remote access vpn error

Unanswered Question
Aug 7th, 2009

I got the following error while running Remote Access VPN using CA:

I am configuring remote access VPN on a Cisco ASA5500 and I have this error:

Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

Attempt to get Phase 1 ID data failed while constructing ID

Please, what is the cause of this error?

Who has noticed this and what is the solution?

Thanks for your response in advance.

stoneystone Tue, 08/11/2009 - 18:56

Do you have a full config? One thing, do you have a group-policy for 'wcsa_Remote'?

default-group-policy wcsa_Remote - where is this pointing?

mcoroghidaf Wed, 08/12/2009 - 22:49

I thought you were able to see the attachment.

The configuration is below:

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major
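
Added example, not part of the original thread and not Cisco tooling: a short Python check that parses "crypto isakmp policy" blocks like the ones posted above and lists, per policy, which Phase 1 attributes differ from a peer's proposal. The peer proposal is constructed (an assumption); the log in the question only shows that the peer sent Group 1 while a Group 2 policy was being compared.

```python
import re

# The two rsa-sig policies with md5, copied from the config posted above.
ASA_CONFIG = """\
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
"""

# A Phase 1 policy is accepted only if all four of these agree with the peer.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and len(parts) == 2 and parts[0] in MATCH_KEYS:
            current[parts[0]] = parts[1]
        elif line and parts[0] != "lifetime":
            current = None  # any other command ends the policy block
    return policies

def compare_proposal(policies, proposal):
    """For each policy, in priority order, list attributes that differ from the proposal."""
    return {prio: [k for k in MATCH_KEYS if pol.get(k) != proposal[k]]
            for prio, pol in sorted(policies.items())}

# Constructed peer proposal (assumption): the log only shows that the peer sent group 1.
PEER_PROPOSAL = {"authentication": "rsa-sig", "encryption": "3des",
                 "hash": "md5", "group": "1"}

if __name__ == "__main__":
    result = compare_proposal(parse_isakmp_policies(ASA_CONFIG), PEER_PROPOSAL)
    for prio, diffs in result.items():
        print(prio, "match" if not diffs else "mismatch: " + ", ".join(diffs))
```

With this constructed proposal, policy 1000 differs only in the DH group and policy 1100 only in encryption, so neither policy is acceptable as a whole even though each attribute appears somewhere in the config.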

stoneystone Thu, 08/13/2009 - 04:26

You still don't have your full running-config, or at least I couldn't download it.

As far as your problem:

What is this line?

'crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn'

Doesn't that look confusing? You defined certvpn earlier in the config with this: 'crypto ipsec transform-set certvpn esp-aes esp-sha-hmac'

Also: you don't have a transform-set that will work with this:

crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1

From the fragment of the running-config you posted, you have a lot of items that appear as if they could be cleaned up.

mcoroghidaf Thu, 08/13/2009 - 09:00

I have attached it for your ref.

Can you help with the transform-set?

This was added to see if I could get it running:

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn

stoneystone Sun, 08/16/2009 - 15:55

This config file is really confusing. It looks like someone was throwing commands at it to make something work.

What exactly are you trying to do? Are you trying to configure a VPN Client?

stoneystone Sun, 08/16/2009 - 18:59

Here is a config that builds a dynamic vpn, using a vpn client. You need to fill your information in where needed.

! First, set an access-list for split tunnels if you want internet access while connected:
access-list Split_VPN_List permit ip
! Set up the encryption types
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 50 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 50 set reverse-route
crypto map crymap 90 ipsec-isakmp dynamic Outside_dyn_map
group-policy vpnclient internal
group-policy vpnclient attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_VPN_List
! 'NAME'
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 ! If this is the pool you want to use
 address-pool Certvpnip
 ! Use these if you are not using another server for verification of user/password
 ! Group name in your client
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 ! Password in your client
 pre-shared-key 'put_key_here'

See how this works for you.

mcoroghidaf Wed, 08/26/2009 - 23:43

Thanks for the response.

The pre-shared key VPN is working; I only have issues with the CA one.

Your response will be appreciated.

mcoroghidaf Mon, 08/17/2009 - 03:39


That is a remote access VPN using CA authentication.

Also note that there is an existing remote access VPN using a pre-shared key, and that one is working fine.

