
ASA 5510 L2TP VPN


nogero

I've just implemented an ASA 5510 (ASA 8.0(4), ASDM 6.1(5)) and am trying to get the remote vpn working with Windows L2TP clients. I am using the default RA group and have followed the instructions at
**note, that I had to use SHA instead of MD5**

In testing clients can connect from my DMZ, but clients cannot connect from the Public Internet. When they try to connect I can see on the ASDM log viewer that they get through to the firewall and the following errors come up.

IP=xxx.xxx.xxx.xxx, Header invalid, missing SA payload (next payload=4)

IP=xxx.xxx.xxx.xxx, Removing peer from peer table, no match

Group DefaultRAGroup, IP=xxx.xxx.xxx.xxx, Error: Unable to remove peer entry

Any help would be appreciated...
 
Post a full scrubbed config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
For starters here is the error that is logged on the ASA when a user tries to login. Remember when a user logs in from my DMZ they can connect fine to the ASA. This error comes from a user on Internet.

4|Feb 10 2009|10:10:32|713903|||||Group = DefaultRAGroup, IP = 71.111.178.132, Error: Unable to remove PeerTblEntry

3|Feb 10 2009|10:10:32|713902|||||Group = DefaultRAGroup, IP = 71.111.178.132, Removing peer from peer table failed, no match!

7|Feb 10 2009|10:10:32|713236|||||IP = 71.111.178.132, IKE_DECODE SENDING Message (msgid=2cd862d9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

7|Feb 10 2009|10:10:32|715046|||||Group = DefaultRAGroup, IP = 71.111.178.132, constructing qm hash payload

7|Feb 10 2009|10:10:32|715046|||||Group = DefaultRAGroup, IP = 71.111.178.132, constructing IKE delete payload

7|Feb 10 2009|10:10:32|715046|||||Group = DefaultRAGroup, IP = 71.111.178.132, constructing blank hash payload

7|Feb 10 2009|10:10:32|713906|||||Group = DefaultRAGroup, IP = 71.111.178.132, sending delete/delete with reason message

7|Feb 10 2009|10:10:32|713906|||||Group = DefaultRAGroup, IP = 71.111.178.132, IKE SA MM:37445713 terminating: flags 0x01000002, refcnt 0, tuncnt 0

7|Feb 10 2009|10:10:32|715065|||||Group = DefaultRAGroup, IP = 71.111.178.132, IKE MM Responder FSM error history (struct &0xd5fbe528) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG

7|Feb 10 2009|10:10:00|713236|||||IP = 71.111.178.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

7|Feb 10 2009|10:10:00|713906|||||Group = DefaultRAGroup, IP = 71.111.178.132, Generating keys for Responder...

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, Connection landed on tunnel_group DefaultRAGroup

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, computing NAT Discovery hash

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing NAT-Discovery payload

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, computing NAT Discovery hash

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing NAT-Discovery payload

7|Feb 10 2009|10:10:00|715048|||||IP = 71.111.178.132, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing VID payload

7|Feb 10 2009|10:10:00|715038|||||IP = 71.111.178.132, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

7|Feb 10 2009|10:10:00|715048|||||IP = 71.111.178.132, Send IOS VID

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing xauth V6 VID payload

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing Cisco Unity VID payload

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing nonce payload

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing ke payload

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, computing NAT Discovery hash

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing NAT-Discovery payload

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, computing NAT Discovery hash

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing NAT-Discovery payload

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing nonce payload

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing ISA_KE payload

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing ke payload

7|Feb 10 2009|10:10:00|713236|||||IP = 71.111.178.132, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 232

7|Feb 10 2009|10:10:00|713236|||||IP = 71.111.178.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing Fragmentation VID + extended capabilities payload

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing NAT-Traversal VID ver 02 payload

7|Feb 10 2009|10:10:00|715046|||||IP = 71.111.178.132, constructing ISAKMP SA payload

7|Feb 10 2009|10:10:00|715028|||||IP = 71.111.178.132, IKE SA Proposal # 1, Transform # 2 acceptable Matches global IKE entry # 3

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing IKE SA payload

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing VID payload

7|Feb 10 2009|10:10:00|715049|||||IP = 71.111.178.132, Received NAT-Traversal ver 02 VID

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing VID payload

7|Feb 10 2009|10:10:00|715049|||||IP = 71.111.178.132, Received Fragmentation VID

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing VID payload

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing VID payload

7|Feb 10 2009|10:10:00|713906|||||IP = 71.111.178.132, Oakley proposal is acceptable

7|Feb 10 2009|10:10:00|715047|||||IP = 71.111.178.132, processing SA payload

7|Feb 10 2009|10:10:00|713236|||||IP = 71.111.178.132, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312
 
Perhaps one device is having a problem with its dead peer detection... post your scrubbed config.
 
I discovered through looking at the ASA logs and VPN client logs that UDP port 4500 was being blocked by my ISP. Once they opened it, the Cisco VPN IPsec client connected with no issues on Windows XP and Windows Vista computers. For now using that client will work, and eventually I may move over to the AnyConnect client.
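The log excerpt posted earlier and this resolution fit together: the ASA sent main mode message 4 (KE + NONCE + NAT-D) at 10:10:00, then sat in MM_WAIT_MSG5 until a timeout at 10:10:32, and once NAT-T has been negotiated and a NAT is detected, message 5 onward travels on UDP/4500 rather than UDP/500. The following triage script is an added example, not code from the thread or from Cisco. It parses the pipe-delimited ASDM log viewer format shown above (severity|date|time|syslog id|||||text, fed oldest-first), reconstructs which IKE phase 1 payloads went in each direction, reads the responder FSM error history, and reports whether the exchange stalled after MM4 with NAT-T in play (so UDP/4500 reachability is the first thing to check), stalled without NAT-T, or got past MM5 and failed authentication. The sample log is constructed from the thread's message text with a documentation peer address (203.0.113.10), and the verdict strings are this example's own.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ASDM log viewer lines quoted in the thread,
# written oldest-first. The peer address is an RFC 5737 documentation address.
SAMPLE_LOG = """\
7|Feb 10 2009|10:10:00|713236|||||IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312
7|Feb 10 2009|10:10:00|715049|||||IP = 203.0.113.10, Received NAT-Traversal ver 02 VID
7|Feb 10 2009|10:10:00|713236|||||IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Feb 10 2009|10:10:00|713236|||||IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 232
7|Feb 10 2009|10:10:00|713236|||||IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Feb 10 2009|10:10:32|715065|||||Group = DefaultRAGroup, IP = 203.0.113.10, IKE MM Responder FSM error history (struct &0xd5fbe528) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
7|Feb 10 2009|10:10:32|713236|||||IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=2cd862d9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
3|Feb 10 2009|10:10:32|713902|||||Group = DefaultRAGroup, IP = 203.0.113.10, Removing peer from peer table failed, no match!
"""

# severity|date|time|syslog id|||||text  (the empty columns are collapsed by \|+)
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<sid>\d+)\|+(?P<text>.*)$")
DECODE_RE = re.compile(
    r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<mid>[0-9a-f]+)\)"
    r" with payloads : (?P<payloads>.*?) total length"
)
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>: (?P<hist>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one ASDM log viewer line into severity, timestamp, syslog id and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
    return {"sev": int(m["sev"]), "ts": ts, "sid": m["sid"], "text": m["text"]}


def payload_names(decode_match: "re.Match") -> List[str]:
    """'HDR + KE (4) + NONCE (10) + NONE (0)' -> ['HDR', 'KE', 'NONCE', 'NONE']."""
    return [p.split(" (")[0].strip() for p in decode_match["payloads"].split(" + ")]


def fsm_events(text: str) -> List[Tuple[str, str]]:
    """Return (state, event) pairs from an FSM error history line, newest first."""
    m = FSM_RE.search(text)
    if not m:
        return []
    events = []
    for seg in m["hist"].split("-->"):
        parts = [s.strip() for s in seg.split(",")]
        if len(parts) == 2:          # a trailing bare event (no state) is dropped
            events.append((parts[0], parts[1]))
    return events


def triage(log_text: str) -> Dict[str, object]:
    """Classify a failed IKEv1 main mode exchange from responder-side ASA logs."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])       # stable: same-second order is kept
    nat_t_vid = nat_d_exchanged = mm5_received = False
    last_mm_send: Optional[datetime] = None   # time of the last phase 1 message we sent
    delete_sent: Optional[datetime] = None    # time we gave up and sent DELETE
    events: List[Tuple[str, str]] = []
    for r in records:
        text = r["text"]
        if "Received NAT-Traversal" in text:
            nat_t_vid = True                  # peer advertised NAT-T support
        events.extend(fsm_events(text))
        d = DECODE_RE.search(text)
        if not d:
            continue
        names = payload_names(d)
        if d["mid"] == "0":                   # msgid 0 = phase 1 (main mode)
            if d["dir"] == "SENDING":
                last_mm_send = r["ts"]
                if "NAT-D" in names:
                    nat_d_exchanged = True    # MM3/MM4 carried NAT discovery hashes
            elif "ID" in names:
                mm5_received = True           # MM5 is the first message carrying ID
        elif d["dir"] == "SENDING" and "DELETE" in names:
            delete_sent = r["ts"]
    stall = int((delete_sent - last_mm_send).total_seconds()) if delete_sent and last_mm_send else None
    timed_out_at_mm5 = ("MM_WAIT_MSG5", "EV_TIMEOUT") in events
    if timed_out_at_mm5 and not mm5_received and nat_t_vid and nat_d_exchanged:
        verdict, advice = "stalled_after_mm4_nat_t", (
            "MM4 was sent with NAT-D but MM5 never arrived. With NAT-T negotiated and a NAT "
            "detected, MM5 onward uses UDP/4500: confirm UDP/4500 is allowed end to end.")
    elif timed_out_at_mm5 and not mm5_received:
        verdict, advice = "stalled_after_mm4_no_nat_t", (
            "MM5 never arrived and NAT-T was not negotiated: check the UDP/500 path and the client logs.")
    elif mm5_received and any(ev == "EV_PROB_AUTH_FAIL" for _, ev in events):
        verdict, advice = "auth_failed_after_mm5", (
            "MM5 arrived but authentication failed: check the tunnel-group pre-shared key and IKE policy.")
    else:
        verdict, advice = "no_known_pattern", "No recognised main mode failure pattern in these lines."
    return {"verdict": verdict, "advice": advice, "stall_seconds": stall, "nat_t_vid": nat_t_vid,
            "nat_d_exchanged": nat_d_exchanged, "mm5_received": mm5_received, "fsm_events": events}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], f"(stalled {result['stall_seconds']}s after MM4)")
    print(result["advice"])
```

The ASDM log viewer lists newest entries first, so reverse an export before feeding it to `triage`; the stable sort then keeps same-second ordering intact. Note that EV_PROB_AUTH_FAIL also appears in the history when MM5 simply times out, which is why the script only reports an authentication failure once an ID payload has actually been received.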
 