ASA 5505 as EZVPN Remote, cannot establish tunnel, all other clients OK.

Unanswered Question
Apr 8th, 2011

I recently picked up a new ASA 5505 to use in a new remote office and I'm having a terrible time getting it to connect via EZVPN to my 2811 ISR. This is my first ASA, although I have worked with PIX in the past. I have several remote 850-series routers and several Windows Cisco VPN Client clients that have no trouble connecting.

The ASA 5505 came with OS 8.2.1, and during the troubleshooting I have upgraded it to 8.4.1, and ASDM to 6.4. All I have done is configure the inside interface subnet and DHCP and set up the EZVPN client. There are no other customizations. I enabled crypto debug vpnclient to see what's going on. What happens is that it tries to establish the tunnel and does contact the 2811 headend, but it gets to the point where it prints the preshared key, hangs for a few seconds, then tears down the config and starts over.

Any thoughts? Like I said, I have IOS EZVPN clients and software clients using this same VPN headend and group and they all connect just fine. It's just the ASA that has a problem. I can disconnect the ASA, plug in a laptop in its place and connect to the headend router using Cisco VPN Client without any problems.

Marcin Latosiewicz (Cisco Employee) Sat, 04/09/2011 - 01:20


EZVPN with PSK is implemented on the ASA to use aggressive mode, thus your PSK is sent in the first packet (message).

What I would suggest is to enable capture on ASA and debugs on both sides:

- debug cry isa

- debug crypto ipsec

(You can enable conditional debugging on IOS using "debug crypto condition peer ipv4")

And yes, debug crypto vpnclient on the ASA would be interesting to see.

Regarding captures: we will see whether any response is sent from the headend (and in the debugs on IOS we will see what this response was).


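The capture check suggested above, as an added example that is not part of the thread: a small Python helper that takes UDP/500 datagrams from a capture (here constructed inline with placeholder addresses), decodes the ISAKMP header (RFC 2408), and reports per IKE session which exchange type the client proposed and whether the headend ever replied. The IPs, cookies and packet lengths are made-up sample values.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): initiator cookie (8), responder
# cookie (8), next payload (1), version (1), exchange type (1), flags (1),
# message ID (4), total length (4) = 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational"}

def parse_isakmp(payload):
    """Decode the fixed ISAKMP header of one UDP/500 datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    icookie, rcookie, _np, ver, xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    return {"icookie": icookie, "rcookie": rcookie,
            "version": (ver >> 4, ver & 0x0F),
            "exchange": EXCHANGE_NAMES.get(xchg, str(xchg)), "length": length}

def summarize_ike(packets, client_ip, headend_ip):
    """packets: iterable of (src_ip, dst_ip, udp_payload) seen on UDP/500.
    Sessions are keyed by initiator cookie, so retransmissions of the same
    first message and any headend reply land in the same entry."""
    sessions = {}
    for src, dst, payload in packets:
        hdr = parse_isakmp(payload)
        s = sessions.setdefault(hdr["icookie"],
                                {"exchange": hdr["exchange"], "sent": 0, "replies": 0})
        if src == client_ip and dst == headend_ip:
            s["sent"] += 1
        elif src == headend_ip and dst == client_ip:
            s["replies"] += 1
    return sessions

def unanswered(sessions):
    """Initiator cookies for which the headend never responded."""
    return [c for c, s in sessions.items() if s["sent"] and not s["replies"]]

def build_hdr(icookie, rcookie, xchg, length=200):
    # Constructed sample header only; 0x10 is ISAKMP version 1.0.
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xchg, 0, 0, length)

CLIENT, HEADEND = "203.0.113.10", "198.51.100.1"   # placeholder addresses
SAMPLE_CAPTURE = [  # constructed: one silent aggressive-mode attempt, one answered
    (CLIENT, HEADEND, build_hdr(b"\x01" * 8, b"\x00" * 8, 4)),
    (CLIENT, HEADEND, build_hdr(b"\x01" * 8, b"\x00" * 8, 4)),   # retransmit
    (CLIENT, HEADEND, build_hdr(b"\x02" * 8, b"\x00" * 8, 4)),
    (HEADEND, CLIENT, build_hdr(b"\x02" * 8, b"\xAA" * 8, 4)),   # headend reply
]

if __name__ == "__main__":
    for cookie, s in summarize_ike(SAMPLE_CAPTURE, CLIENT, HEADEND).items():
        print(cookie.hex(), s)
```

Because the exchange type sits in the cleartext header, this also shows why a pcap, unlike the debug text, reveals more about the session than just the addresses.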
cclarkacs Sat, 04/09/2011 - 15:58

Thanks for the hints. I'll have to set up the equipment again and capture the logs in a bit. I disconnected everything last night when a thunderstorm came through since we don't have any power protection yet. Is there an easy way to sanitize logs prior to posting?

Marcin Latosiewicz (Cisco Employee) Sun, 04/10/2011 - 00:55

There's little to no sensitive information stored in logs (most of the time just the IP addresses); the problem might be with capture files (in pcap)...
