Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 - Cannot connect with Cisco VPN client

Using a Cisco VPN Client 5.0 on a ASA5505 I cannot connect with IPsec. I get the following log on the ASA:

....QM FSM error(P2 struct....etc

....All IPSec sa Proposals found unacceptable!

....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)


AS I understand, authentication is okey, but the client and ASA cannot find a IKE policy to agree on ? I've tried to setup several IKE's (that are listed supported with the Cisco client) but with the same result. Am I looking in the wrong direction here ? help !

Best regards,


PS: if this message is posted more than 1 time - well, the Cisco apache/tomcat system has been seek for the last hours..


Re: ASA5505 - Cannot connect with Cisco VPN client

The logging capabilities on the VPN client are very good. I would set all the facilities to High, try and connect, and review the logs. They are usually pretty straight forward in reporting what is not working.

Hope that helps.

New Member

Re: ASA5505 - Cannot connect with Cisco VPN client

Occasionally I've had configurations all of a sudden require AES IKE policy. I found this out by enabling Debugging on the firewall and determining what exactly IKE policies were being sent from the VPN Client and then matched the first one.

New Member

Re: ASA5505 - Cannot connect with Cisco VPN client

Make sure PFS is disabled or enabled on bothside.