Cisco roaming VPN fails

Posted on 2014-08-13
Last Modified: 2014-09-11
Hi all,
I have an issue I can't fix. Have a Cisco ASA 5505 v9.0(3) which works fine with site to site VPN.
However when I run the Remote Access VPN wizard to enable a roaming VPN for legacy clients it will not connect.
I get the user authentication tab, so I enter my locally defined user and password, then I see "Securing communications channel" then "Not Connected".

Client log shows
568    17:10:50.921  08/13/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F263B2A36FEB6E76 R_Cookie=30FFBCC996336A76) reason = DEL_REASON_IKE_NEG_FAILED

569    17:10:50.921  08/13/14  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

570    17:10:50.999  08/13/14  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

571    17:10:51.966  08/13/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

572    17:10:51.966  08/13/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

573    17:10:51.966  08/13/14  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

574    17:10:51.966  08/13/14  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

On the ASA "debug Crypto ISAKMP" shows

Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, QM FSM error (P2 struct &0xcbb73a48, mess id 0xa282a5ed)!
Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, Removing peer from correlator table failed, no match!
Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, Session is being torn down. Reason: crypto map policy not found

I am at a loss to understand what is going on - it looks like it will connect then will not.

Strangely, I can connect using my iPhone VPN client!
Any help would be gratefully appreciated.
Question by:Alasdairb

    Expert Comment

    by:Pete Long
    What client PC? Windows 8 with IPSEC you might need to do this

    Windows 8 and Cisco (IPSEC) VPN Client


    Accepted Solution

    Sorry for not replying - I didn't get a mail saying I had a response, I thought nobody had answered... As it turns out, the roaming VPN works perfectly everywhere except in the office that uses site-to-site VPN. So I assume the ASAs were getting confused between site-to-site (which was already established and working fine) and me trying to use roaming VPN to the same destination. So I never needed to research any further. So I need to withdraw / close this question somehow....

    Author Comment

    Thanks for taking the time to reply, I will bear this in mind when I finally jump to Windows 8.
    Best regards
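
A triage helper for the two log formats quoted in this thread, as an added example that is not from any poster or from Cisco: it extracts the teardown reason per session from the ASA "debug crypto isakmp" lines and the DEL_REASON_* codes from the VPN client log, so both ends of a failed connection can be compared. The regular expressions are assumptions derived only from the sample lines shown here, and the function and variable names are hypothetical.

```python
import re

# Sample lines copied from the thread above; the peer address is masked as in the post.
# The patterns below are assumptions based only on these samples.
ASA_DEBUG = """\
Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, QM FSM error (P2 struct &0xcbb73a48, mess id 0xa282a5ed)!
Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, Removing peer from correlator table failed, no match!
Aug 13 17:12:25 [IKEv1]Group = RoamingtotheRemoteSite098, Username = abarclay, IP = x.x.217.189, Session is being torn down. Reason: crypto map policy not found
"""
CLIENT_LOG = """\
568    17:10:50.921  08/13/14  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F263B2A36FEB6E76 R_Cookie=30FFBCC996336A76) reason = DEL_REASON_IKE_NEG_FAILED

569    17:10:50.921  08/13/14  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""
ASA_LINE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+\s+[\d:]+) \[IKEv1\]Group = (?P<group>[^,]+), "
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$")
CLIENT_HDR = re.compile(
    r"^(?P<seq>\d+)\s+[\d:.]+\s+\S+\s+Sev=\w+/\d+\s+(?P<comp>\w+)/0x[0-9A-Fa-f]+$")

def asa_teardowns(text):
    """Return one record per torn-down session, with the messages logged before it."""
    pending, out = {}, []
    for line in text.splitlines():
        m = ASA_LINE.match(line)
        if not m:
            continue
        key = (m["group"], m["user"], m["ip"])
        msg = " ".join(m["msg"].split())  # collapse runs of whitespace
        if "torn down" in msg and "Reason:" in msg:
            out.append({"session": key, "reason": msg.split("Reason:", 1)[1].strip(),
                        "context": pending.pop(key, [])})
        else:
            pending.setdefault(key, []).append(msg)
    return out

def client_delete_reasons(text):
    """Return (sequence, component, DEL_REASON_*) for each client entry carrying one."""
    out, hdr = [], None
    for line in text.splitlines():
        m = CLIENT_HDR.match(line.strip())
        if m:
            hdr = m  # header line; the message follows on the next line
        elif hdr and (r := re.search(r"DEL_REASON_\w+", line)):
            out.append((int(hdr["seq"]), hdr["comp"], r.group()))
            hdr = None
    return out
```

On the lines from this thread, the client side only reports a generic negotiation failure, while the ASA side names the specific teardown reason, which is why the ASA debug output is the more useful of the two when triaging.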

