L2TP/IPSEC NAT-T Remote Access VPN ASA/PIX - Multiple users behind one NAT address

sergej.tiurin
Level 1

Hello,

We have l2tp/ipsec vpn configured on ASA 8.3 and with interface external IP serving as VPN connection point. (no pre-firewall natting)

NAT-T is enabled.

All works well as long as only one user is connected from any internet NATted device. We can see in 'show vpn-sessiondb' and the IPsec SAs that NAT-T is being used.

Every consecutive VPN connection from behind same NAT address is failing to establish. Phase 1 succeeds, but not the IPSEC.

We can also see from the debugging that the NAT router properly PATs the source port for the new connections.

I must mention that we have the same configuration on PIX 7.2 and it works fine!

Any ideas? Is this some kind of a known bug?

Some key extracts from IPsec debugging:

Duplicate Phase 1 packet detected.  Retransmitting last packet.

P1 Retransmit msg dispatched to MM FSM

Received encrypted packet with no matching SA, dropping

Edited initial post as I have mistaken about PIX behaviour, PIX is working fine but not the ASA.

7 Replies

Hi,

If you turn on NAT-T it should take care of the problem.

Is NAT traversal enabled?

"show run crypto isakmp"

Thanks.

Portu.

Please rate any helpful posts

Cheers jportugu, NAT-T is enabled.

vpn-sessiondb for active connections shows that l2tp session is running within nat-t ipsec.

Output as you requested

asa(config)# show run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 15

I see.

Have you tried with the Cisco VPN client?

Thanks.

No, we have not tried it. This will not prove the concept, though. All our users use Windows CMAK generated VPN clients.

We did not have this issue until we upgraded from ASA 7.2.4.

7.2.4 is pretty old - are there any reasons why we can't try the latest 8.2.5?

You are experiencing the issue on 8.3, correct? It was working fine on 7.x, correct?

I would consider an upgrade to the latest 8.3.x release or an upgrade to 8.4.4.

On the other hand, we could also try with IPsec/TCP, but I am not sure if your client supports it.

"crypto isakmp ipsec-over-tcp port 10000"

Thanks.

Please rate any helpful posts

Thanks for your resourceful input guys.

However, I need to stick to the current OS version (higher versions have further bugs with l2tp/vpn and cluster failover) and it must be L2TP/IPSEC VPN.

So I either need to find evidence where Cisco states this is a bug or just get this fixed!

I will have a look in the bug tracker if my account is still eligible to view it.

Wonder if there is any configuration for identifying the remote host.

i.e.

!for VPN HUB
crypto isakmp identity address

Is there a similar syntax on ASA that defines remote host identity to be used?

From debugging I can see that the ASA simply confuses the IKE of the new host with the already connected host. So rekeying is being initiated with the already connected host.
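The confusion described in this thread comes down to how a NAT-T concentrator keys its peer table. The following is an added illustration (not Cisco code, and not a description of ASA internals): it models two L2TP/IPsec clients behind one NAT whose public address is the constructed value 203.0.113.5, and compares a peer table keyed on the source IP alone with one keyed on the (IP, UDP port) tuple that NAT-T provides. The "rekey of an existing peer" handling in add_peer is an assumption chosen to reproduce the symptom reported above.

```python
"""Model of peer/SA lookup on a NAT-T VPN concentrator (added example)."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    src_port: int
    spi: int  # which SA the sender encrypted with


@dataclass
class PeerTable:
    key_on_port: bool  # True = distinguish peers by (IP, port), as NAT-T allows
    sas: dict = field(default_factory=dict)

    def _key(self, ip, port):
        return (ip, port) if self.key_on_port else ip

    def add_peer(self, ip, port, spi):
        """Install a freshly negotiated SA. A key that is already present is
        treated as a rekey of the known peer (assumed model of the reported
        behaviour), so the newcomer's SA is never installed."""
        key = self._key(ip, port)
        if key in self.sas:
            return False
        self.sas[key] = spi
        return True

    def classify(self, pkt):
        """Return what the concentrator does with an inbound ESP-in-UDP packet."""
        spi = self.sas.get(self._key(pkt.src_ip, pkt.src_port))
        if spi is None:
            return "no peer"
        if spi != pkt.spi:
            return "no matching SA, dropped"  # the line seen in the debug above
        return "delivered"


def simulate(key_on_port):
    t = PeerTable(key_on_port)
    nat_ip = "203.0.113.5"  # constructed public address of the NAT router
    t.add_peer(nat_ip, 4500, 0x1111)  # first client keeps UDP 4500
    installed = t.add_peer(nat_ip, 61234, 0x2222)  # second client is PATed
    return {
        "second_sa_installed": installed,
        "client1": t.classify(Packet(nat_ip, 4500, 0x1111)),
        "client2": t.classify(Packet(nat_ip, 61234, 0x2222)),
    }


if __name__ == "__main__":
    print("keyed on IP only :", simulate(False))
    print("keyed on IP+port :", simulate(True))
```

With IP-only keying the second client negotiates Phase 1 but its IPsec traffic is dropped as "no matching SA", while keying on the PATed port lets both sessions coexist.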
