ASA5505 - Cannot connect with Cisco VPN client

Apr 29th, 2009

Using a Cisco VPN Client 5.0 on an ASA5505, I cannot connect with IPsec. I get the following log on the ASA:

....QM FSM error(P2 struct....etc

....All IPSec sa Proposals found unacceptable!

....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)


As I understand, authentication is okay, but the client and ASA cannot find an IKE policy to agree on? I've tried to set up several IKEs (that are listed as supported with the Cisco client) but with the same result. Am I looking in the wrong direction here? Help!

Best regards,


PS: if this message is posted more than 1 time - well, the Cisco apache/tomcat system has been sick for the last hours.

Collin Clark Wed, 04/29/2009 - 12:27

The logging capabilities on the VPN client are very good. I would set all the facilities to High, try and connect, and review the logs. They are usually pretty straightforward in reporting what is not working.

Hope that helps.

