10-28-2012 10:52 AM - edited 02-21-2020 06:26 PM
Hello,
We have L2TP/IPsec VPN configured on ASA 8.3, with the external interface IP serving as the VPN connection point (no pre-firewall NATting).
NAT-T is enabled.
All works well as long as only one user is connected from behind any Internet NAT device. We can see in 'show vpn-sessiondb' and in the IPsec SAs that NAT-T is being used.
Every subsequent VPN connection from behind the same NAT address fails to establish. Phase 1 succeeds, but not IPsec.
We can also see from the debugging that the NAT router properly PATs the source port for the new connections.
I must mention that we have the same configuration on PIX 7.2 and it works fine!
Any ideas? Is this some kind of a known bug?
Some key extracts from IPsec debugging:
Duplicate Phase 1 packet detected. Retransmitting last packet.
P1 Retransmit msg dispatched to MM FSM
Received encrypted packet with no matching SA, dropping
Edited initial post as I was mistaken about PIX behaviour: PIX is working fine, but not the ASA.
10-28-2012 06:59 PM
Hi,
If you turn on NAT-T, it should take care of the problem.
Is NAT traversal enabled?
"show run crypto isakmp"
Thanks.
Portu.
Please rate any helpful posts
10-28-2012 07:18 PM
Cheers jportugu, NAT-T is enabled.
vpn-sessiondb for active connections shows that the L2TP session is running within NAT-T IPsec.
Output as you requested:
asa(config)# show run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 15
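To make the two pieces of evidence in this thread easier to check side by side (the ISAKMP debug messages quoted in the first post and the 'show run crypto isakmp' output above), here is a small triage script. It is an added example, not Cisco code and not anything posted by the participants: it parses the ISAKMP configuration to confirm NAT-T is enabled, groups NAT-T peers by their public NAT address so several clients behind one NAT IP stand out, and counts the three debug messages from the thread per peer address. The "[IKEv1]: IP = a.b.c.d," debug prefix, the peer addresses and the session table are constructed sample data; only the message text and the configuration lines come from the thread.

```python
"""Triage helper for the L2TP/IPsec-behind-NAT symptom discussed in the thread.

Added example, not Cisco code. The debug line prefix, addresses and session
table below are constructed; the config text and debug message bodies are the
ones quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# 'show run crypto isakmp' output from the thread (ASA prints policy
# sub-commands with one leading space; the parser accepts either form).
ISAKMP_RUN = """crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 15
"""

# The three ISAKMP debug messages quoted in the first post.
SIGNATURES = (
    "Duplicate Phase 1 packet detected",
    "P1 Retransmit msg dispatched to MM FSM",
    "Received encrypted packet with no matching SA",
)

# Constructed debug excerpt: text after "IP = a.b.c.d," is from the thread,
# the "[IKEv1]: IP = ..." prefix and the addresses are assumed.
DEBUG_LINES = [
    "[IKEv1]: IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.",
    "[IKEv1]: IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM",
    "[IKEv1]: IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping",
    "[IKEv1]: IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping",
    "[IKEv1]: IP = 198.51.100.7, PHASE 1 COMPLETED",
]

# Constructed NAT-T session summary: two users behind one NAT (second one PAT'd
# to a non-4500 source port, as the thread describes), one user elsewhere.
SESSIONS = [
    {"user": "alice", "public_ip": "203.0.113.10", "udp_port": 4500},
    {"user": "bob", "public_ip": "203.0.113.10", "udp_port": 61234},
    {"user": "carol", "public_ip": "198.51.100.7", "udp_port": 4500},
]


def parse_isakmp(text):
    """Parse 'show run crypto isakmp' into identity, enabled interfaces,
    NAT-T keepalive and per-policy attributes."""
    cfg = {"identity": None, "enabled_on": [], "nat_traversal": None, "policies": {}}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp"):
            policy = None  # any top-level command ends the policy sub-mode
            if m := re.fullmatch(r"crypto isakmp identity (\S+)", line):
                cfg["identity"] = m.group(1)
            elif m := re.fullmatch(r"crypto isakmp enable (\S+)", line):
                cfg["enabled_on"].append(m.group(1))
            elif m := re.fullmatch(r"crypto isakmp nat-traversal(?: (\d+))?", line):
                cfg["nat_traversal"] = int(m.group(1) or 20)  # 20 s keepalive is the ASA default
            elif m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
                policy = int(m.group(1))
                cfg["policies"][policy] = {}
        elif policy is not None:
            key, _, value = line.partition(" ")
            cfg["policies"][policy][key] = value
    return cfg


def nat_traversal_enabled(cfg):
    return cfg["nat_traversal"] is not None


def peers_sharing_nat_ip(sessions):
    """Return {public_ip: [udp_ports]} for public addresses carrying more than one peer."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["public_ip"]].append(s["udp_port"])
    return {ip: sorted(ports) for ip, ports in by_ip.items() if len(ports) > 1}


def signature_counts(debug_lines):
    """Count the thread's three ISAKMP messages per peer address."""
    counts = defaultdict(Counter)
    for line in debug_lines:
        m = re.search(r"IP = (\d{1,3}(?:\.\d{1,3}){3}),", line)
        if not m:
            continue
        for sig in SIGNATURES:
            if sig in line:
                counts[m.group(1)][sig] += 1
    return {ip: dict(c) for ip, c in counts.items() if c}


def assess(cfg, sessions, debug_lines):
    """Combine the three views into a list of human-readable findings."""
    findings = []
    if not nat_traversal_enabled(cfg):
        findings.append("NAT-T is not enabled; check 'crypto isakmp nat-traversal'.")
    sigs = signature_counts(debug_lines)
    for ip, ports in peers_sharing_nat_ip(sessions).items():
        note = f"{ip}: {len(ports)} peers behind one NAT address (UDP ports {ports})"
        if ip in sigs:
            note += f"; debug shows {sigs[ip]}"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in assess(parse_isakmp(ISAKMP_RUN), SESSIONS, DEBUG_LINES):
        print(finding)
```

Feed it your own 'show run crypto isakmp' text and a debug capture and it will tell you, per NAT public address, whether more than one peer is sharing that address and whether the "no matching SA" drops cluster on exactly those addresses, which is the correlation the original poster is describing by hand.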
10-28-2012 07:50 PM
I see.
Have you tried with the Cisco VPN client?
Thanks.
10-29-2012 01:01 AM
No, we have not tried it. This will not prove the concept, though. All our users use Windows CMAK generated VPN clients.
We did not have this issue until we upgraded from ASA 7.2.4.
10-29-2012 01:36 AM
7.2.4 is pretty old. Is there any reason why we can't try the latest 8.2.5?
10-29-2012 05:20 AM
You are experiencing the issue on 8.3, correct? It was working fine on 7.x, correct?
I would consider an upgrade to the latest 8.3.x release or an upgrade to 8.4.4.
On the other hand, we could also try with IPsec/TCP, but I am not sure if your client supports it.
"crypto isakmp ipsec-over-tcp port 10000"
Thanks.
Please rate any helpful posts
10-29-2012 12:09 PM
Thanks for your resourceful input guys.
However, I need to stick to the current OS version (higher versions have further bugs with L2TP/VPN and cluster failover), and it must be L2TP/IPsec VPN.
So I either need to find evidence where Cisco states this is a bug, or just get this fixed!
I will have a look in the bug tracker, if my account is still eligible to view it.
I wonder if there is any configuration for identifying the remote host,
i.e.
!for VPN HUB
crypto isakmp identity address
Is there a similar syntax on ASA that defines remote host identity to be used?
From debugging I can see that the ASA simply confuses the IKE of the new host with the already connected host, so that rekeying is initiated with the already connected host.