• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3118
  • Last Modified:

ASA vpn client configuration

I am setting up a new ASA 5520. I am having a little bit of trouble getting the vpn connection up and going I tried both CLI and ASDM VPN wizard with no luck. So I removed everything and tried again from CLI still no luck. Hopefully someone can point out what I am missing. Here is what I currently have for the VPN config. Right now I don't care about split-tunnel so I have left it out.

access-list no-nat extended permit ip any
ip local pool tech mask
group-policy vpngroup internal
group-policy vpngroup attributes
 ipsec-udp enable
crypto ipsec transform-set 3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES/MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set DES/MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES/256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set 3DES/SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal  20
isakmp am-disable
tunnel-group tech type ipsec-ra
tunnel-group tech general-attributes
 address-pool tech
 default-group-policy vpngroup
tunnel-group tech ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
  • 5
  • 3
1 Solution
How are you testing, and what are your symptoms.
Are you testing from actually outside the firewall?
What version client are you using?
Do you get connected at all? If not, what error messages do you get?
wilsjAuthor Commented:
I am trying to connect from outside the network with cisco vpn client version 4.800.0.440. I don't get any error messages the client just tries to connec and eventually stops trying and says not connected.
Can you ping the public IP of the ASA from the client PC?
Open the log window on the client when you try to connect and post the result.
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

wilsjAuthor Commented:
I can ping the ASA's outside interface. Here is what the log says

1      20:21:00.466  09/03/01  Sev=Info/4      CM/0x63100002
Begin connection process

2      20:21:00.486  09/03/01  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100024
Attempt connection with server ""

5      20:21:01.527  09/03/01  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with

6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

7      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

11     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

12     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

13     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     20:21:22.147  09/03/01  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     20:21:22.147  09/03/01  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     20:21:22.157  09/03/01  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

19     20:21:22.167  09/03/01  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

20     20:21:22.187  09/03/01  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

21     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

22     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

23     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

24     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Try this:
  no isakmp am-disable
Do you have any acls on the router in front of this ASA? I'm assuming this is followup to an earlier thread with same configuration?
wilsjAuthor Commented:
lol i just took out the isakmp am-disable and it worked. Thanks again for your help.
Woo hoo!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now