (msgid=9aab13ed)
****|27262|****|1701|Built inbound UDP connection 600577657 for Outside:****/27262 (****/27262) to identity:****/1701 (****/1701)
L2TP Tunnel created, tunnel_id is 24, remote_peer_ip is ****, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
L2TP Tunnel deleted, tunnel_id = 24, remote_peer_ip = ****
IPSEC: An outbound remote access SA (SPI= 0x0429CEA7) between **** and **** (user= ANDROID_PROF) has been deleted.
IPSEC: An inbound remote access SA (SPI= 0xC95803FC) between **** and **** (user= ANDROID_PROF) has been deleted.
Group = ANDROID_PROF, IP = ****, Session is being torn down. Reason: User Requested
Group = ANDROID_PROF, Username = , IP = ****, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:07s, Bytes xmt: 1021, Bytes rcv: 955, Reason: User Requested

As you can see, the session is torn down immediately and Android says unsuccessful. Android settings:

Name: ANDROID_PROF
Type: L2TP/IPsec PSK
IPsec identifier: ANDROID_PROF
IPsec pre-shared key: cisco

ASA config:

tunnel-group ANDROID_PROF general-attributes
 address-pool IPSEC_RA_POOL
 authentication-server-group LDAP LOCAL
 authorization-server-group LDAP
 default-group-policy NOACCESS
tunnel-group ANDROID_PROF ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group ANDROID_PROF ppp-attributes
 authentication chap
 authentication ms-chap-v2
group-policy ANDROID_PROF_GP attributes
 dns-server value ****
 vpn-simultaneous-logins 4
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ANDROID_PROF_USERS
 default-domain value cisco.local
 address-pools value IPSEC_RA_POOL
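The log sequence above answers the question "which layer failed?" more precisely than "the session is torn down": both IKE phases complete, the L2TP tunnel is created with client_dynamic_ip still 0.0.0.0, and seven seconds later it is deleted with Reason: User Requested, i.e. the client itself hung up before PPP assigned an address. The Python below is an added example (not code from the original post or from Cisco) that walks one session's ASA syslog lines in order and names the first layer that did not complete; the sample input is the poster's sequence re-used as constructed data with the addresses still masked as ****, and the stage names, regexes and the hints in explain() are this example's own heuristics, not Cisco guidance.

```python
"""Stage classifier for an ASA IKEv1 / L2TP-over-IPsec remote-access attempt.

Added example for this thread, not code from the original post or from Cisco.
Stage names, regexes and the hints below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the sequence quoted in the post, masked as posted.
SAMPLE_LOG = """\
Group = ANDROID_PROF, IP = ****, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
Group = ANDROID_PROF, IP = ****, Floating NAT-T from **** port 21456 to **** port 27262
Group = ANDROID_PROF, IP = ****, PHASE 1 COMPLETED
IPSEC: An outbound remote access SA (SPI= 0x0429CEA7) between **** and **** (user= ANDROID_PROF) has been created.
Group = ANDROID_PROF, IP = ****, Security negotiation complete for User () Responder, Inbound SPI = 0xc95803fc, Outbound SPI = 0x0429cea7
Group = ANDROID_PROF, IP = ****, PHASE 2 COMPLETED (msgid=9aab13ed)
L2TP Tunnel created, tunnel_id is 24, remote_peer_ip is ****, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
L2TP Tunnel deleted, tunnel_id = 24, remote_peer_ip = ****
Group = ANDROID_PROF, IP = ****, Session is being torn down. Reason: User Requested
Group = ANDROID_PROF, Username = , IP = ****, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:07s, Bytes xmt: 1021, Bytes rcv: 955, Reason: User Requested
"""

# Layers in the order an L2TP/IPsec connection brings them up.
STAGES = ["ike_phase1", "ike_phase2", "l2tp_tunnel", "ppp_address"]

STAGE_PATTERNS = {
    "ike_phase1": re.compile(r"PHASE 1 COMPLETED"),
    "ike_phase2": re.compile(r"PHASE 2 COMPLETED"),
    "l2tp_tunnel": re.compile(r"L2TP Tunnel created, tunnel_id is (?P<tid>\d+)"),
    # A client_dynamic_ip other than 0.0.0.0 means PPP/IPCP handed out a pool address.
    "ppp_address": re.compile(
        r"client_dynamic_ip is (?P<ip>(?!0\.0\.0\.0)\d+\.\d+\.\d+\.\d+)"),
}
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")
REASON_RE = re.compile(r"Session disconnected.*Reason: (?P<reason>.+)$")
NAT_RE = re.compile(r"Automatic NAT Detection Status: (?P<nat>.+)$")

# Where to look next, per failed layer (heuristics of this example).
HINTS = {
    "ike_phase1": "IKE phase 1 never completed: IKEv1 policy, tunnel-group pre-shared key, NAT-T (UDP/4500).",
    "ike_phase2": "Phase 1 done but no IPsec SA: transform set or PFS mismatch on the dynamic crypto map entry.",
    "l2tp_tunnel": "IPsec SA up but no L2TP tunnel: encapsulated UDP/1701 not reaching L2TP (vpn-tunnel-protocol l2tp-ipsec).",
    "ppp_address": "L2TP tunnel created but PPP assigned no address: PPP auth (ppp-attributes, backend AAA) or the client hung up first.",
    "none": "All layers completed; the client was assigned an address.",
}


@dataclass
class SessionVerdict:
    stages_reached: List[str] = field(default_factory=list)
    nat_status: Optional[str] = None
    tunnel_id: Optional[str] = None
    l2tp_deleted: bool = False
    duration_s: Optional[int] = None
    disconnect_reason: Optional[str] = None

    @property
    def failed_at(self) -> str:
        """First layer in STAGES that never completed, or 'none'."""
        for stage in STAGES:
            if stage not in self.stages_reached:
                return stage
        return "none"


def classify(log_text: str) -> SessionVerdict:
    """Walk one session's ASA log lines in order and record what completed."""
    v = SessionVerdict()
    for line in log_text.splitlines():
        m = NAT_RE.search(line)
        if m:
            v.nat_status = m.group("nat").strip()
        for stage, pat in STAGE_PATTERNS.items():
            m = pat.search(line)
            if m and stage not in v.stages_reached:
                v.stages_reached.append(stage)
                if stage == "l2tp_tunnel":
                    v.tunnel_id = m.group("tid")
        if "L2TP Tunnel deleted" in line:
            v.l2tp_deleted = True
        m = DURATION_RE.search(line)
        if m:
            v.duration_s = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        m = REASON_RE.search(line)
        if m:
            v.disconnect_reason = m["reason"].strip()
    return v


def explain(v: SessionVerdict) -> str:
    """One-line verdict: failed layer, teardown facts, and a hint."""
    parts = [f"failed_at={v.failed_at}",
             f"stages={'>'.join(v.stages_reached) or '-'}"]
    if v.nat_status:
        parts.append(f"nat={v.nat_status}")
    if v.tunnel_id:
        parts.append(f"l2tp_tunnel={v.tunnel_id}{' (deleted)' if v.l2tp_deleted else ''}")
    if v.duration_s is not None:
        parts.append(f"duration={v.duration_s}s")
    if v.disconnect_reason:
        parts.append(f"reason={v.disconnect_reason!r}")
    return "; ".join(parts) + "\n  hint: " + HINTS[v.failed_at]


if __name__ == "__main__":
    print(explain(classify(SAMPLE_LOG)))
```

Run against the posted sequence, failed_at is ppp_address: the IPsec side is fine and the teardown comes from the client, which is consistent with the accepted answer that the native Android client, not the ASA, is at fault. One further check the posted config invites: the tunnel group's default-group-policy is NOACCESS while vpn-tunnel-protocol l2tp-ipsec lives in ANDROID_PROF_GP, so a user only gets L2TP if the LDAP authorization (authorization-server-group LDAP) hands back that group policy; the thread does not show that mapping.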

Accepted Solution

Vishnu Sharma
Level 1

Hi,

Your issue with the Android L2TP/IPsec client connecting to the ASA was caused by CSCug60492 (Android phone disconnected from l2tpoveripsec and connect again asa hung).

This is actually an Android issue, not an ASA bug. Its resolution relies on Android.

Hope this helps.

Thanks,

Vishnu

4 Replies

pjain2
Cisco Employee

Can you attach the debug output for "debug l2tp 255" as well, along with the IPsec debugs?

Sorry for the late reply. Here is the output, in the attachment.

There is also an incompatibility in the VPN configuration between PCs and phones. When I delete the crypto dynamic-map CMAP 65535 set pfs command, the Android phone completes PHASE 2, but then PCs cannot connect to the VPN. When I run the crypto dynamic-map CMAP 65535 set pfs command, the Android phone gets a PHASE 2 mismatch and PCs can connect.

allahverdiyev
Level 1

Yes, there is a problem with the Android native client. I tried a different app, VPNcilla, and it worked perfectly.
Thank you all