First off, this bug is an internal Cisco bug: if you configure a secondary IP address on the main interface, you will see error code 87.
So far, a secondary IP is the only reason documented internally by Cisco. However, even without a secondary IP address set up on the main interface, you can still see the error on the VPN client.
If that is the case, the error indicates incorrect or incomplete configuration on the ASA side. Check the ASA config for these items:
1) NAT exemption (NAT 0) - to allow the restricted network to be accessible from the VPN pool
2) Split Tunnel - Ensure you specify which inside networks (whole or partial) need to be included in the secure tunneling list. If all traffic, including Internet traffic, is required to be secured by VPN tunnel encryption, you could use ANY.
3) For item (2), that Internet traffic needs to be rerouted back to the Internet from the same Outside interface, so you need to:
3-1) NAT (outside) - this step enables the VPN private IP addresses to be NATed properly to the outside global IP address before the traffic goes back to the Internet.
3-2) Hair-Pinning or U-Turn - use the command "same-security-traffic permit intra-interface" - This command basically allows the inbound VPN traffic to come back out from the same Outside interface. It is a similar concept to Split Horizon in IP routing.
I had the exact same issue before, and eventually, after fixing the above items, everything worked fine. And from your VPN client log view, you should be able to see the correct IKE and IPSEC information rather than the Code 87 issue.
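
The checklist above as a config audit, added here as an example (not part of the original post and not Cisco tooling). It assumes pre-8.3 ASA NAT syntax, an interface named `outside`, and a single group-policy; the sample running-config is constructed.

```python
import re

# Constructed ASA 8.2-style excerpt: full tunnel, but the outside NAT rule
# and the hairpin command from items 3-1 and 3-2 are absent.
SAMPLE_FULL_TUNNEL = """\
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
ip local pool VPNPOOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy RA-VPN internal
group-policy RA-VPN attributes
 split-tunnel-policy tunnelall
"""

def audit(config):
    """Return the checklist items from the post that the config does not satisfy."""
    lines = [line.strip() for line in config.splitlines()]

    def has(pattern):
        return any(re.match(pattern, line) for line in lines)

    missing = []
    # 1) NAT exemption (NAT 0) so the inside network is reachable from the VPN pool
    if not has(r"nat \(\S+\) 0 access-list \S+"):
        missing.append("1 nat-exemption")
    # 2) Split tunnel: tunnelspecified must name a network list
    split = has(r"split-tunnel-policy tunnelspecified")
    if split and not has(r"split-tunnel-network-list value \S+"):
        missing.append("2 split-tunnel-network-list")
    # 3) Without split tunnelling, Internet traffic U-turns on the outside interface
    if not split:
        # 3-1) VPN pool addresses need a dynamic NAT rule on outside (nat id above 0)
        if not has(r"nat \(outside\) [1-9]\d* "):
            missing.append("3-1 nat-outside")
        # 3-2) hairpinning must be permitted
        if not has(r"same-security-traffic permit intra-interface"):
            missing.append("3-2 intra-interface")
    return missing

if __name__ == "__main__":
    for item in audit(SAMPLE_FULL_TUNNEL):
        print("missing:", item)
```
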