Chromebook L2TP IPSEC VPN failure

caleb.dick
Level 1

Has anyone been successful in getting the VPN on the Chromebook to connect to an ASA?  Can't find any solutions online and it is a pretty basic setup.  All devices work except for the one Chromebook.  It appears to be a phase one issue based on the logs below.  Any ideas?

 

Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing SA payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ke payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ISA_KE payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing nonce payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing ID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received xauth V6 VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received DPD VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal RFC VID
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, processing VID payload
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received NAT-Traversal ver 02 VID
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, processing IKE SA payload
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 128
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, All SA proposals found unacceptable
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE AM Responder FSM error history (struct &0xb11e9f60)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, IKE SA AM:e90bf838 terminating:  flags 0x01008001, refcnt 0, tuncnt 0
Oct 28 10:49:16 [IKEv1 DEBUG]: Group = RA-IPSEC, IP = 50.82.115.204, sending delete/delete with reason message

5 Replies

tom.prins
Level 1

Hi Caleb,

I had the exact same problem and was able to fix this just now. Documents that helped me were:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_l2tp_ipsec.html#wp1079517

And especially this one:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113572-1135272-technote-asa-l2tp-00.html

Make sure you use the DefaultRAGroup and not a custom one. You can use a custom group-policy.

Please let me know if you have any remaining questions.

Kind regards,

Tom 

I'm having the same issue. I'm also using my own connection profile instead of the "DefaultRAGroup" connection profile. What's so special about the DefaultRAGroup that I can't seem to get it to work with my own custom Connection Profile?

There is a typo in the crypto mapping: it should be 'crypto dynamic-map dyno 10 set transform-set trans' and not 'crypto dynamic-map dyno 10 set transform-set set trans' (note the extra 'set').  If you're seeing phase 1 pass and phase 2 fail, this is likely the cause. Best of luck.

I'm still having the same problem.  I did notice that other devices (Windows and Android) have "Vendor ID Microsoft L2TP over IPSec" in the IKE proposal. The Chromebook I am testing doesn't have it in the proposal. Did the missing item in the IKE proposal cause the failure?

Hello

First, according to Cisco documentation, they don't claim support for ChromeOS; however, it may or may not work, since they don't deliberately stop the connection from the Chrome L2TP/IPsec client.

On the following link you can find more details about supported L2TP/IPsec VPN clients for your reference:


http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#pgfId-157842

 

Second, you can see in your debugs that your L2TP connection is not landing in the DefaultRAGroup tunnel group. For this connection this is necessary.

 

Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/l2tp_ips.html#wp1041903

 

Please check the VPN configuration on your Chromebook and try not to mention any of your configured tunnel-groups, so the ASA places it in the DefaultRAGroup.

https://support.google.com/chromebook/answer/1282338?hl=en-419

 

If the issue persists, I recommend you do the following:

- Run crypto debugs and isolate the problem to phase 1 or phase 2

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

- Upgrade Chromebook OS software.

- Attempt an L2TP connection from a Windows machine and make sure this works properly.
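For the "isolate the problem to phase 1 or phase 2" step, here is an added example (not from the thread or from Cisco) that triages a burst of ASA `debug crypto isakmp` output of the kind quoted in the original post: it reports which phase failed, which IKE attribute class mismatched and how often, and whether the connection landed on the tunnel group the L2TP/IPsec documentation expects. The sample log is constructed from lines in the post and shortened; `DefaultRAGroup` as the expected group follows the replies above.

```python
import re
from collections import Counter

# Constructed sample in the format of the ASA IKEv1 debug output quoted in
# the original post (shortened to the lines that matter for triage).
SAMPLE_LOG = """\
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 372
Oct 28 10:49:16 [IKEv1 DEBUG]: IP = 50.82.115.204, Received xauth V6 VID
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, Connection landed on tunnel_group RA-IPSEC
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Oct 28 10:49:16 [IKEv1]: IP = 50.82.115.204, All IKE SA proposals found unacceptable!
"""

PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
TUNNEL_GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
# "Group Description" is the IKE phase 1 Diffie-Hellman group attribute; the
# ASA logs one mismatch line per proposal it rejects.
PHASE_FAIL_RE = re.compile(
    r"Phase (?P<phase>[12]) failure:\s+Mismatched attribute types for class "
    r"(?P<attr>.+?):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$"
)

def triage_ike_debug(log_text: str, expected_group: str = "DefaultRAGroup") -> dict:
    """Summarise ASA IKEv1 debug lines for one peer into a triage dict."""
    result = {
        "peer": None,
        "tunnel_group": None,
        "landed_on_expected_group": None,
        "failed_phase": None,
        "mismatches": Counter(),     # (attribute, received, configured) -> count
        "proposals_rejected": False,
    }
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m and result["peer"] is None:
            result["peer"] = m.group(1)
        m = TUNNEL_GROUP_RE.search(line)
        if m:
            result["tunnel_group"] = m.group(1)
            result["landed_on_expected_group"] = m.group(1) == expected_group
        m = PHASE_FAIL_RE.search(line)
        if m:
            result["failed_phase"] = int(m.group("phase"))
            key = (m.group("attr"), m.group("rcvd").strip(), m.group("cfgd").strip())
            result["mismatches"][key] += 1
        if "All IKE SA proposals found unacceptable" in line:
            result["proposals_rejected"] = True
    return result
```

Run against the post's log, the output says phase 1 failed on the DH group attribute (peer offered a group the ASA reports as Unknown, ASA configured Group 2) and that the connection landed on RA-IPSEC rather than DefaultRAGroup, which is exactly the two points the replies raise.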