EZ VPN Misbehaving

Unanswered Question
Apr 19th, 2007

Greetings Professionals!

I am trying to configure an ASA 5505 to be an EZ VPN Client. The Server is a PIX 506E with version 6.3. I managed to get it working for the most part, but I find that I often have to go into the ASA and do a no vpnclient enable/vpnclient enable in order to "refresh" the connection. I have no experience with PIX's. I have been reading about IPsec, but I can't say that I am well-versed in that either. I attached the config for the ASA 5505. If necessary, I can attach the config for the 506E. Ultimately, what I need to do is create a VPN connection from a remote site to the central site. For testing purposes, I have a switch that is configured with a vlan that provides live internet access. The e0/0 interface on the ASA is plugged into that. Also on that switch, I have a vlan that simulates the remote site. One of the other ethernet ports is plugged into that vlan, along with my test box. I have tried to look for a pattern--like do I have problems when I unplug/plug it back in? Does it have issues after a certain amount of time? I'm not seeing anything. I do know that everytime I make a change to the config, I have to refresh the connection. Is there a better way than running the command no vpnclient enable/vpnclient enable to do that?

Thanks for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
irisrios Wed, 04/25/2007 - 05:16

The Cisco ASA 5505 can function as a Cisco Easy VPN hardware client (also called "Easy VPN Remote") or as a server (also called a "headend"), but not both at the same time. It does not have a default role. Use one of the following commands in global configuration mode to specify its role:

?vpnclient enable to specify the role of the ASA 5505 as an Easy VPN Remote

?no vpnclient enable to specify the role of the ASA 5505 as server

But PIX 506E supports only Easy VPN client or remote.

Cisco Easy VPN Remote is now available on Cisco 800, 1700, 1800, 2800, 3800, and UBR900 Series routers, Cisco PIX 501 and 506E security appliances

Refer these doc:



kjackson74 Tue, 05/01/2007 - 03:53

Thank you very much for that information. You probably saved me a lot of grief when I place the ASA in production. It will be configured to get its ip via DHCP.


This Discussion