ASA vpn client configuration

Posted on 2007-09-27
Last Modified: 2011-10-03
I am setting up a new ASA 5520. I am having a little bit of trouble getting the VPN connection up and going; I tried both the CLI and the ASDM VPN wizard with no luck. So I removed everything and tried again from the CLI, still no luck. Hopefully someone can point out what I am missing. Here is what I currently have for the VPN config. Right now I don't care about split-tunnel, so I have left it out.

access-list no-nat extended permit ip any
ip local pool tech mask
group-policy vpngroup internal
group-policy vpngroup attributes
 ipsec-udp enable
crypto ipsec transform-set 3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES/MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set DES/MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES/SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES/256 esp-aes-256 esp-sha-hmac
! Dynamic crypto map for remote-access peers (unknown source addresses), bound to outside
crypto dynamic-map dynmap 20 set transform-set 3DES/SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
! Phase 1 policy offered to the client: pre-shared key, 3DES, SHA, DH group 2
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal 20
! Disables IKE aggressive mode. The IPsec VPN client's group pre-shared-key
! authentication uses aggressive mode, so with this line present the ASA never
! answers the client's first packet (this is the line the accepted solution removes).
isakmp am-disable
! Remote-access tunnel group; its name is the group name configured in the client
tunnel-group tech type ipsec-ra
tunnel-group tech general-attributes
 address-pool tech
 default-group-policy vpngroup
tunnel-group tech ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
Question by: wilsj

    Expert Comment

    How are you testing, and what are your symptoms?
    Are you testing from actually outside the firewall?
    What version of the client are you using?
    Do you get connected at all? If not, what error messages do you get?

    Author Comment

    I am trying to connect from outside the network with Cisco VPN Client version 4.800.0.440. I don't get any error messages; the client just tries to connect and eventually stops trying and says not connected.

    Expert Comment

    Can you ping the public IP of the ASA from the client PC?
    Open the log window on the client when you try to connect and post the result.

    Author Comment

    I can ping the ASA's outside interface. Here is what the log says:

    1      20:21:00.466  09/03/01  Sev=Info/4      CM/0x63100002
    Begin connection process

    2      20:21:00.486  09/03/01  Sev=Info/4      CVPND/0xE3400001
    Microsoft IPSec Policy Agent service stopped successfully

    3      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100004
    Establish secure connection using Ethernet

    4      20:21:00.486  09/03/01  Sev=Info/4      CM/0x63100024
    Attempt connection with server ""

    5      20:21:01.527  09/03/01  Sev=Info/6      IKE/0x6300003B
    Attempting to establish a connection with

    6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

    7      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700008
    IPSec driver successfully started

    8      20:21:01.557  09/03/01  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    9      20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to

    11     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    12     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to

    13     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    14     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK AG (Retransmission) to

    15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    16     20:21:22.147  09/03/01  Sev=Info/4      IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    17     20:21:22.147  09/03/01  Sev=Info/4      CM/0x63100014
    Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"

    18     20:21:22.157  09/03/01  Sev=Info/5      CM/0x63100025
    Initializing CVPNDrv

    19     20:21:22.167  09/03/01  Sev=Info/4      IKE/0x63000001
    IKE received signal to terminate VPN connection

    20     20:21:22.187  09/03/01  Sev=Info/4      IKE/0x63000086
    Microsoft IPSec Policy Agent service started successfully

    21     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    22     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    23     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    24     20:21:22.668  09/03/01  Sev=Info/4      IPSEC/0x6370000A
    IPSec driver successfully stopped


    Accepted Solution

    Try this:
      no isakmp am-disable
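    The client log above is the signature of this fix: the client sends an ISAKMP aggressive-mode (OAK AG) proposal, retransmits it three times, and tears the SA down with R_Cookie still all zeros, meaning the ASA never answered at all even though it is pingable. The following Python script is an added example, not code from the thread or from Cisco: it parses the Cisco VPN Client's two-line log format and classifies the Phase 1 outcome so the "am-disable / IKE not enabled / UDP 500 filtered" case can be told apart from a policy or pre-shared-key mismatch (where the gateway does reply). The unanswered sample is an excerpt of the log posted above; the answered sample and the 203.0.113.10 address are constructed for contrast.

```python
"""Triage a Cisco VPN Client 4.x log for a Phase 1 (IKE) failure (added example,
not code from the thread; format assumed from the excerpt posted above)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header line: "<seq> <hh:mm:ss.mmm> <date> Sev=<name>/<n> <subsystem>/0x<code>"
HEADER_RE = re.compile(r"^\s*(?P<seq>\d+)\s+\d{2}:\d{2}:\d{2}\.\d+\s+\S+\s+Sev=\w+/\d\s+"
                       r"(?P<subsys>\w+)/0x[0-9A-Fa-f]+\s*$")
SEND_RE = re.compile(r"SENDING >>> ISAKMP OAK (?P<mode>AG|MM|QM|INFO|TRANS)\b")
RECV_RE = re.compile(r"RECEIVING <<< ISAKMP OAK (?:AG|MM|QM|INFO|TRANS)\b")
REASON_RE = re.compile(r"reason = (?P<reason>DEL_REASON_\w+)")
RCOOKIE_RE = re.compile(r"R_Cookie=(?P<rc>[0-9A-Fa-f]{16})")


@dataclass
class Event:
    seq: int
    subsys: str   # CM, IKE, IPSEC, CVPND, ...
    message: str


def parse_client_log(text: str) -> List[Event]:
    """Pair each header line with the next non-blank line, which carries the message."""
    events: List[Event] = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
        elif header is not None and line.strip():
            events.append(Event(int(header["seq"]), header["subsys"], line.strip()))
            header = None
    return events


@dataclass
class Phase1Triage:
    mode: Optional[str] = None           # first IKE exchange sent: AG (aggressive) or MM (main)
    sends: int = 0                       # IKE packets sent, retransmissions included
    retransmissions: int = 0
    peer_replied: bool = False           # any "RECEIVING <<< ISAKMP" line seen
    responder_cookie_zero: bool = False  # R_Cookie all zeros: no Phase 1 reply ever arrived
    reason: Optional[str] = None         # DEL_REASON_* logged when the IKE SA is torn down
    verdict: str = ""


def triage_phase1(events: List[Event]) -> Phase1Triage:
    """Classify a Phase 1 failure from the IKE subsystem events alone."""
    t = Phase1Triage()
    for ev in events:
        if ev.subsys != "IKE":
            continue
        if (m := SEND_RE.search(ev.message)):
            t.sends += 1
            t.mode = t.mode or m["mode"]
            if "Retransmission" in ev.message:
                t.retransmissions += 1
        elif RECV_RE.search(ev.message):
            t.peer_replied = True
        else:
            if (m := REASON_RE.search(ev.message)):
                t.reason = m["reason"]
            if (m := RCOOKIE_RE.search(ev.message)) and m["rc"] == "0" * 16:
                t.responder_cookie_zero = True
    if t.mode is None:
        t.verdict = "no IKE packet sent: client-side problem"
    elif t.peer_replied:
        t.verdict = "gateway answered Phase 1: read on for a policy or pre-shared-key mismatch"
    elif t.mode == "AG":
        t.verdict = ("aggressive-mode Phase 1 silently dropped by the gateway: on an ASA check "
                     "'isakmp am-disable' (the IPsec client's group PSK auth needs aggressive "
                     "mode), 'isakmp enable <interface>', and UDP/500 filtering in the path")
    else:
        t.verdict = "main-mode Phase 1 never answered: check IKE enablement and UDP/500 reachability"
    return t


# Excerpt of the log posted in the thread (the peer address is elided there as well).
UNANSWERED_LOG = """
6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to
10     20:21:06.615  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to
12     20:21:11.622  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to
14     20:21:16.629  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to
15     20:21:21.636  09/03/01  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=49EB544214EF4382 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
# Constructed contrast case, not from the thread: a gateway at 203.0.113.10 replies.
ANSWERED_LOG = """
6      20:21:01.547  09/03/01  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 203.0.113.10
7      20:21:01.602  09/03/01  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth)) from 203.0.113.10
"""

if __name__ == "__main__":
    for name, log in (("unanswered", UNANSWERED_LOG), ("answered", ANSWERED_LOG)):
        print(name, triage_phase1(parse_client_log(log)).verdict)
```

    One caveat worth keeping in mind when you remove am-disable: it was disabling aggressive mode on purpose. The legacy IPsec client needs aggressive mode for group pre-shared-key authentication, but in aggressive mode the PSK-derived hash is sent before the channel is encrypted, so anyone who can capture that first exchange can run an offline dictionary attack on the group key. Treat the group PSK as a strong, non-guessable secret (and rely on Xauth for the per-user credentials), or move to certificate authentication, where main mode can be used and am-disable can go back in.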

    Expert Comment

    Do you have any ACLs on the router in front of this ASA? I'm assuming this is a follow-up to an earlier thread with the same configuration?

    Author Comment

    lol, I just took out the isakmp am-disable and it worked. Thanks again for your help.

    Expert Comment

    Woo hoo!
