01-06-2014 03:41 AM - edited 02-21-2020 07:25 PM
Hello,
I am having trouble getting a Chromebook to establish a Remote Access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5)12.
Running debug crypto isakmp 5, I am seeing the following logs (IPs changed...)
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 4
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
1.1.1.1 = Remote NAT address for chromebook
2.2.2.2 = ASA 5510 acting as Remote Access termination point
3.3.3.3 = Chromebook private address
I noticed that the Chromebook is appearing as the remote proxy ID but later on it is looking for the NAT address applied to the Chromebook. Not sure if this is the cause or how to fix it if it is.
Can someone advise please
Thanks
Ryan
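A small triage helper for the debug output above, added here as an example and not part of Ryan's post or any Cisco tool. It walks the 'debug crypto isakmp' lines in order and records how far the negotiation got: the tunnel-group the peer landed on, NAT-T detection, Phase 1 completion, the proxy IDs offered in Quick Mode (UDP/1701 identifies the L2TP session), the static-map check falling through to the dynamic map (normal for a remote-access peer), and the Phase 2 failure lines. The sample log is a trimmed copy of the lines quoted in the post; the message substrings matched are those visible there.

```python
"""Summarise Cisco ASA 'debug crypto isakmp' output for an IKEv1 L2TP/IPsec
attempt. Added example (not from the thread or from Cisco); it only matches
the message texts that appear in the debug output quoted above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the debug lines posted above.
SAMPLE_LOG = """\
Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!
"""

Proxy = Tuple[str, int, int]  # (address, IP protocol, port)


@dataclass
class IkeSummary:
    peer_ip: Optional[str] = None
    tunnel_group: Optional[str] = None
    remote_behind_nat: Optional[bool] = None
    phase1_complete: bool = False
    remote_proxy: Optional[Proxy] = None
    local_proxy: Optional[Proxy] = None
    l2tp_detected: bool = False
    static_map_fallthrough: bool = False   # static map ACL did not match; expected for RA peers
    crypto_map: Optional[str] = None       # dynamic map the peer was matched to
    phase2_failures: List[str] = field(default_factory=list)


IP_RE = re.compile(r"\bIP = (\S+),")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
PROXY_RE = re.compile(
    r"Received (remote|local) Proxy Host data in ID Payload: "
    r"Address (\S+), Protocol (\d+), Port (\d+)")
MAP_RE = re.compile(r"configured for crypto map: (\S+)")


def summarize(log_text: str) -> IkeSummary:
    """Scan the debug lines once and fill in the summary."""
    s = IkeSummary()
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m and s.peer_ip is None:
            s.peer_ip = m.group(1)
        m = GROUP_RE.search(line)
        if m:
            s.tunnel_group = m.group(1)
        if "Automatic NAT Detection Status" in line:
            s.remote_behind_nat = "Remote end IS behind" in line
        if "PHASE 1 COMPLETED" in line:
            s.phase1_complete = True
        m = PROXY_RE.search(line)
        if m:
            side, addr, proto, port = m.groups()
            proxy: Proxy = (addr, int(proto), int(port))
            if side == "remote":
                s.remote_proxy = proxy
            else:
                s.local_proxy = proxy
        if "L2TP/IPSec session detected" in line:
            s.l2tp_detected = True
        if "ACL does not match proxy IDs" in line:
            s.static_map_fallthrough = True
        m = MAP_RE.search(line)
        if m:
            s.crypto_map = m.group(1)
        if "All IPSec SA proposals found unacceptable" in line:
            s.phase2_failures.append(
                "no acceptable IPsec transform set (L2TP needs a transport-mode set on the dynamic map)")
        if "QM FSM error" in line:
            s.phase2_failures.append("Quick Mode FSM error")
    return s


def diagnose(s: IkeSummary) -> str:
    """One-line verdict: Phase 1 and Phase 2 are separate negotiations."""
    if not s.phase1_complete:
        return "Phase 1 (IKE SA) did not complete: check ikev1 policy and pre-shared key"
    if s.phase2_failures:
        return "Phase 1 OK, Phase 2 failed: " + "; ".join(s.phase2_failures)
    return "Phase 1 and Phase 2 completed"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
```

Run against the sample, the verdict is that Phase 1 completed and the failure is in Phase 2 on transform-set selection; the "ACL does not match proxy IDs" line on the static map is recorded but not treated as the failure, since the next line shows the peer being handed to the dynamic map.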
01-15-2014 04:06 PM
7.2 is ancient code. You may want to re-test with 9.0.x or 9.1.x.
01-15-2014 10:02 AM
Same exact error that I'm getting Ryan.
01-15-2014 04:18 PM
same problem as Ryan as well, and we're running 8.2.5 code.
01-15-2014 04:30 PM
Unfortunately neither 7.2.x nor 8.2.x are current and therefore are missing a lot of code changes. We have resolved numerous L2TP/IPsec compatibility issues with Android (which were also present in Chrome) and these changes are present in 9.0.x and 9.1.x (we recommend the latest MRs of either). You can probably get away with the latest and greatest 8.4.x as well since most of these changes also went in to 8.4.x, but you can't get away with older ASA code.
01-16-2014 05:24 AM
Peter, we are on 8.4.11 and still having the same issue. We will upgrade to 9.0 sometime this week, I will let you know what the outcome is.
01-16-2014 12:42 PM
Hey there, just to let you know I stepped our ASA up to release 9.1 and hey presto works fine, hopefully will for you too.
good luck
ryan
12-23-2014 12:34 PM
Ryan, what specific release of 9.1 did you use? I upgraded my pair of 5585-X from 8.4.7.15 to 9.1.5 yesterday, and I still get the "All IKE SA proposals found unacceptable!" result. Debug shows the Chromebook sends two proposals:
3DES-CBC / SHA1 / DH-2 / Preshared key and
AES-CBC-128 / MD5 / DH-Unknown / Preshared key.
One of my IKEv1 policies is
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
It seems like that should match the first proposal. Or if it's talking about the transform sets, I think I have that covered, too:
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP mode transport
crypto dynamic-map sfDYN-MAP 5 set ikev1 transform-set ESP-3DES-SHA sfSET AES-SHA L2TP 3DES-MD5 3DES-MD5-TSPT
And that dynamic map is incorporated into the static map.
I'm using a specific tunnel-group instead of the DefaultRAGroup, but the log shows that the connection is landing on the correct group.
Any suggestions?
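The two checks Brian is weighing are different negotiations: "All IKE SA proposals found unacceptable" is a Phase 1 verdict against the crypto ikev1 policy blocks, while the transform sets on the dynamic map only matter in Phase 2 (and L2TP/IPsec additionally needs one of them in transport mode). The helper below, added as an example and not from the thread or from Cisco, separates the two: it parses the policy and transform-set lines quoted above, normalises the two client proposals from the debug into ASA keywords, and reports which policy each proposal would match and which transport-mode sets the dynamic map actually references. The mapping from the debug's proposal vocabulary ("3DES-CBC", "SHA1", "Preshared key") to ASA keywords is the example's own assumption.

```python
"""Cross-check IKEv1 Phase 1 proposals against ASA 'crypto ikev1 policy' blocks,
and list the transport-mode transform sets a dynamic map offers for Phase 2.
Added example, not from the thread. Config text and proposals are copied from
the post above; the ENC/HASH/AUTH tables are assumed normalisations."""
import re
from typing import Dict, List, Optional

# Constructed input: the config lines and the two client proposals quoted above.
ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP mode transport
crypto dynamic-map sfDYN-MAP 5 set ikev1 transform-set ESP-3DES-SHA sfSET AES-SHA L2TP 3DES-MD5 3DES-MD5-TSPT
"""
CLIENT_PROPOSALS = [
    "3DES-CBC / SHA1 / DH-2 / Preshared key",
    "AES-CBC-128 / MD5 / DH-Unknown / Preshared key",
]

# Assumed mapping from the debug's proposal names to ASA policy keywords.
ENC = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC-128": "aes",
       "AES-CBC-192": "aes-192", "AES-CBC-256": "aes-256"}
HASH = {"SHA1": "sha", "MD5": "md5"}
AUTH = {"Preshared key": "pre-share", "RSA signature": "rsa-sig"}


def parse_policies(cfg: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy' block.
    Sub-commands are the indented lines that follow the block header."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in cfg.splitlines():
        line = raw.strip()
        header = re.match(r"crypto ikev1 policy (\d+)$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif raw.startswith(" ") and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
        else:
            current = None
    return policies


def parse_proposal(text: str) -> Optional[Dict[str, str]]:
    """Normalise 'ENC / HASH / DH-n / AUTH' into ASA keywords.
    Returns None when the DH group is not a number ('DH-Unknown'), which no policy can match."""
    enc, hsh, dh, auth = [part.strip() for part in text.split("/")]
    group = re.fullmatch(r"DH-(\d+)", dh)
    if group is None:
        return None
    return {"encryption": ENC[enc], "hash": HASH[hsh],
            "group": group.group(1), "authentication": AUTH[auth]}


def matching_policies(cfg: str, proposal_text: str) -> List[int]:
    """Priorities of the ikev1 policies whose attributes all equal the proposal's."""
    want = parse_proposal(proposal_text)
    if want is None:
        return []
    return sorted(prio for prio, attrs in parse_policies(cfg).items()
                  if all(attrs.get(k) == v for k, v in want.items()))


def transport_mode_sets_on_dynamic_map(cfg: str) -> List[str]:
    """Transform sets declared 'mode transport' that a dynamic map actually references.
    L2TP/IPsec negotiates ESP in transport mode, so this list must not be empty."""
    transport = {m.group(1) for m in re.finditer(r"transform-set (\S+) mode transport", cfg)}
    referenced: List[str] = []
    for m in re.finditer(r"crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)", cfg):
        referenced.extend(m.group(1).split())
    return [name for name in referenced if name in transport]


if __name__ == "__main__":
    for proposal in CLIENT_PROPOSALS:
        print(proposal, "->", matching_policies(ASA_CONFIG, proposal) or "no policy")
    print("transport-mode sets on dynamic map:", transport_mode_sets_on_dynamic_map(ASA_CONFIG))
```

On the quoted config the first proposal matches policy 10 and the second matches nothing, so on paper the Phase 1 message should not fire for the 3DES proposal; that is the gap worth taking to the debug (for instance, whether the policy is visible on the interface the Chromebook reaches, or whether the peer's ID payload lands on the intended tunnel-group). The Phase 2 check confirms that the L2TP transport-mode set is referenced by the dynamic map.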
01-06-2015 04:59 AM
Hi Brian, apologies for late reply, Christmas etc
We are running 9.1(3) and all is ok, I am pretty sure I tried 9.1(4) and it did not go well, from what I remember it only allowed a single L2TP connection....
let me know if you need any other info
thanks
Ryan
01-06-2015 06:47 AM
Thanks. I can't even get one session working with 9.1.5. Do the ikev1 policy and transform set I posted look similar to yours? Your initial post shows that you are using the DefaultRAGroup. Have you tried using a non-default group?
FWIW, recovery from failover seems to be broken in 9.1.5. Transition from secondary back to primary used to be seamless. I've tried it twice since the upgrade, and it dropped some, but not all, connections and VPN sessions both times. The initial failover is okay, as far as I can tell.
Unfortunately, there is some problem with our support contract status between Cisco, our reseller, and us, so I'll have to wait until my manager gets that sorted out before I can download 9.1.3 to try it.
01-06-2015 02:34 PM
I will check policy and transform sets when next in office and let you know.
I vaguely remember when setting this up that it was dictated you had to use the DefaultRAGroup. I have had a look round though and can't find any reference to this now, not sure if this has changed or my memory is playing tricks on me. The link I followed is as below
https://support.google.com/chromebook/answer/2382577
Will let you know once I have reviewed policy etc
02-05-2015 08:01 AM
Really sorry for late reply but not been around too much to check config, not sure if you still have issue but we have no reference to L2TP in any Transform Set or Dynamic map, clearly later code release must set it up differently. Let me know if you are still having issues and I will post up our policies, sets and maps
Ryan
02-05-2015 12:20 PM
I was able to get a session connected using DefaultRAGroup. But then I ran into the same problem I get with other L2TP connections (Mac/Android) ever since I upgraded from 8.4(4)5: the tunnel connects, but I can't access anything behind the firewall. "capture asp type asp-drop" shows packets from the client being dropped. I've had a TAC case open about this for over a year. IPSec and AnyConnect connections work fine, so I can use those for Macs and Androids, but those aren't options for Chromebooks.
Do you use IPSec as well as L2TP on the same interface?
BTW, I tried to connect a second CB session, and it failed, just like you found with 9.1(4). I haven't tried downgrading to 9.1(2) yet.
02-05-2015 03:03 PM
The ASA we have for the Chrome devices is purely used for L2TP, no IPsec configured at all.
01-16-2014 12:41 PM
Hey there, stepped our ASA up to release 9.1 and hey presto works fine..