Software VPN Client Logging & Common Issues


Sep 7, 2011 10:20 AM
Sep 7th, 2011

Hello Everyone. Hope you all must be doing fine. Thanks again for the incredible response on my previous blog “”. As promised I have come with this blog that talks about Software VPN client logs and some of the common issues.

So are you ready for this new blog?

Here we go (Please click the images to enlarge them.)

1.  Software VPN Client Logs

To launch VPN client, please refer the following steps---



2.  Software VPN Client Logs Initial Contact

So you will notice the following logs when VPN client initiates the connection.


3.   Software VPN Client Logs Aggressive Mode Exchange

Please refer the following logs generated during aggressive mode exchange--


4.   Software VPN Client Logs XAUTH

During Xauth process you will notice the following logs--


5.   Software VPN Client Logs Mode Config

Please refer the following mode configuration logs--


6.   Software VPN Client Logs Quick Mode Exchange

Refer the following quick mode exchange logs------


7.   Software VPN Client Logs Routing Table

Here the routing table logs for your reference-----


8.  Software VPN Client Logs


9.  For detailed logs, modify “vpnclient.ini”

So here is the way to change the setting of logs level using



10.    An Example For detailed logs, modify “vpnclient.ini”


Common Issues------

Mismatched ISAKMP Policy


So please adjust the hashing algorithm to resolve this issue.

Incorrect Group Name

If the group name does not match, the IOS router displays “group <groupname> does not exist” message.


Incorrect Group Password

If the group password does not match, then the VPN client displays “Hash verification failed...may be configured with invalid group password.” message in the client logs


Incorrect Username or Password

Enable “debug aaa protocol local” or “debug aaa protocol radius” to troubleshoot user authentication specific issues


Possible Caveats in Switching Paths

Symptom: Only see encryption or decryption counter incrementing from “show crypto engine conn active”

Caveats in the switching paths might cause IPSec encryption/decryption failures (mostly seen with hardware encryption)

Workaround: Try different switch paths (CEF, fast switching, process switching)

Process switching can cause Performance issues!!!

That’s all for this blog. Your comments inputs and feedbacks are always welcome!!

Please let me know on what topics you want to see on future blogs.

Thank you very much for your time and interest.

Average Rating: 0 (0 ratings)


Login or Register to take actions

This Blog

Posted September 7, 2011 at 10:20 AM
Comments:0 Avg. Rating:0

Related Content

Blogs Leaderboard