Unable to connect VPN client to PIX/ASA and the "Sev=Warning/2 IKE/0xE300007E Hash verification failed... may be configured with invalid group password" error message appears in the VPN client logs


Jun 17, 2009 10:13 PM

Core issue

This issue usually occurs for one of these two reasons:

  1. Mismatch in group name and password on Cisco VPN client
  2. Dynamic map not properly configured on headend device

Resolution

In order to resolve this issue, make sure the following are properly configured:

  1. The group name and password on the Cisco VPN client must match the group name and password configured on the headend device.
  2. A dynamic map must be configured and bound to the outside interface. Refer to "How to configure dynamic maps in a PIX 500 series Firewall with software version PIX 7.x?" in order to learn more about dynamic maps.

Note: With Cisco VPN client version 4.6.x and later, the maximum pre-shared key length for the VPN Client is 128 characters. The previous limit was 32 characters. The increased key size works only with central-site devices that support 128 characters, for example, an ASA device.

If the central-site device does not support 128 characters, for example, a VPN 3000 Concentrator, you receive the same log messages as if the pre-shared key were wrong:

386 15:39:39.010  03/30/05 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

387 15:39:39.010  03/30/05  Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
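
The following triage script is an added example, not part of the original document or any Cisco tool: it parses VPN Client log entries in the format shown above, picks out the hash-verification codes quoted on this page, and lists the causes this page names. The function names and the `psk_length` parameter are assumptions; only the key's length is passed in, never the key itself.

```python
import re

# Entry header as in the sample above: "<seq> <time> <date> Sev=<name>/<level> <module>/<code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})\s*$"
)
# Message codes quoted on this page for a failed group-password hash check.
HASH_FAIL_CODES = {"0xE3000056", "0xE300007D", "0xE300007E"}
LEGACY_PSK_LIMIT = 32  # key-length limit before VPN Client 4.6.x, per the note above

def parse_entries(log_text):
    """Split raw log text into entries: header fields plus the joined message text."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.groupdict()
            current["code"] = "0x" + current["code"][2:].upper()  # normalise hex case
            current["message"] = ""
            entries.append(current)
        elif current is not None and line.strip():
            # Continuation line: append to the message of the current entry.
            current["message"] = (current["message"] + " " + line.strip()).strip()
    return entries

def triage(log_text, psk_length=None):
    """Return (hash-failure entries, causes this page lists for them)."""
    hits = [e for e in parse_entries(log_text) if e["code"] in HASH_FAIL_CODES]
    causes = []
    if hits:
        causes.append("group name/password mismatch between client and headend")
        causes.append("dynamic map missing or not bound to the outside interface")
        if psk_length is not None and psk_length > LEGACY_PSK_LIMIT:
            causes.append("key longer than 32 characters; headend may not support 128")
    return hits, causes

# Sample input: the two log entries quoted on this page.
SAMPLE = """\
386 15:39:39.010  03/30/05 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

387 15:39:39.010  03/30/05  Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
"""

if __name__ == "__main__":
    for cause in triage(SAMPLE, psk_length=40)[1]:
        print("check:", cause)
```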

Client Location on Network with PIX: Outside

VPN Protocols: Pre-shared key

Categories: ASA