Core issue
If you use a pre-shared key for the Cisco VPN Client version 3.x to connect to the PIX Firewall, you need to configure Diffie-Hellman (DH) group 2 using the isakmp policy priority group 2 command.
Resolution
Check that the Internet Security Association and Key Management Protocol (ISAKMP) policy on the PIX has the correct DH group configured. Your configuration should be similar to this:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
For more information about configuring IPSec, refer to Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec.