Community Member

ISAKMP connection request from client denied by ASA

Hi all, I am running 8.0(2) and am trying to set up IPsec RA on an ASA. The IPsec tunnel from the client will terminate on the ASA's Outside interface.

It did not work; debug shows that the ISAKMP connection request (UDP destination port 500) is either denied by the ASA or the ASA complains that no translation group is found. I don't understand why the ASA is denying the ISAKMP connection when such a connection is permitted by default. (I also tried configuring an ACL on the Outside interface to explicitly permit udp isakmp, and toggled "crypto map <> interface Outside" and "crypto isakmp enable Outside".) And in what scenario would the ASA treat an ISAKMP connection request like normal inbound traffic and try to look for a translation entry?

It should be a simple configuration, and I followed every step in the documentation. I am scratching my head trying to get the first step of IPsec VPN RA working...

Hall of Fame Super Gold

Re: ISAKMP connection request from client denied by ASA


My first guess is that something in the ASA configuration for the RA VPN is not set up correctly and the ASA is attempting to forward the packet to somewhere else. Can you post the config of the ASA (most especially the VPN parts of the config)?



Community Member

Re: ISAKMP connection request from client denied by ASA

Hi Rick, thank you for your reply. Here is the relevant configuration; please let me know if you need any other configurations:

crypto map:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Tunnel group configuration:

tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
 address-pool ra_pool
 authentication-server-group RADIUS_SVRS
 authorization-server-group RADIUS_SVRS
 accounting-server-group RADIUS_SVRS
tunnel-group ipsec-remote ipsec-attributes
 pre-shared-key *

NAT related configuration:

nat (Inside) 0 access-list inside-nonat
access-list inside-nonat extended permit ip INTERNAL-NETS VPN-Client-NET

Community Member

Re: ISAKMP connection request from client denied by ASA

Let me take a crack at this for ya.

First thing I do not see is a DHCP Pool to assign clients addresses:

! The user vpn dhcp pool cannot overlap with internally used subnets.
ip local pool VPN-DHCP-POOL mask

! Assigning the VPN DHCP Pool subnet as a no-nat on the outside interface allows the user
! traffic to enter the outside interface from the VPN Client in order to be NAT'd on its way to the Inet
nat (OUTSIDE) 1

Next thing I do not see is a group policy and associated access list that defines user attributes and access, see this:

group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 vpn-filter value VPN-USERACCESS
 vpn-tunnel-protocol IPSec
 default-domain value

You may also want to have usernames for authentication.

Community Member

Re: ISAKMP connection request from client denied by ASA

Thanks for your reply. I do have VPN pool "ra-pool" defined, and the group policy is DfltGrpPolicy, which I modified to include all tunnel protocols. Usernames and authentication are configured in the RADIUS server. I doubt the points you made would lead the ASA to deny the incoming ISAKMP connection.

Sorry I did not post every line of my configuration.

Community Member

Re: ISAKMP connection request from client denied by ASA

Well, you can either post the entire config here for the community to review or call TAC.
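
An added example, not part of any post in this thread: a small Python check that every name referenced in an ASA remote-access VPN excerpt (address pool, transform set, dynamic map, crypto map) is also defined in that excerpt. The sample reuses the commands posted above; its `ip local pool` line and address range are constructed, with the pool spelled `ra-pool` as in the later reply while the posted tunnel-group says `ra_pool`.

```python
import re

# Constructed sample: commands from the thread plus a constructed
# "ip local pool" line (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
ip local pool ra-pool 192.0.2.10-192.0.2.50 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dynamic_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dynamic_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
tunnel-group ipsec-remote type remote-access
tunnel-group ipsec-remote general-attributes
 address-pool ra_pool
"""

# kind -> (pattern whose group 1 defines a name,
#          pattern whose group 1 lists the names being referenced)
RULES = {
    "pool": (r"ip local pool (\S+)",
             r"address-pool (?:\(\S+\) )?(.+)"),
    "transform-set": (r"crypto ipsec transform-set (\S+)",
                      r"crypto dynamic-map \S+ \d+ set transform-set (.+)"),
    "dynamic-map": (r"crypto dynamic-map (\S+) \d+ ",
                    r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "crypto-map": (r"crypto map (\S+) \d+ ",
                   r"crypto map (\S+) interface \S+"),
}

def dangling_references(config):
    """Return (kind, name) for each name that is used but never defined."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for kind, (define_re, ref_re) in RULES.items():
        defined = {m.group(1) for line in lines
                   if (m := re.match(define_re, line))}
        for line in lines:
            m = re.match(ref_re, line)
            if m:
                findings += [(kind, name) for name in m.group(1).split()
                             if name not in defined]
    return findings

if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE_CONFIG):
        print(f"{kind} '{name}' is referenced but not defined")
```

A clean result only means the names line up; the thread leaves open why the ISAKMP request itself was denied.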
