Unanswered Question
Feb 10th, 2009
User Badges:


We just got a UC520 for our small office. I am trying to set up a VPN (which is totally new for me). The VPN should be used from home on a pc with Cisco VPN client installed and should connect to the UC520 in the office and and get an ip address in the data VLAN.

I found an example config in a white paper and tried it but i keep getting the same error message when i try to connect:


001708: Feb 10 03:42:06.484: ISAKMP:(0):Support for IKE Fragmentation not enabled

001709: Feb 10 03:42:06.484: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at

I have attached my config. Could someone please help?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Ivan Martinon Tue, 02/10/2009 - 10:14
User Badges:
  • Cisco Employee,

Go ahead and enter this command on your router:

crypto isakmp fragmentation

Try your connection again.

jcetkoooo Tue, 02/10/2009 - 10:47
User Badges:

Thanks for the quick response. I will give it a shot tomorrow morning. I'm home now and have no VPN access :) I'll let you know.


jcetkoooo Wed, 02/11/2009 - 01:09
User Badges:

Ok I entered the command and it seemed to solve part of my problem. Now the message reads:

002094: Feb 10 20:57:41.867: ISAKMP:(0): MM Fragmentation supported

002095: Feb 10 20:57:41.871: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at

Anything else I can try?

I have also attached a debug crypto isakmp output.

Please let me know.

Ivan Martinon Wed, 02/11/2009 - 08:18
User Badges:
  • Cisco Employee,

Are we sure we have the correct groupname and password on your vpn client profile? Go ahead and enable the vpn client log on the GUI and set all levels to 3, then try to connect and capture the logs.

Ivan Martinon Fri, 02/13/2009 - 07:47
User Badges:
  • Cisco Employee,

Well the log from the client shows the router does not respond, which leads me back to asking, the only static router seen on this router is one to a service engine, I know this router is getting ip address via dhcp, can you get the show ip route from the router and see if you have a default gateway?

jcetkoooo Mon, 02/16/2009 - 01:05
User Badges:


Thanks for sticking with me on this.

It seems that I have a default gateway.

Would you mind checking the attachment (i'm not much of a router guy).

In the attach you will also find the access list which could be a suspect.

Thanks again,



This Discussion