ASA 8.x – L2TP & default Tunnel-groups

I received a lesson in research first, configure second today.

I was trying to configure L2TP over IPsec on an ASA 5510 running version 8.0(2) software and for the life of me couldn’t work out why it wasn’t working. I kept getting this error every time I tried to create the tunnel:

%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Can’t find a valid tunnel group, aborting…!
%ASA-3-713902: Group = x.x.x.x, IP = y.y.y.y, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Error: Unable to remove PeerTblEntry
%ASA-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

Google didn’t really turn up much information. OK, time to check cisco.com, and I found this article.

I made the mistake of jumping straight down to the configuration example, which still left me stumped, as far as I could tell I had configured the ASA correctly.

Then I noticed this line:

“Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.”

Arrrgh! I switched the configuration to “tunnel-group DefaultRAGroup” and everything worked great.

Interestingly, though, I didn’t switch the group-policy from my user-defined policy and the configuration still worked fine.
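For reference, here is the shape of a working ASA 8.0 L2TP over IPsec configuration built around DefaultRAGroup. This is an added example, not the author’s configuration; the pool name, address range, transform-set and map names are assumptions, and the pre-shared key is a placeholder.

```cisco
! Address pool handed to L2TP clients (assumed name and range)
ip local pool L2TP-POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

! IKE phase 1: Windows L2TP clients negotiate pre-shared key, 3DES/SHA, DH group 2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! IKE phase 2: L2TP/IPsec requires TRANSPORT mode, not the tunnel-mode default
crypto ipsec transform-set TRANS-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS-3DES-SHA mode transport
crypto dynamic-map OUTSIDE-DYN 20 set transform-set TRANS-3DES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic OUTSIDE-DYN
crypto map OUTSIDE-MAP interface outside

! Group policy: the post reports a user-defined policy also worked,
! but the default policy is what the Cisco article calls for
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec

! Tunnel group: must be DefaultRAGroup. A user-defined name such as
! "tunnel-group MY-L2TP type remote-access" produces the 713903
! "Can't find a valid tunnel group" error shown above, because the
! incoming L2TP/IPsec request cannot be matched to a named group.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

The ppp-attributes block disables CHAP in favour of MS-CHAPv2 so that user credentials are not exposed via a weaker PPP authentication exchange; the pre-shared key should be long and random, since every client shares it.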