Cisco 5510 VPN client setup

Posted on 2010-11-17
Last Modified: 2012-05-10
I used the wizard to try and quickly configure our ASA5510 to accept VPN connections from the Cisco VPN client.

Here is the current config.

ASA Version 8.2(1)
hostname ASA
domain-name default.domain.invalid
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif    
 no security-level
 no ip address
interface Management0/0
 no nameif    
 no security-level
 no ip address
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list 101 extended permit ip any
access-list 101 extended permit ip
access-list 101 extended permit ip
access-list 101 extended permit ip
access-list 102 extended permit ip
access-list 103 extended permit ip
access-list vpn3000_splitTunnelAcl standard permit
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
ip local pool VPNPool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list 101
nat (Inside) 1
static (Inside,Outside) netmask
access-group Outside-In in interface Outside
route Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto ipsec transform-set Vestal esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set GGS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP 126 match address 103
crypto map VPNMAP 126 set peer
crypto map VPNMAP 126 set transform-set Vestal
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5    
 group 1      
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5    
 group 1      
 lifetime 11000
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5    
 group 1      
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh Outside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value ggs.corp
username user1 password XXXXXXXXXXXXXXX encrypted privilege 15
username user2 password XXXXXXXXXXXXXXX encrypted privilege 0
username user2 attributes
 vpn-group-policy vpn3000
username user3 password XXXXXXXXXXXXXX encrypted privilege 0
username user3 attributes
 vpn-group-policy vpn3000
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
 address-pool VPNPool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
service-policy global_policy global
prompt hostname context
: end

When I run the client and try to connect the log file returns:

Cisco Systems VPN Client Version
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

48     21:18:40.106  11/17/10  Sev=Info/4      CM/0x63100002
Begin connection process

49     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100004
Establish secure connection

50     21:18:40.123  11/17/10  Sev=Info/4      CM/0x63100024
Attempt connection with server ""

51     21:18:40.127  11/17/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with

52     21:18:40.133  11/17/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

53     21:18:40.137  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

54     21:18:40.280  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

55     21:18:40.280  11/17/10  Sev=Info/4      IKE/0x63000014

56     21:18:40.280  11/17/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

57     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

58     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (

59     21:18:40.281  11/17/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (

60     21:18:40.281  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

61     21:18:40.281  11/17/10  Sev=Info/4      IKE/0x63000014

62     21:18:40.282  11/17/10  Sev=Info/5      IKE/0x63000073
All fragments received.

63     21:18:40.282  11/17/10  Sev=Warning/2      IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

64     21:18:40.282  11/17/10  Sev=Info/4      IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

65     21:18:40.282  11/17/10  Sev=Warning/3      IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

66     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

67     21:18:45.224  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

68     21:18:45.348  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

69     21:18:45.348  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

70     21:18:45.351  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

71     21:18:45.351  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

72     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

73     21:18:50.294  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

74     21:18:50.417  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

75     21:18:50.417  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

76     21:18:50.418  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

77     21:18:50.418  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

78     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

79     21:18:55.369  11/17/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to

80     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

81     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

82     21:18:55.537  11/17/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

83     21:18:55.537  11/17/10  Sev=Warning/2      IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)

84     21:19:00.433  11/17/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

85     21:19:00.947  11/17/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A7B6807CE57AB138 R_Cookie=5F49D32CA22C3F93) reason = DEL_REASON_PEER_NOT_RESPONDING

86     21:19:00.947  11/17/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"

87     21:19:00.947  11/17/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

88     21:19:00.963  11/17/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

89     21:19:00.963  11/17/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

90     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

91     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

92     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

93     21:19:01.966  11/17/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

The VPN client never asks for a password.

Need some help to make this work.
Question by:stuart100

Expert Comment

ID: 34161716

Accepted Solution

Pete Long earned 500 total points
ID: 34163818
Here's the problem

I notice all your phase 1 policies have DH group 1 - you might want to try group 2
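A quick way to catch the setting Pete points out across every Phase 1 policy at once: an added Python check (not from the thread or from Cisco) that parses the `crypto isakmp policy` blocks of an ASA 8.2 running-config and flags DH group 1, plus the DES and MD5 choices the wizard left in. The config excerpt is constructed from the one in the question; `parse_isakmp_policies` and `audit_policies` are names chosen here.

```python
import re

# Constructed excerpt modelled on the posted ASA 8.2(1) config (not the full config).
SAMPLE_CONFIG = """\
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5    
 group 1      
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal
"""

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block.
    Indented lines belong to the current block; any other top-level line ends it."""
    policies = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()          # split() also drops trailing whitespace
            if len(parts) == 2:
                current[parts[0]] = parts[1]
        else:
            current = None
    return policies

def audit_policies(policies):
    """Return (priority, reason) findings. Group 1 is the thread's root cause:
    the Cisco VPN Client never completes Phase 1 against it, so every policy
    the client could match must offer group 2 or stronger."""
    findings = []
    for prio, attrs in sorted(policies.items()):
        if attrs.get("group") == "1":
            findings.append((prio, "group 1: VPN Client needs DH group 2 or stronger"))
        if attrs.get("encryption") == "des":
            findings.append((prio, "encryption des: 56-bit key, deprecated"))
        if attrs.get("hash") == "md5":
            findings.append((prio, "hash md5: deprecated, prefer sha"))
    return findings

if __name__ == "__main__":
    for prio, reason in audit_policies(parse_isakmp_policies(SAMPLE_CONFIG)):
        print(f"crypto isakmp policy {prio}: {reason}")
```

Run it against `show running-config crypto isakmp` output; an empty result means no policy still carries the group 1 / DES / MD5 combination.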

Author Closing Comment

ID: 34164417
Group 2 setting did it.

Expert Comment

by:Pete Long
ID: 34165003
:) thanq
