Community Member

ASA 5505 + EZVPN Client

Hi Guys,

Still struggling with the EZVPN setup.
This is the instantaneous setup at the moment.

LAN ---- inside-( ASA outside-(DHCP private IP) ---- (private IP)-ISP Router-(public IP)

The ISP blocks UDP/500 and UDP/4500, so there is no way to set up a site-2-site VPN via IPsec.
So we tried to set up the ASA5505 as an EZVPN client and configured it to use TCP over IPsec, but without success. I think the problem is the private IP on our outside interface. Has anyone faced the same problem?

Thanks Markus


VIP Purple

You don't show your config, so it's not possible to see if something goes wrong there.

If the config is ok, use the capture command on the HQ-ASA to see if the EZVPN-packets reach the HQ.

Community Member

Good day Karsten,

The next maintenance is scheduled on 2014/11/18. I'll post the necessary information after the maintenance.


Community Member

Good all,

Got the configuration...

LAN ---- inside-( ASA outside-( ---- ( Router-(

I updated the IP address and attached the following log files:
1. tmasb_log_file --> log file from the HQ
2. tmasb_ipsec --> the packet capture from HQ

I found this msg in the log file:

715065|||||Group = TMASB_TEST2, IP =, IKE AM Responder FSM error history (struct &0xb40cbb00) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR

This assumes that the preshared key is wrong, but I double-checked this with my colleague and this could not be the issue.
I think the problem is before the ASA, on the ISP modem.
Maybe someone has an idea?
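
Added example, not part of the original thread: a small Python parser for the 715065 FSM error history message quoted in the post above, which puts its `<state>, <event>` pairs into chronological order. It assumes the ASA lists the history newest first (the line opens with AM_DONE, EV_ERROR); the function names are hypothetical.

```python
import re

# Log line copied from the post above (its IP field is empty on the page).
SAMPLE = (
    "715065|||||Group = TMASB_TEST2, IP =, IKE AM Responder FSM error history "
    "(struct &0xb40cbb00) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, "
    "EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->"
    "AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, "
    "EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR"
)

HEADER = re.compile(
    r"Group = (?P<group>[^,]*), IP =\s*(?P<ip>[^,]*), "
    r"IKE (?P<mode>\w+) (?P<role>Initiator|Responder) FSM error history "
    r"\(struct &0x[0-9a-fA-F]+\)\s*<state>, <event>:\s*(?P<history>.+)$"
)

def parse_fsm_history(line):
    """Return group, peer IP, IKE mode/role and the (state, event) steps, oldest first."""
    m = HEADER.search(line.strip())
    if m is None:
        raise ValueError("not an IKE FSM error history message")
    steps = []
    for pair in m.group("history").split("-->"):
        state, sep, event = pair.partition(",")
        if not sep or not state.strip() or not event.strip():
            raise ValueError(f"malformed <state>, <event> pair: {pair!r}")
        steps.append((state.strip(), event.strip()))
    steps.reverse()  # assumption: the ASA logs the newest entry first
    return {"group": m.group("group").strip(),
            "peer_ip": m.group("ip").strip() or None,
            "mode": m.group("mode"), "role": m.group("role"), "steps": steps}

def summarize(parsed):
    """Name the final entry and the states in which a timeout was recorded."""
    steps = parsed["steps"]
    return {"final": steps[-1],
            "timed_out_in": [s for s, e in steps if e == "EV_TIMEOUT"],
            "states_visited": list(dict.fromkeys(s for s, _ in steps))}

if __name__ == "__main__":
    parsed = parse_fsm_history(SAMPLE)
    for n, (state, event) in enumerate(parsed["steps"], 1):
        print(f"{n}. {state:<13} {event}")
    print(summarize(parsed))
```

Read oldest first, the quoted line shows the responder passing through AM_SND_MSG2, recording EV_TIMEOUT in AM_WAIT_MSG3, and only then EV_PROB_AUTH_FAIL followed by AM_DONE, EV_ERROR.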

