Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

EZVPN Remote problem (871W to ASA 5520)


I've been working on this all weekend, and I can't figure out what's wrong. My requirements are that I'm about to bring up a tunnel on demand from one host inside my network to my office for only certain subnets. I've got control of both sides router and ASA. The cisco vpn client works fine with any of the groups that I've tried under the ezvpn, but ezvpn won't negotiate. Under a "debug crypt isakmp" it shows that none of the ike proposals match and it fails Phase 1. On the ASA side, it only tells me that "Information Processing failed" with host x.x.x.x. I'm at a loss.

My current config on my router is attached.

In acl 102, I've tried just "permit ip host any" and it makes the router reload. I changed my mode to client extension, but Cisco docs say that in order to use multiple subnets, you need to have network extension enabled. That didn't work either. I've tried to use the VPN groupname that the software clients use in the ASA, but it doesn't negotiate. I created a new group name for just my router, and I'm allowing only the networks that you see in the config, but that didn't work. I thought that it had something to do with my username because we authenticate to a RADIUS server, so I created a local account on the ASA and change the group-policy to use local authentication. That didn't work either.

Any ideas? I tried to change the version on my IOS to 12.4.24 (currently at 12.4.15), but that didn't work either.



HTH, John *** Please rate all useful posts ***

Re: EZVPN Remote problem (871W to ASA 5520)

Here's my debug file



HTH, John *** Please rate all useful posts ***
New Member

Re: EZVPN Remote problem (871W to ASA 5520)

Have you enabled Network Extension Mode in the Group Polices on the ASA. Its disabled by default.

Have you allowed Reverse Route Injection for the crypto map in the asa