Re: ASA 5505 doesn't seem to recognize L2TP packets



On 28 Apr, 14:56, wci...@xxxxxxxxxxxxxx wrote:
Hi, I just configured L2TP-over-IPsec on an ASA5505 as described in the
Cisco Configuration Guideline.

When I try to connect from a Windows machine nothing happens. So I
captured udp1701 packets at the outside interface to see if these
packets arrive at the outside interface at all. In the capture I can
see the packets arriving as I thought they should. But the ASA doesn't
seem to be too interested in these packets, because there is nothing
happening at all.

I tried every debug command I could find in the CLI guide to check if
there's anything that might help me debug, but it's as though the
packets don't reach the ASA - but still I can see them arriving at
the outside interface.

On the ASA there are also several L2L and VPN clients configured (static
crypto maps and one dynamic map for the VPN clients) which work perfectly
well - perhaps there's something preventing the ASA from processing
these L2TP packets? (Ethereal confirms that these packets are valid
L2TP on udp1701 when I fetch the capture file from the ASA.)

I hope someone can give me a hint why the ASA doesn't like to process
the L2TP packets, or at least a hint how I can get some debug
information; without it I'm obviously not able to debug anything.
That doesn't mean that I didn't check the config twice, three, four,
five times so far.

Regards,
Heiko

Heiko,

Hello.

I had a look at the Cisco website and the following link proved
really useful:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

A couple of key points:

Use only the default tunnel group and default group policy on the
Cisco PIX/ASA. User-defined policies and groups do not work.

The security appliance does not establish an L2TP/IPsec tunnel with
Windows 2000 if either Cisco VPN Client 3.x or Cisco VPN 3000 Client
2.5 is installed.

Check it out, there is more detail to help you.

Regards

Darren
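As an added illustration of the first key point, here is a minimal ASA configuration for L2TP/IPsec with pre-shared keys that uses only the built-in DefaultRAGroup tunnel group and its default group policy. This is not from the thread or the linked Cisco document; the pool range, transform-set and map names, and the pre-shared key are placeholders, and the ISAKMP/IPsec commands assume the ASA 7.x/8.0-era syntax in use when this thread was written.

```cisco
! L2TP/IPsec from Windows uses IPsec transport mode, so the transform set
! must be set to transport (the default, tunnel mode, will not match)
crypto ipsec transform-set L2TP-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TRANS mode transport

! Dynamic map for the remote-access (L2TP) clients; placeholder names
crypto dynamic-map L2TP-DYN 20 set transform-set L2TP-TRANS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic L2TP-DYN
crypto map OUTSIDE-MAP interface outside

crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Placeholder address pool handed to L2TP clients
ip local pool L2TP-POOL 192.168.50.1-192.168.50.50

! Default group policy: only the built-in one is used, per the key point above
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec

! Default tunnel group: again the built-in DefaultRAGroup, no user-defined group
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
```

After applying this, `show crypto isakmp sa` and `show vpn-sessiondb` on the ASA show whether the IPsec phase completes before any L2TP is expected to be processed.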



