
L2TP fails after a few days but only for one remote branch office

I spent all last week digging through articles here, Google, Cisco, etc. I found a lot of information - but none that really addresses my problem.

My Cisco ASA 5505 'terminates' - i.e. acts as the L2TP server (via RADIUS to an internal domain controller) for multiple remote access clients throughout the state. They all use Windows operating systems (usually XP Pro or Vista) and the native Windows L2TP capability.

Everything was running fine for at least two weeks then the problem started. After an average of 2 days, all remote L2TP clients AT ONE SPECIFIC BRANCH OFFICE fail to connect. They receive the classic error "remote computer is not responding". During this time, I can see via ASA logs that the connection attempts reach the ASA and seem to complete hand shake as far as the ASA can tell. But the end result is a failed connection. Also, during this time, ANYONE else outside of that branch office - but just as remote - CAN in fact connect via L2TP.

A reload of the ASA gets everything working again for another couple of days then the problem starts again.

The two things that really bug me about it are (1) a reload of the ASA temporarily corrects the problem; and (2) it only affects one branch office. I have no administrative control over the branch office, and as such cannot manipulate their NetScreen firewall. They are a business-class DSL subscriber, and all outgoing connections to the internet all appear to be sourced from the same IP - not a proxy like some. Below is the 'scrubbed' config. Many thanks to anyone with advice.

sh run
: Saved
ASA Version 8.0(3)
hostname myhost
domain-name myhost.local
enable password blablabla encrypted
<a bunch of names>
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name myhost.local
same-security-traffic permit intra-interface
object-group network www-servers
 network-object host web035-out
 network-object host web036-out
 network-object host testserver-out
object-group icmp-type icmp-traffic
 icmp-object source-quench
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
 icmp-object echo
access-list out-to-in extended permit icmp any any object-group icmp-traffic
access-list out-to-in extended permit tcp any object-group www-servers eq 3389
access-list out-to-in extended permit tcp any object-group www-servers eq www
access-list out-to-in extended permit tcp any object-group www-servers eq https
access-list inside-networks extended permit ip any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any
pager lines 24
logging enable
logging buffer-size 10000
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside-networks
nat (inside) 1
nat (outside) 1
static (inside,outside) web035-out web035-in netmask
static (inside,outside) web036-out web036-in netmask
static (inside,outside) testserver-out testserver-in netmask
access-group out-to-in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS protocol radius
aaa-server IAS host web035-in
 key jupiter
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http testserver-in inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh inside
ssh outside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value nrhosting.local
username user1 password blabla1 encrypted privilege 15
username user2 password blabla1 encrypted privilege 15
username user3 password blabla1 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 authentication-server-group IAS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect sqlnet
service-policy global_policy global
prompt hostname context
: end

1 Solution

Can you please provide a "sh ver" output from the firewall?

Which ASA version are you using? Is the ASA version the same as the VPN peer's?
Is the licensing the same as the VPN peer's?


neilpage99Author Commented:
Here's my "sh ver"

fw1(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"

fw1 up 1 day 23 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001f.ca7c.d878, irq 11
 1: Ext: Ethernet0/0         : address is 001f.ca7c.d870, irq 255
 2: Ext: Ethernet0/1         : address is 001f.ca7c.d871, irq 255
 3: Ext: Ethernet0/2         : address is 001f.ca7c.d872, irq 255
 4: Ext: Ethernet0/3         : address is 001f.ca7c.d873, irq 255
 5: Ext: Ethernet0/4         : address is 001f.ca7c.d874, irq 255
 6: Ext: Ethernet0/5         : address is 001f.ca7c.d875, irq 255
 7: Ext: Ethernet0/6         : address is 001f.ca7c.d876, irq 255
 8: Ext: Ethernet0/7         : address is 001f.ca7c.d877, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: blah blah blah
Running Activation Key: <some long key>
Configuration register is 0x1
Configuration has not been modified since last system restart.

This is a remote access style VPN - so no device (peer) on the other end, the clients are using native L2TP from their operating system, which is Win XP Pro and Vista 32-bit.
Have you tried reloading the ASA? There is a bug in the ASA version you have that causes this to happen. Check out this link (you will need to log in). It may or may not apply to your ASA, but if you reload both ASAs and it works then . .

neilpage99Author Commented:
I don't have an account or SmartNet with Cisco so I can't log in.

I have read about L2L (Site-to-Site) VPNs needing their ASAs reloaded - but not where it refers to L2TP. Also, as I noted in my first post, this only affects hosts from one specific remote site. As this is a remote access style VPN, many hosts from different parts of the state are roaming and using the L2TP feature. When the problem occurs, it only affects hosts at one particular remote site.

Yes it is suspicious that rebooting the ASA fixes it temporarily. But it is equally suspicious that it only affects remote users in one particular location. In fact, when that particular location experiences this problem, other remote hosts are still able to connect without a problem.
*First I would update to the latest version of ASA, 8.0(4) [publicly available; there are newer releases, but TAC has to offer them]. In the release notes there are a few patches/updates in the Remote Access area among other things.
*When I first experienced this issue I, like you, realized that some things worked and some things didn't for remote access. Very odd, and to make things more complicated my configurations were spot on. After speaking with TAC they said there isn't anything they can do but have a Senior Engineer have a look at the configurations and suggest a workaround. That equals there is no solution. . .
*Since after rebooting the ASAs traffic works the way you want it to, the configuration is correct (remember the ASA either permits traffic or denies it; there's no in between).
Here is the output from the bug posting on Cisco's website.
I should also mention they claim it's been fixed but it really hasn't been. . .

Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI  

- Remote Access clients can successfully connect but not access resources on the internal network
- Packets destined for the remote side of an L2L tunnel are not being encrypted
- Traffic is not encrypted with correct SPI


- "show crypto ipsec sa" shows decrypts, but no encrypts
- "show asp table classify crypto" show multiple entries for traffic
- vpn-context from "show asp table vpn-context det" that matches asp table entry with hitcounts increasing has a SPI that isn't valid (it isn't found in "show crypto ipsec sa")
- vpn-context with valid SPI isn't used
- Packet capture on outside interface shows encrypted packets going to remote peer


- Reload the PIX/ASA
- Fixed by change for CSCsh66576. Refer to that bug number for availability.  
Problem: With roughly 1500 L2TP/IPSec sessions established, you may see cases when isolated clients can no longer connect to the ASA. The error on the client states:' 678 unable to connect.'
Workaround: In such cases, you may need to reload the ASA.

Further Problem Description:
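The identification steps quoted in the bug text above (decrypts but no encrypts in "show crypto ipsec sa", and a hit-taking vpn-context whose SPI is not among the current outbound SAs) can be checked offline against saved CLI output rather than by eye. The following Python script is an added example, not from this thread or from Cisco; the two sample outputs are constructed for it and only approximate ASA 8.0 formatting, and the function names are the example's own. It parses both outputs, then reports any peer that decrypts without encrypting and any encrypt-side context whose SPI has no matching outbound SA but is still counting packets.

```python
"""Offline triage for the 'invalid SPI in ASP table' symptom.

Sample outputs are constructed for this example and only approximate
real ASA 8.0 'show crypto ipsec sa' / 'show asp table vpn-context detail'
formatting; extra fields in real output are simply ignored by the parsers.
"""
import re

# Constructed sample: peer 198.51.100.7 decrypts but never encrypts,
# peer 192.0.2.44 is healthy.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.1

      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
      outbound esp sas:
        spi: 0x5E6F7A8B (1584495243)

      current_peer: 192.0.2.44, username: user2
      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 901, #pkts decrypt: 901, #pkts verify: 901
      inbound esp sas:
        spi: 0x0000AAAA (43690)
      outbound esp sas:
        spi: 0x0000BBBB (48059)
"""

# Constructed sample: two encrypt contexts for 198.51.100.7; the one taking
# the hits carries a SPI that no longer exists in SAMPLE_IPSEC_SA.
SAMPLE_VPN_CONTEXT = """\
VPN CTX  = 0x0005FF54
Peer IP  = 198.51.100.7
State    = UP
Flags    = ENCR+ESP
SPI      = 0xDEADBEEF
Pkts     = 412

VPN CTX  = 0x0005FF60
Peer IP  = 198.51.100.7
State    = UP
Flags    = ENCR+ESP
SPI      = 0x5E6F7A8B
Pkts     = 0

VPN CTX  = 0x0005FF70
Peer IP  = 192.0.2.44
State    = UP
Flags    = ENCR+ESP
SPI      = 0x0000BBBB
Pkts     = 880
"""

PEER_RE = re.compile(r"current_peer:\s*([\d.]+)")
ENC_RE = re.compile(r"#pkts encrypt:\s*(\d+)")
DEC_RE = re.compile(r"#pkts decrypt:\s*(\d+)")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return {peer: {"encrypt", "decrypt", "inbound": set(), "outbound": set()}}."""
    peers, cur, direction = {}, None, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            cur = peers.setdefault(m.group(1), {"encrypt": 0, "decrypt": 0,
                                                 "inbound": set(), "outbound": set()})
            direction = None
            continue
        if cur is None:
            continue
        m = ENC_RE.search(line)
        if m:
            cur["encrypt"] = int(m.group(1))
            continue
        m = DEC_RE.search(line)
        if m:
            cur["decrypt"] = int(m.group(1))
            continue
        if "inbound esp sas" in line:
            direction = "inbound"
        elif "outbound esp sas" in line:
            direction = "outbound"
        else:
            m = SPI_RE.search(line)
            if m and direction:
                cur[direction].add(int(m.group(1), 16))
    return peers


def parse_vpn_contexts(text):
    """Return encrypt-side contexts as {"ctx", "peer", "spi", "pkts"} dicts."""
    contexts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        if "ENCR" not in fields.get("Flags", ""):
            continue  # only the encrypt direction matters for this symptom
        contexts.append({"ctx": fields.get("VPN CTX", "?"),
                         "peer": fields.get("Peer IP", "?"),
                         "spi": int(fields["SPI"], 16),
                         "pkts": int(fields.get("Pkts", "0"))})
    return contexts


def find_anomalies(sa_text, ctx_text):
    """Cross-check both outputs; each finding is one human-readable line."""
    peers = parse_ipsec_sa(sa_text)
    findings = []
    for peer, rec in peers.items():
        if rec["decrypt"] > 0 and rec["encrypt"] == 0:
            findings.append(f"{peer}: {rec['decrypt']} decrypts but no encrypts")
    for ctx in parse_vpn_contexts(ctx_text):
        valid = peers.get(ctx["peer"], {}).get("outbound", set())
        if ctx["spi"] not in valid and ctx["pkts"] > 0:
            findings.append(f"{ctx['peer']}: encrypt context {ctx['ctx']} uses SPI "
                            f"0x{ctx['spi']:08X} not in outbound SAs ({ctx['pkts']} pkts)")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_IPSEC_SA, SAMPLE_VPN_CONTEXT):
        print(finding)
```

Run it against output copied from the ASA during a failing period, before the reload clears the stale state, so the evidence survives for a TAC case; a peer that shows up in both lists is the pattern the bug posting describes.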
neilpage99Author Commented:
leonjs:  while this doesn't exactly explain what I'm experiencing, it gets close and may be related. No one else has really tried, so thank you for the solution. The only thing that bugs me about it is - why are other hosts able to connect without issue while this one and only one remote location has trouble? A reload of the ASA allows that failing remote location to work again for a while - but they are the only ones that experience the failure. Anyway - I'll hunt for ver 8.0(4). Thanks again.
Question has a verified solution.
