Community Member

VPN Client not working

We have already configured our firewall to allow VPN client connections. It is also set up to authenticate to our Active Directory, but I still get this error on my VPN client software when trying to access my office.

1 02:26:53.171 02/03/09 Sev=Warning/3 IKE/0xE3000057

The received HASH payload cannot be verified

2 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300007E

Hash verification failed... may be configured with invalid group password.

3 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300009B

Failed to authenticate peer (Navigator:904)

4 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

Below is my current running config:

ASA Version 8.0(4)


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address


ftp mode passive

dns server-group DefaultDNS

domain-name abc.local

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host eq 222

access-list outside_access_in extended permit tcp any host eq pptp

access-list ST standard permit

access-list ST standard permit

access-list nonat extended permit ip 255


pager lines 24

mtu inside 1500

mtu outside 1500

ip local pool abcpool mask

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

static (inside,outside) tcp 222 ssh netmask 255.255.2


static (inside,outside) tcp interface pptp pptp netmask 255.255.255.


access-group outside_access_in in interface outside

route outside 1

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host

key abc

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

crypto ipsec transform-set toabc esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set toRMT

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds


crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map oustide_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

group-policy abc internal

group-policy abc attributes

dns-server value

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ST

default-domain value abc.local

tunnel-group abc type remote-access

tunnel-group abc general-attributes

address-pool abcpool

authentication-server-group RADIUS

default-group-policy abc

tunnel-group abc ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

service-policy global_policy global


Hall of Fame Super Gold

Re: VPN Client not working


I do not believe that you are getting as far as Active Directory for authentication. The messages suggest that there is a mismatch between what is configured in your VPN client and what is configured on the ASA:

Hash verification failed... may be configured with invalid group password.

This would be a key configured on your client along with the group name of abc. The ASA shows that a pre shared key is configured for group authentication:

pre-shared-key *

but it does not show what that key value is. You need to be sure that the values are the same.

Are other people with VPN client able to connect? If so this would suggest a problem in configuration of your client and you need to re-configure your client. If you are the first person and are testing then it is possible to test this by changing the value on the ASA, changing the value on your client, or by changing both (which is the approach I would suggest).
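
As an added illustration (not part of the reply above and not Cisco's code): in IKEv1 Aggressive Mode with pre-shared keys, RFC 2409 has the responder prove knowledge of the key with HASH_R, which the client recomputes from its own group password and compares. The sketch uses HMAC-MD5 to match `hash md5` in the posted ISAKMP policy; every nonce, DH value, cookie, payload body and key string in it is a constructed placeholder.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # "hash md5" in the ISAKMP policy means the IKE prf is HMAC-MD5.
    return hmac.new(key, data, hashlib.md5).digest()


def hash_r(psk, ni, nr, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b):
    """Responder authentication hash, RFC 2409 section 5 (pre-shared key)."""
    skeyid = prf(psk, ni + nr)  # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def client_verifies(client_psk, received_hash, exchange):
    # The client rebuilds HASH_R with the group password it has configured.
    expected = hash_r(client_psk, **exchange)
    return hmac.compare_digest(expected, received_hash)


# Constructed stand-ins for the values carried in the first two messages.
EXCHANGE = dict(
    ni=bytes(range(20)), nr=bytes(range(20, 40)),   # nonces
    g_xi=b"\x11" * 128, g_xr=b"\x22" * 128,         # group 2 public values
    cky_i=b"\xaa" * 8, cky_r=b"\xbb" * 8,           # ISAKMP cookies
    sai_b=b"constructed-SA-payload-body",
    idir_b=b"constructed-ID-payload-body",
)


def demo():
    asa_key = b"asa-group-key"  # hypothetical key on the responder side
    hash_from_asa = hash_r(asa_key, **EXCHANGE)
    return {
        "same key": client_verifies(b"asa-group-key", hash_from_asa, EXCHANGE),
        "different key": client_verifies(b"client-typo-key", hash_from_asa, EXCHANGE),
        "case differs": client_verifies(b"ASA-group-key", hash_from_asa, EXCHANGE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'HASH verified' if ok else 'HASH payload cannot be verified'}")
```

Any difference in the key bytes, including letter case, changes SKEYID and therefore the expected hash, which is the condition the client log reports.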



Community Member

Re: VPN Client not working

Yes, I have already made sure that that pre shared key configured for group authentication is correct. This is the first user to connect to the VPN so I assume that there is an issue going on...

Please advise. Thanks

Hall of Fame Super Gold

Re: VPN Client not working


Does the group name configured in the client match the abc used in the config (and does it match upper/lower case)?

I would suggest changing the shared key to something very simple (you can go to a more complex key when you have it working). Change it on both the client and the ASA and see if the behavior changes.

If that does not help then I suggest setting the logging level in the client to high (at least for IKE and perhaps for others such as connection manager). Test again and post the log output. Perhaps it will have some better clue about the problem.


