10-28-2014 09:52 AM - edited 02-21-2020 07:54 PM
Has anyone been successful in getting the VPN on the Chromebook to connect to an ASA? Can't find any solutions online and it is a pretty basic setup. All devices work except for the one Chromebook. It appears to be a phase one issue based on the logs below. Any ideas?
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing SA payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ke payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ISA_KE payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing nonce payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received xauth V6 VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received DPD VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal RFC VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal ver 02 VID
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, processing IKE SA payload
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 128
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, All SA proposals found unacceptable
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE AM Responder FSM error history (struct &0xb11e9f60) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE SA AM:e90bf838 terminating: flags 0x01008001, refcnt 0, tuncnt 0
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, sending delete/delete with reason message
10-30-2014 01:28 PM
Hi Caleb,
I had the exact same problem and was able to fix this just now. Documents that helped me were:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_l2tp_ipsec.html#wp1079517
And especially this one:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113572-1135272-technote-asa-l2tp-00.html
Make sure you use the DefaultRAGroup and not a custom one. You can use a custom group-policy.
Please let me know if you have any remaining questions.
Kind regards,
Tom
11-05-2014 09:37 AM
I'm having the same issue. I'm also using my own connection profile instead of the "DefaultRAGroup" connection profile. What's so special about the DefaultRAGroup that I can't seem to get it to work with my own custom Connection Profile?
03-28-2015 07:10 AM
There is a typo in the crypto mapping: it should be 'crypto dynamic-map dyno 10 set transform-set trans' and not 'crypto dynamic-map dyno 10 set transform-set set trans' (note the extra 'set'). If you're seeing phase 1 pass and phase 2 fail, this is likely the cause. Best of luck.
11-05-2014 12:48 PM
I'm still having the same problem. I did notice that other devices (Windows and Android) have "Vendor ID Microsoft L2TP over IPSec" in the IKE proposal. The Chromebook I am testing doesn't have it in the proposal. Did the missing item in the IKE proposal cause the failure?
05-25-2015 12:46 PM
Hello caleb.dick,
First, according to Cisco documentation, they don't claim support for ChromeOS; however, it may or may not work, since they don't deliberately stop the connection from the Chrome L2TP/IPsec client.
On the following link you can find more details about supported L2TP/IPsec VPN clients for your reference:
Second, you can see in your debugs that your L2TP connection is not landing in the DefaultRAGroup tunnel group. For this connection this is necessary.
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Please, check your VPN configuration in your chromebook and try not to mention any of your configured tunnel-groups so the ASA places it in the DefaultRAGroup.
https://support.google.com/chromebook/answer/1282338?hl=en-419
If the issue persists, I recommend that you do the following:
- Run crypto debugs and isolate the problem to phase 1 or phase 2
- Upgrade Chromebook OS software.
- Attempt an L2TP connection with a Windows machine and make sure this works properly.
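The "isolate the problem to phase 1 or phase 2" step above and the debug output in the first post can be tied together with a small triage script. What follows is an added example written for this thread, not Cisco's code and not anything posted by the participants. It parses ASA IKEv1 debug lines in the format shown above (the sample embedded in the script is constructed from the first post's lines), pulls out the peer, the tunnel-group the connection landed on, the vendor IDs the client sent and any Phase 1 attribute mismatches, and then reports which phase failed. Two things are assumptions: that the expected tunnel-group for an L2TP/IPsec client is `DefaultRAGroup` (as Tom's reply and the Cisco reply state), and that the ASA's Phase 2 rejection message contains the text "All IPSec SA proposals found unacceptable" (it is not in the pasted log).

```python
"""Triage helper for ASA IKEv1 'debug crypto isakmp' output.

Added example for this thread; not Cisco's tooling. It classifies a failed
L2TP/IPsec attempt as a Phase 1 or Phase 2 problem and lists the concrete
mismatches the ASA reported, so the fix (tunnel-group, DH group, transform
set) can be picked without reading every debug line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the lines from the first post.
SAMPLE_LOG = """\
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 372
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received xauth V6 VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received DPD VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal RFC VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal ver 02 VID
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
"""

PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
VID_RE = re.compile(r"Received (.+?) VID$")
PH1_RE = re.compile(
    r"Phase 1 failure: Mismatched attribute types for class (.+?): "
    r"Rcv'd: (.+?) Cfg'd: (.+)$"
)
IKE_SA_REJECT = "All IKE SA proposals found unacceptable"      # seen in the post
IPSEC_SA_REJECT = "All IPSec SA proposals found unacceptable"  # assumption: Phase 2 text

# Assumption from the replies in this thread: L2TP/IPsec clients must land here.
EXPECTED_GROUP = "DefaultRAGroup"


@dataclass
class IkeTriage:
    peer: Optional[str] = None
    tunnel_group: Optional[str] = None
    vendor_ids: List[str] = field(default_factory=list)
    # (attribute class, value received from client, value configured on ASA)
    phase1_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)
    ike_sa_rejected: bool = False
    ipsec_sa_rejected: bool = False

    @property
    def failing_phase(self) -> str:
        if self.phase1_mismatches or self.ike_sa_rejected:
            return "phase1"
        if self.ipsec_sa_rejected:
            return "phase2"
        return "none-detected"

    def findings(self, expected_group: str = EXPECTED_GROUP) -> List[str]:
        notes = []
        if self.tunnel_group and self.tunnel_group != expected_group:
            notes.append(f"landed on tunnel-group {self.tunnel_group}, not {expected_group}")
        for cls, rcvd, cfgd in self.phase1_mismatches:
            notes.append(f"phase 1 {cls}: client offered {rcvd!r}, ASA is configured for {cfgd!r}")
        if "Microsoft L2TP over IPSec" not in self.vendor_ids:
            # Observation only: the thread notes Windows/Android send this VID and the
            # Chromebook does not, but does not establish it as the cause.
            notes.append("client did not send the 'Microsoft L2TP over IPSec' vendor ID")
        return notes


def triage(log_text: str) -> IkeTriage:
    """Walk the debug lines once and collect the facts needed for a verdict."""
    result = IkeTriage()
    seen = set()
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and result.peer is None:
            result.peer = m.group(1)
        m = GROUP_RE.search(line)
        if m:
            result.tunnel_group = m.group(1)
            continue
        m = VID_RE.search(line)
        if m:
            result.vendor_ids.append(m.group(1))
            continue
        m = PH1_RE.search(line)
        if m:
            key = m.groups()
            if key not in seen:  # the ASA logs one line per rejected proposal
                seen.add(key)
                result.phase1_mismatches.append(key)
            continue
        if IKE_SA_REJECT in line:
            result.ike_sa_rejected = True
        elif IPSEC_SA_REJECT in line:
            result.ipsec_sa_rejected = True
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"peer={r.peer} tunnel_group={r.tunnel_group} failing_phase={r.failing_phase}")
    for note in r.findings():
        print(" -", note)
```

Run it against a capture from `debug crypto isakmp` (paste it into `SAMPLE_LOG` or read it from a file) and compare the verdict with the replies above: a Phase 1 verdict plus a non-default tunnel-group points at the connection-profile advice from Tom and the Cisco reply; a Phase 2 verdict points at the transform-set typo noted on 03-28-2015.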