This question is similar to others that have been posted before. My ASA 5505 fails just after the end of Phase 1 with the error message "peer is not authenticated by xauth - drop connection." Unlike the earlier posts, I am trying to set up an IPSec-L2TP remote-access connection rather than an L2L tunnel, and therefore DefaultRAGroup is the correct tunnel group to use.
Here is (what I believe to be) the relevant part of the running config:
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.160.0.2
 dns-server value 10.160.0.2 10.160.0.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value rowland.org
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 trust-point Rowland
 isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
Even though a trust point is set, I'm using strictly PSK authentication.
Here's the log from a recent connection attempt, with debug isakmp at level 50. The extract starts at the successful conclusion of phase 1:
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, PHASE 1 COMPLETED
Jan 06 14:10:43 [IKEv1]: IP = *.*.*.40, Keep-alive type for this connection: DPD
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, Starting P1 rekey timer: 2700 seconds.
Jan 06 14:10:43 [IKEv1 DECODE]: IP = *.*.*.40, IKE Responder starting QM: msg id = e064bd02
Jan 06 14:10:43 [IKEv1]: IP = *.*.*.40, IKE_DECODE RECEIVED Message (msgid=e064bd02) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 168
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing hash payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing SA payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing nonce payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing ID payload
Jan 06 14:10:43 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = *.*.*.40, ID_IPV4_ADDR ID received
*.*.*.40
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, Received remote Proxy Host data in ID Payload: Address *.*.*.40, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing ID payload
Jan 06 14:10:43 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = *.*.*.40, ID_IPV4_ADDR ID received
*.*.*.37
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, Received local Proxy Host data in ID Payload: Address *.*.*.37, Protocol 0, Port 0
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing NAT-Original-Address payload
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing NAT-Original-Address payload
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, peer is not authenticated by xauth - drop connection.
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, QM FSM error (P2 struct &0x39848a8, mess id 0xe064bd02)!
Although it's not apparent from the obscured IP addresses, this setup is a little unusual in that both client and server (the ASA) are on the same subnet. That's just for this testing session; the same thing happens when they are on different subnets. The client has been configured to force NAT processing and UDP/4500 encapsulation regardless.
Can anybody suggest what's going wrong here?
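As an added aid for triaging failures like the one above (this is not part of the question and not Cisco code), the following Python script parses lines in the ASA IKEv1 debug format shown in the post, tracks how far each peer got (Phase 1, Quick Mode, Phase 2) and records the first fatal message per peer. The sample lines are constructed from the post's log, with the same masked addresses.

```python
import re

# Constructed sample modelled on the ASA "debug crypto isakmp" output in the question.
SAMPLE_LOG = """\
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, PHASE 1 COMPLETED
Jan 06 14:10:43 [IKEv1 DECODE]: IP = *.*.*.40, IKE Responder starting QM: msg id = e064bd02
Jan 06 14:10:43 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = *.*.*.40, processing ID payload
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, peer is not authenticated by xauth - drop connection.
Jan 06 14:10:43 [IKEv1]: Group = DefaultRAGroup, IP = *.*.*.40, QM FSM error (P2 struct &0x39848a8, mess id 0xe064bd02)!
"""

# "Group = ..." is optional: DECODE lines before the group is known omit it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1(?: (?P<level>\w+))?\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one IKEv1 debug line, or None for continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(text):
    """Per peer IP: tunnel group, furthest stage reached and first fatal message."""
    peers = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        p = peers.setdefault(rec["ip"], {"group": None, "stage": "none", "error": None})
        if rec["group"]:
            p["group"] = rec["group"]
        msg = rec["msg"]
        if "PHASE 1 COMPLETED" in msg:
            p["stage"] = "phase1-complete"
        elif "starting QM" in msg:
            p["stage"] = "phase2-quick-mode"
        elif "PHASE 2 COMPLETED" in msg:
            p["stage"] = "phase2-complete"
        if p["error"] is None and ("drop connection" in msg or "FSM error" in msg):
            p["error"] = msg
    return peers

def failed_peers(text):
    """List (ip, group, stage, error) for every peer whose negotiation was aborted."""
    return [(ip, p["group"], p["stage"], p["error"])
            for ip, p in summarize(text).items() if p["error"]]

if __name__ == "__main__":
    for ip, group, stage, err in failed_peers(SAMPLE_LOG):
        print(f"{ip} (group {group}) failed after {stage}: {err}")
```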