ASA 8.x – L2TP & default Tunnel-groups

I recieved a lesson in research first, configure second today.

I was trying to configure l2tp over IPSEC on an ASA 5510 running version 8.0(2) software and for life of me couldn’t work out why it wasn’t working. I kept getting this error every time I tried to create the tunnel:

%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Can’t find a valid tunnel group, aborting…!
%ASA-3-713902: Group = x.x.x.x, IP = y.y.y.y, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Error: Unable to remove PeerTblEntry
%ASA-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

Google didn’t really turn much information. OK, time to check cisco.com and I found this article.

I made the mistake of jumping straight down to the configuration example, which still left me stumped for as far as I could tell I had configured the ASA correctly.

Then I noticed this line:

Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.”

Arrrgh! I switched the configuration to “tunnel-group DefaultRAGroup” and everything worked great.

Interestingly though I didn’t switch the group-policy from my user-defined policy and the configuration still worked fine.

Advertisements

3 thoughts on “ASA 8.x – L2TP & default Tunnel-groups

  1. The reason that your defined tunnel-group doesn’t work is that the tunnel group name should be the same as the submitted attribute by XP or win2000 group which is usually the host IP. Hence if you want it to work, you have to create a tunnel-group HOST_IP where HOST_IP= 192.168.1.20 for example. If no match was found for the tunnel-group , the default DefaultRAGroup will be assumed.

  2. I have ASA 5510 with Version 8.2(1). the issue still persists in this version too.
    does anybody knows when it will be solved, in what version of software?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s