l2tp over ipsec asa 5505 %ASA-6-110003 error

Antoniotorres1
Level 1

Hi,

First of all, apologies for my lack of awareness. It's hard managing Cisco routers when you are a newbie. I am learning Cisco as far as I can.

My issue is that I'm trying to set up an L2TP over IPsec VPN connection in my company in order to provide a secure connection; however, I have not been successful so far. When I establish a connection from my home, I get this info from the ASA:

> show crypto isakmp sa:

4   IKE Peer: 188.76.164.162

    Type    : user            Role    : responder

    Rekey   : no              State   : MM_WAIT_MSG3

> Log Viewer

6          Aug 16 2013          14:11:14          110003          87.216.165.41          500          188.76.164.162          500          Routing failed to locate next hop for UDP from identity:87.216.165.41/500 to outside:188.76.164.162/500

Client OS: Windows 7/8 (services: IKE and AuthIP IPsec and IPsec Policy Agent enabled as well, Windows firewall off)

I've tried to find out what's wrong by searching on Google and forums; however, I couldn't find the solution.

Attached is my running config.

Any help is more than welcome.

Best,

Antonio

Accepted Solutions

malshbou
Level 1

Hi Antonio,

It is a routing problem in your ASA.

route outside-other 0.0.0.0 0.0.0.0 192.168.4.1 100

route outside-backup 0.0.0.0 0.0.0.0 192.168.0.1 200

But you terminate the VPN at the outside interface (pppoe), which doesn't have a default route to send traffic back to the L2TP client.

Rule of thumb: Have a default route at the same interface where you terminate remote-access VPN.

To make the test from (188.76.164.162) work, you can add the following route:

route outside 188.76.164.162 255.255.255.255 87.216.40.1  1 

But such a specific route will not be a solution if you expect VPN users to come from different locations. A default route is needed, or alternatively you may move the crypto map to the interface which has the default route.

Regards.
Mashal Alshboul

------------------ Mashal Shboul
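
The routing check described in the accepted answer, as an added example that is not part of the original thread or Cisco's code: it parses the `route` lines quoted above and the 110003 message, then looks for a route covering the destination on the egress interface named in the log. It assumes only static routes matter (connected networks are not modelled); the function and variable names are hypothetical.

```python
import ipaddress
import re

# Static routes quoted in the answer (the full running config is not on the page).
ROUTES = (
    "route outside-other 0.0.0.0 0.0.0.0 192.168.4.1 100\n"
    "route outside-backup 0.0.0.0 0.0.0.0 192.168.0.1 200\n"
)
# Host route the answer proposes for the test client.
HOST_ROUTE = "route outside 188.76.164.162 255.255.255.255 87.216.40.1 1\n"
# Message text of the 110003 log entry from the question.
LOG = ("Routing failed to locate next hop for UDP from "
       "identity:87.216.165.41/500 to outside:188.76.164.162/500")

# Captures the egress interface and destination IP ("to <ifname>:<ip>/<port>").
EGRESS_RE = re.compile(r"\bto\s+([^\s:]+):(\d+\.\d+\.\d+\.\d+)/\d+")


def parse_routes(config):
    """Yield (ifname, network, gateway, metric) for each 'route' line."""
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == "route":
            net = ipaddress.ip_network(f"{f[2]}/{f[3]}")
            metric = int(f[5]) if len(f) > 5 and f[5].isdigit() else 1
            yield f[1], net, f[4], metric


def next_hop(config, log_message):
    """Longest-prefix match limited to the egress interface named in the log.

    Returns the gateway, or None when that interface has no covering route,
    which is the condition the 110003 message reports.
    """
    m = EGRESS_RE.search(log_message)
    if m is None:
        raise ValueError("not a 110003 'Routing failed' message")
    ifname, dst = m.group(1), ipaddress.ip_address(m.group(2))
    hits = [r for r in parse_routes(config) if r[0] == ifname and dst in r[1]]
    if not hits:
        return None
    # Most specific prefix wins; the lower metric breaks ties.
    return max(hits, key=lambda r: (r[1].prefixlen, -r[3]))[2]


if __name__ == "__main__":
    print("as posted:      ", next_hop(ROUTES, LOG))
    print("with host route:", next_hop(ROUTES + HOST_ROUTE, LOG))
```

Run against a full set of `route` lines and any 110003 message, a `None` result points at the interface that needs a route.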
