01-24-2012 07:55 AM
Hello,
I'm trying to connect an Android tablet (ASUS Transformer) to my ASA5510 ver 8.4(2).
I successfully configured it to get "PHASE 2 COMPLETED".
But my droid gives the message "user or password incorrect" and the VPN isn't established.
I use local AAA authentication.
In the debug, I don't see anything, or can't find the appropriate debug.
What can be wrong?
Thx
My debug:
Jan 24 16:18:56 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, Generating Quick Mode Key!
Jan 24 16:18:56 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, NP encrypt rule look up for crypto map dyno 10 matching ACL Unknown: returned cs_id=ad6447a0; rule=00000000
Jan 24 16:18:56 [IKEv1]Group = DefaultRAGroup, IP = *.*.*.*, Security negotiation complete for User () Responder, Inbound SPI = 0x634fc2c8, Outbound SPI = 0x091a27f3
Jan 24 16:18:56 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, IKE got a KEY_ADD msg for SA: SPI = 0x091a27f3
Jan 24 16:18:56 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, Pitcher: received KEY_UPDATE, spi 0x634fc2c8
Jan 24 16:18:56 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, Starting P2 rekey timer: 24480 seconds.
Jan 24 16:18:56 [IKEv1]Group = DefaultRAGroup, IP = *.*.*.*, PHASE 2 COMPLETED (msgid=dff8cc1b)
Jan 24 16:18:56 [IKEv1]IKEQM_Active() Add L2TP classification rules: ip <*.*.*.*> mask <0xFFFFFFFF> port <28053>
%ASA-4-737013: IPAA: Error freeing address 0.0.0.0, not found
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = *.*.*.*, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 766, Reason: L2TP initiated
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, IKE SA MM:b2bec54b rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 1
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, sending delete/delete with reason message
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing blank hash payload
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing IPSec delete payload
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing qm hash pa
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, Active unit receives a delete event for remote peer *.*.*.*.
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, IKE Deleting SA: Remote Proxy *.*.*.*, Local Proxy 192.168.96.2
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, IKE SA MM:b2bec54b terminating: flags 0x01010002, refcnt 0, tuncnt 0
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, sending delete/delete with reason message
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing blank hash payload
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing IKE delete payload
Jan 24 16:18:57 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = *.*.*.*, constructing qm hash payload
Jan 24 16:18:57 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x634fc2c8
Jan 24 16:18:57 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x634fc2c8
Jan 24 16:18:57 [IKEv1]Group = DefaultRAGroup, IP = *.*.*.*, Session is being torn down. Reason: L2TP initiated
Jan 24 16:18:57 [IKEv1]Ignoring msg to mark SA with dsID 401408 dead because SA deleted
01-24-2012 08:07 AM
In your post there is:
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = *.*.*.*, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 766, Reason: L2TP initiated
Check config of the ASA and the remote device.
01-24-2012 08:09 AM
Yes, but what to check?
I don't see the problem
01-24-2012 08:19 AM
You're trying to establish an IPSec session but for some reason it looks like the phone or the ASA (likely the phone) is also trying to establish an L2TP connection once the tunnel is up. The IPsec session doesn't understand L2TP so it terminates the connection.
01-24-2012 08:26 AM
I'm trying an "L2TP/IPsec PSK" connection.
I think it's normal that there is L2TP and IPsec?
01-24-2012 08:29 AM
Maybe someone else has other input but I've never seen those two used together.
01-24-2012 08:40 AM
It may be normal for the phone, but the ASA will not accept an L2TP connection without a valid profile. Since your phone is trying an IPSEC session, and this type of profile is configured, you will only get so far.
Again - check your configuration.
01-24-2012 09:03 AM
Once IPsec establishes, L2TP will negotiate parameters.
Check "debug aaa common 100" and L2TP + PPP debugs on the ASA to know a bit more. It might as well be an authentication problem, as prompted on your phone.
01-25-2012 12:50 AM
Thx,
it's OK now.
The PPP authentication type was bad.
It must be set to PAP. (Cisco documentation for Android says that we must use CHAP or MS-CHAP and not PAP ...)
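The pattern this thread turned on (PHASE 2 COMPLETED, then a 113019 disconnect seconds later with an empty Username) can be picked out of ASA logs mechanically. The following is an added example, not code from the thread or from Cisco; the verdict labels, the 10-second threshold and the sample peer address are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the debug output in the first post; the
# peer address is a documentation address, not a value from the thread.
SAMPLE = """\
Jan 24 16:18:56 [IKEv1]Group = DefaultRAGroup, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=dff8cc1b)
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 192.0.2.10, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 803, Bytes rcv: 766, Reason: L2TP initiated
"""

PHASE2 = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), PHASE 2 COMPLETED")
DISCONNECT = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s,.*Reason: (?P<reason>.+)$"
)
SHORT_SESSION_SECONDS = 10  # assumption: a session this short never authenticated


def triage(log_text):
    """Return one finding per 113019 disconnect, in log order."""
    phase2_done = set()  # (group, ip) pairs whose IPsec SA completed
    findings = []
    for line in log_text.splitlines():
        m = PHASE2.search(line)
        if m:
            phase2_done.add((m["group"].strip(), m["ip"].strip()))
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        key = (m["group"].strip(), m["ip"].strip())
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        user = m["user"].strip()
        if key not in phase2_done:
            verdict = "no-phase2-seen"             # look at IKE/IPsec first
        elif not user and seconds <= SHORT_SESSION_SECONDS:
            verdict = "ipsec-ok-ppp-auth-suspect"  # tunnel up, no user bound
        else:
            verdict = "other"
        findings.append({"peer": key[1], "user": user, "seconds": seconds,
                         "reason": m["reason"].strip(), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding of `ipsec-ok-ppp-auth-suspect` says the IPsec side is fine and the L2TP/PPP and AAA debugs are where to look next.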