ASA5505 - Cannot connect with Cisco VPN client

Luftslottet
Level 1

Using a Cisco VPN Client 5.0 on an ASA5505 I cannot connect with IPsec. I get the following log on the ASA:

....QM FSM error(P2 struct....etc

....All IPSec sa Proposals found unacceptable!

....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)

....PHASE 1 COMPLETED

As I understand, authentication is okay, but the client and ASA cannot find an IKE policy to agree on? I've tried to set up several IKEs (that are listed as supported with the Cisco client) but with the same result. Am I looking in the wrong direction here? Help!

Best regards,

/Kristian

PS: if this message is posted more than 1 time - well, the Cisco apache/tomcat system has been sick for the last hours.

3 Replies

Collin Clark
VIP Alumni

The logging capabilities on the VPN client are very good. I would set all the facilities to High, try and connect, and review the logs. They are usually pretty straightforward in reporting what is not working.

Hope that helps.

cmcbride
Level 1

Occasionally I've had configurations all of a sudden require an AES IKE policy. I found this out by enabling debugging on the firewall, determining exactly what IKE policies were being sent from the VPN Client, and then matching the first one.

ssingh
Level 1

Make sure PFS is either disabled or enabled on both sides.
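An added example, not part of the thread or any poster's code: a small triage script that groups ASA log lines by peer and reports which negotiation stage failed, using the message fragments quoted in the question. The sample lines, the group name `RAVPN` and the verdict strings are constructed, and treating the DH group override message as a cue to compare PFS settings is an assumption that follows the last reply.

```python
import re

# Constructed, simplified ASA log lines (message IDs omitted); texts mirror the
# fragments quoted in the question. Peer IPs are documentation addresses.
SAMPLE_LOG = """\
Group = RAVPN, IP = 203.0.113.10, PHASE 1 COMPLETED
Group = RAVPN, IP = 203.0.113.10, Mismatch: Overriding phase 2 DH Group(DH group 5) with phase 1 group(DH group 2)
Group = RAVPN, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
Group = RAVPN, IP = 203.0.113.10, QM FSM error (P2 struct &0x1, mess id 0x2)!
Group = RAVPN, IP = 198.51.100.7, PHASE 1 COMPLETED
Group = RAVPN, IP = 192.0.2.44, Unrelated keepalive message
"""

PEER = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
EVENTS = {
    "phase1_ok": re.compile(r"PHASE 1 COMPLETED", re.I),
    "p2_rejected": re.compile(r"All IPSec SA proposals found unacceptable", re.I),
    "qm_error": re.compile(r"QM FSM error", re.I),
    "dh_override": re.compile(r"Overriding phase ?2 DH Group", re.I),
}

def collect_events(log_text):
    """Return {peer_ip: set of event names seen for that peer}."""
    seen = {}
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue
        events = seen.setdefault(peer.group(1), set())  # record peer even if nothing matches
        events.update(n for n, rx in EVENTS.items() if rx.search(line))
    return seen

def diagnose(events):
    """Map one peer's event set to the negotiation stage that failed."""
    p2_failed = bool(events & {"p2_rejected", "qm_error"})
    if "phase1_ok" in events and p2_failed:
        # Phase 1 (IKE policy) matched; the phase 2 IPsec proposal did not.
        return "phase2-mismatch:check-pfs" if "dh_override" in events else "phase2-mismatch"
    if "phase1_ok" in events:
        return "phase1-ok:no-phase2-failure-logged"
    if p2_failed:
        return "phase2-failure:phase1-not-in-capture"
    return "no-ike-events"

def triage(log_text):
    return {peer: diagnose(ev) for peer, ev in collect_events(log_text).items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```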
