
L2TP/IPSec Error 720

rmujeeb81
Level 1

Dear All,

I am trying to establish an L2TP/IPSec VPN using ASA 8.4(2) and Windows 7 (64-bit), but I am getting error 720 while trying to connect from the Windows 7 PC.

Kindly find the attached configuration and error snapshot.


rmujeeb81
Level 1

Dear All,

Kindly advise, what could be the root cause?

Thanks for your support.

czaja0000
Level 1

Hi,

1. The ASA's configuration looks correct, but I don't understand why you use a DHCP server if you indicate a VPN pool.

tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy DefaultRAGroup
 dhcp-server 10.10.1.6

2. Verify that the addresses of the VPN pool don't overlap with the local address of your computer.

3. Maybe the cause is in Windows 7. Check it out.

Rebuild the TCP/IP stack by opening a command prompt and entering the following command:

netsh int ip reset >> ResetIP.log

Next, restart the computer and try again to establish the L2TP connection.

________________

Best regards,
MB


Hi,

Yes, DHCP was unnecessary, and there is no overlap between the VPN pool and the local network.

I tried point #3 as well but no luck; the same error is appearing.

Regards,

MS

Usually debugging is used in these kinds of situations.

Do the

debug crypto ikev1

debug crypto ipsec

and see what's happening when you're trying to establish the connection.

Plus, though it's not critical, I wouldn't rely on the default tunnel-group/group-policy configurations. It's always better to create some new ones and tune them.

Shaoqin Li
Level 3

Get debug or set buffer log to debug and paste the log here. 720 looks like a phase 1 policy mismatch.

Sent from Cisco Technical Support iPhone App

Hi Shaoqin,

Kindly find the attached output of 'debug crypto ikev1' and nothing is coming against 'debug crypto ipsec'.

Regards,

Mujeeb

In the debug provided, username test is used for the connection.

The only username that may be used, having what's in your running config, is l2tp:

username l2tp password 31XddrF4FUa04JqfYDr2Jw== nt-encrypted

So, check again what username/password is used for the connection, and change it to l2tp/password-for-l2tp-user.

Hi Andrew,

The problem was due to "no vpn-addr-assign local" command which was mistakenly part of the configuration.

Regards,

Mujeeb

Ok, good to know.
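
The two configuration points raised in this thread (the stray "no vpn-addr-assign local" and the DHCP server configured alongside the address pool) can be checked offline against a saved running-config. The script below is an added example, not code from any poster or from Cisco; the function name, finding codes and sample text are hypothetical, and it assumes sub-commands are indented as in "show running-config" output.

```python
import re

# Constructed sample built only from lines quoted in this thread.
SAMPLE_CONFIG = """\
no vpn-addr-assign local
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 default-group-policy DefaultRAGroup
 dhcp-server 10.10.1.6
"""

def audit_address_assignment(config):
    """Return (tunnel_group, finding_code) tuples for address-assignment problems."""
    disabled = set()   # methods turned off by "no vpn-addr-assign <method>"
    groups = {}        # tunnel-group name -> {"pools": [...], "dhcp": [...]}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # skip blanks and "!" separators
        if not raw[0].isspace():          # top-level command closes any open block
            current = None
            m = re.match(r"no vpn-addr-assign (aaa|dhcp|local)\b", line)
            if m:
                disabled.add(m.group(1))
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                current = groups.setdefault(m.group(1), {"pools": [], "dhcp": []})
            continue
        if current is None:
            continue                      # sub-command of a block we do not audit
        words = line.split()
        if words[0] == "address-pool":
            current["pools"].extend(w for w in words[1:] if not w.startswith("("))
        elif words[0] == "dhcp-server":
            current["dhcp"].extend(words[1:2])
    findings = []
    for name, g in groups.items():
        if g["pools"] and "local" in disabled:
            # The pool is referenced but local assignment is globally disabled,
            # so the client never receives an address from it.
            findings.append((name, "LOCAL_POOL_DISABLED"))
        if g["pools"] and g["dhcp"]:
            # Both sources configured; one of them is redundant.
            findings.append((name, "POOL_AND_DHCP"))
    return findings

if __name__ == "__main__":
    for group, code in audit_address_assignment(SAMPLE_CONFIG):
        print(f"{group}: {code}")
```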
